TeslaCrypt Isn't All That Cryptic
citpyrc writes: TeslaCrypt, the latest-and-greatest ransomware branch off of the CryptoWall family, claims to the unwitting user that his/her documents are encrypted with "a unique public key generated for this computer". This couldn't be farther from the truth. In actuality, the developers of this malware appear to have been lazy and implemented encryption using symmetric AES256 with a decryption key generated on the user's machine. If any of your machines are afflicted, Talos has developed a tool that can be used to generate the user's machine's symmetric key and decrypt all of the ransomed files.
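The security point in the summary is the gap between what the ransom note claims (a per-machine public key) and what the sample reportedly did (symmetric AES-256 with a key generated, and therefore recoverable, on the victim's host). The Go program below is an added illustration, not code from the submission, from Talos, or from the TeslaCrypt sample: it implements both designs side by side. `machineKey`, the `machineLocal` input, and the sample document are constructed stand-ins; the page does not describe how the real sample generated or stored its key, only that it was generated on the machine. In the weak scheme the victim recovers the file with nothing but on-host material; in the hybrid scheme the per-file AES key leaves the machine wrapped under the attacker's RSA public key, and only the matching private key unwraps it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// WeakLockedFile models the scheme the summary describes: AES-256 with a key
// generated on the victim's machine and never handed to the attacker.
type WeakLockedFile struct {
	Nonce, Ciphertext []byte
}

// HybridLockedFile models what the ransom note claimed: a fresh per-file AES
// key, wrapped under the attacker's RSA public key with OAEP.
type HybridLockedFile struct {
	WrappedKey, Nonce, Ciphertext []byte
}

func aesGCMSeal(key, plaintext []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

func aesGCMOpen(key, nonce, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

// machineKey is a constructed stand-in for "a key generated on the user's
// machine": a 32-byte AES-256 key derived from material that stays on the
// host, so any code running on that host can recompute it.
func machineKey(machineLocal []byte) []byte {
	k := sha256.Sum256(machineLocal)
	return k[:]
}

// weakLock encrypts the way the summary says TeslaCrypt did.
func weakLock(machineLocal, plaintext []byte) (*WeakLockedFile, error) {
	nonce, ct, err := aesGCMSeal(machineKey(machineLocal), plaintext)
	if err != nil {
		return nil, err
	}
	return &WeakLockedFile{Nonce: nonce, Ciphertext: ct}, nil
}

// weakRecover is the victim-side decryptor: no ransom and no attacker
// involvement, just the same on-host key material the malware used.
func weakRecover(machineLocal []byte, f *WeakLockedFile) ([]byte, error) {
	return aesGCMOpen(machineKey(machineLocal), f.Nonce, f.Ciphertext)
}

// hybridLock is the design the note claimed: the AES key exists on the victim's
// machine only transiently and leaves it wrapped under the attacker's public key.
func hybridLock(pub *rsa.PublicKey, plaintext []byte) (*HybridLockedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	nonce, ct, err := aesGCMSeal(fileKey, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &HybridLockedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// hybridUnlock needs the RSA private key, which never touches the victim's machine.
func hybridUnlock(priv *rsa.PrivateKey, f *HybridLockedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, f.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap the file key without the matching private key")
	}
	return aesGCMOpen(fileKey, f.Nonce, f.Ciphertext)
}

func main() {
	doc := []byte("constructed sample document")
	host := []byte("constructed machine-local value")
	weak, _ := weakLock(host, doc)
	got, err := weakRecover(host, weak)
	fmt.Printf("symmetric, key on host: recovered=%q err=%v\n", got, err)

	attacker, _ := rsa.GenerateKey(rand.Reader, 2048)
	bystander, _ := rsa.GenerateKey(rand.Reader, 2048)
	hyb, _ := hybridLock(&attacker.PublicKey, doc)
	_, err = hybridUnlock(bystander, hyb)
	fmt.Printf("hybrid, wrong private key: err=%v\n", err)
}
```

The contrast is the whole lesson: in the weak scheme the decryptor is a function of data that stays on the victim's machine, which is exactly the property a recovery tool can exploit; in the hybrid scheme the only route to the file key is the attacker's private key, and no amount of host forensics helps.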
They could have claimed to have encrypted the documents using a slice of lemon wrapped around a hamster.
The problem with hamster-based encryption is the animal rarely survives the XOR process.
[Nice username.] =)
Actually, that's not that hard. Getting a slice of hamster is pretty straightforward. It's unslicing the lemon that's challenging.
Anyone with a brain:
Would you trust the guys that infected your system, removed your access to files, ransomed the decryption key from you etc. to correctly - and perfectly - restore your untouched data?
Because I know I wouldn't. Not without hashes of pre-infection data that I could trust, on some untouched backup device, to compare against. And then the restoration, comparison and cleanup operation is actually worse than just restoring to pre-infection backups.
You have to think of this. These people put a virus on your system that locked your files away. And you're "trusting" them to not only restore those files but to do so without introducing further infection vectors in the process. What's to say that their decrypt / encrypt routine isn't just a smokescreen to infect all your files with something else en route? Or that they've not just done it to delay your realising that they now have that document you had with all your passwords in it...
If you're victim to ransomware, there are two options:
- You have no backups, the data wasn't important enough for a GBP50 device and your pressing the button once a month, so you've not lost anything of major value by not paying the ransom.
- You have virtually-full, verified backups just over there anyway and would have to perform all kinds of integrity checks to ensure the ransomed data is clean.
The option of "pay ransom" is really a sign that you've failed yourself (and your customers, if you're a business). You can't stop data exposure, but to have to pay to get your data back, that's just stupidity on your part.
As such, blocking the infection vector is infinitely more important than anything else, and then taking a good backup on a regular basis is second on the list. Anything else is very much bottom of the list.
What scares me most about ransomware is not the encryption, or the ransom, or the difficulty of decryption (once that data is compromised, it's gone, it's as simple as that). It's purely that it means a system-level restore of your PC / network, and that you had a hole somewhere whereby it could wreak that kind of havoc.