May 23, 2016 By Larry Loeb 2 min read

Something unprecedented has occurred: TeslaCrypt, one of the most prevalent samples of ransomware, has ceased operations, according to security firm ESET. Not only that, but its developers released a public encryption key that will allow anyone who was infected to retrieve their data.

TeslaCrypt Was Big

The ransomware burst on the scene roughly a year ago. It has gone through some updates since then, with its 4.0 version being the last. It used AES encryption to encrypt its victims’ files, then demanded payment to restore them.

TeslaCrypt was the third-biggest player in the ransomware arena at the beginning of March, according to SecurityWeek. The Angler rootkit dropped it as its malicious payload, and it was also distributed by malicious downloads, exploit kits and phishing campaigns.

Why Did It End?

Why would such an effective and profitable cybercriminal campaign end?

“While it is possible that they felt bad for the damage done, another possible reason is that they wanted to start fresh with a new code base,” said ESET’s Linda Myers in an email.

“My guess is that this wasn’t a fluke so much as an awareness that software development can be really difficult to do well. Sometimes updates to an existing product can make things more error-prone, which makes it harder to make money. Ending an old project can allow for a clean slate from which to start again.”

While a redesign with a new code base is certainly possible, it seems at odds with the greed of the typical cybercriminal. Perhaps there was a more immediate impetus to stop the infections.

Conjectures

One reason might be the “honor among thieves” scenario. It could be that the code’s custodians felt they weren’t getting the amount of money they were due and, in a revenge move, shut down the entire effort. For cybercriminals who are motivated by pride as much as money, such a display makes sense.

But it seems there could be another cause: Authorities, or security companies looking to make a name for themselves, caught the scent of the perpetrators. After all, US-CERT had just issued an alert on ransomware; the public is beginning to treat the threat rather seriously.

If the criminals thought they were in danger of being identified, they may have decided that burning the whole thing to the ground was the only safe option. For example, if authorities had a Tor exploit that could link the payment website to the perpetrators, it would likely be enough to cause a panicked shutdown.

It seems likely that the smell of wiped data and burning log files is in the air. This is the first time that a working ransomware has ever shut itself down midcampaign. Something had to cause that action — besides altruism toward victims. No matter what, users should be happy that there’s one less ransomware acting up in the wild.

More from

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today