A new version of TeslaCrypt was released on Tuesday that contains some minor changes such as new ransom note names, a new name for the autorun entry, and a slight change to how it removes the Shadow Volume Copies. The first, and most noticeable, change for victims is that the ransom note filenames have been changed to Howto_RESTORE_FILES.txt, Howto_RESTORE_FILES.html, and Howto_RESTORE_FILES.bmp. Other than the change of name, the contents of the ransom note are the same.

Another new feature is how TeslaCrypt attempts to delete the Shadow Volume Copies. In the past, TeslaCrypt would execute vssadmin.exe once to clear the shadows before encrypting your files. According to BloodDolly, the creator of TeslaDecoder, this variant will now repeatedly execute vssadmin.exe until the program detects that the victim did not cancel the request to run it.

Last, but not least, the name for the autostart entry in the Windows Registry has changed to Acrndtd.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Acrndtd C:\Users\\AppData\Roaming\.exe
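The two behaviours described above, the repeated vssadmin.exe launches and the Acrndtd Run entry pointing into AppData\Roaming, are what a defender can look for in endpoint telemetry. The following is an added detection example, not code from the article or from TeslaDecoder; the Sysmon-style events, the victim username, the dropped filename acrndtd.exe and the "delete shadows /all /quiet" argument form are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events (not real telemetry). The four
# vssadmin launches in a row mimic the retry loop BloodDolly described: the ransomware
# keeps relaunching vssadmin.exe until the victim stops cancelling it.
MALWARE = "C:\\Users\\victim\\AppData\\Roaming\\acrndtd.exe"   # hypothetical dropped binary
VSSADMIN = "C:\\Windows\\System32\\vssadmin.exe"
CMD = "vssadmin.exe delete shadows /all /quiet"               # assumed argument form
EVENTS = [
    {"time": "2015-11-12T10:00:01", "parent": MALWARE, "image": VSSADMIN, "cmd": CMD},
    {"time": "2015-11-12T10:00:04", "parent": MALWARE, "image": VSSADMIN, "cmd": CMD},
    {"time": "2015-11-12T10:00:09", "parent": MALWARE, "image": VSSADMIN, "cmd": CMD},
    {"time": "2015-11-12T10:00:15", "parent": MALWARE, "image": VSSADMIN, "cmd": CMD},
    {"time": "2015-11-12T11:30:00", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmd": "notepad.exe notes.txt"},
]

# "vssadmin delete shadows" is the documented command for clearing Shadow Volume Copies.
VSS_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)

def shadow_deletion_bursts(events, window=timedelta(seconds=60), min_repeats=2):
    """Group 'vssadmin delete shadows' launches by parent process and report every
    parent that issued at least `min_repeats` of them inside `window`.
    A single launch is suspicious on its own; a burst is the TeslaCrypt retry loop."""
    launches = defaultdict(list)
    for ev in events:
        if ev["image"].lower().endswith("\\vssadmin.exe") and VSS_DELETE.search(ev["cmd"]):
            launches[ev["parent"]].append(datetime.fromisoformat(ev["time"]))
    alerts = {}
    for parent, times in launches.items():
        times.sort()
        best = 1
        for i, start in enumerate(times):
            # count launches that fall within `window` of this one
            best = max(best, sum(1 for t in times[i:] if t - start <= window))
        if best >= min_repeats:
            alerts[parent] = best
    return alerts

def suspicious_run_entries(run_values, known_names=("Acrndtd",)):
    """Flag HKCU Run values by the name this variant uses, or by a bare executable
    launched straight out of AppData\\Roaming, matching the path in its Run entry."""
    roaming = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.IGNORECASE)
    return [name for name, path in run_values.items()
            if name in known_names or roaming.search(path)]
```

Feed `shadow_deletion_bursts` real process-creation events (Sysmon Event ID 1 or equivalent) and `suspicious_run_entries` the values under the Run key; a parent that launches vssadmin.exe more than once in a minute is a strong signal even before any file is encrypted.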

As always, if it is possible to decrypt this software, we will be sure to post about it.
