Cyber-criminals have already shifted to another ransomware program, CryptXXX, but researchers continue to puzzle over why TeslaCrypt’s operators gave up their encryption keys.
In early May, Igor Kabina, a researcher with security firm ESET, noticed that the group behind the third most prevalent ransomware operation, TeslaCrypt, had seemingly taken a breather. Following the April release of version 4 of their data-encryption malware, the group’s development efforts had slowed. Wondering if the group was closing up shop, Kabina pretended to be a victim and used their support service to ask if they would release their master key.

“On April 27th, a version that later turned out to be the very last version of TeslaCrypt was compiled,” he stated in a company interview. “Soon after that, I noticed that the people behind it had stopped spreading this version and that all the links they used were slowly dying. So I tried my luck, pretended to be one of their victims and asked them if they would be so kind as to release all four of the private keys they had been using since TeslaCrypt started.”

To the surprise of everyone at the security firm, a few days later, on May 18, the ransomware group announced that they would shut down and publicly released their private key.
The reason for the abrupt halt of the criminal operation, however, remains a mystery. While the group ended their brief goodbye note with an apology—”we are sorry!”—researchers doubt that shame led the group to cease operations.
The criminals behind TeslaCrypt had sometimes allowed lesser payments or even decrypted for free, but the group did not generally show remorse in dealing with victims.
One possibility raised by researchers is that the group behind TeslaCrypt had become leery of getting too much attention from law enforcement and security researchers.

“Several companies were doing deep dives to find issues in their programs, and add to that law enforcement targeting them,” Craig Williams, senior technical leader with Cisco’s Talos team, told eWEEK. “When you are a bad guy, having too much attention on you is not something you want.”

As soon as TeslaCrypt arrived in February 2015, security firms had started to track the software.
Initially, it appeared to be a knock-off of the CryptoLocker ransomware.
A subsequent update emulated CryptoWall, but used the name TeslaCrypt. Security firms and researchers kept up with the malware’s code changes.
Cisco created a tool to decrypt the first versions of the ransomware. Later, both ESET and an online researcher known as BloodDolly created utilities to decrypt up to version 2 of the malware.
Subsequent versions, however, made no obvious mistakes in their encryption algorithms.
For most victims, the only hope of recovering their data was to pay for the key. Yet the gift of the master key meant that the decryption utilities could be updated to work even on the latest versions.
Following the release of the master key in May, both ESET and BloodDolly used the code to decrypt data scrambled by versions 3 and 4 of the program.

It’s unlikely that an insider or rival leaked the key, according to security firm Kaspersky Lab.