A quick post to note that version 4.1b of the TeslaCrypt ransomware has been released. According to TeslaCrypt researcher BloodDolly, the first 4.1b sample he has is dated 4/19/16. After a quick analysis, the changes are:
The ransom notes are unchanged, with the filenames still in the format -!RecOveR!-[random_chars]++.Png, -!RecOveR!-[random_chars]++.Htm, and -!RecOveR!-[random_chars]++.Txt. There are two new payment gateway hosts, though, located at p23cb.bobodawn.at and y4bxj.adozeuds.com.
When TeslaCrypt first begins encrypting your data, it will connect to one of the Command & Control server gateways and send an encrypted POST message. When this message is decrypted, one of the values in the message is called version and contains the current version of TeslaCrypt. You can see an example of a decoded 4.1b request below.
It also appears that TeslaCrypt uses only WMIC to delete Shadow Volume Copies, though this may also have been the case in earlier versions. The command used is C:\Windows\system32\wbem\WMIC.exe shadowcopy delete /nointeractive.
If any new info comes out, I will be sure to update this post.
Updated 4/21/16 - Added analysis by BloodDolly.
Files associated with TeslaCrypt 4.1b:

%UserProfile%\Desktop\-!RecOveR!-[random_chars]++.Txt
%UserProfile%\Desktop\-!RecOveR!-[random_chars]++.Htm
%UserProfile%\Desktop\-!RecOveR!-[random_chars]++.Png
%UserProfile%\Documents\[random].exe
%UserProfile%\Documents\-!recover!-!file!-.txt
%UserProfile%\Documents\desctop._ini

Registry entries associated with TeslaCrypt 4.1b:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random]	C:\Windows\SYSTEM32\CMD.EXE /C START %UserProfile%\Documents\[random].exe
HKCU\Software\[victim_id]
HKCU\Software\[victim_id]\data
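The indicators above (the WMIC shadow copy deletion command, the ransom note filename pattern, the Documents marker files, the Run key launcher and the two payment gateway hosts) can be turned into straightforward matching rules over endpoint telemetry. The following Python is an added example, not code from the original post or from BloodDolly; the event records are constructed here to resemble Sysmon/EDR process, file, registry and DNS events, and the field names (kind, command, path, key, value, host) and the random names such as kdj2hf are assumptions.

```python
"""Detection sketch for the TeslaCrypt 4.1b indicators listed in the post.

Added example, not part of the original post. Event records are constructed
to look like Sysmon/EDR process, file, registry and DNS events; the field
names (kind, command, path, key, value, host) are assumptions.
"""
import re

# Indicators taken from the post.
GATEWAY_HOSTS = {"p23cb.bobodawn.at", "y4bxj.adozeuds.com"}
# Desktop ransom notes: -!RecOveR!-[random_chars]++.Png / .Htm / .Txt
RANSOM_NOTE_RE = re.compile(r"[\\/]-!RecOveR!-[^\\/]+\+\+\.(?:png|htm|txt)$", re.IGNORECASE)
# Marker files dropped in the Documents folder (spelling as observed in the post).
DOCS_NOTE_NAMES = {"-!recover!-!file!-.txt", "desctop._ini"}
# WMIC.exe shadowcopy delete /nointeractive
SHADOW_DELETE_RE = re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE)
# Run-key launcher: CMD.EXE /C START <...>\Documents\<random>.exe
# (.* lets %UserProfile% or an expanded C:\Users\<name> path both match)
LAUNCHER_RE = re.compile(r"cmd(?:\.exe)?\s+/c\s+start\s+.*\\documents\\[^\\\s]+\.exe", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


def classify(event):
    """Return the list of indicator names an event matches (empty if benign)."""
    hits = []
    kind = event["kind"]
    if kind == "process":
        if SHADOW_DELETE_RE.search(event["command"]):
            hits.append("shadow_copy_deletion")
        if LAUNCHER_RE.search(event["command"]):
            hits.append("documents_exe_launcher")
    elif kind == "file":
        path = event["path"]
        if RANSOM_NOTE_RE.search(path):
            hits.append("ransom_note")
        if path.rsplit("\\", 1)[-1].lower() in DOCS_NOTE_NAMES:
            hits.append("documents_marker_file")
    elif kind == "registry":
        # A Run value alone is noisy; require the CMD /C START ...\Documents\*.exe shape too.
        if RUN_KEY_RE.search(event["key"]) and LAUNCHER_RE.search(event["value"]):
            hits.append("run_key_persistence")
    elif kind == "dns":
        if event["host"].lower() in GATEWAY_HOSTS:
            hits.append("payment_gateway_lookup")
    return hits


def scan(events):
    """Group matching events by indicator name; benign events are dropped."""
    findings = {}
    for ev in events:
        for name in classify(ev):
            findings.setdefault(name, []).append(ev)
    return findings


# Constructed sample telemetry (not from the post); two benign events are mixed in.
SAMPLE_EVENTS = [
    {"kind": "process", "command": r"C:\Windows\system32\wbem\WMIC.exe shadowcopy delete /nointeractive"},
    {"kind": "process", "command": r"C:\Windows\SYSTEM32\CMD.EXE /C START C:\Users\alice\Documents\kdj2hf.exe"},
    {"kind": "process", "command": r"C:\Windows\system32\wbem\WMIC.exe os get caption"},  # benign WMIC use
    {"kind": "file", "path": r"C:\Users\alice\Desktop\-!RecOveR!-ab3kd++.Htm"},
    {"kind": "file", "path": r"C:\Users\alice\Documents\desctop._ini"},
    {"kind": "file", "path": r"C:\Users\alice\Documents\report.docx"},  # benign file
    {"kind": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\kdj2hf",
     "value": r"C:\Windows\SYSTEM32\CMD.EXE /C START %UserProfile%\Documents\kdj2hf.exe"},
    {"kind": "dns", "host": "p23cb.bobodawn.at"},
]


if __name__ == "__main__":
    for name, evs in scan(SAMPLE_EVENTS).items():
        print(f"{name}: {len(evs)} event(s)")
```

The shadow copy deletion rule is the one worth alerting on by itself, since WMIC shadowcopy delete has few legitimate interactive uses; the Run key and Documents launcher rules are best treated as corroborating signals alongside a ransom note or gateway lookup hit.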