The TeslaCrypt ransomware variant was shut down unexpectedly today and the decryption master key released to the...
public, allowing anyone affected by the ransomware to recover data.
An ESET researcher reached out to the team behind TeslaCrypt and asked for the private key used by the ransomware, and the response contained a surprise. Someone behind TeslaCrypt told ESET the ransomware effort was closed, provided the TeslaCrypt master key and even said, "We are sorry."
"The sudden closing of the ransomware project is strange, especially as TeslaCrypt was one of the most prevalent strains of ransomware at the time and was likely making significant money," said Alastair Paterson, CEO and co-founder of Digital Shadows Ltd., based in San Francisco.
Michael Taylor, applications and product development lead for Rook Security Inc., based in Indianapolis, said there were a few possible reasons for the release of the TelsaCrypt master key, including that the team had a "crisis of conscience."
"It is possible that this was done in error and that the master key was not intended to be released, or that there is an internal conflict within the TeslaCrypt team wherein a member decided to undermine their revenue stream," Taylor said. "Alternatively, they could be planning to pivot their operations in another direction."
Andy Settle, head of special investigations at Forcepoint LLC, based in Austin, Texas, said it could have been a matter of self-preservation.
"If they are going dark, by releasing the key, the interest of law enforcement may well move elsewhere," Settle said in an email. "Perhaps, by releasing the key, something worse was stopped from happening -- i.e., the operators being arrested."
Regardless of the reasoning, experts agreed while this was a good thing, ransomware is still a significant threat.
"The release of the master key is good news for those users who were targeted by the original TeslaCrypt and have not yet recovered their files, but obtaining one master key does not render the ransomware industry impotent," Taylor said. "New keys may be generated using the existing platforms. The developers of this malicious software type may also generate entirely new platforms to replace the older ones as well. The threat of ransomware is far from over."
Paterson noted that "in the grand scheme, ransomware continues to be a very prevalent threat to businesses and individuals. Given the very active nature of the ransomware marketplace -- lots of new variants and development from new ransomware in the past few months -- it is almost inevitable that if this news is genuine and TeslaCrypt has indeed closed, then another variant (such as the increasingly prevalent CryptXXX or Locky ransomware versions) will take the market share of the vacuum that this leaves behind."
Learn more about a possible ransomware vaccine.
Find out about the recent ransomware attacks on Congress.