Hacker Gang Gives Up Key to Private Data

Last week, digital security company Eset announced that it had created a free tool for victims of all iterations of the TeslaCrypt ransomware. Using the software, victims who have encountered data loss at the hands of criminals can regain access to their previously hacked and locked personal data.

The company stated that the criminal gang behind TeslaCrypt recently abandoned all support of the malicious software. When an analyst at Eset reached out to the group anonymously using the channel that TeslaCrypt’s operators offered to ransomware victims, the group of cyber criminals was surprisingly helpful. The analyst simply requested the universal master decryption key, and the hackers gave it up without a fight.

It’s not clear why the TeslaCrypt hackers decided to make public their master decryption key, especially since their malicious software has made the offenders millions of dollars.

“While it’s possible that they felt bad for the damage done, another possible reason is that they wanted to start fresh with a new codebase,” stated Lysa Myers, a security researcher with Eset. It may be that the group burned out on the ransomware market and was looking for a change. “Sometimes updates to an existing product can make things more error-prone, which makes it harder to make money,” Myers continued.

“Ending an old project can allow for a clean slate from which to start again.”

That said, one would think that the TeslaCrypt hackers could have just abandoned their existing software without giving everyone their personal data back. Either way, most security analysts don’t expect more generous behavior from the group. According to Bromium chief security architect Rahul Kashyap, it’s unlikely the hackers are done using ransomware to make easy money.

“They may want to change their payment scheme or try out a different business model,” he guessed. “It’s unlikely that they’re deserting the ransomware business.”

Mark Nunnikhoven, vice president of cloud research at Trend Micro, explained that releasing the master decryption key to TeslaCrypt software could actually be a strategic move for the hackers if they plan to continue with their ransomware scams.

“While it may seem like the right thing to do, there’s a profit motivation even in this,” he stated. “Ransomware criminals rely on their reputation of actually releasing the data in order to entice victims to pay… If the gang behind TeslaCrypt left victims high and dry, any new campaigns they are associated with would be less likely to be profitable due to their previous reputation.”

“The group may be concerned that if they continue to develop the code, it is only a matter of time before law enforcement catches them,” mused Brad Cyprus, chief of security and compliance at Netsurion. “By turning the decryption key, they’re hoping to fall lower on law enforcement’s radar while other malware and ransomware projects will garner more attention, leaving the makers of TeslaCrypt to spend their ill-gotten gains.”

The precise number behind those ill-gotten gains is difficult to determine due to their illicit nature, but TeslaCrypt has been estimated to generate somewhere around $80 million a year.

“TeslaCrypt has never been among the top earners for ransomware since its first appearance about a year ago,” Nunnikhoven explains. “While still devastating to its victims, it never showed signs of the wild profitability we’ve seen with Cryptolocker or Locky.”

According to industry professionals, TeslaCrypt was showing up considerably less in the months that led up to the hacker team’s offering of the universal decryption key.

“Currently it’s unclear if the former TeslaCrypt engineers have abandoned the extortion business altogether or simply moved on to another strain of malicious software,” commented Daniel Korsunsky, director of product strategy at Comodo. “The latter is extremely unlikely, especially given that TeslaCrypt was starting to crumble under the weight of a multitude of decryptors that were making it less effective when used.”