03:50 PM
Connect Directly

Cisco Offers Free Decryption Tool For Ransomware Victims

Tool decrypts, unlocks files hit by TeslaCrypt ransomware attacks.

First the good news: there are now free utilities for decrypting your data after a ransomware attack. Now the bad news:  the tools only work for specific ransomware, not all variants.

Cisco Systems' Talos team today released a free tool for victims of the TeslaCrypt ransomware attack that decrypts the locked-down files. TeslaCrypt, which Cisco says may be related to the now mostly defunct CryptoLocker, uses symmetric AES encryption, which allowed Cisco to build a tool using the decryption key. Interestingly, TeslaCrypt warns that it uses strong asymmetric AES-2048 encryption to lock victims out of their files, but that's not the case.

TeslaScript goes after various victims, including PC gamers, whose games and coveted and valuable Steam activation keys get locked down in its attack.

"We reverse engineered the way the TeslaCrypt worked and were able to develop the tool based on that," says Earl Carter, threat researcher with Talos. "In the past, we have also reverse engineered other ransomware, like Cryptowall, but in that case, the ransomware was using asymmetric encryption, so creating a tool was not possible."

Kaspersky Lab, meanwhile, offers a tool for victims of the CoinVault ransomware. Kaspersky, which teamed up with Dutch law enforcement authorities in the CoinVault attacks, obtained access to the private keys from the attackers and offers CoinVault victims who are locked out of their data access to their confiscated key.

"The Kaspersky instance is similar to the original CryptoLocker decryption tool that was developed after the police takedown of CryptoLocker.  Both of those tools consists of a list of private keys obtained by law enforcement -- not necessarily all of the private keys generated by the ransomware. If one of these private keys corresponds to the key used to encrypt your system -- the keys are unique per system -- then you can recover your files," Cisco's Carter says.

Cisco's tool is different in that it can recover the files on any system infected by TeslaCrypt "as long as the master key is still on the system and we developed the tool without having to access one of the threat actor's servers," he says.

Dave Lewis, global security advocate for Akamai, says ransomware decryption tools are more of a stopgap measure. These ransomware decryption tools help, he says, but it's a temporary fix.

Lewis says he's noticed how ransomware attackers have gradually upped the ante in their blackmail. "I've noticed it's been slightly going up incrementally," says Lewis, who will speak at the Dark Reading Cyber Security Crash Course at Interop Las Vegas tomorrow.

The key to defending against ransomware attacks are basic security hygiene: layered defenses and good security awareness programs for end users, according to Lewis.

Cisco's Carter says the tool is aimed at all levels of victims, technical or nontechnical. "This tool is only a single instance of ransomware. There are many variants of ransomware currently attacking user systems," he notes. "The best defense is a strong multi-layered defense strategy including an industry standard backup and restore policy. A good backup will circumvent almost all of these ransomware variants."

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
5/12/2017 | 3:59:24 AM
Great software
Well I started using Impedio Security a while ago and I must say that I'm suprised I didn't find it earlier. It's great way to keep your data safe and don't have to worry about your files being corrupted iny any way. It's helpful because last time my friend acidentally deleted folder where I had important stuff for school and now I just put these folders in read-only volumes so no one can delete them, even malicious softwares. I was ransomware victim once but thank God now it's all over and I encouraged all of you to get Impedio and don't worry about malware anymore (y)
User Rank: Strategist
2/21/2017 | 12:39:27 PM
Re: Free Decryption Tools For Ransomware Victims
Unfortunately, not all of them are possible to decrypt. Here is the list of ransomware extensions and available decryptors for them.
BPID Security
BPID Security,
User Rank: Strategist
5/4/2015 | 5:25:14 PM
Thank you
Thank you Kelley.

This represents the good and bad of security.

First the bad you can get your data locked and the good is get help unlocking.

Second the bad means that for a price there are tools to decrypt your data available to those who shouldn't have them and your data is no longer 'safe' as there are free tools to unlock it. The good? Gee I don't know anything more than getting help when your data is locked and you don't have a key.

Great article and thanks for sharing.


Paul BPID Security


User Rank: Apprentice
4/29/2015 | 3:27:53 PM
Help remove TeslaCrypt Virus - Worked for me...

Hey I know the TeslaCrypt virus is extremely prevalent this time of year, However; I was able to remove it from my computer using the steps listed in this 3-step guide

Please let me know if anyone else if successful in removing this virus. The instructions are a little lengthy but it did the trick for me.

Hope this helps at least a few people,


User Rank: Ninja
4/29/2015 | 9:00:45 AM
Temporary Fix
Unfortunately, because this is only for certain variants of ransomware I see this teetering out in the near future. I can't see companies offering free utilities and spending man hours to reverse engineer all the new variants that come out. Though this is a good start, its not sustainable.
User Rank: Apprentice
4/28/2015 | 7:45:21 PM
Re: From Reverse Engineering to Development
That's the way... You have to reverse to have the key
User Rank: Ninja
4/28/2015 | 5:15:24 PM
From Reverse Engineering to Development
Something about this reminds me of how the first skeleton key must have come about, followed by a long and distinguished array of lock pickers.  Not only that, but the large keyring of both original and skeleton keys that we've come to associate with the locksmith who you call when you get locked out.  More on that later...

First, I think this is a brilliant piece of work on the part of all parties who have provided decryption tools to victims.  Not just because that is what they should do, but because it makes good business sense and it sets the tone for other companies and their customer relationships.

...and we're back.  What I see here is an opportunity, too.  Imagine developing a decryption tool that is the equivalent of that keyring your handy locksmith sports about.  You'd keep it on a USB or similar device, and it would have hundreds of thousands of modules based upon reverse-engineered ransomware (or other sources of encryption) and their key stores.  It would be bootable and based on GNU/Linux, BSD or a similar UNIX flavor.

No, you wouldn't be handing this out to folks, and no, only a "locksmith" (or in this case an InfoSec professional) would carry it. 

There are similar USB-geared projects out there but there is so much more you could do with the architecture.  Thinking out loud.
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
Curtis Franklin Jr., Senior Editor at Dark Reading,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-02-18
Stack-based buffer overflow in the strip_vt102_codes function in TinTin++ 2.01.6 and WinTin++ 2.01.6 allows remote attackers to execute arbitrary code by sending a long message to the client.
PUBLISHED: 2019-02-18
The seadroid (aka Seafile Android Client) application through 2.2.13 for Android always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it easier to conduct chosen-plaintext attacks or dictionary attacks.
PUBLISHED: 2019-02-18
SolarWinds Orion NPM before 12.4 suffers from a SYSTEM remote code execution vulnerability in the OrionModuleEngine service. This service establishes a NetTcpBinding endpoint that allows remote, unauthenticated clients to connect and call publicly exposed methods. The InvokeActionMethod method may b...
PUBLISHED: 2019-02-18
An issue was discovered in WTCMS 1.0. It allows remote attackers to execute arbitrary PHP code by going to the "Setting -> Mailbox configuration -> Registration email template" screen, and uploading an image file, as demonstrated by a .php filename and the "Content-Type: image/g...
PUBLISHED: 2019-02-18
An issue was discovered in WTCMS 1.0. It allows remote attackers to cause a denial of service (resource consumption) via crafted dimensions for the verification code image.