New Utility Decrypts Files Lost to TeslaCrypt Ransomware

2015-04-27T14:38:21
ID THREATPOST:B17BD69131BE1A8FB96183C40038E034
Type threatpost
Reporter Michael Mimoso
Modified 2015-04-29T20:16:38

Description

Crypto-ransomware variants have enterprises on edge because of the threat of irreversibly damaged files. Some organizations, including most recently the Tewksbury, Mass., police department, have gone as far as to pay hundreds of dollars in ransom for the recovery key.

Some technology companies are beginning to fight back with tools that decrypt potentially lost data. Kaspersky Lab, in cooperation with the National High Tech Crime Unit of the Netherlands and the Netherlands National Prosecutors Office, recently made available a tool that helps recover files lost to the CoinVault ransomware. As of April 17, there were more than 700 decryption keys available in the database of the decryption application.

Today, Cisco followed suit with a lengthy analysis of the TeslaCrypt ransomware and a similar decryption tool, a command line utility that is capable of decrypting files lost to TeslaCrypt as long as the owner can supply the master key.

TeslaCrypt is a CryptoLocker variant that specifically targets gamers, but that scope could soon expand: some researchers note that exploit kits, including Nuclear, Sweet Orange and Angler, have been dropping TeslaCrypt.

Once it infects a machine and encrypts files, TeslaCrypt instructs the victim to proceed to a decryption site where, for 2.5 BTC (about $550), they can decrypt their files. As of April 16, no one had paid a ransom, researchers from the SANS Institute said.

Last month, researchers at Bromium said TeslaCrypt goes after data files associated with 20 different online games, locking downloadable content in an attempt to target younger computer users. An unnamed compromised website was serving the malware: victims were redirected by a Flash exploit to a site hosting the Angler exploit kit, and Angler dropped the CryptoLocker variant.

Cisco’s TeslaCrypt Decryptor requires the key.dat file in order to recover the master key used for encryption.

“Before it begins execution, it searches for ‘key.dat’ in its original location (the user’s Application Data directory), or in the current directory,” Cisco’s Talos researchers wrote today. “If it isn’t able to find and correctly parse the ‘key.dat’ file, it will return an error and exit.”

If the key.dat file can be copied into the tool’s directory, the user can specify which files or directories to decrypt. A number of command line options are available as well that not only decrypt files and directories but can also kill and delete the TeslaCrypt dropper. Cisco advises users to back up encrypted files before using the utility. Cisco made available a Windows binary, a Python script and Windows source code for its tool.

“Our tool is missing a few features. In particular we haven’t had the time to implement the algorithm needed to recover the master key from the recovery key,” Cisco said. “This is important because in some versions of the dropper, the master key is stripped from the ‘key.dat’ file as soon as the file-encryption is completed.”

In its analysis of TeslaCrypt, Cisco’s researchers said the ransomware is using symmetric AES encryption rather than the asymmetric RSA-2048 it claims in the warning presented to victims. Gamers should note that the ransomware encrypts saved games and Steam activation keys.
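The reason this symmetric/asymmetric distinction matters for recovery, and the reason the Talos tool parses the key file before touching any data (or exits with an error if it cannot), can be shown in a few lines. The following is an added example written for this page; it is not Cisco's decryptor and it does not reproduce TeslaCrypt's real key.dat format or file layout. The one-line hex key file, the IV-plus-AES-256-CBC blob layout, the fixed IV, the sample key and the sample "game save" are all constructed assumptions. The point it demonstrates is the general one: with AES the key that encrypted the file is the key that decrypts it, so a master key left on disk is enough to recover the data, whereas an RSA-2048 scheme would need a private key the victim never held.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample values for this demo. The key-file layout (one hex-encoded
// 32-byte AES-256 key) is an assumption for the example, NOT TeslaCrypt's key.dat.
const sampleKeyFile = "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f\n"
const samplePlaintext = "player=alice;level=42;gold=9001" // constructed "game save"

// parseKeyFile mirrors the decryptor's first step: parse the key file, or fail
// before any data is touched.
func parseKeyFile(contents string) ([]byte, error) {
	key, err := hex.DecodeString(strings.TrimSpace(contents))
	if err != nil {
		return nil, fmt.Errorf("key file is not valid hex: %w", err)
	}
	if len(key) != 32 {
		return nil, fmt.Errorf("expected a 32-byte master key, got %d bytes", len(key))
	}
	return key, nil
}

// unpad strips PKCS#7 padding and rejects malformed padding.
func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// decryptBlob reverses the symmetric step. Assumed blob layout: 16-byte IV
// followed by PKCS#7-padded AES-256-CBC ciphertext.
func decryptBlob(key, blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a whole number of blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return unpad(pt)
}

// Recover is the flow the article describes: parse the key file, then decrypt
// with the recovered master key. A stripped or unparsable key file stops here.
func Recover(keyFile string, blob []byte) ([]byte, error) {
	key, err := parseKeyFile(keyFile)
	if err != nil {
		return nil, fmt.Errorf("cannot recover without a usable key file: %w", err)
	}
	return decryptBlob(key, blob)
}

// MakeSample builds the constructed encrypted file used by the demo. A fixed IV
// keeps the sample reproducible; real encryption must use a random one.
func MakeSample(key []byte, plaintext string) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ivSeed := sha256.Sum256([]byte("fixed-iv-for-reproducible-sample"))
	iv := ivSeed[:aes.BlockSize]
	padN := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append([]byte(plaintext), bytes.Repeat([]byte{byte(padN)}, padN)...)
	out := make([]byte, aes.BlockSize+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	return out
}

func main() {
	key, _ := parseKeyFile(sampleKeyFile)
	blob := MakeSample(key, samplePlaintext)
	if got, err := Recover(sampleKeyFile, blob); err == nil {
		fmt.Printf("recovered: %s\n", got)
	}
	// With the master key stripped from the key file, recovery fails up front.
	if _, err := Recover("", blob); err != nil {
		fmt.Println("stripped key file:", err)
	}
}
```

The empty-key-file path is the situation Cisco describes for droppers that strip the master key from key.dat once encryption finishes: the ciphertext is intact, but without the symmetric key on disk the tool has nothing to decrypt with, which is why Cisco lists master-key recovery from the recovery key as the missing feature.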

“This means that TeslaCrypt is targeting many different types of users, including PC gamers. Just like irreplaceable photos, a game save, which is the product of countless hours of gaming, is extremely valuable and hard to replace,” Cisco said.