The attackers behind the TeslaCrypt ransomware pulled up stakes and released the master decryption key for their creations, and now security researchers with Cisco’s TALOS team have published a tool that will decrypt files encrypted with any version of TeslaCrypt.
The TeslaCrypt ransomware isn’t the best-known or the nastiest of the variants that have been plaguing users for the last few years, but it has been spreading in a variety of ways, most recently through the Angler exploit kit. Security researchers have been engaged in a back-and-forth with the attackers behind TeslaCrypt for several months now, publishing decryptors for certain versions of the malware and then seeing its creators release new versions that defeat those tools.
But now, Cisco’s researchers have been able to put together a decryption tool that works against every version of TeslaCrypt. With TeslaCrypt now out of development, this should be the last word in the fight against that particular strain of ransomware.
“Ransomware is a constantly growing threat, but with respect to TeslaCrypt, the battle is effectively over in that there is a decryptor for all versions of this ransomware variant. TeslaCrypt has been harassing users since early in 2015, and during that time it has been a constant battle between the defenders and the threat actors. To assist anyone who may still have files that are encrypted from this ransomware variant, Talos is releasing a decryption tool that is compatible with any version of TeslaCrypt,” Earl Carter of Cisco TALOS wrote in a post explaining the tool.
Security researchers have released decryption tools for various versions of ransomware, and those tools typically depend on a vulnerability or a key-management mistake made by the attackers. As a result, they usually work only against specific versions and are not universal solutions to ransomware infections. The Cisco tool is the closest thing we’ve seen to a complete solution for a single ransomware family.
Despite the fact that the TeslaCrypt creators have abandoned the project and released the decryption key, there still are other attackers out there actively infecting victims with the ransomware. Earlier this week, researchers at FireEye identified attacks using the Angler exploit kit to eventually infect users with TeslaCrypt.