Thursday, June 9, 2016

TeslaCrypt: The Battle is Over



Talos has updated its TeslaCrypt decryptor tool, which now works with any version of this variant of ransomware. You can download the decryptor here.

When Talos first examined TeslaCrypt version 1.0 in April of 2015, we described how this ransomware operated and were able to develop a decryptor. Soon thereafter, TeslaCrypt version 2.0 was released, improving the encryption process so that our original decryptor no longer worked.


A cat-and-mouse game seemingly ensued. In January, as a result of the release of TeslaCrypt version 3.0, it became public knowledge that another security researcher had previously identified a vulnerability in TeslaCrypt version 2.0 but had been hesitant to go public, preferring to quietly help users decrypt their files without alerting the threat actors that their latest version contained a flaw.

Months later, in May 2016, the authors of the TeslaCrypt ransomware surprisingly decided to stop their activities and released their master key. ESET took that information and released a decryptor for TeslaCrypt versions 3 & 4. 

Ransomware is a constantly growing threat, but with respect to TeslaCrypt, the battle is effectively over in that there is a decryptor for all versions of this ransomware variant. TeslaCrypt has been harassing users since early in 2015, and during that time it has been a constant battle between the defenders and the threat actors. To assist anyone who may still have files that are encrypted by this ransomware variant, Talos is releasing a decryption tool that is compatible with any version of TeslaCrypt. Details about the cryptographic shortfalls in each version, as well as the source code for the decryption tool, are available here.

1 comment:

  1. Hi,
    I've been successfully using Teslacrypt to decrypt an entire hard disk, but is there a way, like a plugin maybe, to scan emails inside clients (like Outlook or Thunderbird)? As far as I know the virus could be in one of them. Thanks for your wonderful job done here.
