Another piece of flawed crypto-malware has allowed security researchers to build a decryption tool. The tool lets users extorted by TeslaCrypt recover their data without paying the ransom.
TeslaCrypt appeared relatively recently and encrypts a long list of file types, including saved game data, documents and photos. It presents itself as a variant of the well-known CryptoLocker.
TeslaCrypt actually encrypts files with AES, a symmetric algorithm in which the same key is used for both encryption and decryption, despite its authors' claim that they use strong RSA public-key encryption, with a private key required to reverse it.
Had that claim been true, the private key would normally be held only on the attacker's server, making recovery of the data from the victim's side impossible.
The decryption tool, written by Cisco researchers, is a command-line application, but it comes with clear instructions on how to use it to restore your files.
The tool works by parsing a file the malware creates called “key.dat,” which holds the master encryption key from the moment the file-locking process starts. The file lives in the user's 'Application Data' folder. Without this .dat file, the decryption tool cannot work.
According to one of the researchers' blog posts, some versions of TeslaCrypt create this recovery key only when the malware cannot reach its command-and-control server.
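The two paragraphs above (the symmetric-versus-asymmetric claim, and the decryption tool's reliance on a master key left in key.dat) come down to one question: does the key needed to reverse the encryption exist on the victim's machine? The following script is an added illustration, not TeslaCrypt's code or Cisco's tool. Everything about its file layouts is a constructed assumption: the b"KDAT"/b"KPUB" magic bytes in the simulated key.dat, the ".enc" suffix, and the 8-byte RSA chunking. A SHA-256 counter-mode keystream stands in for AES so it runs on the standard library alone, and the RSA modulus is a deliberately tiny toy built from two known primes. Both scenarios encrypt the same files; only the symmetric one leaves a key that a victim-side tool can use.

```python
"""Symmetric vs asymmetric ransomware key handling, as a runnable sketch.

Added illustration, not TeslaCrypt's code: the "key.dat" layouts, the
".enc" suffix and the 8-byte RSA chunks are constructed for this example,
and a SHA-256 counter-mode keystream stands in for AES so the script runs
with the standard library only.
"""
import hashlib
import secrets


# ---- symmetric stand-in for AES -------------------------------------------
def keystream_xor(key, nonce, data):
    """XOR data with SHA-256(key || nonce || counter) blocks. The same call
    encrypts and decrypts, the property a symmetric cipher shares with AES:
    the key alone is enough to reverse the operation."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def _encrypt_files(files, key):
    encrypted = {}
    for name, plaintext in files.items():
        nonce = secrets.token_bytes(16)
        encrypted[name + ".enc"] = nonce + keystream_xor(key, nonce, plaintext)
    return encrypted


def _decrypt_files(encrypted, key):
    plain = {}
    for name, blob in encrypted.items():
        plain[name[:-len(".enc")]] = keystream_xor(key, blob[:16], blob[16:])
    return plain


# ---- what the malware actually did: symmetric key left in key.dat ----------
def symmetric_infect(files):
    """Returns (encrypted_files, key_dat). Constructed layout: b"KDAT" + key."""
    master_key = secrets.token_bytes(32)
    return _encrypt_files(files, master_key), b"KDAT" + master_key


def symmetric_recover(encrypted, key_dat):
    """The decryption-tool path: parse key.dat, pull the master key, decrypt."""
    if key_dat[:4] != b"KDAT" or len(key_dat) != 36:
        raise ValueError("key.dat does not hold a plaintext master key")
    return _decrypt_files(encrypted, key_dat[4:])


# ---- what the authors claimed: hybrid RSA, private key kept off-box --------
# Toy RSA: 92-bit modulus from the primes 2^61-1 and 2^31-1. Far too small
# for real use, but enough to wrap a 32-byte key as four 8-byte chunks.
P, Q = (1 << 61) - 1, (1 << 31) - 1
N, E = P * Q, 65537
PRIVATE_D = pow(E, -1, (P - 1) * (Q - 1))  # would stay on the attacker's server


def rsa_wrap(key, n, e):
    return [pow(int.from_bytes(key[i:i + 8], "big"), e, n) for i in range(0, len(key), 8)]


def rsa_unwrap(chunks, n, d):
    return b"".join(pow(c, d, n).to_bytes(8, "big") for c in chunks)


def asymmetric_infect(files):
    """Returns (encrypted_files, key_dat). Constructed layout: b"KPUB" + wrapped
    key in 12-byte chunks; the plaintext file key never touches disk."""
    file_key = secrets.token_bytes(32)
    wrapped = b"".join(c.to_bytes(12, "big") for c in rsa_wrap(file_key, N, E))
    return _encrypt_files(files, file_key), b"KPUB" + wrapped


def asymmetric_recover(encrypted, key_dat, d):
    """Only possible with the private exponent d, which the victim never had."""
    if key_dat[:4] != b"KPUB":
        raise ValueError("not a wrapped-key key.dat")
    body = key_dat[4:]
    chunks = [int.from_bytes(body[i:i + 12], "big") for i in range(0, len(body), 12)]
    return _decrypt_files(encrypted, rsa_unwrap(chunks, N, d))


if __name__ == "__main__":
    # Constructed sample "victim" files.
    files = {"savegame.dat": b"level=12;gold=400", "report.docx": b"Q1 figures"}

    enc, key_dat = symmetric_infect(files)
    print("symmetric, key on disk -> recovered:", symmetric_recover(enc, key_dat) == files)

    enc, key_dat = asymmetric_infect(files)
    try:
        symmetric_recover(enc, key_dat)
    except ValueError as exc:
        print("asymmetric, victim side ->", exc)
    print("asymmetric, attacker side -> recovered:",
          asymmetric_recover(enc, key_dat, PRIVATE_D) == files)
```

The check a practitioner takes from this is the one Cisco's researchers made: before assuming a ransomware family is unrecoverable, look for whether the key material it writes to disk (here the simulated key.dat) is the raw symmetric key or only a public-key-wrapped copy of it. The first case is a decryptor waiting to be written; the second needs the attacker's private key.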
While the researchers' effort is commendable, users should not rely solely on such tools to keep their data safe. Other ransomware families currently in circulation cannot be decrypted without the attackers' keys.
Regularly backing up your data to a disk that is not exposed to infection, such as a drive kept offline between backups, remains the most effective way to protect the integrity of your files.
Download the Cisco tool
Windows binary:
http://labs.snort.org/files/TeslaDecrypt_exe.zip
ZIP SHA256: 57ce1c16e920a9e19ea1c14f9c323857c9a40751619d3959684c7e17956d66c6
Python script:
https://labs.snort.org/files/TeslaDecrypt_python.zip
ZIP SHA256: ea58c2dd975ed42b5a30729ca7a8bc50b6edf5d8f251884cb3b3d3ceef32bd4e
Source code to Windows binary:
https://labs.snort.org/files/TeslaDecrypt_cpp.zip
ZIP SHA256: 45908f0b3f8eb73bf820ded0a886842ac5c3e4c83068097806daad662046b1e0