The Long-Awaited End of TeslaCrypt

The notorious TeslaCrypt ransomware has wreaked havoc on victims since its emergence in 2015. In March of this year, Fortinet ranked it as the third biggest player in the ransomware scene, after CryptoWall and Locky. TeslaCrypt was originally used to target gamers by encrypting files of popular games such as League of Legends, Call of Duty, World of Warcraft, etc. It has since evolved to become an extremely powerful ransomware with particularly caustic capabilities including anti-debugging and anti-monitoring features, string obfuscation, entrenchment, and more.

Researchers at ESET recently noticed that TeslaCrypt activity is slowing and possibly coming to a halt. One ESET researcher contacted TeslaCrypt's customer support on the payment website and asked if they would consider releasing the master decryption key. In an extremely surprising move, the TeslaCrypt actors did just that.

The payment function of the site was closed, and a message was released stating:

"Project closed! Master key for decrypt: 440A241DD80FCC5664E861989DB716E08CE627D8D40C7EA360AE855C727A49EE. Wait for other people make universal decrypt software. We are sorry!"

After this shocking turn of events, it seems that many threat actors have switched from TeslaCrypt to using CryptXXX as their new, preferred ransomware according to TrendMicro. This new ransomware, which came out in April, was decrypted twice within the course of one month as its first two versions were not strong enough. Today, version 3.0 is prevalent and uses anti-sandboxing features and a watchdog process to avoid detection or termination.

A number of decryption tools are available online for the various TeslaCrypt versions.

ThreatSTOP customers are protected from TeslaCrypt.

Share this: