Researchers have discovered that TeslaCrypt contains an inherent design flaw which has granted an avenue for the development of free decryption tools.
Security researcher Lawrence Abrams explained in a blog post this week that a number of former victims and researchers have been working together for the past month to exploit a flaw in TeslaCrypt's encryption key storage algorithm. While this was kept quiet to prevent the malware's creator catching on and patching the flaw, now TeslaCrypt 3.0 has been released, the group have decided to release their findings.
The design flaw affects TeslaCrypt and variants of TeslaCrypt 2.0, giving victims of these strains the hope of decrypting their machines and files without giving in to the malware creator's demands.
Ransomware is a particularly concerning piece of malware. Often debilitating, once a variant of ransomware such as TeslaCrypt or Cryptowall finds its way onto a victim machine, the system is locked and a demand for payment is made. Unless the demand is met -- in virtual currency to prevent the attacker's systems being traced -- files are encrypted and without the key, the content is lost.
In TeslaCrypt's case, unfortunately, the latest 3.0 version has patched the design flaw -- but victims of previous versions may now be able to decrypt their files for free.
The ransomware's flaw is not in the encryption algorithm itself, but rather how encryption keys are stashed on a victim's PC. A new AES key is generated every time TeslaCrypt is restarted to encrypt files during the session, which means that some files may be encrypted using different keys. To protect these keys, the malware creator used another algorithm, but today's computing power and the expertise of a few researchers resulted in the creation of tools able to reconstruct keys despite this protection.
"The size of this stored key were not sufficiently strong enough to withstand the computing power of today's modern computers," Abrams says.
"Thus it was possible to use specialized programs to factorize these large numbers in order to retrieve their prime numbers. Once the prime numbers were retrieved, specialized tools are then able to use them to reconstruct the decryption key. For some victim's this process could take as a little as 5 minutes to complete, while others that had stronger numbers could take days."
The design flaw has allowed researchers the opportunity to develop software able to generate decryption keys for TeslaCrypt files with the extensions .ECC, .EZZ, .EXX, .XYZ, .ZZZ,.AAA, .ABC, .CCC, and .VVV.
The newest version of TeslaCrypt utilizes the .TTT, .XXX, and .MICRO extensions., which is yet to be cracked.
Methods and tools for decrypting these files appeared a while back but were hidden through forum requests and private hosting to prevent TeslaCrypt's author from being notified. Now the new variant is not vulnerable to the same flaw, however, the researcher's efforts are now out in the open.
TeslaCrack and TeslaDecoder are now available for use by victims of the ransomware. The tools contain scripts to retrieve keys in a Windows environment. Alternatively, those who are not confident enough to perform the malware scrub themselves can request volunteer help in the TeslaCrypt Decryption Support Requests topic in the Bleeping Computer forum.