A new version of TeslaCrypt was released on Tuesday that contains some minor changes, such as new ransom note names, a new name for the autorun entry, and a slight change to how it removes the Shadow Volume Copies. The first, and most noticeable, change for victims is that the ransom note filenames have been changed to Howto_RESTORE_FILES.txt, Howto_RESTORE_FILES.html, and Howto_RESTORE_FILES.bmp. Other than the change of name, the contents of the ransom note are the same.

Another new feature is how TeslaCrypt attempts to delete the Shadow Volume Copies. In the past, TeslaCrypt would execute vssadmin.exe once to clear the shadows before encrypting your files. According to BloodDolly, the creator of TeslaDecoder, this variant will now repeatedly execute vssadmin.exe until the program detects that the victim did not cancel the request to run vssadmin.

Last, but not least, the name for the autostart entry in the Windows Registry has changed to Acrndtd.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Acrndtd C:\Users\\AppData\Roaming\.exe
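The three indicators above (the ransom note names, the Acrndtd Run value, and repeated vssadmin.exe launches from the same parent) can be turned into simple detection checks. The following Python is an added example, not code from the article or from TeslaDecoder; the process-creation log format, the sample log lines, the parent path crypt.exe, and the retry threshold and time window are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators stated in the article above.
RANSOM_NOTE_RE = re.compile(r"(?i)^Howto_RESTORE_FILES\.(txt|html|bmp)$")
RUN_VALUE_NAME = "Acrndtd"  # value name under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# Constructed, Sysmon-style line format used only here: <ISO ts> parent="..." image="..."
LINE_RE = re.compile(r'^(?P<ts>\S+) parent="(?P<parent>[^"]*)" image="(?P<image>[^"]*)"')

def parse_line(line):
    m = LINE_RE.match(line)  # None for lines in another format
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "parent": m["parent"], "image": m["image"]}

def repeated_vssadmin(lines, threshold=3, window=timedelta(minutes=2)):
    """Parents that launched vssadmin.exe at least `threshold` times inside `window`.
    One vssadmin run is routine admin work; the same parent retrying it several
    times in quick succession matches the behaviour described above."""
    launches = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["image"].lower().endswith("\\vssadmin.exe"):
            launches[ev["parent"]].append(ev["ts"])
    flagged = []
    for parent, stamps in launches.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged.append(parent)
                break
    return flagged

def is_ransom_note(filename):
    """True for the ransom note names this variant drops."""
    return bool(RANSOM_NOTE_RE.match(filename))

def suspicious_run_values(run_values):
    """run_values: {value name: command} as read from the HKCU Run key."""
    return [name for name in run_values if name == RUN_VALUE_NAME]

# Constructed sample: three retries from one dropper, one legitimate admin run, one noise line.
SAMPLE_LOG = [
    r'2015-10-13T10:00:00 parent="C:\Users\victim\AppData\Roaming\crypt.exe" image="C:\Windows\System32\vssadmin.exe"',
    r'2015-10-13T10:00:20 parent="C:\Users\victim\AppData\Roaming\crypt.exe" image="C:\Windows\System32\vssadmin.exe"',
    r'2015-10-13T10:00:45 parent="C:\Users\victim\AppData\Roaming\crypt.exe" image="C:\Windows\System32\vssadmin.exe"',
    r'2015-10-13T11:30:00 parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\vssadmin.exe"',
    "malformed line that the parser skips",
]
```

On a real host the log lines would come from process-creation auditing and the Run values from the registry; the functions only need those two inputs.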

As always, if it is possible to decrypt this software, we will be sure to post about it.
