sb-as logo
Story image

Expert insight from the author of the ESET TeslaCrypt decryptor

31 May 2016

Article by Peter Stancik, ESET security expert

Our news about ransomware TeslaCrypt operators shutting up shop attracted a lot of attention and prompted several additional questions.

So we’ve approached the best-placed person to address them – Igor Kabina, the ESET malware researcher who first noticed that things had started to change around TeslaCrypt ransomware and ultimately created the universal ESET TeslaCrypt decryption tool.

TeslaCrypt ended happily – with internet users rid of this ransomware, and its victims able to take advantage of a free decryptor. And you played a crucial role in the latter, correct?

I asked TeslaCrypt’s operators to release the universal master decryption key for the latest, undecryptable version of TeslaCrypt. And they made it public. Having the key, I immediately started creating a decryption tool in order to make it possible and more convenient for ransomware victims to recover their files.

Put in a nutshell, it sounds simple. But it’s not that common to ask ransomware operators for decryption keys…

Yes, decryption keys are the ‘key’ – literally! – to the whole ransomware business. It’s what the victims must pay for, if they fall victim to ransomware and don’t have a functional backup of their data. If you fall victim of this kind of cybercrime and you’re not prepared, you will find yourself in serious trouble.

But we quite often read about decryptors that enable victims to recover their files.

Yes, sometimes the bad guys employ weak encryption or make an implementation mistake that enables us to come up with a decryptor. But such solutions usually make use of a particular hole in the ransomware attack – and holes like these tend to get closed in the next version of the ransomware.

That’s what makes this case different – thanks to the master key, I was able to implement a tool that can decrypt several of the latest TeslaCrypt versions at the same time.

Okay, let’s get back to how you got the universal decryption key. We’ve learned that you simply requested it from the malware’s operators. Was it really that simple?

For quite a long time, I’d been keeping an eye on TeslaCrypt ransomware – it’s my job to keep pace with developments in malware, in order to help keep ESET clients safe. I witnessed earlier versions of this ransomware, which, thanks to bugs inside them, allowed a decryptor to be created. Unfortunately, the latest versions of TeslaCrypt came with an improved key protection algorithm and so were really powerful.

Knowing how a typical malware lifecycle looks, I expected further development of TeslaCrypt. But several weeks ago, I noticed that development had started to slow. It seemed to me that the operators were about to quit – incidentally, some of the groups who distributed TeslaCrypt had started to switch to another brand of ransomware, CryptProjectXXX.

On April 27th, a version that later turned out to be the very last version of TeslaCrypt was compiled. Soon after that, I noticed that the people behind it had stop spreading this version and that all the links they used were slowly dying. So I tried my luck, pretended to be one of their victims and asked them if they would be so kind as to release all four of the private keys they had been using since TeslaCrypt started. They answered me in one day, which was their usual response time, but provided me only with the key for the victim I was pretending to be. I asked them again If they could, as a gesture, release at least the latest (4th) universal private key. A day and a half later I noticed that a “Project closed” announcement had been posted on the TeslaCrypt page. At first I didn’t believe they had really released the key, but after I checked the corresponding public key I was 100% sure it was the right one.

One question comes to mind as you speak about your contacts with these malware operators. Is it common for malware researchers to talk to the guys on the dirty side of the business?

Let me be clear that all the communications ran via the official channel that the bad guys had created for communicating with their victims. Think of it as normal software help desk. Since it’s anonymous, the operators had no idea who they were communicating with – I was pretending to be a random victim of TeslaCrypt.

And now let me answer your question: no, it’s not common for malware researchers get in touch with the bad guys, but in this case it seemed to be worth a shot.

Article by Peter Stancik, ESET security expert

Story image
AWS launches fully-managed fraud detection service
Businesses lose billions of dollars to online fraud every year, however businesses respond by investing in cumbersome fraud management solutions that often rely on hand-coded rules and are difficult to keep up to date.More
Story image
Tanium and Google Cloud bring greater security to distributed IT
“This joint solution with Chronicle gives Tanium customers access to massively scalable analytics and investigation capabilities far beyond that of other endpoint detection and response point tools."More
Story image
How business can lift protection against mobile threats
The mobile phone has become ubiquitous both personally and professionally. Many of these devices are able to access corporate networks and sensitive data, yet many may not be as protected or secured as company-owned devices.More
Story image
Huawei introduces all-flash OceanStor Dorado arrays
All-flash offers stability and high-performance storage with extremely low levels of latency – and it can offer reliability in the event of a disaster.More
Story image
Just 6,000 accounts responsible for over 100,000 email attacks - report
Barracuda has today released a report detailing how 6,170 malicious accounts that use Gmail, AOL, and other email services were responsible for more than 100,000 business email compromise (BEC) attacks on nearly 6,600 organisations. More
Story image
Deal triple damage against ransomware with these 3 ultimate strategies
The three main strategies you need to win every ransomware battle are education, implementation, and remediation. More