Teslacrypt ransomware, the variant of notorious CryptoLocker ransomware that targets game files and personal data.
Let’s decrypt the files!
Note: Before decrypting the files, please backup the encrypted files.
STEP 1: Download Talos TeslaCrypt Decryption Tool.
Windows binary:
http://labs.snort.org/files/TeslaDecrypt_exe.zip
Python script:
https://labs.snort.org/files/TeslaDecrypt_python.zip
Source code to Windows binary:
https://labs.snort.org/files/TeslaDecrypt_cpp.zip
STEP 3: Extract the zip file.
STEP 4: Open Explorer and type %appdata%. Find “key.dat” file in the application data directory. Then Copy the “key.dat” file into the tool’s directory.
STEP 5: Open Talos Teslacrypt decryption tool.
STEP 6: Enter the encrypted file or a directory containing encrypted files and then hit the enterkey.
The tool will decrypt the specified files and restore the original content.
Here is list of useful command line options:
/help – Show the help message.
/key – Manually specify the master key for the decryption (32 bytes/64 digits).
/keyfile – Specify the path of the “key.dat” file used to recover the master key.
/file – Decrypt an encrypted file.
/dir – Decrypt all the “.ecc” files in the target directory and its subdirs.
/scanEntirePc – Decrypt “.ecc” files on the entire computer.
/KeepOriginal – Keep the original file(s) in the encryption process.
/deleteTeslaCrypt – Automatically kill and delete the TeslaCrypt dropper (if found active in the target system).
At time of writing this article, the decryption utility is a test tool which is in development. So, if the tool is not working for you, please put it in the comment section below.
We will update this guide as soon as CISCO releases an update.
If you find this article worthy, share this to your friends and followers.
00rules 