There’s now a decryption tool for TeslaCrypt ransomware

“Here’s some very good news for victims of the TeslaCrypt ransomware: Cisco researchers have created a tool for them to decrypt the files themselves and avoid paying the asked for ransom.

First spotted and analyzed in March 2015, TeslaCrypt looks very much like the Cryptolocker ransomware, but in addition to encrypting the usual assortment of file types (documents, images, videos, database files, etc.), it also hits file types associated with video games and game related software (saved games, Steam activation keys, etc.).

It also encrypts iTunes-related files. All in all, it targets over 180 file extensions.

Even though the malware claims to encrypt the files with the RSA-2048 asymmetric algorithm, it in fact uses the AES symmetric algorithm, meaning that the same key is used both to encrypt and decrypt the files.

This allowed the researchers to create a (partially) successful tool, as this master key can be recovered from the key.dat file some versions of the malware put on the target machine so that it can calculate the encryption key if it can’t contact the C&C.

If the key.dat file doesn’t include the master key, the tool will not work.

In those cases, the key has been encrypted in the recovery key with elliptic curve cryptography and sent to the C&C server. “I am working on the algorithm used to do that, but we don’t know if we will be able to produce a working algorithm able to do the opposite in a short time,” researcher Andrea Allievi noted.

The TeslaCrypt decryption is a command line utility, but it’s easy to use and the researchers included instructions.

It can be downloaded in three different formats: Windows binary, Python script, source code for the Windows binary.

“The Decryption utility is a test tool which is not officially supported and the user assumes all liability for the use of the tool,” the researchers finally noted, advising users to back up their encrypted files before they use the utility.

Earlier this month, Kaspersky Lab researchers and the National High Tech Crime Unit (NHTCU) of the Netherlands police have made available a repository of decryption keys and a decryption application for CoinVault ransomware victims, and the former also published ScraperDecryptor, a tool that can decrypt most of the files encrypted by the TorLocker ransomware.

Despite all this, the best protection against ransomware is still to regularly back up important files.”