Yesterday, a security researcher from ESET found out that the popular TeslaCrypt ransomware operation is shutting down. Its operators are now offering a free decryption key to anyone who needs their files unlocked.
According to the security expert, he contacted the TeslaCrypt operators through the support channel of their ransom website hosted on the Dark Web. The hackers admitted they were shutting down TeslaCrypt operations and voluntarily offered a master decryption key for the ransomware's victims.
The cyber criminals published the decryption key on the Dark Web website where all users came to pay the ransom, with the following message:
“Project closed. Master key for decrypt [KEY] Wait for other people make universal decrypt software. We are sorry!”
The decryption key works for both TeslaCrypt v3 and v4 infections, which appended a secondary file extension to each encrypted file in the form of .xxx, .ttt, .micro, or .mp3. Users should also know that automatic decryption software is available.
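For incident triage, the secondary extensions listed above are the quickest way to tell which files on a host were touched by TeslaCrypt v3/v4 and what their original names were (the decryption tools restore content, but an inventory of affected files is needed first). The script below is an added example, not code from the article or from ESET's or BloodyDolly's tools; the file listing it scans is constructed, and the double-extension rule (a real extension must precede the appended one, so that an ordinary `song.mp3` is not flagged) is this example's own assumption about how the ransomware named its output.

```python
import os

# Secondary extensions the article attributes to TeslaCrypt v3/v4.
TESLACRYPT_EXTENSIONS = (".xxx", ".ttt", ".micro", ".mp3")

# Constructed directory listing standing in for os.walk() output on an infected host.
SAMPLE_LISTING = [
    "report.docx.micro",
    "budget.xlsx.ttt",
    "photo.jpg.mp3",
    "song.mp3",          # ordinary media file, must not be flagged
    "notes.txt",         # untouched file
    "archive.tar.xxx",
    "readme.micro",      # no inner extension, treated as not encrypted (assumption)
]


def classify_filename(name):
    """Return (original_name, appended_ext) if `name` looks like a TeslaCrypt
    v3/v4 encrypted file, otherwise None.

    Assumption of this example: the ransomware appended its extension after the
    file's real one, so the name must carry a second, inner extension. This keeps
    plain .mp3 media files from producing false positives.
    """
    base, ext = os.path.splitext(name)
    if ext.lower() not in TESLACRYPT_EXTENSIONS:
        return None
    inner_base, inner_ext = os.path.splitext(base)
    if not inner_base or not inner_ext:
        return None
    return base, ext.lower()


def triage(filenames):
    """Summarise a listing: matched (encrypted_name, original_name) pairs and
    a count per appended extension, which also hints at the variant in use."""
    matches = []
    by_extension = {}
    for name in filenames:
        result = classify_filename(name)
        if result is None:
            continue
        original, ext = result
        matches.append((name, original))
        by_extension[ext] = by_extension.get(ext, 0) + 1
    return {"matches": matches, "by_extension": by_extension}


def scan_directory(root):
    """Walk a real directory tree and triage every filename found."""
    names = []
    for _dirpath, _dirnames, files in os.walk(root):
        names.extend(files)
    return triage(names)


if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    for encrypted, original in summary["matches"]:
        print(f"{encrypted} -> original name {original}")
    print("by extension:", summary["by_extension"])
```

Running the script against the constructed listing reports four encrypted files and leaves `song.mp3`, `notes.txt` and `readme.micro` alone; `scan_directory()` applies the same logic to a real path so the inventory can be fed to a decryption tool.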
Some time ago, ESET created the automatic decryption tool, and BloodyDolly updated his older TeslaDecoder to handle the newly announced decryption master key.
According to the security expert Lawrence Abrams, lots of security researchers noticed a gradual slowdown in the number of infections caused by this ransomware, along with a decrease in the number of spam messages sent out to infect users.
During the first three months of this year, TeslaCrypt was ranked by Fortinet as number 3 in a list of the most popular ransomware infections, behind CryptoWall and Locky ransomware. Later on, TeslaCrypt operators switched to CryptXXX.
Apparently, TeslaCrypt operators aren’t really “sorry” but merely found a better ransomware strain.
TeslaCrypt has been cracked numerous times in the past, hence the presence of BloodyDolly’s TeslaDecoder application.
Considering that Kaspersky had already cracked this ransomware twice, switching to CryptXXX might not have been such a great idea. Besides, CryptXXX 1.0 and CryptXXX 2.0 have also been cracked, just a few days after the hackers released them.
During the past few months, some white hats have also hacked the distribution networks of various ransomware strains, Locky for instance, distributing antivirus software, empty files, or warning messages instead of the ransomware. However, that doesn’t appear to be the case here, since only the TeslaCrypt coders would have had full access to TeslaCrypt’s source code and known of the existence of a master decryption key for this ransomware.