Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:50 PM
Connect Directly

Cisco Offers Free Decryption Tool For Ransomware Victims

Tool decrypts, unlocks files hit by TeslaCrypt ransomware attacks.

First the good news: there are now free utilities for decrypting your data after a ransomware attack. Now the bad news:  the tools only work for specific ransomware, not all variants.

Cisco Systems' Talos team today released a free tool for victims of the TeslaCrypt ransomware attack that decrypts the locked-down files. TeslaCrypt, which Cisco says may be related to the now mostly defunct CryptoLocker, uses symmetric AES encryption, which allowed Cisco to build a tool using the decryption key. Interestingly, TeslaCrypt warns that it uses strong asymmetric AES-2048 encryption to lock victims out of their files, but that's not the case.

TeslaScript goes after various victims, including PC gamers, whose games and coveted and valuable Steam activation keys get locked down in its attack.

"We reverse engineered the way the TeslaCrypt worked and were able to develop the tool based on that," says Earl Carter, threat researcher with Talos. "In the past, we have also reverse engineered other ransomware, like Cryptowall, but in that case, the ransomware was using asymmetric encryption, so creating a tool was not possible."

Kaspersky Lab, meanwhile, offers a tool for victims of the CoinVault ransomware. Kaspersky, which teamed up with Dutch law enforcement authorities in the CoinVault attacks, obtained access to the private keys from the attackers and offers CoinVault victims who are locked out of their data access to their confiscated key.

"The Kaspersky instance is similar to the original CryptoLocker decryption tool that was developed after the police takedown of CryptoLocker.  Both of those tools consists of a list of private keys obtained by law enforcement -- not necessarily all of the private keys generated by the ransomware. If one of these private keys corresponds to the key used to encrypt your system -- the keys are unique per system -- then you can recover your files," Cisco's Carter says.

Cisco's tool is different in that it can recover the files on any system infected by TeslaCrypt "as long as the master key is still on the system and we developed the tool without having to access one of the threat actor's servers," he says.

Dave Lewis, global security advocate for Akamai, says ransomware decryption tools are more of a stopgap measure. These ransomware decryption tools help, he says, but it's a temporary fix.

Lewis says he's noticed how ransomware attackers have gradually upped the ante in their blackmail. "I've noticed it's been slightly going up incrementally," says Lewis, who will speak at the Dark Reading Cyber Security Crash Course at Interop Las Vegas tomorrow.

The key to defending against ransomware attacks are basic security hygiene: layered defenses and good security awareness programs for end users, according to Lewis.

Cisco's Carter says the tool is aimed at all levels of victims, technical or nontechnical. "This tool is only a single instance of ransomware. There are many variants of ransomware currently attacking user systems," he notes. "The best defense is a strong multi-layered defense strategy including an industry standard backup and restore policy. A good backup will circumvent almost all of these ransomware variants."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
5/12/2017 | 3:59:24 AM
Great software
Well I started using Impedio Security a while ago and I must say that I'm suprised I didn't find it earlier. It's great way to keep your data safe and don't have to worry about your files being corrupted iny any way. It's helpful because last time my friend acidentally deleted folder where I had important stuff for school and now I just put these folders in read-only volumes so no one can delete them, even malicious softwares. I was ransomware victim once but thank God now it's all over and I encouraged all of you to get Impedio and don't worry about malware anymore (y)
User Rank: Strategist
2/21/2017 | 12:39:27 PM
Re: Free Decryption Tools For Ransomware Victims
Unfortunately, not all of them are possible to decrypt. Here is the list of ransomware extensions and available decryptors for them.
BPID Security
BPID Security,
User Rank: Strategist
5/4/2015 | 5:25:14 PM
Thank you
Thank you Kelley.

This represents the good and bad of security.

First the bad you can get your data locked and the good is get help unlocking.

Second the bad means that for a price there are tools to decrypt your data available to those who shouldn't have them and your data is no longer 'safe' as there are free tools to unlock it. The good? Gee I don't know anything more than getting help when your data is locked and you don't have a key.

Great article and thanks for sharing.


Paul BPID Security


User Rank: Apprentice
4/29/2015 | 3:27:53 PM
Help remove TeslaCrypt Virus - Worked for me...

Hey I know the TeslaCrypt virus is extremely prevalent this time of year, However; I was able to remove it from my computer using the steps listed in this 3-step guide 


Please let me know if anyone else if successful in removing this virus. The instructions are a little lengthy but it did the trick for me.

Hope this helps at least a few people,


User Rank: Ninja
4/29/2015 | 9:00:45 AM
Temporary Fix
Unfortunately, because this is only for certain variants of ransomware I see this teetering out in the near future. I can't see companies offering free utilities and spending man hours to reverse engineer all the new variants that come out. Though this is a good start, its not sustainable.
User Rank: Apprentice
4/28/2015 | 7:45:21 PM
Re: From Reverse Engineering to Development
That's the way... You have to reverse to have the key
User Rank: Ninja
4/28/2015 | 5:15:24 PM
From Reverse Engineering to Development
Something about this reminds me of how the first skeleton key must have come about, followed by a long and distinguished array of lock pickers.  Not only that, but the large keyring of both original and skeleton keys that we've come to associate with the locksmith who you call when you get locked out.  More on that later...

First, I think this is a brilliant piece of work on the part of all parties who have provided decryption tools to victims.  Not just because that is what they should do, but because it makes good business sense and it sets the tone for other companies and their customer relationships.

...and we're back.  What I see here is an opportunity, too.  Imagine developing a decryption tool that is the equivalent of that keyring your handy locksmith sports about.  You'd keep it on a USB or similar device, and it would have hundreds of thousands of modules based upon reverse-engineered ransomware (or other sources of encryption) and their key stores.  It would be bootable and based on GNU/Linux, BSD or a similar UNIX flavor.

No, you wouldn't be handing this out to folks, and no, only a "locksmith" (or in this case an InfoSec professional) would carry it. 

There are similar USB-geared projects out there but there is so much more you could do with the architecture.  Thinking out loud.
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-04
Cross-site request forgery (CSRF) vulnerability in [Calendar01] free edition ver1.0.0 and [Calendar02] free edition ver1.0.0 allows remote attackers to hijack the authentication of administrators via unspecified vectors.
PUBLISHED: 2020-08-04
[Calendar01], [Calendar02], [PKOBO-News01], [PKOBO-vote01], [Telop01], [Gallery01], [CalendarForm01], and [Link01] [Calendar01] free edition ver1.0.0, [Calendar02] free edition ver1.0.0, [PKOBO-News01] free edition ver1.0.3 and earlier, [PKOBO-vote01] free edition ver1.0.1 and earlier, [Telop01] fre...
PUBLISHED: 2020-08-04
Privilege escalation vulnerability in SKYSEA Client View Ver.12.200.12n to 15.210.05f allows an attacker to obtain unauthorized privileges and modify/obtain sensitive information or perform unintended operations via unspecified vectors.
PUBLISHED: 2020-08-03
A GET-based XSS reflected vulnerability in Plesk Obsidian 18.0.17 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.
PUBLISHED: 2020-08-03
A GET-based XSS reflected vulnerability in Plesk Onyx 17.8.11 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.