In early May, Igor Kabina, a researcher with security firm ESET, noticed that the group behind the third most prevalent ransomware operation, TeslaCrypt, had seemingly taken a breather.
Following the April release of version 4 of its data-encryption malware, the group's development efforts slowed. Wondering if the group was closing up shop, Kabina pretended to be a victim and used the group’s support service to ask if it would release the master key.
"On April 27th, a version that later turned out to be the very last version of TeslaCrypt was compiled," he stated in a company interview. "Soon after that, I noticed that the people behind it had stopped spreading this version and that all the links they used were slowly dying. So I tried my luck, pretended to be one of their victims and asked them if they would be so kind as to release all four of the private keys they had been using since TeslaCrypt started."
To the surprise of everyone at the security firm, a few days later, on May 18, the ransomware group announced it was shutting down and publicly released its private key.
The reason for the abrupt halt of the criminal operation, however, remains a mystery. Although the group ended its brief goodbye note with an apology—"we are sorry!"—researchers doubt that shame led the group to cease operations. The criminals behind TeslaCrypt sometimes allowed lesser payments and even decrypted for free, but the group did not generally show remorse in dealing with victims.
One possibility raised by researchers is that the group behind TeslaCrypt had become wary of getting too much attention from law enforcement and security researchers.
"Several companies were doing deep dives to find issues in their programs, and add to that law enforcement targeting them," Craig Williams, senior technical leader with Cisco Systems' Talos team, told eWEEK. "When you are a bad guy, having too much attention on you is not something you want."
As soon as TeslaCrypt arrived in February 2015, security firms began tracking the software. Initially, it appeared to be a knock-off of the CryptoLocker ransomware. A subsequent update emulated CryptoWall but used the name TeslaCrypt.
Security firms and researchers kept up with the malware's code changes. Cisco created a tool to decrypt the first versions of the ransomware. Later, both ESET and an online researcher known as BloodDolly created utilities to decrypt up to version 2 of the malware. Subsequent versions, however, contained no obvious mistakes in their encryption algorithms. For most victims, the only hope of recovering their data was to pay for the key.
Yet, the gift of the master key meant that the decryption utilities could be updated to work with even the latest versions. Following the release of the master key in May, both ESET and BloodDolly used the code to decrypt data scrambled by versions 3 and 4 of the program.
It's unlikely that an insider or rival leaked the key, according to security firm Kaspersky Lab.