Teslacrypt closes shop, releases master decryption key

In a bit of an odd announcement, the group behind the Teslacrypt ransomware has apparently closed up shop and posted a note on their website saying “We are sorry!” and including the master key for decryption. According to this article from ThreatPost, preliminary tests indicate that the key is legitimate and is able to decrypt files previously encrypted with v3.0 and v4.0 including .xxx, .ttt, .micro and .mp3 (no word yet on additional filetypes but I suspect that this news will spread pretty quickly and additional details will be available soon). The TeslaDecoder has been updated and is available for download here for folks that may have been recently affected / impacted by an infection.

Something that I find odd / interesting from this (not really useful, mind you, but interesting) is that the ransom notices that I’ve seen from these types of ransomware generally include a countdown timer and, if you haven’t paid by the time the timer expires, the (only) decryption key is destroyed and your data is lost forever. This seems to indicate that an escrow key was used. The interesting thing is whether or not this may be commonplace with other ransomware vendors (CryptXXX seems to be the rising star now that Teslacrypt is out of the way) and, if so, does that change anything? Perhaps not, but seems like a question worth answering.
