Ransomware Shuts Down, Issues Key

Monday, May 23, 2016 @ 09:05 AM gHale


A ransomware operation shut down and is now offering a free decryption key to unlock files.

An ESET researcher, in a published report, said he contacted the TeslaCrypt operators through the support channel on their Dark Web ransom payment site. The operators replied that they were shutting down and agreed to release a master decryption key covering all victims.


The ransomware operators posted the decryption key on the regular Dark Web website where users came to pay the ransom, with the following message:

“Project closed. Master key for decrypt [KEY] Wait for other people make universal decrypt software. We are sorry!”

The master key works for both TeslaCrypt v3 and v4 infections. v3 regularly appended a secondary file extension (.xxx, .ttt, .micro or .mp3) to each encrypted file, so a file such as report.docx becomes report.docx.mp3; v4 left file names unchanged, so the extension alone does not tell a victim whether a file is encrypted.
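Before running a decryptor it helps to know which files on a host carry the v3 marker. The helper below is an added example, not code from the article, ESET or BloodyDolly; it walks a directory and counts files whose last extension is one of the four v3 markers, while treating the marker as secondary so that a legitimate song.mp3 is not mistaken for an encrypted file. The sample file names are constructed for illustration.

```python
"""Triage helper: inventory files carrying a TeslaCrypt v3-style secondary extension.

Added example for this article; not part of any vendor decryptor.
"""
import os
from collections import Counter
from pathlib import PurePath

# Secondary extensions the article attributes to TeslaCrypt v3 infections.
TESLACRYPT_SUFFIXES = {".xxx", ".ttt", ".micro", ".mp3"}


def looks_encrypted(name: str) -> bool:
    """Return True if `name` ends in a TeslaCrypt marker appended to an existing extension.

    The marker is *secondary*: 'report.docx.mp3' matches, but a plain 'song.mp3'
    does not, because v3 appended its marker to the original file name rather
    than replacing the extension. A name such as 'my.song.mp3' would still be
    reported, so treat hits under .mp3 as candidates to confirm, not certainties.
    """
    suffixes = PurePath(name).suffixes
    if len(suffixes) < 2:
        return False
    return suffixes[-1].lower() in TESLACRYPT_SUFFIXES


def inventory_names(names):
    """Count candidate encrypted files per marker extension (lower-cased)."""
    counts = Counter()
    for n in names:
        if looks_encrypted(n):
            counts[PurePath(n).suffix.lower()] += 1
    return counts


def inventory(root: str):
    """Walk `root` recursively and apply `inventory_names` to every file name found."""
    names = []
    for _dirpath, _dirs, files in os.walk(root):
        names.extend(files)
    return inventory_names(names)


# Constructed sample listing, standing in for a directory walk of an infected host.
SAMPLE_NAMES = [
    "report.docx.mp3",    # encrypted, marker .mp3 appended to .docx
    "song.mp3",           # legitimate audio file, single extension
    "budget.xlsx.micro",  # encrypted
    "photo.jpg.xxx",      # encrypted
    "thesis.pdf.xxx",     # encrypted
    "notes.txt.ttt",      # encrypted
    "archive.tar.gz",     # double extension, but not a TeslaCrypt marker
    "README",             # no extension at all
]

if __name__ == "__main__":
    for marker, n in sorted(inventory_names(SAMPLE_NAMES).items()):
        print(f"{marker}: {n} candidate file(s)")
```

Run it against a real mount point with `inventory("/mnt/victim")`; an empty result on a host known to be hit is itself informative, since it points at a v4 infection where file names were not changed and the decryptor must identify files by content instead.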

Users didn’t have to wait long for TeslaCrypt decryption software to appear, though. ESET released a decryptor of its own, and BloodyDolly updated his older TeslaDecoder to accept the newly published master key.

Lawrence Abrams from Bleeping Computer said researchers noticed a gradual slowdown in the number of infections caused by this ransomware, along with a decrease in the number of spam messages sent out to infect users.

Fortinet ranked TeslaCrypt as number three in a list of the most popular ransomware infections during the first three months of the year, after CryptoWall and Locky.

Abrams said the TeslaCrypt operators had gradually switched to distributing the CryptXXX ransomware instead. It appears the TeslaCrypt operators aren’t really “sorry” but merely moved on to a strain they considered better.

TeslaCrypt had been cracked numerous times in the past, hence the existence of BloodyDolly’s TeslaDecoder. Switching to CryptXXX might not have been such a great idea either: Kaspersky had already cracked that family twice, first CryptXXX 1.0 and then CryptXXX 2.0, the latter only a few days after the crooks released it.