Teslacrypt 2.0 Factoring
1 Attachment(s)
Since there's an influx of people asking about Teslacrypt virus factorizations, it seemed appropriate to put up an instructional post that will let you do it yourself!
1) Convert the hexadecimal numbers to decimal here: [url]https://www.mathsisfun.com/binary-decimal-hexadecimal-converter.html[/url]
2) Go to [url]www.factordb.com[/url] and search for the number--you might get lucky and it's already factorized!
3) If not, you want to use a program called YAFU ("Yet Another Factoring Utility"). You can find executables here: [URL="http://sourceforge.net/projects/yafu/"]http://sourceforge.net/projects/yafu/[/URL]
4) Run YAFU with a command similar to the following (this is for Windows):
[CODE]yafu-x64.exe "factor(YOUR NUMBER HERE)" -v -threads 4[/CODE]
This will find smaller factors relatively quickly. Be sure to put those factors in at factordb.com with your number--this way you can keep track of all the factors.
5) If YAFU starts producing lines like this:
[CODE]360 167333700367 192196274858148617776495[/CODE]
It is advantageous to switch over to msieve. MSieve can be found here: [url]http://sourceforge.net/projects/msieve/[/url]
6) Download the files attached to this post (factmsieve.py and the executables) and put them into a folder at C:\GGNFS. Put the msieve executable in this folder as well.
7) If you have an NVIDIA GPU with a compute capability of 2.0 or greater, change the variable USE_CUDA on Line 73 of factmsieve.py to TRUE. You should also change THREADS_PER_CORE to the number of CPUs you have (i.e., 2 for dual core, 4 for quad core, and so on).
8) Put your number into a file named "my_number.n".
9) Go to the start menu and type "cmd" and press enter. From the command prompt, type "cd C:\GGNFS" and press enter. This will put you in the appropriate folder. Call the python script:
[CODE]python factmsieve.py my_number[/CODE]
10) You should see it begin. Depending on the size of the number (and whether you utilize a GPU), the factorization will take a few hours to a few days. Be patient, and good luck!
Lastly, there may be some mistakes here since I did this off the top of my head, so feel free to ask questions in this thread.
|
[QUOTE=wombatman;420109]Since there's an influx of people asking about Teslacrypt virus factorizations, it seemed appropriate to put up an instructional post that will let you do it yourself![/QUOTE]
Thank you for doing this. Sincerely. On the other hand, one might ask how and why one was infected by a "virus" in the first place which could run software locally and access the file-system. It could be argued that Teslacrypt (since it is so easily bypassed) was actually designed to point out that people need to be much more careful. Anyone serious, using the same "vector", could cause much more harm. A tangent... When was the last time you did a full off-line backup? Perhaps a kind gift to a friend (or perhaps yourself) would be a couple of 1 or 2 TB USB drives.... |
Yeah, I haven't been affected by the virus, but I definitely need to be better about backing things up... :smile:
|
[QUOTE=wombatman;420116]Yeah, I haven't been affected by the virus, but I definitely need to be better about backing things up... :smile:[/QUOTE]
Sorry... When I said "You" above I meant "The abstract/general you" (as LaurV often uses so very well), not _you_ specifically. :smile: But, yeah... Transactional backups, off-line backups, "cloud based" backups... The Internet can be a dangerous place. Manage your risk. |
English is an awful language in oh so many ways.
|
Hahaha, I figured as much! It was a good reminder for me personally, though. :smile:
To add to my generally unspoken thoughts on posting this, it looks like Teslacrypt is at least sometimes caught by a Flash exploit ([url]http://www.bbc.com/news/technology-31869589[/url]), and I generally loathe the type of people who create ransomware, so I figured it would be nice to help out those affected. Also, holiday season, glad tidings, etc. :tu: |
700 win32 downloads from the sourceforge page this week, jeez.
|
I've set Flash, Java and Unity player to ask before running and Ad-blocker blocks most other stuff. Ideally I'd like to delete Flash and Java entirely, but some (trusted) websites still use them and the site experience is terrible without them.
It is a compromise, but isn't it always? Do I understand it correctly that this virus targets games specifically? I've bought virtually all my games on Steam and I think many PC gamers do nowadays. You just format the harddrive, perform a clean install and you can re-download the games from Steam (the licences are connected to your account). |
[QUOTE=jasonp;420173]700 win32 downloads from the sourceforge page this week, jeez.[/QUOTE]
376 for yafu. Haven't seen that much activity since... ever :smile:
[QUOTE=wombatman;420109]5) If YAFU starts producing lines like this:
[CODE]360 167333700367 192196274858148617776495[/CODE]
It is advantageous to switch over to msieve. MSieve can be found here: [url]http://sourceforge.net/projects/msieve/[/url][/QUOTE]
Note also that unless you have a gpu, yafu can handle the NFS portion of the job equivalently to factmsieve. You again need the ggnfs executables, and you need to modify yafu.ini to point to the directory they are stored in, e.g.:
ggnfs_dir=C:/ggnfs-bin/
then it should be good to go. |
Put a tax. One buck per dld. Increase one cent for every new dld. Do like Amazon does, see the thread with the famous book costing a million, or so. Should I teach you how to make money? :wink:
These guys would pay the buck to get their files back, for sure, and they deserve to be taken out of a buck, so they can learn that the fox who does not guard its fur will have it eaten by the wolf... If anyone wants ~C120 factored, PM me, I will do it for a buck per composite, and I accept paypal and bitcoin. It is not the money, but the lesson. Otherwise they will never learn. Paul, sorry for the competition :razz: Edit: buck = 1.0 US$ |
[QUOTE=LaurV;420179]
If anyone wants ~C120 factored, PM me, I will do it for a buck per composite, and I accept paypal and bitcoin. It is not the money, but the lesson. Otherwise they will never learn. Paul, sorry for the competition :razz: Edit: buck = 1.0 US$[/QUOTE]No problem. I posted that only to teach people that asking something for nothing is impolite. My fee is actually a donation to an appropriate charity, |
[QUOTE=jasonp;420173]700 win32 downloads from the sourceforge page this week, jeez.[/QUOTE]
[QUOTE=bsquared;420175]376 for yafu. Haven't seen that much activity since... ever :smile: Note also that unless you have a gpu, yafu can handle the NFS portion of the job equivalently to factmsieve. You again need the ggnfs executables, and you need to modify yafu.ini to point to the directory they are stored in, e.g.: ggnfs_dir=C:/ggnfs-bin/ then it should be good to go.[/QUOTE]
Man, I didn't realize quite how much attention this one would get... Also, good to know about YAFU. I'm not sure I've ever let it run all the way through an NFS job.
[QUOTE=VictordeHolland;420174]I've set Flash, Java and Unity player to ask before running and Ad-blocker blocks most other stuff. Ideally I'd like to delete Flash and Java entirely, but some (trusted) websites still use them and the site experience is terrible without them. It is a compromise, but isn't it always? Do I understand it correctly that this virus targets games specifically? I've bought virtually all my games on Steam and I think many PC gamers do nowadays. You just format the harddrive, perform a clean install and you can re-download the games from Steam (the licences are connected to your account).[/QUOTE]
It targets a variety of files, including games, based on what I've read.
[QUOTE=xilman;420180]No problem. I posted that only to teach people that asking something for nothing is impolite. My fee is actually a donation to an appropriate charity,[/QUOTE]
If we wanted to add the dollar donation, maybe it could be toward the forum's fund? |
[QUOTE=wombatman;420186]If we wanted to add the dollar donation, maybe it could be toward the forum's fund?[/QUOTE]The forum doesn't need money ATM.
How about: [URL]http://www.mersenne.org/donate/[/URL] [URL]https://supporters.eff.org/donate[/URL] [url]http://oeisf.org/[/url] :tu: |
Thank you
I registered just to thank you guys, especially Googulator (not sure if he visits this forum) and wombatman for the help with resolving this issue.
My laptop woke up from sleep by itself during the night, and I woke up with all my files locked. I have no idea how I got infected; I have never used an antivirus, but I'm alert about the files I open and I had never been infected with a virus before. I have absolutely no programming knowledge, had never used python scripts or encryption keys, etc., but the information I found here and from Googulator's tools were enough to figure out how to decrypt everything after several failed attempts. I, of course, shared my factorizations to factordb.com, hoping it can help others. I recovered 3 partitions and 2 external HDDs (close to 6 TB of data). Thank you so much!! |
Does anyone know why, after working for a while, the script is always searching for "c:/ggnfs/gnfs-lasieve4I13e_argfix.exe"?
[QUOTE]C:\ggnfs>factmsieve.py example2
-> ________________________________________________________________
-> | Running factmsieve.py, a Python driver for MSIEVE with GGNFS |
-> | sieving support. It is Copyright, 2010, Brian Gladman and is |
-> | a conversion of factmsieve.pl that is Copyright, 2004, Chris |
-> | Monico. Version 0.76 (Python 2.6 or later) 10th Nov 2010. |
-> |______________________________________________________________|
-> This is client 1 of 1
-> Running on 1 Core with 2 hyper-threads per Core
-> Working with NAME = example2
-> Selected default factorization parameters for 119 digit level.
-> Selected lattice siever: gnfs-lasieve4I13e
-> No parameter change detected, resuming...
-> Running setup ...
-> Estimated minimum relations needed: 8.7e+06
-> resuming a block for q from 2000000 to 2100000
-> Running lattice siever ...
-> entering sieving loop
-> making sieve job for q = 2000000 in 2000000 .. 2025000 as file example2.job.T 0
-> making sieve job for q = 2025000 in 2025000 .. 2050000 as file example2.job.T 1
-> Lattice sieving algebraic q from 2000000 to 2100000.
-> gnfs-lasieve4I13e -k -o spairs.out.T0 -v -n0 -a example2.job.T0
-> gnfs-lasieve4I13e -k -o spairs.out.T1 -v -n1 -a example2.job.T1
"c:/ggnfs/gnfs-lasieve4I13e_argfix.exe" is not recognized as internal or esternal command, executable or batch file
"c:/ggnfs/gnfs-lasieve4I13e_argfix.exe" is not recognized as internal or esternal command, executable or batch file
-> Return value 1. Updating job file and terminating...
Terminating...
C:\ggnfs>[/QUOTE]
EDIT: FOUND THAT PROBLEM IS INSIDE gnfs-lasieve4I13e.exe executable... my environment is win7 32bit |
1 Attachment(s)
Try putting the executables attached here into the same folder and see if that fixes the problem. :smile:
|
[QUOTE=DoumQC;420267]I registered just to thank you guys, especially Googulator (not sure if he visits this forum) and wombatman for the help with resolving this issue.
My laptop woke up from sleep by itself during the night, and I woke up with all my files locked. I have no idea how I got infected; I have never used an antivirus, but I'm alert about the files I open and I had never been infected with a virus before. I have absolutely no programming knowledge, had never used python scripts or encryption keys, etc., but the information I found here and from Googulator's tools were enough to figure out how to decrypt everything after several failed attempts. I, of course, shared my factorizations to factordb.com, hoping it can help others. I recovered 3 partitions and 2 external HDDs (close to 6 TB of data). Thank you so much!![/QUOTE] Only just saw this message, but I'm glad it helped! That's what I was going for :smile: |
Does anyone know this error?
Msieve v. 1.52 (SVN unknown)
Thu Dec 31 19:22:34 2015
random seeds: 6e585bc0 ad104d1e
factoring 619838370694573489677615657761314429981701046554484927594725478425232273862780267750658149 2406890270674 (153 digits)
searching for 15-digit factors
P-1 stage 2 factor found
searching for 20-digit factors
searching for 25-digit factors
200 of 214 curves
completed 214 ECM curves
searching for 30-digit factors
425 of 430 curves
completed 430 ECM curves
searching for 35-digit factors
903 of 904 curves
completed 904 ECM curves
searching for 40-digit factors
ECM stage 1 factor found
commencing quadratic sieve (106-digit input)
using multiplier of 21
using VC8 32kb sieve core
sieve interval: 41 blocks of size 32768
processing polynomials in batches of 5
using a sieve bound of 4509961 (158667 primes)
using large prime bound of 676494150 (29 bits)
using double large prime bound of 7842874720045650 (45-53 bits)
using trial factoring cutoff of 53 bits
polynomial 'A' values have 14 factors
restarting with 2268 full and 136950 partial relations
sieving in progress (press Ctrl-C to pause)
159024 relations (37823 full + 121201 combined from 2341028 partial), need 158763
159024 relations (37823 full + 121201 combined from 2341028 partial), need 158763
sieving complete, commencing postprocessing
failed to reallocate 1000643456 bytes
Thanks |
Hi could you help me?
I have tried to factorize the number and all this stuff, but I don't know if I'm doing it correctly.
1º Collect an encrypted file from the attacked machine. Choose a file with a known initial magic number - unfactor.py is pre-configured for working with PDF files; change the magic number in unfactor.py from '%PDF' to the correct value if you are not using a PDF (e.g. 'PK' for .zip, ODF or .docx/OOXML files; '\xff\xd8' for JPEGs; or '\xd0\xcf\x11\xe0' for MS Office .doc files).
Done, my file is: [url]https://drive.google.com/file/d/0BwvRVDkjEDS0VTd1dlRHVlVaUFk/view?usp=sharing[/url]
Now I have used teslacrack:
C:\Python27>python teslacrack.py
Cannot decrypt ./PRENSA2.pdf.vvv, unknown key
Cannot decrypt ./PRENSA3.pdf.vvv, unknown key
Software has encountered the following unknown AES keys, please crack them first using msieve:
10ACCB6406EB1FE0D93DCC2C5BBDACD8710A04DEB15520EEF1D4CFEDC2DFCA3895943154618918FE 62DA23B722D5809C7AE170584FA8BE30267C1FAF516A5D40 found in ./PRENSA2.pdf.vvv
Alternatively, you can crack the following Bitcoin key(s) using msieve, and use them with TeslaDecoder:
5A418C2F6DD510539255FDDFF6EA230CCBA15B0D044B400BFEBE9DE5B1D663F645BF81EEAFC8A519 36947065D4DAACFB5EA0B7BC1B5ED6B17002C95DF69121A1 found in ./PRENSA2.pdf.vvv
3º Converted the number 10ACCB6406EB1FE0D93DCC2C5BBDACD8710A04DEB15520EEF1D4CFEDC2DFCA3895943154618918FE62DA23B722D5809C7AE170584FA8BE30267C1FAF516A5D40 to decimal
4º 873339487944179624297665682793624357542779586186821779339346113975875887520645272460238898815353382661720310066441112454002450497814716346179687199432000
5º Then go to dbfactors [url]http://factordb.com/index.php?query=873339487944179624297665682793624357542779586186821779339346113975875887520645272460238898815353382661720310066441112454002450497814716346179687199432000[/url]
6º and it's supposed to be composed of: 2 2 2 2 2 2 3 5 5 5 29 59 103 151 2081 2039603 322173601224816155025890456134799554747520954466786092411112732191046966619956024078927303819677756483239813379900670701979755688047
7º Now I tried:
C:\Python27>python.exe unfactor-ecdsa.py PRENSA2.pdf.vvv 2 2 2 2 2 2 3 5 5 5 29 59 103 151 2081 2039603 32217360122481615502589045613479955474752095446678609241 1112732191046966619956024078927303819677756483239813379900670701979755688047
No keys found, check your factors!
So what's wrong? For the moment I'm factorizing numbers by myself. Thanks |
Good job Thanks
|
Just factorized some other numbers and put them into factdb :) If anyone needs help in factoring for teslacrypt data recovery, I am always available.
thanks for all the help, suggestions and patience:) best 2016 to all of you:D |
[QUOTE=munozbasols;421158]I have tried to factorize number and all this stuff but i don't know if i'm doing correctly.
5º then go to dbfactors [url]http://factordb.com/index.php?query=873339487944179624297665682793624357542779586186821779339346113975875887520645272460238898815353382661720310066441112454002450497814716346179687199432000[/url]
6º and it's supossed to be composed by: 2 2 2 2 2 2 3 5 5 5 29 59 103 151 2081 2039603 [B]322173601224816155025890456134799554747520954466786092411112732191046966619956024078927303819677756483239813379900670701979755688047[/B]
So whats wrong? for me moment i'm factorizing numbers by myself. Thanks[/QUOTE]
The number in bold is not fully factored. Look at the factordb link you provided--the 322... number is a composite number with 3 factors. You need to break it down to those three factors. |
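Added example, not part of any post in this thread and not code from TeslaCrack or factordb: a Python check that a factor list multiplies back to the hex value the tool printed and that every entry is prime, which catches an unsplit composite cofactor like the one pointed out in the reply above. The function names and the sample number are constructed for illustration.

```python
# Added example (not code from the thread or from TeslaCrack): validate a factor
# list before giving it to an unfactor script. All values below are constructed.
import random
from math import prod


def is_probable_prime(n, rounds=40):
    """Miller-Rabin probable-prime test with a fixed seed for repeatable runs."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # this base proves n composite
    return True


def check_factors(key_hex, factors):
    """Return (product_matches, composite_factors) for a hex value and claimed factors."""
    n = int("".join(key_hex.split()), 16)  # tolerate console line wraps in the hex
    composites = [f for f in factors if not is_probable_prime(f)]
    return prod(factors) == n, composites


# Constructed sample: small primes times the product of two known primes.
P, Q = 999983, 1000003
SMALL = [2] * 6 + [3] + [5] * 3
SAMPLE_HEX = format(prod(SMALL) * P * Q, "X")

if __name__ == "__main__":
    for label, factors in (("cofactor left unsplit", SMALL + [P * Q]),
                           ("fully factored", SMALL + [P, Q]),
                           ("factor missing", SMALL + [P])):
        ok, composites = check_factors(SAMPLE_HEX, factors)
        print(f"{label}: product matches={ok}, composite entries={composites}")
```

A list is ready to use only when the product matches and the composite list is empty; any entry reported as composite still has to be factored further.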
error msieve
C:\ggnfs>factmsieve.py example.n
-> ________________________________________________________________
-> | Running factmsieve.py, a Python driver for MSIEVE with GGNFS |
-> | sieving support. It is Copyright, 2010, Brian Gladman and is |
-> | a conversion of factmsieve.pl that is Copyright, 2004, Chris |
-> | Monico. Version 0.86 (Python 2.6 or later) 20th June 2011. |
-> |______________________________________________________________|
-> Running Python 3.6
-> This is client 1 of 1
-> Running on 2 Cores with 4 hyper-threads per Core
-> Working with NAME = example
-> Found n = 7369542122515376332728682822621167555323949319060063938380723223278665767214673077154299750527464962727415553945306829727310748856587422451334735662052691.
-> Polynomial file example.poly does not exist!
-> Running polynomial selection ...
-> msieve -s .\example.dat.T0 -l .\example.log.T0 -i .\example.ini.T0 -nf .\example.fb.T0 -np 801,900 -v >> .\example.msp.T0
-> msieve -s .\example.dat.T1 -l .\example.log.T1 -i .\example.ini.T1 -nf .\example.fb.T1 -np 901,1000 -v >> .\example.msp.T1
-> msieve -s .\example.dat.T2 -l .\example.log.T2 -i .\example.ini.T2 -nf .\example.fb.T2 -np 1001,1100 -v >> .\example.msp.T2
-> msieve -s .\example.dat.T3 -l .\example.log.T3 -i .\example.ini.T3 -nf .\example.fb.T3 -np 1101,1200 -v >> .\example.msp.T3
-> msieve -s .\example.dat.T4 -l .\example.log.T4 -i .\example.ini.T4 -nf .\example.fb.T4 -np 1201,1300 -v >> .\example.msp.T4
-> msieve -s .\example.dat.T5 -l .\example.log.T5 -i .\example.ini.T5 -nf .\example.fb.T5 -np 1301,1400 -v >> .\example.msp.T5
-> msieve -s .\example.dat.T6 -l .\example.log.T6 -i .\example.ini.T6 -nf .\example.fb.T6 -np 1401,1500 -v >> .\example.msp.T6
-> msieve -s .\example.dat.T7 -l .\example.log.T7 -i .\example.ini.T7 -nf .\example.fb.T7 -np 1501,1600 -v >> .\example.msp.T7 |
What seems to be the error?
|
Bouygues Construction victim of ransomware
[URL]https://www.usine-digitale.fr/article/bouygues-construction-victime-d-un-rancongiciel.N924894[/URL] |