An ESET researcher discovered yesterday that the vaunted TeslaCrypt ransomware operation has shut down and is now offering a free master decryption key that anyone can use to unlock their files.
The researcher said he contacted the TeslaCrypt operators through the support channel on their Dark Web ransom payment site. The crooks admitted they were shutting down the TeslaCrypt operation and, surprisingly, agreed to release a master decryption key for all victims.
The crooks posted the decryption key on the same Dark Web site where victims came to pay the ransom, with the following message:
“Project closed. Master key for decrypt [KEY] Wait for other people make universal decrypt software. We are sorry!”
The master decryption key works for both TeslaCrypt v3 and v4 infections, which appended a secondary file extension to each encrypted file in the form of .xxx, .ttt, .micro, or .mp3.
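As an added triage example (not ESET's or BloodyDolly's tooling, and not code from the original article), the following Python script flags files that carry one of the appended extensions listed above. It assumes only that extension list from the article; the directory listing it runs on is constructed. The practical caveat it handles is that .mp3 is also a legitimate audio extension, so a file is only counted as suspect on that suffix when an original extension precedes it (report.docx.mp3), never on a plain song.mp3:

```python
"""Triage helper: flag files carrying a TeslaCrypt v3/v4 style appended extension."""
import os
from collections import Counter

# Extensions TeslaCrypt v3/v4 appended to encrypted files (from the article).
TESLACRYPT_SUFFIXES = {".xxx", ".ttt", ".micro", ".mp3"}

# Suffixes that are also legitimate file types; require a preceding original
# extension before treating them as an infection indicator.
AMBIGUOUS_SUFFIXES = {".mp3"}


def classify(path):
    """Return (is_suspect, original_extension) for one file path.

    original_extension is the extension the file had before encryption
    (".docx" for "report.docx.micro"), or "" if there was none.
    Works on both Windows and POSIX style paths.
    """
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    root, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in TESLACRYPT_SUFFIXES:
        return False, ""
    _, original = os.path.splitext(root)
    original = original.lower()
    if ext in AMBIGUOUS_SUFFIXES and not original:
        # "song.mp3" is just audio; "song.flac.mp3" is a double extension.
        return False, ""
    return True, original


def triage(paths):
    """Return (suspect_paths, count_per_original_extension) for a listing."""
    suspects = []
    per_ext = Counter()
    for path in paths:
        is_suspect, original = classify(path)
        if is_suspect:
            suspects.append(path)
            per_ext[original or "<none>"] += 1
    return suspects, dict(per_ext)


def walk_tree(root):
    """Collect every file path under root (e.g. a mounted image or a share)."""
    paths = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            paths.append(os.path.join(dirpath, f))
    return paths


# Constructed sample listing (not real victim data) so the block runs offline.
SAMPLE_LISTING = [
    "/home/alice/Documents/report.docx.micro",
    "/home/alice/Documents/budget.xlsx.ttt",
    "/home/alice/Pictures/holiday.jpg.xxx",
    "C:\\Users\\alice\\Pictures\\PHOTO.JPG.XXX",  # case-insensitive match
    "/home/alice/Music/track01.mp3",              # legitimate audio, must not match
    "/home/alice/Music/track02.flac.mp3",         # double extension: suspect
    "/home/alice/Desktop/notes.txt",
    "/home/alice/Desktop/readme.txt",
]

if __name__ == "__main__":
    suspects, per_ext = triage(SAMPLE_LISTING)
    for s in suspects:
        print("suspect:", s)
    print("by original extension:", per_ext)
```

During an incident you would feed `triage(walk_tree("/mnt/evidence"))` instead of the sample listing; the per-extension counts tell you quickly which document types were hit and whether the victim's file set matches what the released master key covers.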
Automatic decryption software is already available
Users didn’t have to wait long for TeslaCrypt decryption software to appear, though. ESET created one, and BloodyDolly updated his older TeslaDecoder to handle the newly released master decryption key.
Lawrence Abrams from Bleeping Computer says many security researchers had noticed a gradual decline in the number of infections caused by this ransomware, along with a drop in the volume of spam messages sent out to distribute it.
Fortinet ranked TeslaCrypt behind only CryptoWall and Locky in its list of the most widespread ransomware infections during the first three months of the year.
TeslaCrypt operators switched to CryptXXX
Abrams says that TeslaCrypt operators have gradually switched to the CryptXXX ransomware instead. It appears that the TeslaCrypt operators aren’t really “sorry” but merely found a better ransomware strain.
TeslaCrypt has been cracked numerous times in the past, hence the existence of BloodyDolly’s TeslaDecoder application. Switching to CryptXXX might not have been such a great idea either, since Kaspersky had already cracked that ransomware twice: first CryptXXX 1.0, and then CryptXXX 2.0, just a few days after the crooks released it.
In past months, some white hats have also hacked the distribution networks of various ransomware strains, pushing out antivirus software, empty files, or warning messages instead of the ransomware payload. That doesn’t seem to be the case here, since only the TeslaCrypt developers would have had full access to TeslaCrypt’s source code and known that a master decryption key existed.