The operations of TeslaCrypt, one of the largest ransomware threats over the past months, appear to have shut down, with its authors already releasing a master decryption key, researchers at ESET report.
The ransomware emerged roughly a year ago and has seen numerous updates ever since, with its latest analyzed version being 4.0. Earlier this year, a flaw in TeslaCrypt and TeslaCrypt 2.0 variants allowed researchers to create a free decryption tool, but version 3.0 of the malware patched the issue.
The malware was distributed via different channels, including exploit kits, and in December 2015 exploited a newly patched Flash Player heap buffer overflow vulnerability (CVE-2015-8446) to drop TeslaCrypt onto targeted systems.
Angler continued to deliver TeslaCrypt as its malicious payload for several months, as seen in a campaign exploiting a patched Silverlight vulnerability, as well as in an attack against the EC Council website. Courtesy of numerous distribution campaigns in the past months, TeslaCrypt was the third biggest player on the ransomware scene at the beginning of March.
Although TeslaCrypt has had a constant, active presence on the threat landscape over the past year, its authors might have closed shop, and the move appears final, security company ESET claims. The researchers not only discovered that the ransomware’s operators already announced that they are closing the project, but they also convinced these actors to provide them with the master decryption key.
In an unexpected move, the TeslaCrypt operators made the key public on the ransomware’s payment site, and researchers already used the key to create a free decryption tool that should help all of the malware’s victims to restore their files. Other decryption utilities were also updated using the released key and can be used to decrypt files affected by versions 1.0 to 4.0 of the ransomware.
The news of TelsaCrypt operators shutting down their business comes just one week after researchers at Check Point published an extensive analysis (PDF) of TeslaCrypt V3.0.1. This ransomware variant came with support for offline encryption and was able to maintain a low profile by executing on low priority applications and closing suspicious ones to avoid detection.
TeslaCrypt 3.0 and later versions were deemed nearly impossible to decrypt, and Check Point’s new report reiterates that. The paper also provides a thorough analysis of the ransomware’s infection and execution chains.
Other ransomware families have attracted the attention of security researchers over the past several months, and numerous decryption tools were released for free. Examples include Kaspersky’s tool for decrypting files affected by the CryptXXX ransomware, and a decryptor for Petya. Last year, a flaw in Linux.Encoder1 allowed Bitdefender to create a decryption tool to restore victims’ files for free.