Users can recover files without paying the ransom

Jan 20, 2016 14:53 GMT

Due to an error in how older versions of the TeslaCrypt ransomware store the encryption key on the victim's computer, security researchers from Kaspersky and members of the Bleeping Computer forums have found a way to decrypt files locked by those versions.

TeslaCrypt is one of the most active ransomware families around, releasing new versions at regular intervals. According to Bleeping Computer, every TeslaCrypt version prior to the latest one, version 3.0, has a flaw that let researchers analyze an encrypted file and extract the key used to encrypt it.

This includes all TeslaCrypt infections that locked files with the .ECC, .EZZ, .EXX, .XYZ, .ZZZ, .AAA, .ABX, .CCC, and .VVV file extensions. This does not include version 3.0, released a week ago, which locks files with the .TTT, .XXX, and .MICRO extensions.

The flaw discovered by the researchers resided in how older TeslaCrypt versions stored the encryption key on the user's computer.

TeslaCrypt stored the encryption key improperly

By default, TeslaCrypt uses the AES algorithm to encrypt files. AES is a symmetric cipher: the same key is used to encrypt and to decrypt, which is both simpler and far less CPU-intensive than public-key encryption, so it is the natural choice for encrypting large numbers of files quickly.

TeslaCrypt's author used a single AES key for all of a victim's files and then protected that key with a second, stronger algorithm, saving the resulting "encrypted encryption key" inside each encrypted file. The weakness lies in that second stage: with enough computation, the stored value can be reversed to yield the AES key, and with it every file the infection locked.

First to discover this encryption mechanism slip-up were security researchers from Kaspersky, who helped some of their users decrypt files without paying the ransom.

A Bleeping Computer forum user named Googulator independently came across the same weakness and wrote a set of Python scripts that analyze a TeslaCrypt-locked file and extract the AES key from its second-stage encrypted form.

His work was published on GitHub as the TeslaCrack repository and soon made its way into TeslaDecoder, a Windows application put together to decrypt files locked by older TeslaCrypt versions.
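The article does not spell out what the "second-stage" value actually is. As documented in Googulator's TeslaCrack repository, the file header holds the AES key multiplied by another secret number, so recovering the key comes down to factoring that product and picking the divisor that matches a public key also stored in the header; factoring a 512-bit number is what consumed the forum volunteers' minutes-to-days of CPU time. The following is an added toy model of that weakness, not code from TeslaCrypt, TeslaCrack or TeslaDecoder. It assumes 20-bit keys so that plain trial division finishes in under a second, uses SHA-256 of the key as a stand-in for the public-key check, and uses a SHA-256 counter-mode keystream in place of AES, which the Python standard library does not ship. The header field names, the sample plaintext and all key values are constructed for the example.

```python
"""Toy model of the TeslaCrypt (< 3.0) key-storage weakness.

Added illustration, not code from TeslaCrypt, TeslaCrack or TeslaDecoder.
Constructed assumptions:
  * the per-file header holds product = aes_key * secret plus a value that
    lets the right divisor be recognised (SHA-256 of the key here; the real
    files hold a public key derived from the AES key instead);
  * 20-bit toy keys so trial division is fast, where the real 256-bit keys
    gave a 512-bit product that needed msieve/yafu and hours or days;
  * a SHA-256 counter-mode keystream stands in for AES.
"""
import hashlib
import secrets
from collections import Counter

KEY_BITS = 20  # toy size; TeslaCrypt used 256-bit AES keys


def key_check(key: int) -> str:
    """Stand-in for the public key TeslaCrypt derived from the AES key."""
    return hashlib.sha256(key.to_bytes(32, "big")).hexdigest()


def keystream(key: int, length: int) -> bytes:
    """SHA-256 in counter mode; placeholder for AES in this toy."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key.to_bytes(32, "big") + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_toy_key() -> int:
    """Random key with the top bit set, so bit_length() == KEY_BITS."""
    return secrets.randbits(KEY_BITS) | (1 << (KEY_BITS - 1))


def ransomware_encrypt(plaintext: bytes, aes_key: int, secret: int):
    """What the flawed malware writes: a header that leaks the key, plus ciphertext."""
    header = {"product": aes_key * secret, "key_check": key_check(aes_key)}
    return header, xor(plaintext, keystream(aes_key, len(plaintext)))


def factor(n: int) -> Counter:
    """Trial division: fine for 40-bit toys, hopeless for the real 512-bit values."""
    factors = Counter()
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] += 1
            n //= d
        d += 1 if d == 2 else 2
    if n > 1:
        factors[n] += 1
    return factors


def divisors(factors: Counter):
    """All divisors built from a prime factorization."""
    divs = [1]
    for p, e in factors.items():
        divs = [d * p ** i for d in divs for i in range(e + 1)]
    return divs


def recover_key(header: dict):
    """Victim-side recovery: factor the product, return the divisor that passes key_check."""
    for d in divisors(factor(header["product"])):
        if d.bit_length() == KEY_BITS and key_check(d) == header["key_check"]:
            return d
    return None  # nothing in the header matched


def decrypt(body: bytes, key: int) -> bytes:
    return xor(body, keystream(key, len(body)))


def demo() -> bool:
    """Encrypt a constructed file, then recover the key from the header alone."""
    plaintext = b"quarterly report: constructed sample file contents"
    aes_key, secret = make_toy_key(), make_toy_key()
    header, body = ransomware_encrypt(plaintext, aes_key, secret)
    recovered = recover_key(header)
    return recovered == aes_key and decrypt(body, recovered) == plaintext


if __name__ == "__main__":
    print("recovered without the ransom:", demo())
```

The point the toy makes is that the second stage only looked strong: multiplying the key by a secret is not encryption, because a product can be factored, and the header even ships the means to recognise the right factor. A sound design would wrap the per-file key with a public key whose private half never touches the victim's machine, which is presumably what the author fixed in version 3.0.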

TeslaCrypt's cracking was kept secret from everyone except victims

All these discoveries were kept quiet to stop TeslaCrypt's author from fixing his encryption scheme. Since that happened anyway with the release of TeslaCrypt 3.0, the information was made public on Bleeping Computer, along with the revelation that many of the site's forum users had been quietly helping others decrypt their files.

As it turns out, many users had been donating their time and computing power to crack the second-stage encryption, which in some cases took five minutes but for other victims required far more processing power and even took days to complete.

If you're one of the older TeslaCrypt victims, the first place to go is this Bleeping Computer forum support thread.