Something unprecedented has occurred: TeslaCrypt, one of the most prevalent samples of ransomware, has ceased operations, according to security firm ESET. Not only that, but its developers released a public encryption key that will allow anyone who was infected to retrieve their data.
TeslaCrypt Was Big
The ransomware burst onto the scene roughly a year ago. It has gone through some updates since then, with its 4.0 version being the last. It encrypted its victims’ files with AES, then demanded payment to restore them.
TeslaCrypt was the third-biggest player in the ransomware arena at the beginning of March, according to SecurityWeek. The Angler rootkit dropped it as its malicious payload, and it was also distributed by malicious downloads, exploit kits and phishing campaigns.
Why Did It End?
Why would such an effective and profitable cybercriminal campaign end?
“While it is possible that they felt bad for the damage done, another possible reason is that they wanted to start fresh with a new code base,” said ESET’s Linda Myers in an email.
“My guess is that this wasn’t a fluke so much as an awareness that software development can be really difficult to do well. Sometimes updates to an existing product can make things more error-prone, which makes it harder to make money. Ending an old project can allow for a clean slate from which to start again.”
While a redesign with a new code base is certainly possible, it seems at odds with the greed of the typical cybercriminal. Perhaps there was a more immediate impetus to stop the infections.
Conjectures
One reason might be the “honor among thieves” scenario. It could be that the code’s custodians felt they weren’t getting the amount of money they were due and, in a revenge move, shut down the entire effort. For cybercriminals who are motivated by pride as much as money, such a display makes sense.
But it seems there could be another cause: Authorities, or security companies looking to make a name for themselves, caught the scent of the perpetrators. After all, US-CERT had just issued an alert on ransomware; the public is beginning to treat the threat rather seriously.
If the criminals thought they were in danger of being identified, they may have decided that burning the whole thing to the ground was the only safe option. For example, if authorities had a Tor exploit that could link the payment website to the perpetrators, it would likely be enough to cause a panicked shutdown.
It seems likely that the smell of wiped data and burning log files is in the air. This is the first time that a working ransomware has ever shut itself down mid-campaign. Something besides altruism toward victims had to cause that action. No matter what, users should be happy that there’s one less ransomware acting up in the wild.
Principal, PBC Enterprises