In early May, Igor Kabina, a researcher with security firm ESET, noticed that the group behind the third most prevalent ransomware operation, TeslaCrypt, had seemingly taken a breather.
Following the April release of version 4 of its data-encryption malware, the group’s development efforts slowed. Wondering if the group was closing up shop, Kabina pretended to be a victim and used the group’s support service to ask if it would release the master key.
“On April 27th, a version that later turned out to be the very last version of TeslaCrypt was compiled,” he stated in a company interview. “Soon after that, I noticed that the people behind it had stopped spreading this version and that all the links they used were slowly dying. So I tried my luck, pretended to be one of their victims and asked them if they would be so kind as to release all four of the private keys they had been using since TeslaCrypt started.”
To the surprise of everyone at the security firm, a few days later, on May 18, the ransomware group announced it was shutting down and publicly released its private key.
The reason for the abrupt halt of the criminal operation, however, remains a mystery. Although the group ended its brief goodbye note with an apology—“we are sorry!”—researchers doubt that shame led the group to cease operations. The criminals behind TeslaCrypt sometimes allowed lesser payments and even decrypted for free, but the group did not generally show remorse in dealing with victims.
One possibility raised by researchers is that the group behind TeslaCrypt had become wary of getting too much attention from law enforcement and security researchers.
“Several companies were doing deep dives to find issues in their programs, and add to that law enforcement targeting them,” Craig Williams, senior technical leader with Cisco Systems’ Talos team, told eWEEK. “When you are a bad guy, having too much attention on you is not something you want.”
As soon as TeslaCrypt arrived in February 2015, security firms began tracking the software. Initially, it appeared to be a knock-off of the CryptoLocker ransomware. A subsequent update emulated CryptoWall but used the name TeslaCrypt.
Security firms and researchers kept up with the malware’s code changes. Cisco created a tool to decrypt the first versions of the ransomware. Later, both ESET and an online researcher known as BloodDolly created utilities to decrypt up to version 2 of the malware. Subsequent versions, however, contained no obvious mistakes in their encryption algorithms. For most victims, the only hope of recovering their data was to pay for the key.
Yet, the gift of the master key meant that the decryption utilities could be updated to work with even the latest versions. Following the release of the master key in May, both ESET and BloodDolly used the code to decrypt data scrambled by versions 3 and 4 of the program.
It’s unlikely that an insider or rival leaked the key, according to security firm Kaspersky Lab.
Security Researchers Puzzled by Demise of TeslaCrypt Ransomware
“If that would have been the case, they could have changed the key and continued the operation,” Jornt van der Wiel, a security researcher with Kaspersky Lab, told eWEEK in an email interview.
In the end, TeslaCrypt may not have been worth the risk to the group behind the malware. After all, it was not the most successful ransomware operation by far. If CryptoLocker and CryptoWall are the Coke and Pepsi of ransomware, TeslaCrypt is the knock-off that cannot be found in most stores.
In data published in March, for example, network security firm Fortinet found that 83 percent of ransomware traffic consisted of compromised computers communicating with CryptoWall command-and-control (C&C) servers and 16 percent with Locky servers. Only a sliver of bandwidth, 0.08 percent, sought out C&C servers of the third most pervasive ransomware, TeslaCrypt.
Its share remained slim even after a massive push by the group in December, when security firms noticed that TeslaCrypt-related traffic had climbed.
The low C&C traffic, however, does not mean the ransomware was not profitable. Soon after TeslaCrypt came out, over a two-month period between February and April 2015, security firm FireEye followed bitcoin transactions to track the group’s profits. It found the group made nearly $77,000 from 163 victims. CryptoLocker, by comparison, made an estimated $3 million between September 2013 and when it was shut down in May 2014—about eight times more on a monthly basis.
The abandonment of TeslaCrypt is not the first time a cyber-criminal group has given up on its ransomware operation. On May 30, 2015, a person claiming to be the author of another niche ransomware program known as Locker halted operations and posted an apology to PasteBin.
“I am the author of the Locker ransomware and I’m very sorry about that [it’s (sic) release] has happened,” stated the author, using the name ‘Poka BrightMinds.’ “It was never my intention to release this.”
The TeslaCrypt group had ruthlessly encrypted data on victims’ systems, but its exit could have been far worse, David Harley, senior research fellow at ESET, told eWEEK in an email interview.
“I can’t say I admire the people behind TeslaCrypt, but they could have simply dropped development and left their remaining victims with no way to recover their files, and the fact that they were persuaded not to probably deserves a muted cheer,” he said.
However, people should not expect a respite from ransomware. With the shutdown of TeslaCrypt, a new data-encrypting malicious program, CryptXXX, is taking its place. The 3-month-old ransomware program has taken off, has been updated recently and has switched from being distributed via the Angler exploit kit to the Neutrino exploit kit, according to researchers.
“Technically, these instances don’t tell us much about ransomware in general,” Harley said. “However, they do suggest that not all ransomware developers are the kind of complete sociopath who actually enjoys inflicting damage, doesn’t care if victims get their treasured files back, and may even cause files to be deleted … in order to encourage the victim to pay up faster.”