TeslaCrypt Maker 'Sorry,' Releases Master Key

Victims of the TeslaCrypt ransomware have a new hope. The developers of the nefarious malware strain have apparently shut down operations and released a master key that will unlock all encrypted files on computers infected by the latest versions of TeslaCrypt.

Credit: BestPhotoStudio/Shutterstock

(Image credit: BestPhotoStudio/Shutterstock)

"Project closed," one of the developers said in a posting on the TeslaCrypt Dark Web site. "Master key for decrypt: 440A241DD80FCC5664E861989DB716E08CE627D8D40C7EA360AE855C727A49EE. Wait for other people make universal decrypt software. We are sorry!"

That note was prompted by a question from a researcher from Slovak antivirus firm ESET, who had noticed that TeslaCrypt operations seemed to be winding down in recent weeks.

Using the master key, ESET has created a decryptor tool that is available for download, with detailed instructions, from the ESET website. Another TeslaCrypt decoder with an easier-to-use interface has been posted on the Bleeping Computer website.

MORE: How Can I Protect Myself from Ransomware?

TeslaCrypt first appeared in early 2015 and initially targeted players of PC games, locking up game files and demanding $500 in Bitcoin to release the decryption keys. It later became more generalized, attacking all sorts of PC users. Infection generally came via corrupted websites, malvertising or email attachments.

TeslaCrypt was also added to the Angler and Nuclear browser exploit kits, prepackaged troves of malware that hit browsers with one attack after another. Versions 1 and 2 of TeslaCrypt had flaws that were discovered and exploited by antivirus researchers, but versions 3 and 4 were much better. 

ESET's decryptor tool works against both of the latter versions, unlocking files that were given the extensions .xxx, .ttt, .micro or .mp3, as well as those files that had the original file extensions unchanged.

This isn't the first time a ransomware developer or distributor has had a change of heart. In June, the apparent creator of the Locker ransomware suddenly unlocked all the computers that had been infected, possibly because he'd made enough money over the eight days that Locker was active.

"I'm sorry about the encryption, your files are unlocked for free," he wrote in a note. "Be good to the world and don't forget to smile."

Likewise, Bleeping Computer's Lawrence Abrams noted that the distributors of TeslaCrypt, who may be separate from the ransomware's developers, had moved on to distributing the newer CryptXXX ransomware.

Fortunately, CryptXXX has been cracked at least twice, most recently by Kaspersky Labs, which has its own CryptoXXX decryptor tool available for download. Bitdefender has a generic ransomware-decryption tool that periodically adds new updates.

Ransomware has lately become the malware of choice for cybercriminals. It's guaranteed to generate substantial returns, as the victims often include hospitals, small-town police departments or educational facilities that can't afford to lose valuable data on patients, ongoing criminal cases or students.

For those victims, paying $500 or $1,000 in Bitcoin is a lot easier than hiring an outside consulting firm to try to recover the data, a task made nearly impossible if the ransomware's encryption is implemented correctly. Even backup drives are often encrypted if the drives are permanently connected to the main system.

However, most ransomware attacks exploit well-known software flaws, or use easy-to-spot email scams. So keep your software patched and don't click to open resumes, invoices or shipping invoices in emails you're not expecting. And don't forget to install and run robust antivirus software.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.