A proven method to get rid of .ccc ransomware?

iamgenius

My brother gave me his computer so that I can help him get rid of the nasty .ccc virus/ransomware. It is a virus that will encrypt all your files and give them .ccc file extension. You will not be able to open the files at all. I use Malwarebytes and Avast antivirus. They can detect the virus, but I'm not sure whether the files will be readable after all instances of the virus/malware are removed.

I need to do a boot scan which will take a long time. Has anybody got infected and successfully got rid of all bad files and was able to recover all his files?

I searched the web, but there doesn't seem to be a known way to get things fixed easily.

Can anybody help?

Thanks.
 

KeithP

If the files are encrypted it won't matter if you remove the program that encrypted them, the files will remain encrypted.

http://www.bleepingcomputer.com/new...re-adds-the-ccc-extension-to-encrypted-files/

A new version of TeslaCrypt has been released that is now using the ccc extension when encrypting files. This version utilizes the same payment site as previous variants and requires a 2 bitcoin, or approximately $500 USD, ransom in order to decrypt your files. Unfortunately, there is no way to decrypt this version for free at this time due to how the private decryption keys are generated. The ransom notes for this version are named howto_recover_file_.txt and howto_recover_file_.html. These ransom notes are generated in each folder that a file has been encrypted and on your Windows desktop.

-KeithP
 

iamgenius

> If the files are encrypted it won't matter if you remove the program that encrypted them, the files will remain encrypted.
>
> http://www.bleepingcomputer.com/new...re-adds-the-ccc-extension-to-encrypted-files/
>
> -KeithP

This is what I was afraid of. So, the files are really encrypted then, not just corrupted or something similar. And they are really using public key cryptography! Shame on them bad guys!

Will paying them really get the files back? I doubt that.

Some say restoring previous versions of files can recover them. I'll see what I can do.

What a nasty malware!!!

Thanks for your comment, Keith.
 

slag

> Some say restoring previous versions of files can recover them.

I read this in my best Jeremy Clarkson voice.

Seems to make sense that if you restored versions prior to their encryption that they would now not be encrypted.
 

John Connor

This is why I use Sandboxie. It will help greatly. I also use NoScript, but that can be very cumbersome. You can disable NoScript and allow it to not block scripts for basic protection though.
 

Captante

> This is why I use Sandboxie. It will help greatly. I also use NoScript, but that can be very cumbersome. You can disable NoScript and allow it to not block scripts for basic protection though.


Yep ... the one time I ran into the so-called FBI virus Sandboxie stopped it in its tracks. Norton detected it too but fortunately that didn't matter.
 

lxskllr

> Will paying them really get the files back? I doubt that.

Everything I've heard says paying will decrypt the files, and they even have good cs. Their business plan wouldn't work if they didn't follow through.
 

iamgenius

format/reinstall ?

The main problem isn't getting the system clean again and in a good working condition. In fact that's a much easier task. The actual problem is getting the files to open. And I'm talking about actual data files, not system files (mostly Word docs and images). They now have .ccc extension and no program can open them. They are encrypted as explained and need to be decrypted with the appropriate key. At first, I thought it was just some symptoms of the infection.

I really hope that the files come back after getting rid of all virus instances, but that doesn't seem to be the case as you can see.

I made avast do a boot scan and left the PC for the weekend. It will take a long time. Hopefully things will be alright.
 

Elixer

> Everything I've heard says paying will decrypt the files, and they even have good cs. Their business plan wouldn't work if they didn't follow through.

There is no guarantee that you will get the files back either.
That said, I still wouldn't give in to blackmail.
 

crashtech

A tutorial on backup strategies might be called for. An OS is a breeze to restore, personal data, not so much.
 

iamgenius

Damn it. I have never been this helpless. The PC is clean now, but as expected the files remained encrypted. I think I'll image the whole disk (250 GB) and save it somewhere in two different locations so that if a solution comes up, I'll use it to try to recover the files. Some said the encryption used is actually symmetric and not public key crypto, and they were able to somehow extract the key. For now, I'll just format the PC to ensure nothing is left from this nasty malware, and I'll then reload Windows. Hell, I might even write zeros to it.

Everyone, take preventive measures. This is no ordinary infection. I myself will review my backup strategies.
 

lxskllr

> That said, I still wouldn't give in to blackmail.

I generally agree, but it depends on how valuable the data is. Most people's data is worth far more than the computer it sits on, and in some cases can be worth hundreds of thousands $. Valuable data should have a backup plan that matches its value, but you know how that goes. It's all fun and games til your shit ends up encrypted...
 

JEDIYoda

> My brother gave me his computer so that I can help him get rid of the nasty .ccc virus/ransomware. It is a virus that will encrypt all your files and give them .ccc file extension. You will not be able to open the files at all. I use Malwarebytes and Avast antivirus. They can detect the virus, but I'm not sure whether the files will be readable after all instances of the virus/malware are removed.
>
> I need to do a boot scan which will take a long time. Has anybody got infected and successfully got rid of all bad files and was able to recover all his files?
>
> I searched the web, but there doesn't seem to be a known way to get things fixed easily.
>
> Can anybody help?
>
> Thanks.

Are you really a genius??
 

JamesV

Curious... did you try and simply change the extension of the encrypted files?

If they really were encrypted it obviously wouldn't do anything, but I'm guessing there might be copycat scammers out there that might try and simply change the extension without actually encrypting.

Just a shot in the dark. Good luck.
 

iamgenius

> Curious... did you try and simply change the extension of the encrypted files?
>
> If they really were encrypted it obviously wouldn't do anything, but I'm guessing there might be copycat scammers out there that might try and simply change the extension without actually encrypting.
>
> Just a shot in the dark. Good luck.

Yes, I actually did. It was one of the first things I tried. The extension is really changed to .ccc. The files don't open even if you try to open them with the correct associated program.

Thanks for the tip though
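
The "renamed or really encrypted?" check from the exchange above, as an added example that is not part of the original thread: it lists the ransom notes named earlier and gives a verdict for each .ccc file by looking for an intact file header and, failing that, measuring byte entropy. The function names, the header table and the 7.0 bits-per-byte cut-off are assumptions made for this sketch.

```python
import math
import os
from collections import Counter

# Leading bytes of the file types named in the thread (Word docs, images).
MAGIC = {
    b"\xd0\xcf\x11\xe0": "legacy Office document",
    b"PK\x03\x04": "ZIP container (docx/xlsx)",
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG": "PNG",
}
NOTE_PREFIX = "howto_recover_file_"  # ransom-note name quoted earlier in the thread
ENTROPY_LIMIT = 7.0                  # assumed cut-off, bits per byte (max is 8.0)


def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def classify(head: bytes) -> str:
    """Say whether a .ccc file looks renamed or has had its content replaced."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return f"renamed only: {kind} header intact"
    if entropy(head) > ENTROPY_LIMIT:
        return "high entropy: consistent with encryption"
    return "unknown: inspect manually"


def triage(root: str) -> dict:
    """Walk a folder tree, listing ransom notes and a verdict per .ccc file."""
    report = {"notes": [], "files": {}}
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            if name.lower().startswith(NOTE_PREFIX):
                report["notes"].append(path)
            elif name.lower().endswith(".ccc"):
                with open(path, "rb") as fh:  # read-only; nothing is modified
                    report["files"][path] = classify(fh.read(4096))
    return report


if __name__ == "__main__":
    import sys
    for path, verdict in triage((sys.argv[1:] or ["."])[0])["files"].items():
        print(f"{verdict:45} {path}")
```

Run it against a read-only copy of the disk image rather than the live disk. A "renamed only" verdict means the file is worth opening under its original extension; a high-entropy verdict is consistent with encryption but does not prove it.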
 

JEDIYoda

Needless to say - if you are not backing up your data, I would call you an idiot!!
 

Elixer

TeslaCrypt no more?
http://www.bleepingcomputer.com/new...huts-down-and-releases-master-decryption-key/

In a surprising end to TeslaCrypt, the developers shut down their ransomware and released the master decryption key. Over the past few weeks, an analyst for ESET had noticed that the developers of TeslaCrypt have been slowly closing their doors, while their previous distributors have been switching over to distributing the CryptXXX ransomware.

When the ESET researcher realized what was happening, he took a shot in the dark and used the support chat on the Tesla payment site to ask if they would release the master TeslaCrypt decryption key. To his surprise and pleasure, they agreed to do so and posted it on their now defunct payment site.
 

Elixer

And if that wasn't enough...
TeslaDecoder can now decrypt all variants of TeslaCrypt 3.x and 4.x.
Available here: http://www.bleepingcomputer.com/for...pt-exx-ezz-ecc-files-encrypted-by-teslacrypt/

They also say "we are sorry"?

Wonder if they got pinched, and now, they are doing this to avoid criminal trials?