Another "failed" piece of crypto-malware has allowed security researchers to build a decryption tool. The tool lets users who have been extorted by TeslaCrypt recover their data without paying the ransom.
TeslaCrypt appeared relatively recently and can encrypt a long list of file types, including saved game data, documents, photos and more. It is a variant of the well-known CryptoLocker.
The TeslaCrypt malware actually uses AES, a symmetric algorithm that uses the same key for encryption and decryption, despite its developers' claims that it encrypts with a strong RSA public key and reverses the process with the corresponding private key.
In the latter case, the private key is normally held only on the attacker's server, making it impossible to recover the data from the victim's side.
The decryption tool, created by Cisco researchers, is a command-line application, but it comes with clear instructions on how to use it to restore your files.
The utility analyses a file created by the malware called "key.dat", which stores the master encryption key when the file-locking process starts. The file is located in the user's 'Application Data' folder. Without this .dat file, the decryption tool will not work.
In some versions of TeslaCrypt, as the researchers report in a post on their blog, the malware creates this recovery key file when it cannot reach its command-and-control server.
While the researchers' efforts are commendable, users should not rely solely on them to keep their data safe. Other ransomware currently in circulation cannot be decrypted.
Regularly backing up your data to storage that is not at risk of being infected remains the most effective way to protect the integrity of your files.
Download the Cisco tool
Windows binary:
http://labs.snort.org/files/TeslaDecrypt_exe.zip
ZIP SHA256: 57ce1c16e920a9e19ea1c14f9c323857c9a40751619d3959684c7e17956d66c6
Python script:
https://labs.snort.org/files/TeslaDecrypt_python.zip
ZIP SHA256: ea58c2dd975ed42b5a30729ca7a8bc50b6edf5d8f251884cb3b3d3ceef32bd4e
Source code to Windows binary:
https://labs.snort.org/files/TeslaDecrypt_cpp.zip
ZIP SHA256: 45908f0b3f8eb73bf820ded0a886842ac5c3e4c83068097806daad662046b1e0
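Before running a decryption tool obtained from the web, it is worth confirming that the archive you downloaded is the one the researchers published. The following script is an added example, not part of the article or of Cisco's tool: it hashes each downloaded ZIP with SHA256 and compares the result with the values listed above in constant time. The file names are taken from the URLs above; the download directory given on the command line is an assumption.

```python
import hashlib
import hmac
import sys
from pathlib import Path

# Published SHA256 values for the three archives, copied from the article above.
EXPECTED_SHA256 = {
    "TeslaDecrypt_exe.zip": "57ce1c16e920a9e19ea1c14f9c323857c9a40751619d3959684c7e17956d66c6",
    "TeslaDecrypt_python.zip": "ea58c2dd975ed42b5a30729ca7a8bc50b6edf5d8f251884cb3b3d3ceef32bd4e",
    "TeslaDecrypt_cpp.zip": "45908f0b3f8eb73bf820ded0a886842ac5c3e4c83068097806daad662046b1e0",
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large download does not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, expected_hex):
    """Return True only if the file's SHA256 matches the published value.

    hmac.compare_digest compares without short-circuiting on the first
    differing character; case is normalised because hashes are often
    pasted in upper case.
    """
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def verify_all(download_dir):
    """Check every archive named in EXPECTED_SHA256 that sits under download_dir.

    Returns a dict mapping file name -> 'ok', 'MISMATCH' or 'missing'.
    """
    results = {}
    for name, expected in EXPECTED_SHA256.items():
        candidate = Path(download_dir) / name
        if not candidate.is_file():
            results[name] = "missing"
        elif verify_download(candidate, expected):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


if __name__ == "__main__":
    # Usage: python verify_tesladecrypt.py <directory holding the downloaded ZIPs>
    # The directory is whatever you saved the archives to (assumed; defaults to ".").
    directory = sys.argv[1] if len(sys.argv) > 1 else "."
    report = verify_all(directory)
    for name, status in report.items():
        print(f"{status:8s} {name}")
    # Exit non-zero if anything failed so the check can gate an install script.
    sys.exit(0 if all(s == "ok" for s in report.values()) else 1)
```

A mismatch means the archive was corrupted in transit or is not the file the researchers published; in either case do not extract or run it, download it again from the listed URL and re-check.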