A forum for reverse engineering, OS internals and malware analysis
Grinler wrote:This is teslacrypt. Notice the version number in the GUI title and game extensions.Yep, I suspected it was TeslaCrypt, but was unsure when I got the CryptoWall message. Maybe this user had both installed at one point, but the shortcuts to the ransom note were (still) of CryptoWall.
Grinler wrote:Both BleepingComputer's and Bromium's writeups state that it uses AES. Only the malware exec states that it uses RSA.Yes I have tested it, I am able to recover the key from that file...
Have you tested being able to decrypt using the key.dat?
AaLl86 wrote:And you are able to decrypt files using it? If so, do you plan on releasing a decrypter to help those affected?Grinler wrote:Both BleepingComputer's and Bromium's writeups state that it uses AES. Only the malware exec states that it uses RSA.Yes I have tested it, I am able to recover the key from that file...
Have you tested being able to decrypt using the key.dat?
Andre
Grinler wrote: And you are able to decrypt files using it? If so, do you plan on releasing a decrypter to help those affected?Yes, you can recover a key from there, but not sure which one it is as you need 2 keys. A decryption key AND a verification key. So not sure if this would be possible.
Blaze wrote:Yup, I know a key and bitcoin address resides in there, but can it actually be used to decrypt your data?Grinler wrote: And you are able to decrypt files using it? If so, do you plan on releasing a decrypter to help those affected?Yes, you can recover a key from there, but not sure which one it is as you need 2 keys. A decryption key AND a verification key. So not sure if this would be possible.
Two more samples attached.
