How to recover files encrypted by all Teslacrypt Ransomware variants

Pierluigi Paganini June 11, 2016

Experts from Cisco Talos team have improved their decryptor tool to allow the recovery of files encrypted by all the Teslacrypt Ransomware variants

In May, criminals behind the TeslaCrypt ransomware leaked online the master encryption key that allowed security experts to develop a decryption tool for the last variant of the threat.

“In surprising end to TeslaCrypt, the developers shut down their ransomware and released the master decryption key. Over the past few weeks, an analyst for ESET had noticed that the developers of TeslaCrypt have been slowly closing their doors, while their previous distributors have been switching over to distributing the CryptXXX ransomware. ” reported  from bleepingcomputer.com that also published a step by step guide to use the Teslacrypt decryption Tool.

Teslacrypt ransomware decryption tool

The decryptor was developed by experts from the ESET security Firm, it was able to unlock files encrypted by versions 3 and 4 of TeslaCrypt by using the above master key, released on May 19.

“Today, ESET® released a decryptor for recent variants of the TeslaCrypt ransomware. If you have been infected by one of the new variants (v3 or v4) of the notorious ransomware TeslaCrypt and the encrypted files have the extensions .xxx, .ttt, .micro, .mp3 or remained unchanged, then ESET has good news for you.” announced ESET.

I have other good news for the victims of all TeslaCrypt variants, Cisco Talos Team has updated its decryptor tool to address all four versions of TeslaCrypt ransomware in wild.

“Talos has developed a decryption tool to aid users whose files have been encrypted by TeslaCrypt ransomware. The Talos TeslaCrypt Decryption Tool is an open source command line utility for decrypting TeslaCrypt encrypted files so users’ files can be returned to their original state.” states the announcement published by Cisco Talos.

Version 1.0 is able to decrypt all the files encrypted by all version of TeslaCrypt and AlphaCrypt:

  • TeslaCrypt 0.x – Encrypts files using an AES-256 CBC algorithm
  • AlphaCrypt 0.x – Encrypts files using AES-256 and encrypts the key with EC
  • TeslaCrypt 2.x – Same as previous versions, but uses EC to create a weak Recovery key. The application is able to use factorization to recover the victim’s global private key.
  • TeslaCrypt 3 & 4 – The latest versions. Able to decrypt thanks to the C&C server EC private key which was recently released.

It’s still unclear why crooks decided to leak the TeslaCrypt ransomware masterkey, the threat is continuing to infect netizens and businesses across the world.

The experts from the FBI estimated the first quarter revenues for the TeslaCrypt ransomware at more than $200 million.

In some cases, the experts have discovered the decryption keys hidden in the source code of the threat, a circumstance that allowed them to build a decryption tool.

Last improvements for the TeslaCrypt ransomware were observed by experts at Endgame Inc in April, the authors implemented new sophisticated obfuscation and evasion techniques and were able to target new file types.

You can download Teslacrypt Tool for free from Talosintel.com

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – cybercrime, TeslaCrypt Ransomware)



you might also like

leave a comment