Articles about ransomware often don’t make terribly happy reading, especially if you’ve gone looking for the article because you’re looking at a “pay page”. That’s the message you see from most ransomware after it has scrambled your data, when the crooks make absolutely sure you know how to go about buying your data back.
Occasionally, the malware attacks everything. That happened with ransomware called Petya, which scrambled the low-level index of your C: drive (the Master File Table that tells the filesystem where every file lives) so you couldn’t boot at all, let alone use a browser, copy-and-paste text, or even take a screenshot.
You had to find another computer to get online, and manually type in the long alphanumeric personal decryption code that Petya displayed on the locked screen.
But most ransomware is much more commercially savvy than that, and goes to great lengths to ensure that your operating system and all your applications are left well alone. That leaves you free to get online, follow instructions, and send money to the criminals.
To leave you in no doubt about what to do next, some ransomware even changes your wallpaper so that the how-to-pay details are permanently in your face.
So we were surprised and delighted in equal measure to read that security researchers over at ESET had reached out to the crooks behind TeslaCrypt…
…asked them for the private key used in the operation…
…and received the reply, “Project closed, master key for decrypt XXX…XXX,[…] we are sorry.”
We weren’t inclined to believe that the crooks really were sorry, but it seems that the master key was genuine.
Most ransomware uses what’s called a hybrid cryptosystem, in which files are scrambled with a regular symmetric encryption algorithm such as AES, which is fast and straightforward.
Each computer, or more commonly each file, gets a unique, randomly chosen key. That key is never stored on disk in the clear, so it can’t simply be read back afterwards. Instead, the file key is itself encrypted using a public key for which only the crooks hold the corresponding private key, and that wrapped copy is what gets left alongside the scrambled file. (Public-key cryptography relies on two related keys: one that locks data, and another that unlocks it. The two are generated together as a pair, but working out the private key from the public key is computationally infeasible at any sensible key size, which is what makes the scheme safe to use. In other words, the public key means that other people can scramble data that only the private-key holder can decrypt.)
Usually, the crooks never part with the private key – they just use it to decrypt the unique AES key or keys needed to unlock your computer.
Because your file keys are unique to you, they only work on your files, so you can’t use them to help out other victims. That is what makes the TeslaCrypt gang’s announcement unusual: the master key they handed over is the private key that unwraps every victim’s file keys, the one real business secret in the whole operation. Indeed, various public tools have already been created to use the TeslaCrypt master key to unscramble locked files for free.
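To make the hybrid scheme concrete, here is an added example (written for this page, not code from TeslaCrypt, ESET or Sophos) in Go using only the standard library. It assumes AES-256-GCM for the bulk encryption and RSA-OAEP for wrapping the per-file key, which are our choices for illustration; the article only says “AES plus a public key”, and the real TeslaCrypt file format is not reproduced here. The two “victim files” are constructed inline. The point it demonstrates is the one above: each file gets its own random key, that key only survives on disk wrapped under the crooks’ public key, one victim’s unwrapped file key does nothing for another victim, but the single private (master) key opens everyone’s files.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Locked is what the ransomware leaves on disk in place of each original file:
// the AES-GCM ciphertext, its nonce, and the per-file key wrapped under the
// crooks' RSA public key. The raw file key itself is never written anywhere.
type Locked struct {
	WrappedKey []byte // RSA-OAEP(attackerPublicKey, fileKey)
	Nonce      []byte
	Ciphertext []byte
}

// lockFile plays the ransomware: a fresh random 256-bit AES key per file,
// AES-GCM for the bulk data, and the key wrapped with the attacker's public key.
func lockFile(pub *rsa.PublicKey, plaintext []byte) (*Locked, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Locked{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// unwrapFileKey is the one step only the private-key (master key) holder can do.
func unwrapFileKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// decryptWithFileKey needs no private key, but because every file has its own
// key, a key recovered for one victim's file is useless against anyone else's.
func decryptWithFileKey(fileKey []byte, l *Locked) ([]byte, error) {
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// GCM authenticates the ciphertext, so the wrong key yields an error, not garbage.
	return gcm.Open(nil, l.Nonce, l.Ciphertext, nil)
}

// unlockFile is what a free decryptor built around a leaked master key does.
func unlockFile(priv *rsa.PrivateKey, l *Locked) ([]byte, error) {
	fileKey, err := unwrapFileKey(priv, l.WrappedKey)
	if err != nil {
		return nil, err
	}
	return decryptWithFileKey(fileKey, l)
}

func main() {
	// The crooks' master keypair; in a real campaign only the public half ships in the malware.
	master, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Two constructed "victim files" scrambled by the same malware build.
	a, _ := lockFile(&master.PublicKey, []byte("victim A: quarterly accounts"))
	b, _ := lockFile(&master.PublicKey, []byte("victim B: holiday photos"))

	// The master key opens both...
	for _, l := range []*Locked{a, b} {
		pt, err := unlockFile(master, l)
		fmt.Printf("master key -> %q (err=%v)\n", pt, err)
	}
	// ...but A's unwrapped file key does nothing for B.
	keyA, _ := unwrapFileKey(master, a.WrappedKey)
	_, err = decryptWithFileKey(keyA, b)
	fmt.Println("A's file key on B's file:", err)
}
```

Run it with `go run .` and you get both plaintexts back from the master key, followed by an authentication failure when victim A’s file key is tried on victim B’s file. Using an authenticated mode (GCM) rather than plain CBC is deliberate: it is why a wrong key is reported as an error instead of silently producing corrupt output, which is also what you want from any real decryption tool.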
Of course, only victims who have been hit recently and haven’t yet paid up, or victims who backed up their already-encrypted data just in case, will get much use out of the master key at this stage.
Why did the crooks do it?
That really is the million pound question, and we shall probably only ever be able to guess at the answer.
We can think of the following possibilities:
- The crooks are genuinely sorry, and have retired in a fit of conscience.
- The crooks were hacked by another gang, who spilled the master key to ruin their rivals’ business.
- The crooks have switched their time and effort to newer ransomware.
- The crooks have made so much money that they want to retire in a media-friendly way before they get caught.
What do you think?