New Utility Decrypts Data Lost to TeslaCrypt Ransomware

Cisco published an analysis of TeslaCrypt and a decryptor tool that recovers files lost to the ransomware.

Crypto-ransomware variants have enterprises on edge because of the threat of irreversibly damaged files. Some organizations, including most recently the Tewksbury, Ma., police department have gone as far as to pay hundreds of dollars in ransom for the recovery key.

Some technology companies are beginning to fight back with tools that decrypt potentially lost data. Kaspersky Lab, in cooperation with the National High Tech Crime Unit of the Netherlands and the Netherlands National Prosecutors Office, recently made available tool that helps recover files lost to the CoinVault ransomware. As of April 17, there were more than 700 decryption keys available in the database of the decryption application.

Today, Cisco followed suit with a lengthy analysis of the TeslaCrypt ransomware and a similar decryption tool, a command line utility that is capable of decrypting files lost to TeslaCrypt provided the owner is able to provide a master key.

TeslaCrypt is a CryptoLocker variant that specifically targets gamers, but that scope could be soon expanding with some researchers noting that exploit kits including Nuclear, Sweet Orange and Angler, have been dropping TeslaCrypt.

Once it infects a machine and encrypts files, TeslaCrypt instructs the victim to proceed to a decryption site where for 2.5 BTC or about $550, they can decrypt their files. As of April 16, no one had paid a ransom, researchers from the SANS Institute said.

Researchers at Bromium, last month, said TeslaCrypt goes after data files associated with 20 different online games, locking downloadable content in an attempt to target younger computer users. An unnamed compromised website was serving the malware, and victims are redirected by a Flash exploit to a site hosting the Angler exploit kit, and Angler drops the CryptoLocker variant.

Cisco’s TeslaCrypt Decryptor require the key.dat file in order to recover the master key used for encryption.

“Before it begins execution, it searches for ‘key.dat’ in its original location (the user’s Application Data directory), or in the current directory,” Cisco’s Talos researchers wrote today. “If it isn’t able to find and correctly parse the ‘key.dat’ file, it will return an error and exit.”

If the key.dat file can be copied into the tool’s directory, the user can specify which files or directories to decrypt. A number of command line options are made available as well that not only decrypt files and directories, but can also kill and delete the TeslaCrypt dropper. Cisco advises users to back up encrypted files before using the utility. Cisco made available a Windows binary, Python script and Windows source code for its tool.

“Our tool is missing a few features. In particular we haven’t had the time to implement the algorithm needed to recover the master key from the recovery key,” Cisco said. “This is important because in some versions of the dropper, the master key is stripped from the ‘key.dat’ file as soon as the file-encryption is completed.”

In its analysis of TeslaCrypt, Cisco researchers said the ransomware is making use of symmetric AES encryption, rather than asymmetric RSA-2048 as it claims in the warning presented to victims. Gamers should note that the ransomware encrypts saved games and Steam activation keys.

“This means that TeslaCrypt is targeting many different types of users, including PC gamers. Just like irreplaceable photos, a game save, which is the product of countless hours of gaming, is extremely valuable and hard to replace,” Cisco said.

Suggested articles


  • Will Read on

    Hey I know the TeslaCrypt virus is extremely prevalent this time of year, However; I was able to remove it from my computer using the steps listed in this 3-step guide Please let me know if anyone else if successful in removing this virus. The instructions are a little lengthy but it did the trick for me. Hope this helps at least a few people, Will
    • m1t0s1s on

      Will, Your life must suck.
  • Ignore Will on

    Lets just be clear about this for those seeking help. Ignore Will's comment a) SpyHunter will not recover decrpted files b) Spyhunter will not even clean the virus ... unless you pay for it! So clean up using malwarebytes anti-malware, and then hopefully dectrypt using the cisco tool, all for no charge :)
  • Carlos Guzman on

    What can i do, if I do not have a file key.dat and my pc was formatted and reinstalled?

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.