TeslaCrypt has shut down and the security researchers of ransomware have created a tool that can decrypt files affected by recent versions of the malicious program.
Over the past few weeks, an analyst for ESET had noticed that the developers of TeslaCrypt have been slowly closing their doors, while their previous distributors have been switching over to distributing the CryptXXX ransomware.
The ESET researcher then used the support chat on the TeslaCrypt payment site to ask whether they would release the master TeslaCrypt decryption key. To his surprise and pleasure, they agreed to do so and posted it on their now-defunct payment site, along with an apology for their acts.
“Project closed, master key for decrypt XXX…XXX, we are sorry.”
It is hard to believe that the crooks really were sorry, but the master key appears to be genuine. The decision seems to have killed off the threat.
TeslaCrypt, which first appeared in early 2015 and often targeted gamers, landed on systems through malicious downloads, web domains that load exploit kits, and phishing campaigns. As ransomware, TeslaCrypt infected systems and encrypted user files, put up a ransom page and blocked access to the PC until a ransom was paid, usually in the virtual currency Bitcoin.
What made TeslaCrypt a particularly severe case is that the developers behind the malware were very active, and researchers found it difficult to crack the software before new, even more sophisticated versions were released into the wild.
The program had some moderate success in the beginning, earning its creators $76,522 in less than two months. However, in April 2015, researchers from Cisco Systems discovered a flaw in the ransomware program that allowed them to create a decryption tool for some of its variants.
The number of TeslaCrypt attacks spiked in December, and starting with version 3.0.1 of the program, which appeared in March, all encryption flaws were fixed and the existing decryption tools were rendered ineffective. That lasted until Wednesday.
A TeslaCrypt expert has used the master key to update the TeslaDecoder decryption software so that it can unlock files from all versions of the ransomware, whether they carry the .xxx, .ttt, .micro or .mp3 extension or no extension at all, without giving in to the malware's demand for payment.
With the release of the master decryption key for TeslaCrypt, victims can now download TeslaDecoder to decrypt files encrypted by TeslaCrypt.
Each computer, or more commonly each file, uses a unique, randomly chosen key that is never saved on disk, so it can’t be recovered directly.
Instead, the file encryption key is itself encrypted using a public key for which only the crooks have the corresponding private key.
It is all-but-unheard-of for ransomware authors to release a master key capable of decrypting all infected files.