Surprisingly, after ESET sent a request for the TeslaCrypt ransomware master key to the criminal gang behind the attacks, they responded by making the decryption key public and even issued an apology. The surprise move signals the end of the ransomware that was used primarily to target gamers

TeslaCrypt Ransomware Master Key Released

So does the release of the TeslaCrypt ransomware master key mean that the attacks will now stop? The answer to that is a little complicated. Attacks using TeslaCrypt will slow and stop soon, and even if some individuals have their computer files locked by the ransomware they will not need to pay a ransom.

Once the TeslaCrypt ransomware master key was made public, security companies started work on decryption tools to unlock infections. ESET have added the key to their TeslaCrypt decryption tool, and Kaspersky Lab similarly used the master key to update the decryption tool it had been using to unlock earlier versions of the ransomware.

That does not mean that the criminal gang behind the campaign will stop its malicious activity. It just means that the gang will stop using TeslaCrypt. There are many other types of ransomware that can be used for attacks. In fact, it would appear that TeslaCrypt has now simply been replaced with a new form of ransomware called CryptXXX. According to ESET, many of the distributers of TeslaCrypt have already switched to CryptXXX.

Under normal circumstances, contacting a criminal gang and asking for the TeslaCrypt ransomware master key would not have worked. Attackers running profitable ransomware campaigns are unlikely to respond to a polite request asking to unlock an infection without paying a ransom, let alone supply a master key that can be used to unlock all infections.

The reason for the release is TeslaCrypt was already being phased out. ESET researcher Igor Kabina noticed that TeslaCrypt infections were slowing, which signaled that either the gang behind the ransomware was phasing it out in favor of a new malware, or that a new and updated version of TeslaCrypt would soon be released. Kabina decided to contact the attackers through the channels set up to allow victims to contact the gang and pay the ransom.

Kabina asked for the private decryption keys to unlock all four versions of the ransomware. He was answered within one day and was provided the key for the version he claimed to have been infected with. He then sent another message requesting the release of the latest key to unlock v4 of the ransomware, and noticed on the TeslaCrypt page that the gang had announced that the project had been closed. The universal key had been posted on an anonymous .onion page that can be accessed using the Tor browser.

There is a constant battle between security companies and ransomware developers. Oftentimes, ransomware variants contain flaws that allow antivirus companies to develop decryption tools. When these tools are released attackers work rapidly to repair the security flaw and release a new, more robust version of the ransomware. This was the case with TeslaCrypt. Flaws in the first version allowed a tool to be developed. A decryption tool was released, and version 2 of the ransomware was released. TeslaCrypt is now on the fourth version.

As with Cryptowall, TeslaCrypt has now been shut down; however, CryptXXX is still very much active and is still being updated. Furthermore, the attackers have learnt from their mistakes and have developed CryptXXX to be a much harder nut to crack.

CryptXXX is run alongside a program that monitors the system on which it is run to check if it is in a virtual environment or sandbox or otherwise being probed. If abnormal behavior is identified, the encryption routine is restarted. CryptXXX is also spread via spam email, exploit kits, and malvertising. This means that it is much easier to spread and more attacks are likely to occur. Companies and individuals therefore face a much higher risk of an attack.

The release of the TeslaCrypt ransomware master key is therefore only good news if you have been infected with TeslaCrypt. With the move to CryptXXX it is even more important to have solutions in place to prevent attacks, and a plan in place to deal with an attack when it occurs.