Cisco Offers Free Decryption Tool For Ransomware Victims

First the good news: there are now free utilities for decrypting your data after a ransomware attack. Now the bad news:  the tools only work for specific ransomware, not all variants.

Cisco Systems' Talos team today released a free tool for victims of the TeslaCrypt ransomware attack that decrypts the locked-down files. TeslaCrypt, which Cisco says may be related to the now mostly defunct CryptoLocker, uses symmetric AES encryption, which allowed Cisco to build a tool using the decryption key. Interestingly, TeslaCrypt warns that it uses strong asymmetric AES-2048 encryption to lock victims out of their files, but that's not the case.

TeslaScript goes after various victims, including PC gamers, whose games and coveted and valuable Steam activation keys get locked down in its attack.

"We reverse engineered the way the TeslaCrypt worked and were able to develop the tool based on that," says Earl Carter, threat researcher with Talos. "In the past, we have also reverse engineered other ransomware, like Cryptowall, but in that case, the ransomware was using asymmetric encryption, so creating a tool was not possible."

Kaspersky Lab, meanwhile, offers a tool for victims of the CoinVault ransomware. Kaspersky, which teamed up with Dutch law enforcement authorities in the CoinVault attacks, obtained access to the private keys from the attackers and offers CoinVault victims who are locked out of their data access to their confiscated key.

"The Kaspersky instance is similar to the original CryptoLocker decryption tool that was developed after the police takedown of CryptoLocker.  Both of those tools consists of a list of private keys obtained by law enforcement -- not necessarily all of the private keys generated by the ransomware. If one of these private keys corresponds to the key used to encrypt your system -- the keys are unique per system -- then you can recover your files," Cisco's Carter says.

Cisco's tool is different in that it can recover the files on any system infected by TeslaCrypt "as long as the master key is still on the system and we developed the tool without having to access one of the threat actor's servers," he says.

Dave Lewis, global security advocate for Akamai, says ransomware decryption tools are more of a stopgap measure. These ransomware decryption tools help, he says, but it's a temporary fix.

Lewis says he's noticed how ransomware attackers have gradually upped the ante in their blackmail. "I've noticed it's been slightly going up incrementally," says Lewis, who will speak at the Dark Reading Cyber Security Crash Course at Interop Las Vegas tomorrow.

The key to defending against ransomware attacks are basic security hygiene: layered defenses and good security awareness programs for end users, according to Lewis.

Cisco's Carter says the tool is aimed at all levels of victims, technical or nontechnical. "This tool is only a single instance of ransomware. There are many variants of ransomware currently attacking user systems," he notes. "The best defense is a strong multi-layered defense strategy including an industry standard backup and restore policy. A good backup will circumvent almost all of these ransomware variants."