For close to a month, the master encryption key unlocking files ravaged by TeslaCrypt has been publicly available, putting an end to a profitable strain of ransomware.
In the weeks since, various decryptors have been developed that can be used to unlock files. Kaspersky Lab, for one, updated its Rakhni utility to include TeslaCrypt v3 and 4 decryption capabilities, and yesterday, Cisco joined the fray, updating its own decryptor to address all four versions of TeslaCrypt.
The master key, released on May 19, unlocked files encrypted by versions 3 and 4 of TeslaCrypt, said Earl Carter, security research engineer with Cisco Talos, the company’s research arm.
“We’re not sure [the master key] works on previous versions,” Carter said. “Version 2 had a flaw and was decrypted, plus we had the decryptor for the original. All the different decryptors required the user to figure out which version they were infected with and find the right decryptor. We updated our original tool so that now everything is in one spot.”
It’s still a mystery as to why TeslaCrypt was shut down by its maintainers. Ransomware continues to hit businesses and consumers unabated, and the FBI puts first quarter revenues at more than $200 million and estimates it will be a billion-dollar business by year’s end. Still, TeslaCrypt had its soft spots, and almost from the get-go, experts were able to find decryption keys hidden in its code and build utilities victims could use to unlock files. This initiated a cat-and-mouse game in which the criminals would batten down the encryption behind their malware, and researchers would dig deeper.
“There are a few that use symmetric encryption, and any time it’s on the box and you can find the key, you can decrypt files,” Carter said. “Others using PKI keep the key off the box and it’s much harder to recover because it was never on the box in the first place.”
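The distinction Carter draws is the whole difference between a ransomware family that researchers can break and one that needs the operator’s cooperation. The following is an added illustration, not code from the original article and not TeslaCrypt’s real file format or any vendor’s decryptor: a toy model in Go of both designs. In the first, the file key is written to the box so the malware can decrypt after payment, and a decryptor only has to read it back. In the second, a fresh AES key per victim is wrapped with the operator’s RSA public key and then scrubbed, so nothing on the box unwraps it; modelling the released "master key" as that RSA private key is an assumption for illustration, since the page does not describe TeslaCrypt’s actual scheme. The names InfectV1, InfectV3, RecoverV1 and RecoverV3 are invented here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// aesSeal encrypts plaintext with AES-256-GCM; the random nonce is prepended.
func aesSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// aesOpen reverses aesSeal, failing on a wrong key or tampered ciphertext.
func aesOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Design 1 (hypothetical "v1"): symmetric key left on the box.
type InfectedBoxV1 struct {
	EncryptedFile []byte
	KeyFileOnDisk []byte // the weakness: the key never leaves the victim's machine
}

// InfectV1 encrypts the file and stores the key beside it, as a malware
// family that decrypts locally after payment would have to.
func InfectV1(plaintext []byte) (*InfectedBoxV1, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	ct, err := aesSeal(key, plaintext)
	if err != nil {
		return nil, err
	}
	return &InfectedBoxV1{EncryptedFile: ct, KeyFileOnDisk: key}, nil
}

// RecoverV1 is all a researcher's decryptor needs to do: read the key off the box.
func RecoverV1(box *InfectedBoxV1) ([]byte, error) {
	return aesOpen(box.KeyFileOnDisk, box.EncryptedFile)
}

// Design 2 (hypothetical "v3"): hybrid encryption, key wrapped with the
// operator's public key and the plaintext key scrubbed from the box.
type InfectedBoxV3 struct {
	EncryptedFile []byte
	WrappedKey    []byte // RSA-OAEP ciphertext; useless without the private key
}

func InfectV3(pub *rsa.PublicKey, plaintext []byte) (*InfectedBoxV3, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	ct, err := aesSeal(key, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	for i := range key { // the only copy of the file key on the box is gone
		key[i] = 0
	}
	return &InfectedBoxV3{EncryptedFile: ct, WrappedKey: wrapped}, nil
}

// RecoverV3 only works with the operator's private key, the analogue of the
// released master key; a decryptor built without it has nothing to work from.
func RecoverV3(priv *rsa.PrivateKey, box *InfectedBoxV3) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, box.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return aesOpen(key, box.EncryptedFile)
}

func main() {
	doc := []byte("constructed sample document") // constructed sample input
	v1, _ := InfectV1(doc)
	out, _ := RecoverV1(v1)
	fmt.Printf("v1 recovered from on-box key: %v\n", bytes.Equal(out, doc))

	master, _ := rsa.GenerateKey(rand.Reader, 2048)
	v3, _ := InfectV3(&master.PublicKey, doc)
	out, err := RecoverV3(master, v3)
	fmt.Printf("v3 recovered with master key: %v (err=%v)\n", bytes.Equal(out, doc), err)
}
```

The point of the second design is visible in RecoverV3’s signature: the one input that makes recovery possible is held by the operator, which is exactly why a released master key, rather than a reverse-engineered binary, was what finally unlocked the later versions.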
Once one variant is decrypted, it becomes a calling card for other researchers to poke around too. In the case of TeslaCrypt, this could be a reason the operation was shut down.
“Ransomware is such a money-maker, everyone wants a piece of the pie,” Carter said. “With all of these [TeslaCrypt] versions decrypted, it almost seems like they were not making as much money as they wanted. It’s hard to guess, we really don’t have any data to back that up. But looking from the surface, that would appear to be the case. People were having success taking their software apart, they weren’t making the money they wanted, so they gave up.”
The master key was dropped in a TeslaCrypt support site forum after a researcher from ESET saw hints the ransomware might be phased out and asked for the key. Experts at BleepingComputer said that CryptXXX might be the successor to TeslaCrypt; already popular exploit kits are distributing CryptXXX, and as a counter, some security companies, including Kaspersky Lab, have built decryptors for early versions of the malware.
TeslaCrypt’s encryption was updated fairly regularly in order to steer clear of security researchers and tools trying to analyze how it worked. By early this year, compromised WordPress and Joomla sites were in on the act, sending visitors to exploit kits such as Nuclear that dropped TeslaCrypt onto their computers. In April, researchers at Endgame Inc. found two separate TeslaCrypt updates that included new obfuscation and evasion techniques, and an expansive new list of targeted file extensions. Those attacks were primarily distributed via extensive spam campaigns.
“Exploit kits started dropping ransomware payloads versus keyloggers or click-fraud (malware),” Carter said. “Exploit kits combined with malvertising made it real easy to target people.”