Freeing your data from ransomware

Get Yours

Decrypting the Files

First, we can only advise you not to accept the blackmailer's offer by paying a ransom. Transferring the money just encourages cyber criminals to increase the sum requested. Second, it is unclear whether you will ever receive a working key after paying. Security vendors have repeatedly offered special decryption tools that are capable of restoring the encrypted files – if you don't have a recent backup.

In the case of TeslaCrypt, the Cisco Talos group has created a way to decrypt the files without paying. The tool required for this, the Talos TeslaCrypt Decryption tool [2], can decrypt the files using the generated key.dat file. This file typically resides below the user data directory on the system (the user's Application Data directory in Windows), but you should only run the command-line tool after first backing up all the encrypted files: some data loss is possible if the files cannot be correctly decrypted. Use and deployment of this program is at your own risk. The parameters in Table 1 can be used with the command-line tool.

Table 1: Parameters for Talos Tool

Parameter           Action
/key                Manually specifies the master key for decryption
/keyfile            Specifies the path to key.dat
/file               Decrypts a file
/dir                Decrypts all ECC files in the target folder
/scanEntirePc       Decrypts all ECC files on the target system
/KeepOriginal       Keeps all original encrypted files
/deleteTeslaCrypt   Automatically terminates and deletes the TeslaCrypt malware
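The back-up-first workflow described above and the switches from Table 1, as an added Python example that is not part of the article and not the Talos project's own code: it inventories the .ecc files below a directory, copies each into a backup tree and verifies the copy by SHA-256, looks for key.dat under the Application Data directory, and assembles the decryption command line without executing it. The executable name TeslaDecrypter.exe, the AppData layout used in the demo, and the "switch followed by its value" argument form are assumptions; check the tool's README for its exact syntax.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple, Union

# Table 1 refers to "ECC files": TeslaCrypt's encrypted output carries this extension.
ENCRYPTED_EXT = ".ecc"
# Placeholder name for the Talos command-line executable (assumption, not from the article).
TOOL_PLACEHOLDER = "TeslaDecrypter.exe"

PathLike = Union[str, Path]


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large encrypted files never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_encrypted(root: Path) -> List[Path]:
    """Return every .ecc file below root, sorted for reproducible processing."""
    return sorted(p for p in root.rglob("*" + ENCRYPTED_EXT) if p.is_file())


def backup_encrypted(root: PathLike, backup_dir: PathLike) -> List[Tuple[Path, Path, str]]:
    """Copy each encrypted file into backup_dir, preserving its relative path, and
    verify the copy by SHA-256 before the decryption tool touches anything.
    Returns (source, copy, digest) for every file backed up."""
    root, backup_dir = Path(root), Path(backup_dir)
    copied = []
    for src in find_encrypted(root):
        dst = backup_dir / src.relative_to(root)
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 keeps timestamps, which helps later triage
        digest = sha256_of(src)
        if sha256_of(dst) != digest:
            raise RuntimeError(f"backup of {src} did not verify; stop before decrypting")
        copied.append((src, dst, digest))
    return copied


def locate_keyfile(appdata: PathLike) -> Optional[Path]:
    """Search the Application Data tree for key.dat, where the article says it resides."""
    for candidate in Path(appdata).rglob("key.dat"):
        if candidate.is_file():
            return candidate
    return None


def build_decrypt_command(tool: PathLike, keyfile: PathLike, target_dir: PathLike,
                          keep_original: bool = True) -> List[str]:
    """Assemble the argument vector from the Table 1 switches /keyfile, /dir and
    /KeepOriginal. Passing each value as a separate argument is an assumption."""
    command = [str(tool), "/keyfile", str(keyfile), "/dir", str(target_dir)]
    if keep_original:
        command.append("/KeepOriginal")  # never let the tool discard the only ciphertext copy
    return command


def run_demo() -> Dict[str, object]:
    """Exercise the workflow on a constructed directory tree; returns facts to check."""
    work = Path(tempfile.mkdtemp(prefix="teslacrypt-demo-"))
    victim = work / "Documents"
    (victim / "sub").mkdir(parents=True)
    # Constructed sample files standing in for encrypted and untouched user data.
    (victim / "report.docx.ecc").write_bytes(b"constructed ciphertext 1")
    (victim / "sub" / "photo.jpg.ecc").write_bytes(b"constructed ciphertext 2")
    (victim / "notes.txt").write_bytes(b"constructed plaintext, not encrypted")
    appdata = work / "AppData" / "Roaming"  # assumed layout of the user's Application Data
    appdata.mkdir(parents=True)
    (appdata / "key.dat").write_bytes(b"constructed key material")

    copied = backup_encrypted(victim, work / "backup_ecc")
    keyfile = locate_keyfile(work / "AppData")
    command = build_decrypt_command(TOOL_PLACEHOLDER, keyfile, victim) if keyfile else []
    return {
        "files_backed_up": len(copied),
        "backup_verified": all(sha256_of(dst) == digest for _, dst, digest in copied),
        "keyfile_found": keyfile is not None,
        "command": command,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

run_demo() builds everything under a temporary directory. On an affected system, point backup_encrypted at the user profile and at a backup location on separate storage, confirm every copy verified, and only then run the command the script assembles; keeping /KeepOriginal set means a failed decryption still leaves the ciphertext in place.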

Conclusions

A number of variants of the TeslaCrypt ransomware are currently invading the malware markets. In fact, just before this magazine went to print, TeslaCrypt 4, which uses RSA-4096 for data encryption, was discovered. This variant was impervious to known decryption tools at the time, which makes suitable countermeasures all the more important. Keeping current with patches and malware signatures for both the operating system and all third-party applications is part of your mandatory defenses.

If worst comes to worst, do not pay, but try to restore your files using decryption tools. Better still: restore your current backups onto a system that you have set up from scratch.

Infos

  1. DirectShow Spy: http://alax.info/blog/1460
  2. Talos TeslaCrypt Decryption tool: https://github.com/vrtadmin/TeslaDecrypt/tree/master/Windows/
