As CFOC has reported multiple times, ransomware has been one of the most widespread threats of the last couple of years. Both home users and businesses have been hit by TorLocker, CryptoLocker, TeslaCrypt, or some other member of the fast-growing crypto-malware family. Accordingly, the most effective advice security experts give for damage control and prevention is to keep backups, so that crucial data survives file encryption.
TeslaCrypt victims, and passionate gamers in particular, can now breathe a little easier. The good news is that researchers from Cisco Systems have developed a recovery tool to help victims of the TeslaCrypt ransomware. TeslaCrypt is yet another variant of the infamous CryptoLocker and has already affected a great many users since the beginning of the year. As already mentioned, gamers were found to be TeslaCrypt’s primary target.
The research team at Cisco has performed a detailed analysis of TeslaCrypt. As a result, the team found out that the ransomware creators have used a symmetric encryption algorithm. This is an important discovery that contradicts the attackers’ initial claims on using asymmetric encryption based on the RSA public-key cryptosystem.
In other words, Cisco’s finding shows that the criminals used the same key for both encryption and decryption. The algorithm is AES – the Advanced Encryption Standard – which is based on the Rijndael cipher. The latter was developed by two Belgian cryptographers back in 2001.
Cisco researchers have also disclosed that some versions of TeslaCrypt store the encryption key in a file called ‘key.dat’, while other variants delete it from that file once encryption is finished and keep it in a RECOVERY_KEY.TXT file instead. The tool developed by Cisco can decrypt the encrypted files as long as the master encryption key is still present in the ‘key.dat’ file.
Affected users should therefore save a copy of that file as soon as possible, so that they can use it later with the Cisco tool.
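To make concrete why a symmetric cipher matters here, the following Go program is an added illustration and is not code from the article or from Cisco’s tool. It constructs a sample "encrypted document" with AES-256-CBC under a placeholder key standing in for the contents of key.dat, then shows the recovery step: with the same key read back from the file, decryption succeeds; with any other key it does not. The key value, the IV, the file layout (IV followed by ciphertext) and the PKCS#7 padding are assumptions made for the demo, not TeslaCrypt’s real format. A SHA-256 fingerprint helper is included so a saved copy of key.dat can be compared against the original without printing the key itself.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed 32-byte AES-256 key standing in for the master key that the
// article says some TeslaCrypt variants leave behind in key.dat.
// Placeholder value for the demo, not a key from any real sample.
var sampleKeyDat = bytes.Repeat([]byte{0x42}, 32)

// pkcs7Pad pads the input to a whole number of cipher blocks.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding and rejects anything malformed, which is
// also what happens when the wrong key produced the plaintext.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// encryptCBC builds the sample encrypted document for this demo.
// Layout (assumed for the demo only): 16-byte IV || AES-256-CBC ciphertext.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(append([]byte{}, iv...), out...), nil
}

// recoverFile is the defender-side step: given the key read back from the
// saved key.dat, decrypt a file in the layout above. Because the cipher is
// symmetric, the very key that encrypted the file is all that is needed.
func recoverFile(keyDat, encrypted []byte) ([]byte, error) {
	block, err := aes.NewCipher(keyDat)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(encrypted) < 2*bs {
		return nil, errors.New("file too short to hold an IV and one block")
	}
	iv, body := encrypted[:bs], encrypted[bs:]
	if len(body)%bs != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	plain := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, body)
	return pkcs7Unpad(plain, bs)
}

// keyFingerprint returns SHA-256(key) in hex, so a backed-up key.dat can be
// checked against the original copy without exposing the key itself.
func keyFingerprint(keyDat []byte) string {
	sum := sha256.Sum256(keyDat)
	return hex.EncodeToString(sum[:])
}

func main() {
	iv := bytes.Repeat([]byte{0x01}, aes.BlockSize) // constructed, fixed for the demo
	doc := []byte("savegame slot 1: level 12, 3 lives")
	enc, _ := encryptCBC(sampleKeyDat, iv, doc)

	// Key still present in key.dat: recovery works.
	got, err := recoverFile(sampleKeyDat, enc)
	fmt.Printf("recovered with key.dat: %q err=%v\n", got, err)

	// key.dat gone or overwritten: any other key yields garbage, not the file.
	wrongKey := bytes.Repeat([]byte{0x43}, 32)
	_, err = recoverFile(wrongKey, enc)
	fmt.Println("without the right key:", err)
	fmt.Println("key.dat fingerprint:", keyFingerprint(sampleKeyDat))
}
```

The point of the second call in `main` is the practical one behind Cisco’s advice: once key.dat is deleted, nothing on the machine can undo the encryption, which is why a copy of the file should be preserved before anything else is touched.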
The team is still working on attempts to reverse the attackers’ algorithm. If they succeed, the tool will be able to decrypt files from TeslaCrypt’s versions that delete the master key from key.dat.