300DDR
A ransomware tale:
We had a 2 drive Drobo NAS with Tesla 4.x ransomware virus (no way to decrypt without paying, yet). *I found out what version virus it had using this website: https://id-ransomware.malwarehunterteam.com/identify.php.
Trying to access the Tor link referenced in the "decrypt info" .txt files failed. It seems that either the Drobo was encrypted twice (but the .txt file with URL/payment information wasn't updated/changed) or there was a bug in the virus that entered the wrong key/personal ID. With no way to access the link, there was no way to pay, and impossible to recover the files.
So, with no other options available, I used a "personal ID" from an older ransomware virus we had, in which we were able to decrypt without paying the ransom. I got access to the Tor site, but it wasn't the site specifically for the Drobo (it was for the old case). Therefore, the time period to pay the ransom had expired (it was $1000) and according to the website text, the key was already deleted.
I chatted with "support" from the Tor site for over 3 days and got them to:
1) Confirm they could still decrypt the data (even though the "key was deleted" and the "decrypt 1 file for free" option failed to work, since again, it was for a different drive with a different key)
2) Lower the price from $1000 to $800
I paid the fee and got the key the next day, but as I had feared, it failed to work.
Contacted support again. They told me to upload 1 encrypted file to sendspace.com and send the link. Next day I had a new key and it worked! All data recovered.
Very interesting. It seems to suggest that either this same hacker group was responsible for the ransomware virus we got last month (a completely different version) and/or had access to its key. And/or, it means that they have the ability to decrypt any Tesla 4.x infected file using just the information from the headers of the encrypted files.