SCF Advanced Search

  • Total Posts: 37701
  • Total Topics: 12392
  • Online Today: 2726
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)

Author Topic: The Talos TeslaCrypt Decryption Tool - FREE DOWNLOAD!  (Read 7699 times)

0 Members and 1 Guest are viewing this topic.


  • SCF Administrator
  • *****
  • Posts: 7516
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • - Samker's Computer Forum

Some users whose computers have been infected with a ransomware program called TeslaCrypt might be in luck: security researchers from Cisco Systems have developed a tool to recover their encrypted files.

TeslaCrypt appeared earlier this year and masquerades as a variant of the notorious CryptoLocker ransomware. However, its authors seemed intent on targeting gamers in particular:

Once installed on a system, the program encrypts files with 185 different extensions, over 50 of which are associated with computer games and related software, including user-generated content like game saves, maps, profiles, replays and mods.

In the ransom note displayed on infected computers, TeslaCrypt claims to be using asymmetric encryption based on the RSA public-key cryptosystem. If true, this would mean that the data is encrypted with a public key stored on the system and can only be decrypted with a private key held by the attackers.

However, after analyzing the malicious program, researchers from Cisco’s Talos Group found that it actually uses a symmetric encryption algorithm called AES. This algorithm uses the same key for both encryption and decryption.

Some versions of TeslaCrypt store the encryption key in a file called key.dat on infected systems, but others delete it after they finish encrypting files and store an encrypted version of it in a different file called RECOVERY_KEY.TXT, the Cisco researchers said Monday in a blog post:

The researchers developed a tool that can decrypt files affected by TeslaCrypt if the master encryption key is still found in key.dat. Users should save a copy of this file as soon as they realize that their computers have been infected with TeslaCrypt so they can later use it with the Cisco tool.

The Cisco researchers are still working on reverse-engineering the algorithm used by attackers to restore the master encryption key based on the recovery key. If successful, this will allow them to also decrypt files from versions of TeslaCrypt that delete the master key from the key.dat file when the encryption operation is done.


Samker's Computer Forum -


  • SCF Administrator
  • *****
  • Posts: 7516
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • - Samker's Computer Forum
Re: The Talos TeslaCrypt Decryption Tool - FREE DOWNLOAD!
« Reply #1 on: 02. May 2015., 08:42:19 »
The Talos TeslaCrypt Decryption Tool

Our decryption utility is a command line utility. It needs the “key.dat” file to properly recover the master key used for file encryption. Before it begins execution, it searches for “key.dat” in its original location (the user’s Application Data directory), or in the current directory. If it isn’t able to find and correctly parse the “key.dat” file, it will return an error and exit.

To use this tool, just copy the “key.dat” file into the tool’s directory and then specify either the encrypted file or a directory containing encrypted files. That’s it! Files should be decrypted and returned to their original content.

Here is the list of command line options:

/help – Show the help message
/key – Manually specify the master key for the decryption (32 bytes/64 digits)
/keyfile – Specify the path of the “key.dat” file used to recover the master key.
/file – Decrypt an encrypted file
/dir – Decrypt all the “.ecc” files in the target directory and its subdirs
/scanEntirePc – Decrypt “.ecc” files on the entire computer
/KeepOriginal – Keep the original file(s) in the encryption process
/deleteTeslaCrypt – Automatically kill and delete the TeslaCrypt dropper (if found active in the target system)

Back up your encrypted files before you use this utility. Provided without any guarantees.

Here are the tool links:

Windows binary:
ZIP SHA256: 74f57d7f6a34440fd4e9ddb3b47b04e96a9927199565de5bfbc015cceb17bccc

* Updated 4/28 recompiled with backward compatibility in Visual Studio 2008

Python script:
ZIP SHA256: ea58c2dd975ed42b5a30729ca7a8bc50b6edf5d8f251884cb3b3d3ceef32bd4e

Source code to Windows binary:
ZIP SHA256: fec7bd84258408fcb80b80ed55bea0bdd982900bee1ce57ad3818bff13d0cf2b

* Updated 4/28 recompiled with backward compatibility in Visual Studio 2008


With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters)

Enter your email address to receive daily email with ' - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising