Some users whose computers have been infected with a ransomware program called TeslaCrypt might be in luck: security researchers from Cisco Systems have developed a tool to recover their encrypted files.
TeslaCrypt appeared earlier this year and masquerades as a variant of the notorious CryptoLocker ransomware. However, its authors seemed intent on targeting gamers in particular.
Once installed on a system, the program encrypts files with 185 different extensions, over 50 of which are associated with computer games and related software, including user-generated content like game saves, maps, profiles, replays and mods.
In the ransom note displayed on infected computers, TeslaCrypt claims to be using asymmetric encryption based on the RSA public-key cryptosystem. If true, this would mean that the data is encrypted with a public key stored on the system and can only be decrypted with a private key held by the attackers.
However, after analyzing the malicious program, researchers from Cisco’s Talos Group found that it actually uses a symmetric encryption algorithm called AES. This algorithm uses the same key for both encryption and decryption.
Some versions of TeslaCrypt store the encryption key in a file called key.dat on infected systems, but others delete it after they finish encrypting files and store an encrypted version of it in a different file called RECOVERY_KEY.TXT, the Cisco researchers said Monday in a blog post.
The researchers developed a tool that can decrypt files affected by TeslaCrypt if the master encryption key is still found in key.dat. Users should save a copy of this file as soon as they realize that their computers have been infected with TeslaCrypt so they can later use it with the Cisco tool.
The Cisco researchers are still working on reverse-engineering the algorithm used by attackers to restore the master encryption key based on the recovery key. If successful, this will allow them to also decrypt files from versions of TeslaCrypt that delete the master key from the key.dat file when the encryption operation is done.