TeslaCrypt Flaw Allows Free File Decryption

TeslaCrypt, a ransomware family that emerged roughly a year ago, includes a design flaw that has already allowed security researchers to build a free file decryption tool.


The issue affects TeslaCrypt and TeslaCrypt 2.0 variants of the malware and resides in the encryption key storage algorithm, Lawrence Abrams explains in a blog post. The issue has been fixed in TeslaCrypt 3.0, but files encrypted with the older versions of the ransomware can be decrypted without paying cybercriminals to do so.

Spotted in late February 2015, the ransomware was found to encrypt not only photos, videos, and documents, but files associated with video games as well. In July, TeslaCrypt 2.0 emerged with an improved encryption mechanism, and researchers discovered in December that the malware was being delivered through a newly patched Adobe Flash Player vulnerability.

Researchers note that their decryption tool can be used to generate the necessary keys for recovering encrypted TeslaCrypt files with extensions .ECC, .EZZ, .EXX, .XYZ, .ZZZ, .AAA, .ABC, .CCC, and .VVV. However, files encrypted with the newer versions of TeslaCrypt, which use the .TTT, .XXX, and .MICRO extensions, cannot be decrypted.

The issue with TeslaCrypt is not in the encryption algorithm itself, but in how the encryption keys were being stored on the victim’s computer, Abrams explains. TeslaCrypt encrypts files with the AES encryption algorithm and uses the same key for both encryption and decryption.

Researchers discovered that TeslaCrypt generated a new AES key each time it was restarted and stored that key inside every file encrypted during the session. The key was not written in the clear: it was protected with a second algorithm, and the resulting protected form of the key was stored in each encrypted file.

However, the protected key value was found to be too small to resist factoring. Using specialized programs that can factorize such large numbers, its prime factors were extracted, and other specialized tools were then used to reconstruct the decryption key from those primes.


Methods and tools to decrypt files encrypted by TeslaCrypt appeared a while ago, but they were kept private to ensure that the malware developers were not alerted to them. However, since TeslaCrypt 3.0 resolves the aforementioned issue, projects such as TeslaCrack (https://github.com/Googulator/TeslaCrack) have started to emerge, along with volunteers willing to help victims of the malware.

Written in Python, TeslaCrack requires an encrypted file that has a known file header (PDF, JPG, etc.) and needs to be modified when the file being used is not an encrypted PDF. Moreover, users would have to use the tool to attack multiple keys to decrypt all their files if TeslaCrypt was restarted while encrypting the hard disk content, since each restart produced a new key.
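As an added illustration that is not code from the article or from the TeslaCrack project, the following Python toy models the flaw described above and the known-header check TeslaCrack requires: a session key is stored as its product with a second secret, the product is factored, and the right candidate among the prime subsets is picked out because it decrypts the file's "%PDF-" header cleanly. Everything here is constructed: the key sizes are far smaller than the real malware's, the multiplication-based "protection" is a simplified stand-in for TeslaCrypt's scheme, and a SHA-256 counter keystream stands in for AES so the block runs with the standard library alone.

```python
import hashlib, itertools, math, random

KEY_BITS = 64         # toy session-key size (constructed stand-in for the AES key the article describes)
PDF_MAGIC = b"%PDF-"  # known file header used to validate a candidate key, as TeslaCrack requires

def keystream_xor(key: int, data: bytes) -> bytes:
    # Stand-in for AES (constructed, not TeslaCrypt's cipher): XOR with a SHA-256 counter keystream
    stream = b"".join(hashlib.sha256(key.to_bytes(16, "big") + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_file(plaintext: bytes, key: int, secret: int):
    # Toy victim side: the session key is "protected" only as the product key * secret
    return key * secret, keystream_xor(key, plaintext)

def is_probable_prime(n: int) -> bool:
    # Miller-Rabin; deterministic below ~3.3e24 with these bases, used only to stop the recursion
    if n < 41: return n in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    d, s = n - 1, 0
    while d % 2 == 0: d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1): continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True

def pollard_rho(n: int) -> int:
    # Non-trivial factor of composite n (Floyd-cycle Pollard rho): toy stand-in for Msieve/YAFU
    while True:
        c, x = random.randrange(1, n), random.randrange(2, n)
        y, d = x, 1
        while d == 1:
            x, y = (x * x + c) % n, (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n: return d

def factorize(n: int) -> list:
    # Full prime factorization (with multiplicity) of the stored product
    if is_probable_prime(n): return [n]
    f = pollard_rho(n)
    return sorted(factorize(f) + factorize(n // f))

def recover_key(stored: int, ciphertext: bytes):
    # Recovery side: factor the product, then test each key-sized prime subset against the header
    primes = factorize(stored)
    for r in range(1, len(primes) + 1):
        for cand in {math.prod(s) for s in itertools.combinations(primes, r)}:
            if cand.bit_length() == KEY_BITS and keystream_xor(cand, ciphertext)[:5] == PDF_MAGIC:
                return cand
    return None
```

With a secret of the same size as the key's own prime factors, several subsets have the right bit length, which is exactly why a known header is needed to tell the real key apart.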

TeslaDecoder, a tool that has been used for decrypting TeslaCrypt files since May 2015, has also been updated to recover the encryption key for all affected TeslaCrypt variants. This tool targets the master private key that TeslaCrypt used on the victim’s computer, thus allowing users to decrypt all files regardless of whether the ransomware was restarted or not.

The tool was designed to run on Windows and does not require specific encrypted file types, making it suitable for general use. It can also be used in combination with specialized factorization tools such as Msieve and YAFU to help victims recover their files for free.

Victims can use either TeslaDecoder or TeslaCrack to decrypt their files, but can also head over to the TeslaCrypt (.VVV, .CCC, etc Files) Decryption Support Requests topic to ask for help in retrieving the encryption keys.
