The ransomware family TeslaCrypt came out about a year ago, and it includes a design flaw which has already allowed security researchers to build a free file decryption tool.
According to Lawrence Abrams, the problem, which affects the TeslaCrypt and TeslaCrypt 2.0 variants of the malware, resides in the way the encryption keys are stored. It has been fixed in TeslaCrypt 3.0, but files encrypted with the older versions of the ransomware can be decrypted without paying the cybercriminals to do so.
The ransomware, which was found in 2015, is able to encrypt not only photos, videos, and documents, but files associated with video games as well. In July, TeslaCrypt 2.0 came out with an improved encryption mechanism, while in December, virus researchers discovered that the malware was being delivered via a newly patched Adobe Flash Player vulnerability.
According to the researchers, their decryption tool can be used to generate the necessary keys for recovering encrypted TeslaCrypt files with extensions .ECC, .EZZ, .EXX, .XYZ, .ZZZ, .AAA, .ABC, .CCC, and .VVV. Nevertheless, the files encrypted with the newer versions of TeslaCrypt, which use the .TTT, .XXX, and .MICRO extensions, cannot be decrypted.
Abrams stated that the problem with TeslaCrypt is not in the encryption algorithm itself, but how the encryption keys were being stored on the user’s computer. TeslaCrypt encrypts files with the AES encryption algorithm and uses the same key for both encryption and decryption.
Virus researchers found that TeslaCrypt generated a new AES key each time it was restarted and stored that key in every file encrypted during the session. The key was not written in the clear: it was protected with a second algorithm, and this protected form of the key was embedded in each encrypted file.
Nevertheless, the protected key material turned out to be too small to resist attack. Specialized programs that can factorize large numbers extracted its prime factors, and other specialized tools then used those primes to reconstruct the decryption key.
Recently, some methods and tools for decrypting files appeared, though they were kept private to make sure that the malware creators were not alerted to them. Now that TeslaCrypt 3.0 has resolved the issue, projects like TeslaCrack have started to emerge, along with volunteers willing to help victims of the malware.
TeslaCrack is written in Python. It requires encrypted files with a known file header (PDF, JPG, etc.), and the script must be modified when the sample is not an encrypted PDF. Moreover, if TeslaCrypt was restarted while encrypting the hard disk contents, users have to run the tool against several keys before all files can be decrypted.
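To show why the key-storage flaw described above matters, here is an added toy simulation that is not code from the article, TeslaCrack or TeslaDecoder: it assumes the per-session key is stored as a product with a secret multiplier, factors that product, and tests each subset of the prime factors against a known PDF header, combining the factorization step and the known-header requirement the article mentions. A SHA-256 keystream stands in for AES so only the standard library is needed, and the numbers are tiny so trial division suffices; msieve or YAFU would be needed at real sizes.

```python
import hashlib
import itertools
import math
from typing import List, Optional

# Known plaintext: the article notes TeslaCrack relies on files with a known header (PDF, JPG, ...).
PDF_HEADER = b"%PDF-1.4"

def keystream_cipher(key: int, data: bytes) -> bytes:
    """Stand-in for AES (assumption): SHA-256 keystream in counter mode, so one call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key.to_bytes(32, "big") + (off // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def weak_key_store(session_key: int, secret_multiplier: int) -> int:
    """Assumed shape of the flaw: the session key is 'protected' only by multiplying it with a secret."""
    return session_key * secret_multiplier

def factorize(n: int) -> List[int]:
    """Trial division, enough for the toy sizes here; msieve/YAFU do this for real-world sizes."""
    primes, p = [], 2
    while p * p <= n:
        while n % p == 0:
            primes.append(p)
            n //= p
        p += 1
    if n > 1:
        primes.append(n)
    return primes

def recover_session_key(stored: int, ciphertext: bytes, known_header: bytes) -> Optional[int]:
    """Each proper subset-product of the prime factors is a candidate key; the known header picks the right one."""
    primes = factorize(stored)
    for r in range(1, len(primes)):
        for combo in set(itertools.combinations(primes, r)):
            candidate = math.prod(combo)
            if keystream_cipher(candidate, ciphertext[:len(known_header)]) == known_header:
                return candidate
    return None

def demo() -> tuple:
    """Constructed run: encrypt a PDF-like file, store the key the weak way, then recover it."""
    session_key = 10007 * 10009 * 10037   # toy 'AES key'; real keys are 256-bit
    secret_multiplier = 65537 * 99991      # toy secret that was meant to hide the key
    stored = weak_key_store(session_key, secret_multiplier)
    ciphertext = keystream_cipher(session_key, PDF_HEADER + b"\n1 0 obj << >> endobj\n")
    return session_key, recover_session_key(stored, ciphertext, PDF_HEADER)
```

The search space grows with the number of prime factors, which is why the real tools combine a strong factorizer with a cheap check such as a file header.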
TeslaDecoder has been used to decrypt TeslaCrypt files since May 2015, and it has been updated to recover the encryption key for all TeslaCrypt variants. This tool attacks the master private key that TeslaCrypt used on the victim’s computer, which allows users to decrypt all files regardless of whether the ransomware was restarted.
TeslaDecoder was designed to run on Windows and does not require specific encrypted file types, making it suitable for general use. It can also be used in combination with specialized factorization tools such as Msieve and Yafu to help victims recover their files for free.
Currently, PC users can use either TeslaDecoder or TeslaCrack to decrypt their encrypted files. They can also turn to the TeslaCrypt (.VVV, .CCC, etc Files) Decryption Support page, where they can get help retrieving the encryption keys.