TeslaCrypt victims can now decrypt their files for free

19.05.2016
Victims of the widespread TeslaCrypt ransomware are in luck: Security researchers have created a tool that can decrypt files affected by recent versions of the malicious program.

Surprisingly, the TeslaCrypt creators themselves helped the researchers.

TeslaCrypt first appeared in early 2015 and stood out by targeting game-related user content, such as save files and custom maps, in addition to personal documents and pictures -- 185 different file extensions in total.

The program had some moderate success in the beginning, earning its creators $76,522 in less than two months. However, in April 2015, researchers from Cisco Systems discovered a flaw in the ransomware program that allowed them to create a decryption tool for some of its variants.

The number of TeslaCrypt attacks spiked in December and starting with version 3.0.1 of the program, which appeared in March, all encryption flaws were fixed and the existing decryption tools were rendered ineffective. That lasted until Wednesday.

Researchers from security vendor ESET have recently managed to obtain a copy of TeslaCrypt's master key, allowing them to create a new decryption tool that is capable of recovering files affected by the newer versions of TeslaCrypt (3.0 and higher). They didn't do this by exploiting a vulnerability in the program or its command-and-control servers, but by asking its creators for it.

"Recently, TeslaCrypt’s operators announced that they are wrapping up their malevolent activities," the ESET researchers said in a blog post. "On this occasion, one of ESET’s analysts contacted the group anonymously, using the official support channel offered to the ransomware victims by the TeslaCrypt’s operators, and requested the universal master decryption key. Surprisingly, they made it public."

The tool can recover TeslaCrypt-encrypted files whose extension was changed to .xxx, .ttt, .micro and .mp3, as well as those whose extension hasn't been modified. Instructions on downloading and using the tool can be found on ESET's support website.

Lucian Constantin