In a surprising turn of events, the creators of the notorious TeslaCrypt ransomware shut down their operation and revealed the master key for decrypting all files. They even said they are sorry, as displayed in the image below.

Figure 1: TeslaCrypt Shut Down Message

 

The motive behind this step remains unclear. The attackers could be trying to lower their profile to avoid law enforcement agencies, or they could really be sorry for the damage they have done. Either way, the users who were infected by TeslaCrypt have already paid the price.

As we have reported earlier, TeslaCrypt, which emerged in 2015, was known especially for its ability to adapt. Several versions of it were distributed, each time with better stealth capabilities and without the flaws found in the previous version. As seen in TeslaCrypt’s forensic analysis tree, created by SandBlast Agent, the malware is distributed by the infamous Angler exploit kit. The malware in this version continues to use Windows binaries for its malicious operations. We have outlined this phenomenon in a recent blog post titled “Digging Deeper: How Ransomware and Malware use Microsoft Windows’ Known Binaries”.

 

Figure 2: TeslaCrypt SandBlast Agent Forensics Signature

 

TeslaCrypt shutting down its operation is a good reminder that users who decide not to pay the ransom should keep their encrypted files, in case a decryption key is found or the creators suddenly develop a conscience. While this is a welcome development, we should not forget that there are many more ransomware families out there – and their number is ever increasing.
