Anti-Malware , Encryption , Technology

Master Key to TeslaCrypt Released by Ransomware Gang

In a Surprise Twist, Cybercrime Developers Tell Victims: 'We Are Sorry!'
Master Key to TeslaCrypt Released by Ransomware Gang

There's rarely good news in the world of cybercrime. But for victims of the TeslaCrypt ransomware, there's been a surprising twist, and one that provides relief.

See Also: Ransomware: The Look at Future Trends

On Wednesday, security vendor ESET said whomever is behind the TelsaCrypt ransomware - part of a noxious family of malware that encrypts most files on a computer and demands a ransom - suddenly released the master decryption key.

"One of ESET's analysts contacted the group anonymously using the official support channel offered to the ransomware victims ... and requested the universal master decryption key," ESET says in a blog post. "Surprisingly, they made it public."

With the key in hand, ESET was able to build and release a tool that will unlock computers affected by any of the four versions of TeslaCrypt that have been seen to date. Another tool for unlocking TeslaCrypt-infected PCs is TeslaDecoder, which has also been updated to make use of the now-released master decryption key, according to the Bleeping Computer forum, which reports that TeslaCrypt's developers appear to have been wrapping up their operations recently, and that many ransomware users have been switching to CryptXXX ransomware instead.

The TeslaCrypt decryption key was published on a hidden ".onion" website viewable through the Tor browser. It included a mystifying note in broken English: "Project closed. Wait for other people to make universal decrypt software. We are sorry!"

Whether the apology is sincere is impossible to tell. But ransomware - by all measures - has become one the greatest threats facing Internet users. Law enforcement and computer security companies have been struggling to counter it.

Ransomware Attacks Surge

Once ransomware infects a computer, it typically encrypts most file types and displays a message demanding a ransom, usually payable in the virtual currency bitcoin or another Internet-based payment system. In return for the ransom, cybercriminals promise to share a decryption key that will unlock all of the files.

Although ransomware has been around for more than decade, it has proliferated over the past couple of years. Consumers often see an average ransom demand of a few hundred dollars (see Please Don't Pay Ransoms, FBI Urges).

Those running the schemes have increasingly diversified their targets, going after governments, schools and hospitals in hopes of higher payments.

"Ransomware attacks are not only proliferating, they're becoming more sophisticated," the FBI warned on April 29 (see FBI Alert: $18 Million in Ransomware Losses). "Several years ago, ransomware was normally delivered through spam emails, but because email systems got better at filtering out spam, cybercriminals turned to spear phishing emails targeting specific individuals."

Ransomware Defenses

One defense is to not fall prey to targeted attacks through email and to avoid opening malicious documents or links. Security software can often spot and block attacks, but such applications are far from foolproof (see Ransomware: 7 Defensive Strategies).

A sure-fire way to recover from ransomware is to ensure that files are backed up and that the backup is not connected to the same network as an infected computer. But some organizations do not segregate their backups in such a way or even do timely ones.

TeslaCrypt was first seen early last year and appeared to be a variant of CryptoLocker, another type of ransomware designed to forcibly encrypt PCs. In mid-2014, CryptoLocker disappeared after the U.S. Department of Justice, working with law enforcement agencies in Australia, Germany, France, Japan, Ukraine and the United Kingdom, shut down the Gameover Zeus botnet.

TeslaCrypt initially focused on targeting gamers. It was engineered to encrypt files containing saved game sessions and activation keys for the Steam gaming marketplace, according to a Cisco blog post. The ransom demand was typically $500.

But in April 2015, Cisco's Talos unit created a tool that could recover files encrypted by an early version of TeslaCrypt. That version used a weak encryption algorithm and stored the decryption keys on the victim's device.

The triumph, however, was only temporary, as subsequent versions of TeslaCrypt closed that hole. Other researchers have occasionally found coding errors or mistakes in other types of ransomware, but developers and the cybercrime gangs who increasingly rely on ransomware to generate illicit profits usually react quickly to code flaws and fix the malware, so as to not disrupt their revenue stream.


About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network