A quick post that version 4.0 of the TeslaCrypt Ransomware has been released. This version was noticed by TeslaCrypt expert BloodDolly on 3/14/16. At this point, TeslaCrypt 4.0 has not been fully analyzed but a brief analysis by BloodDolly shows that it fixes a bug that corrupted files greater than 4GB, contains new ransom note names, and no longer uses an extension for encrypted files. 

TeslaCrypt 4.0 PNG Ransom Note
TeslaCrypt 4.0 PNG Ransom Note

When TeslaCrypt first begins encrypting your data, it will connect to one of the Command & Control server gateways and send an encrypted POST message. When this message is decrypted, one of the values in the message is called version that displays the current version of TeslaCrypt. You can see an example of a decoded 4.0 request below.


In this version, the developers have fixed a bug that was corrupting files greater than 4GB, changed the names of the ransom notes to RECOVER[5_chars].html, and no longer appends an extension to encrypted files. The lack of an extension makes it difficult for victim's to discover information about TeslaCrypt and what it did to their files.  For now, until an extension is used again, victims are going to have to search for strings from the ransom note such as:

NOT YOUR LANGUAGE? USE https://translate.google.com

What's the matter with your files?

Your data was secured using a strong encryption with RSA4096.
Use the link down below to find additional information on the encryption keys using RSA4096:https://en.wikipedia.org/wiki/RSA_(cryptosystem) 

As new information is discovered about this version, we will post it on the site. For those who wish to ask questions related to this version, feel free to ask in TeslaDecoder topic. Files encrypted by this version cannot be decrypted without purchasing the key. If you have a backup, you should restore your files from that instead.


3/17/16 - Updated information about the DH value in the decrypted request.


TeslaCrypt 4.0 Files


TeslaCrypt 4.0 Registry Entries

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\_[random]	C:\Windows\SYSTEM32\CMD.EXE /C START %UserProfile%\Documents\[random].exe

Related Articles:

The Week in Ransomware - November 9th 2018 - Mostly Dharma Variants

SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords

The Week in Ransomware - November 2nd 2018 - RaaS, DiskCryptor, & More

New Ransomware using DiskCryptor With Custom Ransom Message

CommonRansom Ransomware Demands RDP Access to Decrypt Files