TeslaCrypt is a now defunct variant of ransomware. It can now be considered defunct because this month (May 2016) the TeslaCrypt developer(s) released a master key that will decrypt the files on any system that were encrypted with TeslaCrypt after Lawrence Abrams, a security researcher for the IT security company ESET, asked for the master decryption key on a TeslaCrypt support site after noticing that the TeslaCrypt variant of ransomware was being phased out in favor of another ransomware variant, CryptXXX, though Abrams rated CryptXXX inferior to TeslaCrypt stating "TeslaCrypt showed a great deal of experienced coding and knowledge about cryptography. CryptXXX on the other have had both of their versions decrypted already."1
TeslaCrypt underwent improvements in its own coding over time after first emerging in March 2015. It was originally developed to encrypt files associated with some computer games forcing players to pay a ransom in bitcoins, a preferred payment method for ransomware developers, because of its anonymity feature. Once a system was infected the ransomware would search for 185 file extensions related to 40 different games, including the Call of Duty series, World of Warcraft, Minecraft and World of Tanks and encrypt files so that players would be forced to pay a ransom to the TeslaCrypt developer(s) to unlock their data2. Later the developers expanded the types of files that were encrypted to include Microsoft Word, PDF, and JPG files that would likely be found on nongamers' systems. When researchers for Cisco Systems Talos Group managed to develop a decryption tool for TeslaCrypt, the TeslaCrypt developer(s) released a version 2.0 of the ransomware so that the Talos Group tool could no longer be used to free victims from paying a $500 USD ransom to decrypt their files.
Later, in November of 2015, Kaspersky Lab researchers discovered a flaw in the 2.0 version of TeslaCrypt, which was corrected by the TelaCrypt developer(s) in a 3.0 release circulating as of January 2016.
On March 18 of 2016, version 4.0 of the ransomware was discovered. Researchers for the Danish security firm Heimdal Security published the security alert Security Alert: TeslaCrypt 4.0 – Unbreakable Encryption and Worse Data Leakage regarding enhancements to the malware that made it even harder to crack. The 4.0 upgrade also fixed a bug that would render files greater than 4 GB permanently unavailable even to those who paid the ransom. Morten Kjaersgaard, CEO of Heimdal, stated "They're really trying to make it like a product so when you do pay up you get your money's worth,"3 since ransomware developers know they won't be able to get new victims to pay the ransom if there are widespread reports by prior victims that they couldn't decrypt files even after paying the ransom. The 4.0 version of the ransomware also incorporated code to join infected computers into a botnet.
Now, though, with the release of a free, publicly available tool from ESET, which can be dowloaded from http://download.eset.com/special/ESETTeslaCryptDecryptor.exe, to decrypt files encrypted with TeslaCrypt using the master key, victims can unencrypt their files without paying a ransom.
References:
-
TeslaCrypt authors release master keys, Ransomware Info Day held 19 May
By: Danielle Correa
Date: May 20, 2016
SC Magazine -
TeslaCrypt
Wikipedia, The Free Encyclopedia -
TeslaCrypt 4.0 emerges; ransomware features tougher encryption, deeper
penetration
By: Bradley Barth, Senior Reporter March 21, 2016
SC Magazine -
Security Alert: TeslaCrypt 4.0 – Unbreakable Encryption and Worse Data Leakage
By: Andra Zaharia
Date: March 18, 2016
Heimdal Security
