A new version of the TeslaCrypt Ransomware has been discovered by BloodDolly, the creator of TeslaDecoder, that was built on January 12, 2016 @ 09:39:43.  This release calls itself version 3.0 and uses a different encryption key exchange algorithm. Furthermore, all encrypted files will now have the new .XXX, .TTT, .MICRO extensions appended to them.

The major and most problematic change, though, is the modified key exchange. In the past there were ways to recover the private key from an encrypted file. With this modification, that is no longer possible for new victims. BloodDolly is currently analyzing the new algorithm and as more information is available, we will post it at BC.

TeslaCrypt 3.0 Ransom Note

Maybe I am reading too much into the time of the year and trying to find sneaky things left by malware developers, but I find the autorun key to be interesting. The autorun key used by the TeslaCrypt installer is called meryHmas. The fact that we are around the holidays leads me to believe that the developer is having a little fun at the victim's expense. Then again, I could be reading something from nothing.


Update 1/13/16: Updated the article to reflect that TeslaCrypt is not using a different encryption algorithm, but rather a different protection/key exchange algorithm.

Update 1/14/16: TeslaCrypt 3.0 has been updated to use the .TTT extension for encrypted files.

Update 1/15/16: TeslaCrypt 3.0 has been updated to use the .Micro extension.


Related Files:

C:\Users\User\Desktop\Howto_Restore_FILES.BMP
C:\Users\User\Desktop\Howto_Restore_FILES.HTM
C:\Users\User\Desktop\Howto_Restore_FILES.TXT
C:\Users\User\Documents\recover_file_[random].txt
C:\Users\[username]\AppData\Roaming\[random].exe

Related Registry Keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\meryHmas    C:\Users\[username]\AppData\Roaming\[random].exe
HKCU\Software\[random]
HKCU\Software\xxxsys
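As an added example (not code from the article or from TeslaDecoder), a small Python triage helper that applies the indicators listed above to a file listing and to the values of the HKCU Run key. The file paths and Run values below are constructed sample input; on a real host you would feed it a directory walk and an export of the Run key.

```python
import re

# Indicators taken from the article: extensions appended to encrypted files,
# ransom-note file names, and the Run value name used for persistence.
ENCRYPTED_EXTENSIONS = {".xxx", ".ttt", ".micro"}
RANSOM_NOTE_RE = re.compile(
    r"^(howto_restore_files\.(bmp|htm|txt)|recover_file_.+\.txt)$", re.IGNORECASE
)
RUN_VALUE_NAME = "meryHmas"


def scan_paths(paths):
    """Sort a list of Windows paths into encrypted files and ransom notes."""
    hits = {"encrypted": [], "ransom_notes": []}
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in ENCRYPTED_EXTENSIONS:
            hits["encrypted"].append(path)
        elif RANSOM_NOTE_RE.match(name):
            hits["ransom_notes"].append(path)
    return hits


def check_run_values(run_values):
    """run_values maps Run value name -> command line (caller exports the key).

    Flags the article's value name and, as a broader heuristic (assumption:
    the dropped binary lives under AppData\\Roaming as listed above), any
    value that launches an executable from that directory."""
    suspicious = {}
    for name, cmd in run_values.items():
        if name.lower() == RUN_VALUE_NAME.lower() or "\\appdata\\roaming\\" in cmd.lower():
            suspicious[name] = cmd
    return suspicious


# Constructed sample input, not taken from a real infected host.
SAMPLE_PATHS = [
    r"C:\Users\User\Documents\budget.xlsx.micro",
    r"C:\Users\User\Pictures\holiday.jpg.ttt",
    r"C:\Users\User\Desktop\Howto_Restore_FILES.TXT",
    r"C:\Users\User\Documents\recover_file_abc123.txt",
    r"C:\Users\User\Documents\notes.txt",
]
SAMPLE_RUN = {
    "OneDrive": r"C:\Users\User\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "meryHmas": r"C:\Users\User\AppData\Roaming\kdjfh.exe",
}

if __name__ == "__main__":
    print(scan_paths(SAMPLE_PATHS))
    print(check_run_values(SAMPLE_RUN))
```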