Freeing your data from ransomware
Decrypting the Files
First, we can only advise you not to accept the blackmailer's offer by paying the ransom. Transferring the money just encourages the criminals and drives up the sums demanded. Second, it is unclear whether you will ever receive a working key after paying. Security vendors have repeatedly released dedicated decryption tools that can restore the encrypted files, which is the best remaining option if you don't have a recent backup.
In the case of TeslaCrypt, the Cisco Talos group has made it possible to decrypt the files without paying. The tool required for this, the Talos TeslaCrypt Decryption tool [2], can decrypt the files using the key.dat file that the malware generates. This file typically resides below the user data directory on the system (the user's Application Data directory on Windows). Before you run the command-line tool, first back up all of the encrypted files: some data loss is possible if files cannot be decrypted correctly, and use of this program is at your own risk. The parameters in Table 1 can be used with the command-line tool.
Table 1
Parameters for the Talos Tool

| Parameter | Action |
|---|---|
| /key | Manually specifies the master key for decryption |
| /keyfile | Specifies the path to key.dat |
| /file | Decrypts a single file |
| /dir | Decrypts all ECC files in the target folder |
| /scanEntirePc | Decrypts all ECC files on the target system |
| /KeepOriginal | Keeps all original encrypted files |
| /deleteTeslaCrypt | Automatically terminates and deletes the TeslaCrypt malware |
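The order of operations described above matters: find key.dat, back up every encrypted file, check that the backup is intact, and only then invoke the decrypter with the parameters from Table 1. The following script is an added example of that pre-flight procedure; it is not part of the Talos tool or this article. It assumes that the encrypted files carry the .ecc extension (the only one the table names) and that the Talos binary is called TeslaDecrypter.exe; it builds the command line but deliberately does not execute it, so you can review it first.

```python
"""Pre-flight helper for the Talos TeslaCrypt decrypter (added example).

Steps: locate key.dat below a user data directory, copy every encrypted
file into a backup tree with a SHA-256 manifest, verify that copy, then
print the decrypter command line built from the Table 1 parameters.
Assumptions: encrypted files end in .ecc; the tool binary is
TeslaDecrypter.exe (both are assumptions, adjust for your case).
"""
import hashlib
import json
import shutil
import sys
from pathlib import Path

ENCRYPTED_EXTENSIONS = {".ecc"}   # assumed; extend if your infection uses another suffix
TOOL_NAME = "TeslaDecrypter.exe"  # assumed name of the Talos command-line tool


def sha256_of(path):
    """SHA-256 hex digest of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_key_dat(root):
    """Return every key.dat below root (e.g. %APPDATA%); there may be more than one."""
    return sorted(p for p in Path(root).rglob("key.dat") if p.is_file())


def backup_encrypted(src, dst):
    """Copy encrypted files from src into dst, preserving relative paths.

    Returns a manifest {relative path: SHA-256 of the copy} and writes it to
    dst/manifest.json so the backup can be re-verified later.
    """
    src, dst = Path(src), Path(dst)
    try:  # refuse a backup directory inside the source tree: it would be re-copied
        dst.resolve().relative_to(src.resolve())
        raise ValueError("backup directory must not lie inside the source directory")
    except ValueError as exc:
        if "inside" in str(exc):
            raise
    manifest = {}
    for path in sorted(src.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in ENCRYPTED_EXTENSIONS:
            continue
        rel = path.relative_to(src)
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        digest = sha256_of(target)          # hash the copy, not the source
        if digest != sha256_of(path):
            raise IOError(f"copy of {path} does not match its source")
        manifest[rel.as_posix()] = digest
    (dst / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(dst):
    """Return the relative paths whose backup copy no longer matches the manifest."""
    dst = Path(dst)
    manifest = json.loads((dst / "manifest.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (dst / rel).is_file() or sha256_of(dst / rel) != digest]


def decrypt_command(tool, keyfile, target_dir, keep_original=True):
    """Build the decrypter invocation from the Table 1 parameters."""
    cmd = [str(tool), "/keyfile", str(keyfile), "/dir", str(target_dir)]
    if keep_original:
        cmd.append("/KeepOriginal")  # leave the encrypted originals in place
    return cmd


def main(argv):
    if len(argv) != 4:
        print(f"usage: {argv[0]} <appdata-dir> <encrypted-dir> <backup-dir>")
        return 2
    appdata, src, dst = (Path(a) for a in argv[1:])
    keys = find_key_dat(appdata)
    if not keys:
        print("no key.dat found below", appdata, "; without it you need /key")
        return 1
    count = len(backup_encrypted(src, dst))
    bad = verify_backup(dst)
    if bad:
        print("backup verification failed for:", bad)
        return 1
    print(f"backed up {count} encrypted files to {dst}; now run:")
    print(" ".join(decrypt_command(Path(TOOL_NAME), keys[0], src)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python preflight.py %APPDATA% D:\docs E:\backup`; it prints the command line to run by hand. Keep /KeepOriginal for the first pass so that a partially failed decryption still leaves you with the encrypted originals and the verified backup.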
Conclusions
A number of variants of the TeslaCrypt ransomware are currently circulating on the malware markets. In fact, just before this magazine went to print, TeslaCrypt 4, whose ransom note claims RSA-4096 encryption of the data, was discovered. This variant was impervious to the known decryption tools at the time, which makes preventive measures all the more important. Keeping current with patches and malware signatures for both the operating system and all third-party applications is part of your mandatory defenses.
If worst comes to worst, do not pay, but try to restore your files with a decryption tool. Better still: restore your current backups onto a system that you have set up from scratch.
Infos
- [1] DirectShow Spy: http://alax.info/blog/1460
- [2] Talos TeslaCrypt Decryption tool: https://github.com/vrtadmin/TeslaDecrypt/tree/master/Windows/