Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:50 PM
Connect Directly

Cisco Offers Free Decryption Tool For Ransomware Victims

Tool decrypts, unlocks files hit by TeslaCrypt ransomware attacks.

First the good news: there are now free utilities for decrypting your data after a ransomware attack. Now the bad news:  the tools only work for specific ransomware, not all variants.

Cisco Systems' Talos team today released a free tool for victims of the TeslaCrypt ransomware attack that decrypts the locked-down files. TeslaCrypt, which Cisco says may be related to the now mostly defunct CryptoLocker, uses symmetric AES encryption, which allowed Cisco to build a tool using the decryption key. Interestingly, TeslaCrypt warns that it uses strong asymmetric AES-2048 encryption to lock victims out of their files, but that's not the case.

TeslaScript goes after various victims, including PC gamers, whose games and coveted and valuable Steam activation keys get locked down in its attack.

"We reverse engineered the way the TeslaCrypt worked and were able to develop the tool based on that," says Earl Carter, threat researcher with Talos. "In the past, we have also reverse engineered other ransomware, like Cryptowall, but in that case, the ransomware was using asymmetric encryption, so creating a tool was not possible."

Kaspersky Lab, meanwhile, offers a tool for victims of the CoinVault ransomware. Kaspersky, which teamed up with Dutch law enforcement authorities in the CoinVault attacks, obtained access to the private keys from the attackers and offers CoinVault victims who are locked out of their data access to their confiscated key.

"The Kaspersky instance is similar to the original CryptoLocker decryption tool that was developed after the police takedown of CryptoLocker.  Both of those tools consists of a list of private keys obtained by law enforcement -- not necessarily all of the private keys generated by the ransomware. If one of these private keys corresponds to the key used to encrypt your system -- the keys are unique per system -- then you can recover your files," Cisco's Carter says.

Cisco's tool is different in that it can recover the files on any system infected by TeslaCrypt "as long as the master key is still on the system and we developed the tool without having to access one of the threat actor's servers," he says.

Dave Lewis, global security advocate for Akamai, says ransomware decryption tools are more of a stopgap measure. These ransomware decryption tools help, he says, but it's a temporary fix.

Lewis says he's noticed how ransomware attackers have gradually upped the ante in their blackmail. "I've noticed it's been slightly going up incrementally," says Lewis, who will speak at the Dark Reading Cyber Security Crash Course at Interop Las Vegas tomorrow.

The key to defending against ransomware attacks are basic security hygiene: layered defenses and good security awareness programs for end users, according to Lewis.

Cisco's Carter says the tool is aimed at all levels of victims, technical or nontechnical. "This tool is only a single instance of ransomware. There are many variants of ransomware currently attacking user systems," he notes. "The best defense is a strong multi-layered defense strategy including an industry standard backup and restore policy. A good backup will circumvent almost all of these ransomware variants."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
5/12/2017 | 3:59:24 AM
Great software
Well I started using Impedio Security a while ago and I must say that I'm suprised I didn't find it earlier. It's great way to keep your data safe and don't have to worry about your files being corrupted iny any way. It's helpful because last time my friend acidentally deleted folder where I had important stuff for school and now I just put these folders in read-only volumes so no one can delete them, even malicious softwares. I was ransomware victim once but thank God now it's all over and I encouraged all of you to get Impedio and don't worry about malware anymore (y)
User Rank: Strategist
2/21/2017 | 12:39:27 PM
Re: Free Decryption Tools For Ransomware Victims
Unfortunately, not all of them are possible to decrypt. Here is the list of ransomware extensions and available decryptors for them.
BPID Security
BPID Security,
User Rank: Strategist
5/4/2015 | 5:25:14 PM
Thank you
Thank you Kelley.

This represents the good and bad of security.

First the bad you can get your data locked and the good is get help unlocking.

Second the bad means that for a price there are tools to decrypt your data available to those who shouldn't have them and your data is no longer 'safe' as there are free tools to unlock it. The good? Gee I don't know anything more than getting help when your data is locked and you don't have a key.

Great article and thanks for sharing.


Paul BPID Security


User Rank: Apprentice
4/29/2015 | 3:27:53 PM
Help remove TeslaCrypt Virus - Worked for me...

Hey I know the TeslaCrypt virus is extremely prevalent this time of year, However; I was able to remove it from my computer using the steps listed in this 3-step guide 


Please let me know if anyone else if successful in removing this virus. The instructions are a little lengthy but it did the trick for me.

Hope this helps at least a few people,


User Rank: Ninja
4/29/2015 | 9:00:45 AM
Temporary Fix
Unfortunately, because this is only for certain variants of ransomware I see this teetering out in the near future. I can't see companies offering free utilities and spending man hours to reverse engineer all the new variants that come out. Though this is a good start, its not sustainable.
User Rank: Apprentice
4/28/2015 | 7:45:21 PM
Re: From Reverse Engineering to Development
That's the way... You have to reverse to have the key
User Rank: Ninja
4/28/2015 | 5:15:24 PM
From Reverse Engineering to Development
Something about this reminds me of how the first skeleton key must have come about, followed by a long and distinguished array of lock pickers.  Not only that, but the large keyring of both original and skeleton keys that we've come to associate with the locksmith who you call when you get locked out.  More on that later...

First, I think this is a brilliant piece of work on the part of all parties who have provided decryption tools to victims.  Not just because that is what they should do, but because it makes good business sense and it sets the tone for other companies and their customer relationships.

...and we're back.  What I see here is an opportunity, too.  Imagine developing a decryption tool that is the equivalent of that keyring your handy locksmith sports about.  You'd keep it on a USB or similar device, and it would have hundreds of thousands of modules based upon reverse-engineered ransomware (or other sources of encryption) and their key stores.  It would be bootable and based on GNU/Linux, BSD or a similar UNIX flavor.

No, you wouldn't be handing this out to folks, and no, only a "locksmith" (or in this case an InfoSec professional) would carry it. 

There are similar USB-geared projects out there but there is so much more you could do with the architecture.  Thinking out loud.
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS Build 20210202 and later Q...
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...