SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
TOP Security!
22 Jan 2016

TeslaCrypt flaw allows free file decryption

TeslaCrypt, a ransomware family that emerged roughly a year ago, includes a design flaw that has already allowed security researchers to build a free file decryption tool.

The issue affects the TeslaCrypt and TeslaCrypt 2.0 variants of the malware and resides in the encryption key storage algorithm, Lawrence Abrams explains in a blog post. The issue has been fixed in TeslaCrypt 3.0, but files encrypted by the older versions of the ransomware can be decrypted without paying the cybercriminals to do so.

Spotted in late February 2015, the ransomware was found to encrypt not only photos, videos, and documents, but also files associated with video games. In July, TeslaCrypt 2.0 emerged with an improved encryption mechanism, and in December researchers discovered that the malware was being delivered through a newly patched Adobe Flash Player vulnerability. Researchers note that their decryption tool can generate the keys needed to recover encrypted TeslaCrypt files with the extensions .ECC, .EZZ, .EXX, .XYZ, .ZZZ, .AAA, .ABC, .CCC, and .VVV. However, files encrypted by the newer versions of TeslaCrypt, which use the .TTT, .XXX, and .MICRO extensions, cannot be decrypted.

The issue with TeslaCrypt is not in the encryption algorithm itself but in how the encryption keys were stored on the victim's computer, Abrams explains. TeslaCrypt encrypts files with AES, a symmetric algorithm that uses the same key for both encryption and decryption. Researchers discovered that TeslaCrypt generated a new AES key each time it was restarted, and that this key was stored in every file encrypted during that session. The key was not stored in plain form: it was protected using another algorithm, and the resulting protected value was written into each encrypted file.

However, the stored key value was found to be too small to withstand factorization. Using specialized programs that can factor such large numbers, researchers extracted its prime factors, and other specialized tools then reconstructed the decryption key from those primes.

Methods and tools to decrypt files encrypted by TeslaCrypt appeared a while ago, but they were kept private to ensure that the malware developers were not alerted to them. However, since TeslaCrypt 3.0 resolves the aforementioned issue, projects such as TeslaCrack (https://github.com/Googulator/TeslaCrack) have started to emerge, along with volunteers willing to help victims of the malware.

Written in Python, TeslaCrack requires encrypted files that have a known file header (PDF, JPG, etc.) and needs to be modified when the file used is not an encrypted PDF. Moreover, users would have to use the tool to attack multiple keys to decrypt all of their files if TeslaCrypt was restarted while encrypting the hard disk's contents.
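To make the two points above concrete (a per-session key that survives in each file only as a factorable product, and a known file header used to pick the right key candidate), here is an added toy model, not TeslaCrack's or TeslaCrypt's own code. It assumes a constructed file format in which the stored value is the session key multiplied by a second factor, uses trial division in place of Msieve/Yafu, and substitutes a SHA-256 counter keystream for AES so it runs offline with the standard library; the sizes are tiny compared with the real values.

```python
import hashlib
from itertools import combinations

PDF_HEADER = b"%PDF-1."  # known plaintext header that key candidates are tested against


def stream_xor(key_int: int, data: bytes) -> bytes:
    """Symmetric stand-in for the AES step (SHA-256 counter keystream, NOT AES),
    used only so the example runs offline; encryption and decryption are the same call."""
    key = key_int.to_bytes(32, "big")
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def factorize(n: int) -> list[int]:
    """Trial division, ascending; stands in for Msieve/Yafu on these toy-sized values."""
    factors, d = [], 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1 if d == 2 else 2
    if n > 1:
        factors.append(n)
    return factors


def recover_key(stored_product: int, ciphertext: bytes, header: bytes = PDF_HEADER):
    """Try the product of every subset of the prime factors as the session key and
    keep the one that decrypts the file's first bytes to the known header."""
    primes = factorize(stored_product)
    seen = set()
    for r in range(1, len(primes) + 1):
        for combo in combinations(primes, r):
            cand = 1
            for p in combo:
                cand *= p
            if cand in seen:          # repeated primes give duplicate products
                continue
            seen.add(cand)
            if stream_xor(cand, ciphertext[:len(header)]) == header:
                return cand
    return None


# Constructed demo values (hypothetical; the real stored values were far larger).
SESSION_KEY = 104729 * 999983              # this run's symmetric key, built from primes
OTHER_FACTOR = 1299709 * 2750159           # the second factor it is multiplied with
STORED_VALUE = SESSION_KEY * OTHER_FACTOR  # what each toy encrypted file would carry
SAMPLE_FILE = stream_xor(SESSION_KEY, b"%PDF-1.4\n%constructed sample document\n")

if __name__ == "__main__":
    print("recovered key matches:", recover_key(STORED_VALUE, SAMPLE_FILE) == SESSION_KEY)
```

Because the factor set grows with every restart of the malware, a victim whose disk was encrypted over several sessions has to repeat this for each distinct stored value, which is the multiple-key situation the paragraph above describes.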

TeslaDecoder, a tool that has been used to decrypt TeslaCrypt files since May 2015, has also been updated to recover the encryption key for all TeslaCrypt variants. This tool targets the master private key that TeslaCrypt used on the victim's computer, allowing users to decrypt all of their files regardless of whether the ransomware was restarted.

The tool was designed to run on Windows and does not require specific encrypted file types, making it suitable for general use. It can also be used in combination with specialized factorization tools such as Msieve and Yafu to help victims recover their files for free. Victims can use either TeslaDecoder or TeslaCrack to decrypt their files, but can also head over to the TeslaCrypt (.VVV, .CCC, etc. Files) Decryption Support Requests topic to ask for help retrieving the encryption keys.

Tags:
TeslaCrypt information leaks
Source:
SecurityWeek