Threat Spotlight: TeslaCrypt – Decrypt It Yourself - Errorcod3
http://blogs.cisco.com/security/talos/teslacrypt

======
Errorcod3
TeslaCrypt, the latest-and-greatest ransomware branch off of the CryptoWall
family, claims to the unwitting user that his/her documents are encrypted with
"a unique public key generated for this computer". This couldn't be farther
from the truth. In actuality, the developers of this malware appear to have been
lazy and implemented encryption using symmetric AES256 with a decryption key
generated on the user's machine.

If any of your machines are afflicted, Talos has developed a tool that can be
used to generate the user's machine's symmetric key and decrypt all of the
ransomed files. (From citpyrc - Slashdot)
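
The weakness the quoted summary describes, key material that exists on the victim machine, is what makes a recovery tool possible at all. The Go program below is an added illustration of that recovery step; it is not Talos's tool, and it does not reproduce TeslaCrypt's actual file format or key derivation (the SHA-256 seed, the fixed IV, AES-256-CBC with PKCS#7 padding and the "%PDF" known-plaintext check are all assumptions made for the example). It encrypts a constructed sample document with a locally derived key, then shows how a candidate key is validated before its output is trusted: valid padding plus the expected file magic accepts the key, and a wrong guess or a truncated ciphertext is rejected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample document. The "%PDF" prefix doubles as a known-plaintext
// check when validating a candidate key.
const sampleDoc = "%PDF-1.4 quarterly report (constructed sample)"

// Constructed IV (assumption); a real format would store it with each file.
var sampleIV = []byte("0123456789abcdef")

// localKey stands in for key material the malware left on the machine.
// Assumption: SHA-256 of a seed string. TeslaCrypt's real derivation is not
// reproduced here; the point is only that a key present on the box is usable.
func localKey(seed string) []byte {
	sum := sha256.Sum256([]byte(seed))
	return sum[:]
}

// pkcs7Pad appends 1..blockSize bytes, each equal to the pad length.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding and rejects anything malformed.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, errors.New("invalid padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// encryptCBC produces the constructed "ransomed" blob: AES-CBC over padded input.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// decryptCBC reverses encryptCBC and fails on bad length or bad padding.
func decryptCBC(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return pkcs7Unpad(out, block.BlockSize())
}

// tryKey is the recovery step: apply a candidate key and accept the result
// only if the padding is valid and the plaintext starts with the expected
// file magic. Random-looking output from a wrong key fails one of the checks.
func tryKey(key, iv, ciphertext, magic []byte) ([]byte, bool) {
	pt, err := decryptCBC(key, iv, ciphertext)
	if err != nil || !bytes.HasPrefix(pt, magic) {
		return nil, false
	}
	return pt, true
}

func main() {
	key := localKey("constructed-seed-left-on-victim")
	ct, err := encryptCBC(key, sampleIV, []byte(sampleDoc))
	if err != nil {
		panic(err)
	}
	if pt, ok := tryKey(key, sampleIV, ct, []byte("%PDF")); ok {
		fmt.Printf("recovered with local key: %q\n", pt)
	}
	if _, ok := tryKey(localKey("wrong-guess"), sampleIV, ct, []byte("%PDF")); !ok {
		fmt.Println("wrong key rejected by padding/magic check")
	}
}
```

The two-part acceptance test matters in practice: PKCS#7 padding alone accepts a wrong key about one time in 256 (whenever the last decrypted byte happens to be 0x01), so a known-plaintext check such as a file-type magic is what keeps a recovery tool from writing garbage over a victim's files.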

------
danbruc
Luckily at least some malware authors suck at cryptography, too. Generate a
random symmetric key, encrypt all files with this key, encrypt the symmetric
key with an asymmetric public key included in the malware. Game over. At least
until someone manages to obtain the private key.

~~~
CJefferson
However, you do lose deniability -- if you have possession of that key, you
have to explain it.

There might be more value in not requiring you keep track of a key, at the
loss of some users who figure out how to unencrypt themselves (of course, I
might be overestimating malware authors!)

~~~
sarciszewski
> However, you do lose deniability -- if you have possession of that key, you
> have to explain it.

Full disk encryption + encrypted VMs that are powered down when not in use +
religious adherence to TOR and basic OpSec common sense -> deniability is
almost irrelevant

~~~
Derpdiherp
Assuming that TOR isn't safe - which there's strong evidence to believe at the
moment, and you can track down who's involved, crypto becomes as strong as the
resistance to pain of the people involved.

~~~
sarciszewski
> Assuming that TOR isn't safe - which there's strong evidence to believe at
> the moment

There actually isn't strong evidence here, but regardless you should be
proactively paranoid anyway.

------
malwareforme
Post analyzing a recent sample of TeslaCrypt here:
[http://www.malwarefor.me/2015-04-27-angler-ek-pushes-teslacr...](http://www.malwarefor.me/2015-04-27-angler-ek-pushes-teslacrypt-0-3-6-ransomware/)

