Teslacrypt 2.0 Factoring

[wombatman]

Quote:

Originally Posted by jasonp

700 win32 downloads from the sourceforge page this week, jeez.

Quote:

Originally Posted by bsquared

376 for yafu.

Haven't seen that much activity since... ever





Note also that unless you have a gpu, yafu can handle the NFS portion of the job equivalently to factmsieve. You again need the ggnfs executables, and you need to modify yafu.ini to point to the directory they are stored in, e.g.: ggnfs_dir=C:/ggnfs-bin/
then it should be good to go.

Man, I didn't realize quite how much attention this one would get...

Also, good to know about YAFU. I'm not sure I've ever let it run all the way through an NFS job.

Quote:

Originally Posted by VictordeHolland

I've set Flash, Java and Unity player to ask before running and Ad-blocker blocks most other stuff. Ideally I'd like to delete Flash and Java entirely, but some (trusted) websites still use them and the site experience is terrible without them.
It is a compromise, but isn't it always?

Do I understand it correctly that this virus targets games specifically? I've bought virtually all my games on Steam and I think many PC gamers do nowadays. You just format the harddrive, perform a clean install and you can re-download the games from Steam (the licences are connected to your account).

It targets a variety of files, including games, based on what I've read.

Quote:

Originally Posted by xilman

No problem. I posted that only to teach people that asking something for nothing is impolite.

My fee is actually a donation to an appropriate charity,

If we wanted to add the dollar donation, maybe it could be toward the forum's fund?

[Xyzzy]

Quote:

Originally Posted by wombatman

If we wanted to add the dollar donation, maybe it could be toward the forum's fund?

The forum doesn't need money ATM.

How about:

http://www.mersenne.org/donate/
https://supporters.eff.org/donate
http://oeisf.org/

[DoumQC]

I registered just to thank you guys, especially Googulator (not sure if he visits this forum) and wombatman for the help with resolving this issue.

My laptop woke up from sleep by itself during the night, and I woke up with all my files locked. I have no idea how I got infected; I have never used an antivirus, but I'm alert about the files I open and I had never been infected with a virus before. I have absolutely no programming knowledge, had never used python scripts or encryption keys, etc., but the information I found here and from Googulator's tools were enough to figure out how to decrypt everything after several failed attempts. I, of course, shared my factorizations to factordb.com, hoping it can help others. I recovered 3 partitions and 2 external HDDs (close to 6 TB of data). Thank you so much!!

[conan981]

anyone knows for what reason after some working , script is always searching for something
"c:/ggnfs/gnfs-lasieve4I13e_argfix.exe"?

Quote:

C:\ggnfs>factmsieve.py example2
-> ________________________________________________________________
-> | Running factmsieve.py, a Python driver for MSIEVE with GGNFS |
-> | sieving support. It is Copyright, 2010, Brian Gladman and is |
-> | a conversion of factmsieve.pl that is Copyright, 2004, Chris |
-> | Monico. Version 0.76 (Python 2.6 or later) 10th Nov 2010. |
-> |______________________________________________________________|
-> This is client 1 of 1
-> Running on 1 Core with 2 hyper-threads per Core
-> Working with NAME = example2
-> Selected default factorization parameters for 119 digit level.
-> Selected lattice siever: gnfs-lasieve4I13e
-> No parameter change detected, resuming...
-> Running setup ...
-> Estimated minimum relations needed: 8.7e+06
-> resuming a block for q from 2000000 to 2100000
-> Running lattice siever ...
-> entering sieving loop
-> making sieve job for q = 2000000 in 2000000 .. 2025000 as file example2.job.T
0
-> making sieve job for q = 2025000 in 2025000 .. 2050000 as file example2.job.T
1
-> Lattice sieving algebraic q from 2000000 to 2100000.
-> gnfs-lasieve4I13e -k -o spairs.out.T0 -v -n0 -a example2.job.T0
-> gnfs-lasieve4I13e -k -o spairs.out.T1 -v -n1 -a example2.job.T1
"c:/ggnfs/gnfs-lasieve4I13e_argfix.exe" is not recognized as internal or esternal command, executable or batch file
"c:/ggnfs/gnfs-lasieve4I13e_argfix.exe" is not recognized as internal or esternal command, executable or batch file
-> Return value 1. Updating job file and terminating...
Terminating...

C:\ggnfs>

EDIT: FOUND THAT PROBLEM IS INSIDE gnfs-lasieve4I13e.exe executable... my enviroment is win7 32bit

[wombatman]

Try putting the executables attached here into the same folder and see if that fixes the problem.

[wombatman]

Quote:

Originally Posted by DoumQC

I registered just to thank you guys, especially Googulator (not sure if he visits this forum) and wombatman for the help with resolving this issue.

My laptop woke up from sleep by itself during the night, and I woke up with all my files locked. I have no idea how I got infected; I have never used an antivirus, but I'm alert about the files I open and I had never been infected with a virus before. I have absolutely no programming knowledge, had never used python scripts or encryption keys, etc., but the information I found here and from Googulator's tools were enough to figure out how to decrypt everything after several failed attempts. I, of course, shared my factorizations to factordb.com, hoping it can help others. I recovered 3 partitions and 2 external HDDs (close to 6 TB of data). Thank you so much!!

Only just saw this message, but I'm glad it helped! That's what I was going for

[darkskysofrenia]

is anyone know this error ?

Msieve v. 1.52 (SVN unknown)
Thu Dec 31 19:22:34 2015
random seeds: 6e585bc0 ad104d1e
factoring 619838370694573489677615657761314429981701046554484927594725478425232273862780267750658149
2406890270674 (153 digits)
searching for 15-digit factors
P-1 stage 2 factor found
searching for 20-digit factors
searching for 25-digit factors
200 of 214 curves
completed 214 ECM curves
searching for 30-digit factors
425 of 430 curves
completed 430 ECM curves
searching for 35-digit factors
903 of 904 curves
completed 904 ECM curves
searching for 40-digit factors
ECM stage 1 factor found
commencing quadratic sieve (106-digit input)
using multiplier of 21
using VC8 32kb sieve core
sieve interval: 41 blocks of size 32768
processing polynomials in batches of 5
using a sieve bound of 4509961 (158667 primes)
using large prime bound of 676494150 (29 bits)
using double large prime bound of 7842874720045650 (45-53 bits)
using trial factoring cutoff of 53 bits
polynomial 'A' values have 14 factors
restarting with 2268 full and 136950 partial relations

sieving in progress (press Ctrl-C to pause)
159024 relations (37823 full + 121201 combined from 2341028 partial), need 158763
159024 relations (37823 full + 121201 combined from 2341028 partial), need 158763
sieving complete, commencing postprocessing
failed to reallocate 1000643456 bytes

thks

[munozbasols]

I have tried to factorize number and all this stuff but i don't know if i'm doing correctly.

1º Collect an encrypted file from the attacked machine. Choose a file with a known initial magic number - unfactor.py is pre-configured for working with PDF files; change the magic number in unfactor.py from '%PDF' to the correct value if you are not using a PDF (e.g. 'PK' for .zip, ODF or .docx/OOXML files; '\xff\xd8' for JPEGs; or '\xd0\xcf\x11\xe0' for MS Office .doc files).

Done my files is:

https://drive.google.com/file/d/0Bwv...ew?usp=sharing

now I have used teslacrack
C:\Python27>python teslacrack.py
Cannot decrypt ./PRENSA2.pdf.vvv, unknown key
Cannot decrypt ./PRENSA3.pdf.vvv, unknown key
Software has encountered the following unknown AES keys, please crack them first
using msieve:
10ACCB6406EB1FE0D93DCC2C5BBDACD8710A04DEB15520EEF1D4CFEDC2DFCA3895943154618918FE
62DA23B722D5809C7AE170584FA8BE30267C1FAF516A5D40 found in ./PRENSA2.pdf.vvv
Alternatively, you can crack the following Bitcoin key(s) using msieve, and use
them with TeslaDecoder:
5A418C2F6DD510539255FDDFF6EA230CCBA15B0D044B400BFEBE9DE5B1D663F645BF81EEAFC8A519
36947065D4DAACFB5EA0B7BC1B5ED6B17002C95DF69121A1 found in ./PRENSA2.pdf.vvv

3º converted number to decimal
10ACCB6406EB1FE0D93DCC2C5BBDACD8710A04DEB15520EEF1D4CFEDC2DFCA3895943154618918FE62DA23B722D5809C7AE170584FA8BE30267C1FAF516A5D40 to decimal

4º 873339487944179624297665682793624357542779586186821779339346113975875887520645272460238898815353382661720310066441112454002450497814716346179687199432000
5º then go to dbfactors
http://factordb.com/index.php?query=...79687199432000

6º and it's supossed to be composed by:

2 2 2 2 2 2 3 5 5 5 29 59 103 151 2081 2039603 322173601224816155025890456134799554747520954466786092411112732191046966619956024078927303819677756483239813379900670701979755688047

7º now tried C:\Python27>python.exe unfactor-ecdsa.py PRENSA2.pdf.vvv 2 2 2 2 2 2 3 5 5 5 29
59 103 151 2081 2039603 32217360122481615502589045613479955474752095446678609241
1112732191046966619956024078927303819677756483239813379900670701979755688047
No keys found, check your factors!


So whats wrong?

for me moment i'm factorizing numbers by myself.

Thanks

[munozbasols]

Good job Thanks

[conan981]

just factorized some other numbers and put them into factdb :) if anyone need help in factoring for teslacrypt data recovery i am always avaible
thanks for all the help, suggestions and patience:)
best 2016 to all of you:D

[wombatman]

Quote:

Originally Posted by munozbasols

I have tried to factorize number and all this stuff but i don't know if i'm doing correctly.

5º then go to dbfactors
http://factordb.com/index.php?query=...79687199432000

6º and it's supossed to be composed by:

2 2 2 2 2 2 3 5 5 5 29 59 103 151 2081 2039603 322173601224816155025890456134799554747520954466786092411112732191046966619956024078927303819677756483239813379900670701979755688047

So whats wrong?

for me moment i'm factorizing numbers by myself.

Thanks

The number in bold is not fully factored. Look at the factordb link you provided--the 322... number is a composite number with 3 factors. You need to break it down to those three factors.