{
	"id": "d42a6b05-497b-4347-9b10-f03da111ec31",
	"created_at": "2026-04-06T00:17:40.626448Z",
	"updated_at": "2026-04-10T13:12:34.142074Z",
	"deleted_at": null,
	"sha1_hash": "2fd389a6195222d2a8338c9fadb7731221d36bd2",
	"title": "Threat Spotlight: TeslaCrypt – Decrypt It Yourself",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1021549,
	"plain_text": "Threat Spotlight: TeslaCrypt – Decrypt It Yourself\r\nBy Talos Group\r\nPublished: 2015-04-27 · Archived: 2026-04-05 21:39:59 UTC\r\nThis post was authored by: Andrea Allievi, Earl Carter \u0026 Emmanuel Tacheau\r\nUpdate 4/28: Windows files recompiled with backward compatibility in Visual Studio 2008\r\nUpdate 5/8: We’ve made the source code available via Github here\r\nUpdate 6/9/2016: We’ve released a tool to decrypt any TeslaCrypt Version\r\nAfter the takedown of Cryptolocker, we have seen the rise of Cryptowall. Cryptowall 2 introduced “features” such\r\nas advanced anti-debugging techniques, only to have many of those features removed in Cryptowall 3.\r\nRansomware is becoming an extremely lucrative business, leading to many variants and campaigns targeting even\r\nlocalized regions in their own specific languages. Although it is possible that these multiple variants are sponsored\r\nby the same threat actor, the most likely conclusion is that multiple threat actors are jumping in to claim a portion\r\nof an ever increasing ransomware market. One of the latest variants is called TeslaCrypt and appears to be a\r\nderivative of the original Cryptolocker ransomware. Although it claims to be using asymmetric RSA-2048 to\r\nencrypt files, it is making use of symmetric AES instead. Talos was able to develop a tool which decrypts the files\r\nencrypted by the TeslaCrypt ransomware.\r\nhttps://blogs.cisco.com/security/talos/teslacrypt\r\nPage 1 of 9\n\nClick for Larger Image\r\nAt the first glance, the dropper appears to be related to the original CryptoLocker. The malware states that data\r\nfiles, such as photos, videos and documents on the victim’s computer have been encrypted with the RSA-2048\r\nasymmetric algorithm. 
As we shall see, that statement is not entirely accurate.\r\nTargeting files that users value highly makes ransomware very effective at getting users to pay the ransom.\r\nTeslaCrypt is interesting because it also targets and encrypts computer game files, such as saved games and\r\nSteam activation keys. This means that TeslaCrypt is targeting many different types of users, including PC\r\ngamers. Just like irreplaceable photos, a game save, which is the product of countless hours of gaming, is\r\nextremely valuable and hard to replace.\r\nWe have analysed two samples of TeslaCrypt, the first dated March 2015 and the second dated April 2015. Their\r\nSHA256 hashes are:\r\n3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\r\n6c6f88ebd42e3ef5ca6c77622176183414d318845f709591bc4117704f1c95f4\r\nBoth samples implement the following hashing algorithms:\r\nSHA1\r\nSHA256\r\nRIPEMD160\r\nBASE58\r\nBASE64\r\nInfection Vector And Setup Function\r\nThis ransomware is usually distributed as an email attachment or through websites that redirect the victim to the\r\nAngler Exploit Kit. In our analysis, the exploit kit delivered a malicious Flash object containing an exploit against\r\nCVE-2015-0311. The payload for this exploit was a TeslaCrypt sample.\r\nWe are only going to give a quick introduction on the dropper’s architecture and the setup function because this\r\nfunctionality has been widely covered.\r\nMost TeslaCrypt samples use COM+ sandbox evasion techniques. For example, the dropper we analysed uses\r\nsimple detection code that verifies if the “URLReader2” COM interface has been correctly installed in the\r\nDirectShow filter graph list:\r\nIf the check passes, the real dropper is extracted and executed using a well-known method that makes use of the\r\nZwMap(Unmap)ViewOfSection API functions to unmap the original PE memory image and re-map another image\r\nfile. 
The final unpacked executable locates specific Windows directories such as the Application Data directory,\r\nand builds support files like the “key.dat” file, and files to store decryption instructions. The executable also\r\nadjusts its own privileges (adds “SeDebugPrivilege”) and copies itself using a random file name to the user’s\r\nApplication Data directory. A new process is then spawned and execution is transferred to it. The original dropper\r\nfile is deleted. The main malware window is created and five threads are spawned, followed by the window\r\nmessage dispatching cycle.\r\nTeslaCrypt threads perform the following:\r\nDelete all system Volume Shadow Copies by executing the “vssadmin.exe delete shadows /all /quiet”\r\ncommand\r\nOpen the “key.dat” file and recover the encryption keys. If the “key.dat” file doesn’t exist, create the keys and\r\nstore them in an encrypted form in the “key.dat” file.\r\nSend the new master encryption key to the C\u0026C server through a POST request (the latest sample that we\r\nhave analysed contains the following C\u0026C server URLs):\r\n7tno4hib47vlep5o.63ghdye17.com\r\n7tno4hib47vlep5o.79fhdm16.com\r\n7tno4hib47vlep5o.tor2web.blutmagie.de\r\n7tno4hib47vlep5o.tor2web.fi\r\nImplement anti-tampering protection: every 200 milliseconds, TeslaCrypt enumerates all running processes\r\nand if a process with a filename that contains any of the words below is found, that process is terminated\r\nusing the TerminateProcess Windows API function:\r\ntaskmgr\r\nprocexp\r\nregedit\r\nmsconfig\r\ncmd.exe\r\nFile Encryption – Introduction\r\nAfter the initialization routine and the deletion of the Volume Shadow copies, the sample creates the “key.dat” file\r\nwhere it stores all the encryption keys. The dropper from March 2015 calculates at least 2 different main keys: a\r\npayment key and a master encryption key. 
The other dropper implements the concept of an additional key known\r\nas the “Recovery key”.\r\n“GetAndHashOsData” is the function responsible for creating the base buffer for the generation of all keys. At\r\nstartup it acquires the following info:\r\nthe global workstation’s LAN network statistics, using the NetStatisticsGet API function\r\n64 random bytes generated by Windows Crypto functions\r\nall heap descriptors of its own process\r\nall active process descriptors and the thread descriptors of each process\r\nall loaded modules in each process\r\nthe workstation’s physical memory information\r\nOnce the data is acquired, it generates a big array of SHA1 values, one for every 20 bytes of acquired data. At the\r\nend it calculates and stores a global SHA1 value for the entire array, in a symbol that we have called\r\n“g_lpGlobalOsDataSha1”.\r\nWith these 2 items, the “FillBuffWithEncryptedOsData” routine is able to fill a generic buffer with the calculated\r\ndata, in a pseudo-random manner. A master key and a payment key are generated using this function (each key is\r\n32 bytes wide), their SHA256 is calculated and finally a custom algorithm is used to shift left and shift right the 2\r\nkeys. The two shifted SHA256 values are stored in the “key.dat” file.\r\nThe Key File\r\nThe “OpenKeyFileAndWrite” routine tries to open the “key.dat” file, located in the user’s Application Data\r\ndirectory. If it doesn’t exist, it generates the 2 master keys (3 in case of the most recent dropper) as well as other\r\nkeys, and stores them in the key file.\r\nHere is a little schema of the layout of the “key.dat” file:\r\n* = We currently don’t know precisely how this value is used by TeslaCrypt\r\nThe latest version of the dropper creates a “RECOVERY_KEY.TXT” file inside the user’s document directory. 
It\r\ndoes this to achieve a particular goal: if the victim workstation is offline or if a firewall blocks the communication\r\nwith the C\u0026C server, the dropper will proceed with the destruction of the master key inside the “key.dat” file,\r\nafter the encryption of all files has been completed. To recover the files, the user would have to connect to the\r\nthreat actor’s TOR website and provide the recovery key. The threat actors use a custom algorithm to recover\r\nthe master key from the recovery key:\r\nThe recovery key file contains 3 pieces of information in a human-readable form, separated by a carriage return\r\ncharacter:\r\nThe Bitcoin address\r\nThe payment key ID (32 hex digits)\r\nThe recovery key (64 hex digits)\r\nThe File Encryption Algorithm\r\nFile encryption is performed in a dedicated thread. The code for the encryption thread takes the shifted master key,\r\ncalculates its SHA256 hash and starts to enumerate all files of the victim workstation (filtering by extension type;\r\nTeslaCrypt supports over 170 different file extensions).\r\n“EncryptFile” is the function that manages the entire file-encryption process. It:\r\ngenerates a 16-byte Initialization Vector for AES, using the GetAndHashOsData function\r\nreads the target file\r\ninitializes the AES encryption algorithm through the creation of the AES context data structure\r\nfinally encrypts the contents of the file using an AES CBC 256-bit algorithm implemented in the\r\n“EncryptWithCbcAes” function.\r\nWhen the process is complete, the new encrypted file is created. 
The new file contains a small header (composed\r\nof the AES Initialization Vector in its first 16 bytes followed by the original file size in the next 4 bytes), and then\r\nthe actual encrypted bytes.\r\nThe pop up window displays misleading information: the encryption method is a symmetric AES, and not an\r\nasymmetric RSA-2048 as stated by TeslaCrypt in the screenshot above. As proof that TeslaCrypt is truly using\r\nsymmetric AES and not asymmetric RSA, we provide a decryption utility capable of decrypting all the files\r\nencrypted by this ransomware (provided you have the master key).\r\nThe Talos TeslaCrypt Decryption Tool\r\nOur decryption utility is a command line utility. It needs the “key.dat” file to properly recover the master key used\r\nfor file encryption. Before it begins execution, it searches for “key.dat” in its original location (the user’s\r\nApplication Data directory), or in the current directory. If it isn’t able to find and correctly parse the “key.dat” file,\r\nit will return an error and exit.\r\nTo use this tool, just copy the “key.dat” file into the tool’s directory and then specify either the encrypted file or a\r\ndirectory containing encrypted files. That’s it! 
Files should be decrypted and returned to their original content.\r\nHere is the list of command line options:\r\n/help – Show the help message\r\n/key – Manually specify the master key for the decryption (32 bytes/64 digits)\r\n/keyfile – Specify the path of the “key.dat” file used to recover the master key.\r\n/file – Decrypt an encrypted file\r\n/dir – Decrypt all the “.ecc” files in the target directory and its subdirs\r\n/scanEntirePc – Decrypt “.ecc” files on the entire computer\r\n/KeepOriginal – Keep the original file(s) in the encryption process\r\n/deleteTeslaCrypt – Automatically kill and delete the TeslaCrypt dropper (if found active in the target\r\nsystem)\r\nBack up your encrypted files before you use this utility. Provided without any guarantees.\r\nLink to the Tool\r\nThe TeslaCrypt Decryption Tool is provided as-is and is not officially supported. The user assumes all liability for\r\nthe use of the tool.\r\nWindows binary: https://github.com/vrtadmin/TeslaDecrypt/tree/master/Windows\r\nIOCs\r\nHashes:\r\n3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\r\n6c6f88ebd42e3ef5ca6c77622176183414d318845f709591bc4117704f1c95f4\r\nIP Addresses:\r\n38.229.70.4\r\n82.130.26.27\r\n192.251.226.206\r\nDomains Contacted:\r\n7tno4hib47vlep5o.63ghdye17.com\r\n7tno4hib47vlep5o.79fhdm16.com\r\n7tno4hib47vlep5o.tor2web.blutmagie.de\r\n7tno4hib47vlep5o.tor2web.fi\r\nThreatGrid has also added a behavioral indicator to identify TeslaCrypt.\r\nConclusion\r\nAnalysing TeslaCrypt ransomware was a challenge. All the encryption and hashing algorithms in the dropper\r\nmade the analysis pretty difficult. As we have seen, sometimes the threat actors even lie. Nevertheless,\r\nransomware continues to plague users. Incorporating a layered defense is critical to combating this type of threat\r\nbefore it has the chance to encrypt files. 
A good system backup policy is the best way to recover files that have\r\nbeen hijacked.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nThe Network Security protection of IPS and NGFW has up-to-date signatures to detect malicious network\r\nactivity by threat actors.\r\nESA can block malicious emails including phishing and malicious attachments sent by threat actors as part of their\r\ncampaign.\r\nSource: https://blogs.cisco.com/security/talos/teslacrypt",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.cisco.com/security/talos/teslacrypt"
	],
	"report_names": [
		"teslacrypt"
	],
	"threat_actors": [],
	"ts_created_at": 1775434660,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2fd389a6195222d2a8338c9fadb7731221d36bd2.pdf",
		"text": "https://archive.orkl.eu/2fd389a6195222d2a8338c9fadb7731221d36bd2.txt",
		"img": "https://archive.orkl.eu/2fd389a6195222d2a8338c9fadb7731221d36bd2.jpg"
	}
}