Skip to Main Content

Ransomware turns over a new leaf … maybe

Strange things are afoot in the ransomware world with some groups reportedly shutting down voluntarily while others are being out-tricked by white-hat hackers. The changes show a sector in transition where it is not clear whether cyber-criminals have shifted tactics due to a guilty conscious, there is a planned transition into a new  enterprise, or if an angry mom is shutting down her hacker child’s little business.

The jury is out.

The customer service department of the TeslaCrypt ransomware was visited surreptitiously by security researchers. The ESET researchers just played the role of an infected consumer and asked for the universal master decryption. They received this key along with a “Sorry” note. This enabled the researchers to make a free decryption key able to unlock all known variants of the ransomware.  Posting the key effectively ended the TeslaCrypt business as we now know it … After all, what use is ransomware if anyone can decrypt it for free?


A few days beforehand, white hats from Kaspersky launched their new free decryption tool for all variants of the Cryptxxx ransomware. It was the latest saga in a tit-for-tat battle with the cybercriminals. Cryptxxx has primarily been distributed through infected ads that spread a varied combination of Trojans, exploit kits, and ransomware.

We understand the never-ending battle with Cryptxxx. But, the idea of the cybercriminals behind TeslaCrypt voluntarily posting their business keys on the door and shutting down still seems odd – but did happen last year with the tox ransomware.

Here are three purely theoretical reasons why TeslaCrypt said sorry:

  1. They got religion – Perhaps they realized that stealing money from hospitals and people is a less-than-moral activity as measured by about any religion – even those wearing pasta strainers on their heads.
  2. Mom got angry – Mom got a ransomware infection on her PC. Then she found out that her adult child living in the cave downstairs is one of the people developing and distributing this horrible malware. She is angry, very angry.
  3. Transitioning to “new product” –The bad guys want to definitively put their old product out of business before launching the latest model. The short history of cybercrime is full of examples of competing bad guys fighting it out for right to steal from the good guys. As Vizzini stated in Princess Bride: “You’re trying to kidnap what I’ve rightfully stolen.”

Currently, there is a lot of speculation out there in the security world over the action from TeslaCrypt. But since we haven’t had a direct PR statement or feedback from the criminal group itself – all thoughts are still speculation.

The seeming demise of TeslaCrypt and Cryptxxx changes the landscape on the security battlefield but does not end the war – or the risks. As we know, there are many other ransomware groups such as Locky and Maktub out there. And, the crime business is very tough for them. Even among the bad guys, everybody wants “eat the cake” to, for example, directly contact the victims or operate ransomware as service.

But on the other hand, the security industry has learnt more than less how to handle the problems from the Angler Exploit kit, which was definitely one popular method for spreading ransomware.

Therefore this is no time to relax, to put down one’s guard, and to mindlessly open everything in your email box. Something new and something bad is going to come. I am quite sure we haven’t heard the last from the criminal group behind TeslaCrypt.


Team Leader Virus Lab Disinfection Service