"If that would have been the case, they could have changed the key and continued the operation," Jornt van der Wiel, a security researcher with Kaspersky Lab, told eWEEK in an email interview.
In the end, TeslaCrypt may not have been worth the risk to the group behind the malware. After all, it was not the most successful ransomware operation by far. If CryptoLocker and CryptoWall are the Coke and Pepsi of ransomware, TeslaCrypt is the knock-off that cannot be found in most stores.
In data published in March, for example, network security firm Fortinet found that 83 percent of ransomware traffic consisted of compromised computers communicating with CryptoWall command-and-control (C&C) servers and 16 percent with Locky servers. Only a sliver of bandwidth, 0.08 percent, sought out C&C servers of the third most pervasive ransomware, TeslaCrypt.
Its share remained slim even after a massive push by the group in December, when security firms noticed that TeslaCrypt-related traffic had climbed.
The low C&C traffic, however, does not mean the ransomware was not profitable. Soon after TeslaCrypt came out, over a two-month period between February and April 2015 security firm FireEye followed bitcoin transactions to track the group's profits. It found the group made nearly $77,000 from 163 victims. CryptoLocker, by comparison, made an estimated $3 million between September 2013 and when it was shut down in May 2014—about eight times more on a monthly basis.
The abandonment of TeslaCrypt is not the first time a cyber-criminal group has given up on its ransomware operation. On May 30, 2015, a person claiming to be the author of another niche ransomware program known as Locker halted operations and posted an apology to PasteBin.
"I am the author of the Locker ransomware and I'm very sorry about that [it's (sic) release] has happened," stated the author, using the name 'Poka BrightMinds.' "It was never my intention to release this."
The TeslaCrypt group had ruthlessly encrypted data on victims' systems, but its exit could have been far worse, David Harley, senior research fellow at ESET, told eWEEK in an email interview.
"I can’t say I admire the people behind TeslaCrypt, but they could have simply dropped development and left their remaining victims with no way to recover their files, and the fact that they were persuaded not to probably deserves a muted cheer," he said.
However, people should not expect a respite from ransomware. With the shutdown of TeslaCrypt, a new data-encrypting malicious program, CryptXXX, is taking its place. The 3-month-old ransomware program has taken off, has been updated recently and has switched from being distributed via the Angler exploit kit to the Neutrino exploit kit, according to researchers.
"Technically, these instances don’t tell us much about ransomware in general," Harley said. "However, they do suggest that not all ransomware developers are the kind of complete sociopath who actually enjoys inflicting damage, doesn’t care if victims get their treasured files back, and may even cause files to be deleted … in order to encourage the victim to pay up faster."