TeslaCrypt Maker 'Sorry,' Releases Master Key

Victims of the TeslaCrypt ransomware have a new hope. The developers of the nefarious malware strain have apparently shut down operations and released a master key that will unlock all encrypted files on computers infected by the latest versions of TeslaCrypt.

Credit: BestPhotoStudio/Shutterstock

(Image credit: BestPhotoStudio/Shutterstock)

"Project closed," one of the developers said in a posting on the TeslaCrypt Dark Web site. "Master key for decrypt: 440A241DD80FCC5664E861989DB716E08CE627D8D40C7EA360AE855C727A49EE. Wait for other people make universal decrypt software. We are sorry!"

That note was prompted by a question from a researcher from Slovak antivirus firm ESET, who had noticed that TeslaCrypt operations seemed to be winding down in recent weeks.

Using the master key, ESET has created a decryptor tool that is available for download, with detailed instructions, from the ESET website. Another TeslaCrypt decoder with an easier-to-use interface has been posted on the Bleeping Computer website.

MORE: How Can I Protect Myself from Ransomware?

TeslaCrypt first appeared in early 2015 and initially targeted players of PC games, locking up game files and demanding $500 in Bitcoin to release the decryption keys. It later became more generalized, attacking all sorts of PC users. Infection generally came via corrupted websites, malvertising or email attachments.

TeslaCrypt was also added to the Angler and Nuclear browser exploit kits, prepackaged troves of malware that hit browsers with one attack after another. Versions 1 and 2 of TeslaCrypt had flaws that were discovered and exploited by antivirus researchers, but versions 3 and 4 were much better. 

ESET's decryptor tool works against both of the latter versions, unlocking files that were given the extensions .xxx, .ttt, .micro or .mp3, as well as those files that had the original file extensions unchanged.

This isn't the first time a ransomware developer or distributor has had a change of heart. In June, the apparent creator of the Locker ransomware suddenly unlocked all the computers that had been infected, possibly because he'd made enough money over the eight days that Locker was active.

"I'm sorry about the encryption, your files are unlocked for free," he wrote in a note. "Be good to the world and don't forget to smile."

Likewise, Bleeping Computer's Lawrence Abrams noted that the distributors of TeslaCrypt, who may be separate from the ransomware's developers, had moved on to distributing the newer CryptXXX ransomware.

Fortunately, CryptXXX has been cracked at least twice, most recently by Kaspersky Labs, which has its own CryptoXXX decryptor tool available for download. Bitdefender has a generic ransomware-decryption tool that periodically adds new updates.

Ransomware has lately become the malware of choice for cybercriminals. It's guaranteed to generate substantial returns, as the victims often include hospitals, small-town police departments or educational facilities that can't afford to lose valuable data on patients, ongoing criminal cases or students.

For those victims, paying $500 or $1,000 in Bitcoin is a lot easier than hiring an outside consulting firm to try to recover the data, a task made nearly impossible if the ransomware's encryption is implemented correctly. Even backup drives are often encrypted if the drives are permanently connected to the main system.

However, most ransomware attacks exploit well-known software flaws, or use easy-to-spot email scams. So keep your software patched and don't click to open resumes, invoices or shipping invoices in emails you're not expecting. And don't forget to install and run robust antivirus software.

TOPICS
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Latest in Online Security
A smartphone screen displaying the Android name and logo next to a sign reading 'MALWARE'.
Fake Google Play Store pages are spreading Trojan malware that can steal your financial data
Best antivirus software
How does antivirus software work
and image of the Google Chrome logo on a laptop
Google Chrome at risk from shape-shifting browser extensions — how to stay safe
Green skull on smartphone screen.
Over 1 million Android devices infected with password-stealing, pre-installed botnet malware — how to stay safe
Android 12
Google March Android Security Update fixes two high severity vulnerabilities — update now
An Android bot next to an Android TV remote
Millions of Android TVs hijacked in massive botnet — how to see if yours is at risk
Latest in News
Meta Ray-Ban smart glasses next to AirPods Pro 2
New report says Apple is working on Meta-style smart glasses and AirPods with cameras
A smartphone screen displaying the Android name and logo next to a sign reading 'MALWARE'.
Fake Google Play Store pages are spreading Trojan malware that can steal your financial data
Crystle Stewart as Mallory in Tyler Perry's "Beauty in Black" on Netflix
Tyler Perry’s suspenseful drama series just crashed the Netflix top 10 — and you can stream new episodes now
JBL Charge 6 on beach
JBL just launched two new Bluetooth speakers with lossless audio — and my fave has 20 hours of battery life
ExpressVPN connected on Linux app
ExpressVPN launches huge Linux update – what you need to know
Cover of Robbie Williams as a CGI monkey in "Better Man"
This music biopic I missed from 2024 is finally coming to streaming