Exploiting a Flaw in Ransomware

Tuesday, January 26, 2016 @ 04:01 PM gHale

It is always nice to see the good guys find a flaw in ransomware. That is just what happened with the TeslaCrypt malware, which contains a design flaw that lets decryption tools recover a victim's files without the attacker's key.

The development is the result of a month of cooperation between former victims and researchers, who exploited a flaw in the way TeslaCrypt stores its encryption keys. The work was kept quiet so the malware's creator would not catch on and patch the flaw; now that TeslaCrypt 3.0 has been released, the group decided to publish its findings, researcher Lawrence Abrams said in a blog post.


The flaw affects TeslaCrypt and variants of TeslaCrypt 2.0, giving victims of these strains a way to decrypt their files without giving in to the malware creator's demands.

Ransomware is a serious class of malware. Once a variant such as TeslaCrypt or CryptoWall finds its way onto a victim machine, it encrypts the user's files, and the attackers demand a payment for the key, in virtual currency to protect themselves from being traced. Unless the victim pays, the files stay encrypted, and without the key the content is lost.

In TeslaCrypt’s case, the latest 3.0 version patched the design flaw, but victims of previous versions may now be able to decrypt their files for free.

The ransomware's flaw is not in the encryption algorithm itself, but in how the encryption keys are stored on a victim's PC.

A new AES key is generated every time TeslaCrypt restarts and begins encrypting files, so files on a single machine may end up encrypted under different keys. To protect these keys, the malware's author did not write them to disk directly but hid each one inside a larger number, relying on the difficulty of undoing that arithmetic. Today's computing power and the expertise of a few researchers produced tools able to reconstruct the keys despite this protection.

“The size of this stored key was not sufficiently strong enough to withstand the computing power of today’s modern computers,” Abrams said.

“Thus it was possible to use specialized programs to factorize these large numbers in order to retrieve their prime numbers. Once the prime numbers were retrieved, specialized tools are then able to use them to reconstruct the decryption key. For some victims this process could take as little as 5 minutes to complete, while others that had stronger numbers could take days.”
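The following is an added toy model of the weakness described above, written for this article; it is not TeslaCrack and not TeslaCrypt's own code. It assumes the stored value is simply the product of the per-session key and a second large number, that a candidate key is validated by decrypting the start of a file and comparing it with a known file header, and it stands in a SHA-256 XOR keystream for AES so the script runs offline. The key is 64 bits rather than 256, and the constructed numbers are built from ~16-bit primes so the factoring finishes instantly; real victims whose products had large prime factors waited days, as the article notes.

```python
"""Toy model of a key hidden only as a product with another large number.

Constructed example for this article. Not TeslaCrack, not TeslaCrypt code.
The "cipher" is an XOR keystream derived from SHA-256, a placeholder for AES.
"""
import hashlib
import itertools
import math

KEY_BITS = 64                 # toy session key size; TeslaCrypt used 256-bit AES keys
KNOWN_HEADER = b"%PDF-1.7"    # constructed: magic bytes expected at the file start


def toy_encrypt(key: int, data: bytes) -> bytes:
    """XOR data with a SHA-256 keystream keyed by the integer key (stand-in for AES)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        block = key.to_bytes(32, "big") + counter.to_bytes(4, "big")
        stream += hashlib.sha256(block).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


toy_decrypt = toy_encrypt     # XOR stream: the same operation in both directions


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n below roughly 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n in bases:
        return True
    if any(n % p == 0 for p in bases):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of composite n (Pollard's rho, Floyd cycle-finding)."""
    if n % 2 == 0:
        return 2
    for c in range(1, 1000):            # retry with a new polynomial if a cycle fails
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    raise ArithmeticError(f"rho failed on {n}")


def factorize(n: int) -> list:
    """Full prime factorisation with multiplicity, sorted ascending."""
    factors, pending = [], [n]
    while pending:
        m = pending.pop()
        if m == 1:
            continue
        if is_probable_prime(m):
            factors.append(m)
            continue
        d = pollard_rho(m)
        pending.extend([d, m // d])
    return sorted(factors)


def recover_key(stored_product: int, ciphertext: bytes, key_bits: int = KEY_BITS):
    """Factor the stored product, then test every subset product that fits in
    key_bits by decrypting the file start and comparing it to the known header.
    Returns the recovered key, or None if no candidate matches."""
    primes = factorize(stored_product)
    tried = set()
    for r in range(1, len(primes) + 1):
        for combo in itertools.combinations(primes, r):
            cand = math.prod(combo)
            if cand.bit_length() > key_bits or cand in tried:
                continue
            tried.add(cand)
            if toy_decrypt(cand, ciphertext[:len(KNOWN_HEADER)]) == KNOWN_HEADER:
                return cand
    return None


# Constructed victim scenario: the key and the masking number are each a
# product of four ~16-bit primes, so the stored value factors in milliseconds.
SESSION_KEY = 65521 * 65519 * 65497 * 65479     # 64-bit toy session key
MASK = 65537 * 65539 * 65543 * 65551             # the second large number
STORED_PRODUCT = SESSION_KEY * MASK              # what the toy "file header" holds


def demo() -> dict:
    plaintext = KNOWN_HEADER + b" constructed document body"
    ciphertext = toy_encrypt(SESSION_KEY, plaintext)
    recovered = recover_key(STORED_PRODUCT, ciphertext)
    return {
        "factors": factorize(STORED_PRODUCT),
        "recovered": recovered,
        "decrypted": toy_decrypt(recovered, ciphertext) if recovered else None,
    }


if __name__ == "__main__":
    result = demo()
    print("prime factors of stored value:", result["factors"])
    print("recovered key == session key:", result["recovered"] == SESSION_KEY)
    print("decrypted:", result["decrypted"])
```

The running time is dominated by the factoring step, and Pollard's rho finds a factor of size p in roughly sqrt(p) steps, which is why the article reports minutes for some victims and days for others: the hiding number is only as strong as its smallest prime factors, and a product with a handful of moderately sized factors gives the attacker a short list of subset products to test against a file with a predictable header.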

The design flaw allowed researchers to develop software able to recover decryption keys for TeslaCrypt files with the extensions .ECC, .EZZ, .EXX, .XYZ, .ZZZ, .AAA, .ABC, .CCC, and .VVV.

The newest version of TeslaCrypt uses the .TTT, .XXX, and .MICRO extensions, and files carrying those extensions remain impenetrable.

Methods and tools for decrypting these files appeared a while ago, but they were distributed quietly, by forum request and private hosting, to prevent TeslaCrypt's author from learning about the fix. Now that the new variant is no longer vulnerable to the same flaw, the researchers' work is out in the open.

TeslaCrack, the resulting tool, is now available to victims of the ransomware. It is a set of scripts for retrieving the keys on a Windows system.