How to recover files encrypted by all Teslacrypt Ransomware variants

Experts from Cisco Talos team have improved their decryptor tool to allow the recovery of files encrypted by all the Teslacrypt Ransomware variants

In May, criminals behind the TeslaCrypt ransomware leaked online the master encryption key that allowed security experts to develop a decryption tool for the last variant of the threat.

“In surprising end to TeslaCrypt, the developers shut down their ransomware and released the master decryption key. Over the past few weeks, an analyst for ESET had noticed that the developers of TeslaCrypt have been slowly closing their doors, while their previous distributors have been switching over to distributing the CryptXXX ransomware. ” reported Lawrence Abrams from bleepingcomputer.com that also published a step by step guide to use the Teslacrypt decryption Tool.

The decryptor was developed by experts from the ESET security Firm, it was able to unlock files encrypted by versions 3 and 4 of TeslaCrypt by using the above master key, released on May 19.

“Today, ESET® released a decryptor for recent variants of the TeslaCrypt ransomware. If you have been infected by one of the new variants (v3 or v4) of the notorious ransomware TeslaCrypt and the encrypted files have the extensions .xxx, .ttt, .micro, .mp3 or remained unchanged, then ESET has good news for you.” announced ESET.

I have other good news for the victims of all TeslaCrypt variants, Cisco Talos Team has updated its decryptor tool to address all four versions of TeslaCrypt ransomware in wild.

“Talos has developed a decryption tool to aid users whose files have been encrypted by TeslaCrypt ransomware. The Talos TeslaCrypt Decryption Tool is an open source command line utility for decrypting TeslaCrypt encrypted files so users’ files can be returned to their original state.” states the announcement published by Cisco Talos.

Version 1.0 is able to decrypt all the files encrypted by all version of TeslaCrypt and AlphaCrypt:

TeslaCrypt 0.x – Encrypts files using an AES-256 CBC algorithm
AlphaCrypt 0.x – Encrypts files using AES-256 and encrypts the key with EC
TeslaCrypt 2.x – Same as previous versions, but uses EC to create a weak Recovery key. The application is able to use factorization to recover the victim’s global private key.
TeslaCrypt 3 & 4 – The latest versions. Able to decrypt thanks to the C&C server EC private key which was recently released.

It’s still unclear why crooks decided to leak the TeslaCrypt ransomware masterkey, the threat is continuing to infect netizens and businesses across the world.

The experts from the FBI estimated the first quarter revenues for the TeslaCrypt ransomware at more than $200 million.

In some cases, the experts have discovered the decryption keys hidden in the source code of the threat, a circumstance that allowed them to build a decryption tool.

Last improvements for the TeslaCrypt ransomware were observed by experts at Endgame Inc in April, the authors implemented new sophisticated obfuscation and evasion techniques and were able to target new file types.

You can download Teslacrypt Tool for free from Talosintel.com

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – cybercrime, TeslaCrypt Ransomware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.