Did TeslaCrypt kill its ransomware so it could launch a new product?

Last week saw an unusual development in the field of ransomware: The cybercriminal group that operates the TeslaCrypt malware published a universal decryption key for their software. Any victim can download and use it – and repair files encrypted by TeslaCrypt – so this threat is technically disarmed.

This malware appeared about a year ago. It used the Adobe Flash Angler exploit to infect machines and targeted mostly gamers (using a list of files that are used to save game progress). Once infected, a ransom demand was sent to the machine (usually about $500-$1,000 in Bitcoin). Why would the creators decide to kill their brainchild?

Some might theorize that the reason the TeslaCrypt team shut down the operation is because they knew the authorities were hot on their trails. This could very well be true. However, there is an underlying motivation that could be playing a bigger part than we acknowledge: Cybercrime is a business and, as such, follows business logic.

It’s a question of manipulating supply and demand: If Apple created an iPhone that answered the public’s needs for more than five years, consumers would have no motivation to upgrade and buy a new device every year. This is why your iPhone will become more sluggish with each new version of iOS. So that after about two years with your device, you’ll upgrade to a new iPhone, helping Apple’s revenue climb.

But life is harder for a vendor that sells malware. As long as the malware remains effective, TeslaCrypt’s customers don’t provide any repeat business or recurring revenue. But TeslaCrypt’s creators can generate new business if they release a universal decryption key, making their product ineffective, and then try to sell their customers something new — a tool with better encryption that can target more types of users, or a more flexible platform.

Cybercriminals might be forced to switch “vendors” temporarily until their brand of choice releases something newer and better. But TeslaCrypt’s makers may hope to swiftly recapture marketshare.

The tactic may not prove effective, of course. About a year ago, the creator of the Locky ransomware published a decryption key, but cybercriminals keep using Locky anyway. Time will tell if TeslaCrypt’s makers release a viable replacement — one as successful as the original — and what new challenges such a release would pose to the security industry.

Nitsan Saddan is advanced threat researcher at Cymmetria.