A quick post to note that version 4.1b of the TeslaCrypt Ransomware has been released. According to TeslaCrypt researcher BloodDolly, the earliest 4.1b sample he has is dated 4/19/16. After a quick analysis, the changes that were made are:

  • Data file renamed to %MyDocuments%\desctop._ini
  • Size of recovery file changed to 252 from 264.
  • Name of the Run Registry value is now hostslert[6chars]

The ransom notes are still the same, with the filenames being in the format -!RecOveR!-[random_chars]++.Png, -!RecOveR!-[random_chars]++.Htm, and -!RecOveR!-[random_chars]++.Txt. There are two new payment gateway hosts, though, located at p23cb.bobodawn.at and y4bxj.adozeuds.com.

TeslaCrypt 4.1b HTML Ransom Note

When TeslaCrypt first begins encrypting your data, it connects to one of the Command & Control server gateways and sends an encrypted POST request. When this request is decrypted, one of the values in the payload is called version and contains the current version of TeslaCrypt. You can see an example of a decoded 4.1b request below.


It also appears that TeslaCrypt now uses only WMIC to delete Shadow Volume Copies, though this may also have been the case in earlier versions. The command used is C:\Windows\system32\wbem\WMIC.exe shadowcopy delete /nointeractive.

WMIC Shadow Copy Deletion

If any new info comes out, I will be sure to update this post.

Updated 4/21/16 - Added analysis by BloodDolly.

TeslaCrypt 4.1b Files


TeslaCrypt 4.1b Registry Entries

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random]	C:\Windows\SYSTEM32\CMD.EXE /C START %UserProfile%\Documents\[random].exe
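As an added example (not part of the original post or of BloodDolly's analysis), the script below turns the two host-based indicators described above into a small triage routine: it flags the WMIC shadowcopy delete command line from the Shadow Volume Copy section, and Run key values whose name matches the hostslert[6chars] pattern or whose data is the CMD.EXE /C START %UserProfile%\Documents\[random].exe launcher from the registry table. It goes slightly beyond the post by also matching the vssadmin delete shadows form of shadow copy deletion, which TeslaCrypt 4.1b is not reported to use. The six characters after hostslert are assumed to be alphanumeric (the post does not say), and the event records it runs over are constructed here, not captured telemetry.

```python
import re
from dataclasses import dataclass

# Indicators from the post: WMIC shadow-copy deletion and the Run key persistence entry.
SHADOWCOPY_RE = re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE)
# Generalisation beyond the post (assumption): the vssadmin variant of the same technique.
VSSADMIN_RE = re.compile(r'vssadmin(\.exe)?"?\s+delete\s+shadows', re.IGNORECASE)
# Run key path ending in the value name, e.g. HKCU\...\Run\hostslertab12cd
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.IGNORECASE
)
# Value name pattern hostslert[6chars]; the character class is an assumption.
RUN_NAME_RE = re.compile(r"^hostslert[A-Za-z0-9]{6}$", re.IGNORECASE)
# Launcher in the registry table: CMD.EXE /C START %UserProfile%\Documents\[random].exe
LAUNCHER_RE = re.compile(r"cmd\.exe\s+/c\s+start\s+.*\\Documents\\[^\\]+\.exe", re.IGNORECASE)


@dataclass
class Event:
    kind: str        # "process" (detail = command line) or "registry" (detail = value path)
    detail: str
    data: str = ""   # registry value data, empty for process events


def triage(events):
    """Return a list of (tag, evidence) tuples for events matching the indicators."""
    findings = []
    for ev in events:
        if ev.kind == "process":
            if SHADOWCOPY_RE.search(ev.detail):
                findings.append(("shadowcopy_delete_wmic", ev.detail))
            elif VSSADMIN_RE.search(ev.detail):
                findings.append(("shadowcopy_delete_vssadmin", ev.detail))
        elif ev.kind == "registry":
            m = RUN_KEY_RE.search(ev.detail)
            if not m:
                continue
            name = m.group("name")
            # Either the value name pattern or the launcher command line is enough:
            # the name is random per sample, but the launcher shape is stable.
            if RUN_NAME_RE.match(name) or LAUNCHER_RE.search(ev.data):
                findings.append(("run_key_persistence", f"{name} -> {ev.data}"))
    return findings


# Constructed sample events for this example; not real telemetry.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\system32\wbem\WMIC.exe shadowcopy delete /nointeractive"),
    Event("process", r"C:\Windows\system32\wbem\WMIC.exe os get caption"),
    Event("process", r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'),
    Event("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\hostslertab12cd",
          r"C:\Windows\SYSTEM32\CMD.EXE /C START %UserProfile%\Documents\abcdef.exe"),
    Event("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for tag, evidence in triage(SAMPLE_EVENTS):
        print(f"{tag}: {evidence}")
```

On a live host the same two checks map onto Sysmon Event ID 1 (process creation, CommandLine field) and Event ID 13 (registry value set, TargetObject and Details fields); the benign WMIC query and the OneDrive Run value in the sample are there to show the patterns do not fire on ordinary WMIC or Run key activity.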
