A new version of TeslaCrypt was released on Tuesday that contains some minor changes: new ransom note names, a new name for the autorun entry, and a slight change to how it removes the Shadow Volume Copies. The first change, and the most noticeable one for victims, is that the ransom note filenames are now Howto_RESTORE_FILES.txt, Howto_RESTORE_FILES.html, and Howto_RESTORE_FILES.bmp. Apart from the new names, the contents of the ransom notes are the same.

Another change is how TeslaCrypt attempts to delete the Shadow Volume Copies. In the past, TeslaCrypt executed vssadmin.exe once to clear the shadows before encrypting your files. According to BloodDolly, the creator of TeslaDecoder, this variant now runs vssadmin.exe repeatedly, relaunching it until the program detects that the victim did not cancel the request to run vssadmin. Since deleting shadow copies with vssadmin requires administrative rights, declining the request once no longer protects the shadow copies; it will simply be asked again.

Last, but not least, the name for the autostart entry in the Windows Registry has changed to Acrndtd.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Acrndtd C:\Users\\AppData\Roaming\.exe
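Detection logic for the two behaviours described above (the looped vssadmin execution and the Acrndtd Run value), written as an added example for this page and not taken from TeslaCrypt, TeslaDecoder or BleepingComputer: it scans constructed Sysmon-style process-creation (Event ID 1) and registry-value-set (Event ID 13) records, flags any parent process that launches vssadmin.exe "delete shadows" several times in a short window, and flags Run-key values whose data is an executable under the user's AppData\Roaming folder. The pipe-separated log format, the username alice, the executable name qgpwvc.exe, the PIDs, the timestamps and the exact vssadmin arguments are all constructed for the example and are not observed TeslaCrypt indicators.

```python
"""Added detection example (not TeslaCrypt or TeslaDecoder code): flag looped
shadow-copy deletion and a Run-key entry pointing into AppData\\Roaming."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style records: "<timestamp>|<event id>|k=v|k=v...".
# Event ID 1 = process creation, Event ID 13 = registry value set.
# Username, PIDs, file name, timing and arguments are made up for the example.
SAMPLE_LINES = [
    r"2015-08-04T10:00:01|1|pid=2040|ppid=1800|cmd=C:\Users\alice\AppData\Roaming\qgpwvc.exe",
    r"2015-08-04T10:00:05|13|pid=2040|target=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Acrndtd|details=C:\Users\alice\AppData\Roaming\qgpwvc.exe",
    r"2015-08-04T10:00:06|13|pid=3100|target=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive|details=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    # The variant keeps relaunching vssadmin until the request goes through.
    r"2015-08-04T10:00:10|1|pid=2101|ppid=2040|cmd=C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    r"2015-08-04T10:00:41|1|pid=2107|ppid=2040|cmd=C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    r"2015-08-04T10:01:12|1|pid=2113|ppid=2040|cmd=C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    r"2015-08-04T10:01:50|1|pid=2120|ppid=2040|cmd=C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    # An administrator running it once from a console is not flagged.
    r"2015-08-04T11:30:00|1|pid=4410|ppid=900|cmd=C:\Windows\System32\vssadmin.exe delete shadows /for=D: /oldest",
    r"2015-08-04T11:31:00|1|pid=4415|ppid=900|cmd=C:\Windows\System32\vssadmin.exe list shadows",
]

# "vssadmin delete shadows" with or without the .exe suffix, any case.
VSSADMIN_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
# Any per-user or per-machine Run key (HKCU or HKLM).
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Value data that is just an .exe sitting directly under AppData\Roaming.
APPDATA_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.IGNORECASE)


def parse_event(line):
    """Split one constructed record into a dict of fields plus ts and eid."""
    ts, eid, rest = line.split("|", 2)
    event = dict(kv.split("=", 1) for kv in rest.split("|"))  # maxsplit keeps '=' in values
    event["ts"] = datetime.fromisoformat(ts)
    event["eid"] = int(eid)
    return event


EVENTS = [parse_event(line) for line in SAMPLE_LINES]


def repeated_shadow_deletes(events, min_count=3, window=timedelta(minutes=5)):
    """Map parent PID -> total launches, for parents that spawned
    'vssadmin delete shadows' at least min_count times within window."""
    by_parent = defaultdict(list)
    for e in events:
        if e["eid"] == 1 and VSSADMIN_DELETE.search(e.get("cmd", "")):
            by_parent[e["ppid"]].append(e["ts"])
    hits = {}
    for ppid, times in by_parent.items():
        times.sort()
        for i in range(len(times) - min_count + 1):
            if times[i + min_count - 1] - times[i] <= window:  # sliding window
                hits[ppid] = len(times)
                break
    return hits


def suspicious_run_entries(events):
    """List (value name, value data) for Run-key values whose data is a bare
    executable under AppData\\Roaming, the placement used by the Acrndtd entry."""
    found = []
    for e in events:
        if e["eid"] != 13 or not RUN_KEY.search(e.get("target", "")):
            continue
        data = e.get("details", "").strip('"')
        if APPDATA_EXE.search(data):
            found.append((e["target"].rsplit("\\", 1)[-1], data))
    return found


if __name__ == "__main__":
    for ppid, n in repeated_shadow_deletes(EVENTS).items():
        print(f"parent {ppid}: {n} vssadmin 'delete shadows' launches in a short window")
    for name, data in suspicious_run_entries(EVENTS):
        print(f"Run value {name} -> {data}")
```

The sliding window is what separates the new variant's loop from a single legitimate vssadmin run: one "delete shadows" from an administrator's console is left alone, while a parent that keeps relaunching it is reported. The Run-key check deliberately keys on where the data points rather than on the name Acrndtd, since the name has already changed once between versions.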

As always, if it becomes possible to decrypt files encrypted by this variant, we will be sure to post about it.

