Posted by David Harley on May 19, 2016.

Are the TeslaCrypt operators genuinely apologizing? Probably not, since it seems that they may well have moved on to CryptXXX rather than retiring to a monastery to flagellate themselves with birch twigs. However, an ESET analyst, noticing that the TeslaCrypt project seemed to be shutting down, contacted them via the Tesla support/payment site and asked them to release the master decryption key.

Unexpected Benevolence

Since ransomware operators aren’t generally renowned for their benevolence, it was a pleasant surprise to see them post the master key with the message:

Project closed

master key for decrypt […]

wait for other people make universal decrypt software

we are sorry!

And, sure enough, both ESET and BloodDolly quickly came up with decryptors. Instructions for the use of the ESET tool are here, and for BloodDolly’s tool at Bleeping Computer here. [Added 21st May 2016: Note that neither tool seems to be able to decrypt all files mangled by all variants of TeslaCrypt.]

For Softpedia, Catalin Cimpanu noted that:

TeslaCrypt has been cracked numerous times in the past […] Switching to CryptXXX might have not been such a great idea either, since Kaspersky had already cracked the ransomware twice. It did so for CryptXXX 1.0, and it did so for CryptXXX 2.0, just a few days after crooks released it.

[Added 25th May] In case it’s of interest: Peter Stancik discusses the decline and fall of TeslaCrypt with Igor Kabana, who was responsible for ESET’s decryption tool.

[Added 19th May 2016]

TeslaCrypt Revisited

TeslaCrypt has had a chequered career: here’s some earlier info drawn from the AVIEN ransomware resource pages. A flaw in TeslaCrypt that allowed decryption by third parties was fixed in TeslaCrypt 3.0, but you may find it interesting nonetheless for the insight into how security companies and researchers work: TeslaCrypt Decrypted: Flaw in TeslaCrypt allows Victim’s to Recover their Files

More recent versions included a range of other ‘improvements’: it stopped using extensions to flag encrypted files (thus making identification a little harder), and was by then delivered by spam campaigns as well as by exploit kits. Here are a few links regarding those versions.

David Harley