Published on June 14th, 2016
DECRYPTION UTILITIES UNLOCK FILES ENCRYPTED BY ALL TESLACRYPT VERSIONS
For close to a month, the master encryption key that unlocks files encrypted by TeslaCrypt has been publicly available, effectively ending a profitable strain of ransomware. In the weeks since, several decryptors have been built around it. Kaspersky Lab, for one, updated its Rakhni utility to handle TeslaCrypt v3 and v4, and yesterday Cisco joined the fray, updating its own decryptor to cover all four TeslaCrypt versions.
The master key, released on May 19, unlocked files encrypted by versions 3 and 4 of TeslaCrypt, said Earl Carter, security research engineer with Cisco Talos, the company's research arm. "We're not sure [the master key] works on previous versions," Carter said. "Version 2 had a flaw and was decrypted, plus we had the decryptor for the original. All the different decryptors required the user to figure out which version they were infected with and find the right decryptor. We updated our original tool so that now everything is in one spot."
It's still a mystery why TeslaCrypt was shut down by its maintainers. Ransomware continues to hit businesses and consumers unabated; the FBI puts first-quarter revenues at more than $200 million and estimates it will be a billion-dollar business by year's end. Still, TeslaCrypt had its soft spots, and almost from the start experts were able to find decryption keys hidden in its code and build utilities victims could use to unlock files. This set off a cat-and-mouse game in which the criminals would batten down the encryption behind their malware and researchers would dig deeper. "There are a few that use symmetric encryption, and any time it's on the box and you can find the key, you can decrypt files," Carter said. "Others using PKI keep the key off the box and it's much harder to recover because it was never on the box in the first place." Once one variant is decrypted, it becomes a calling card for other researchers to poke around too. In the case of TeslaCrypt, this could be one reason the operation was shut down.
"Ransomware is such a money-maker, everyone wants a piece of the pie," Carter said. "With all of these [TeslaCrypt] versions decrypted, it almost seems like they were not making as much money as they wanted. It's hard to guess, we really don't have any data to back that up. But looking from the surface, that would appear to be the case. People were having success taking their software apart, they weren't making the money they wanted, so they gave up." The master key was dropped in a TeslaCrypt support site forum after a researcher from ESET saw hints the ransomware might be phased out and asked for the key.
Experts at BleepingComputer said that CryptXXX might be the successor to TeslaCrypt; popular exploit kits are already distributing CryptXXX, and in response some security companies, including Kaspersky Lab, have built decryptors for early versions of that malware. TeslaCrypt's encryption was updated fairly regularly to steer clear of security researchers and of tools trying to analyze how it worked. By early this year, WordPress and Joomla sites compromised by exploit kits such as Nuclear were in on the act, pushing TeslaCrypt onto the computers of visitors. In April, researchers at Endgame Inc. found two separate TeslaCrypt updates that included new obfuscation and evasion techniques and an expanded list of targeted file extensions. Those attacks were primarily distributed via extensive spam campaigns. "Exploit kits started dropping ransomware payloads versus keyloggers or click-fraud (malware)," Carter said. "Exploit kits combined with malvertising made it real easy to target people."