A quick post that version 4.1b of the TeslaCrypt Ransomware has been released. According to TeslaCrypt research BloodDolly, the first 4.1b sample that he has is dated 4/19/16.  After a quick analysis, the changes that were made are:

  • Data file renamed to %MyDocuments%\desctop._ini
  • Size of recovery file changed to 252 from 264.
  • Name of the Run Registry value is now hostslert[6chars]

The ransom notes are still the same with the filenames being in the format -!RecOveR!-[random_chars]++.Png-!RecOveR!-[random_chars]++.Htm, and -!RecOveR!-[random_chars]++.Txt.  There are two new payment gateway hosts, though, located at p23cb.bobodawn.at and y4bxj.adozeuds.com.  

TeslaCrypt 4.1b HTML Ransom Note
TeslaCrypt 4.1b HTML Ransom Note

When TeslaCrypt first begins encrypting your data, it will connect to one of the Command & Control server gateways and send an encrypted POST message. When this message is decrypted, one of the values in the message is called version and contains the current version of TeslaCrypt. You can see an example of a decoded 4.1b request below.

Sub=Ping&dh=[PublicKeyRandom1_octet|AES_PrivateKeyMaster]&addr=[bitcoin_address]&size=0&version=4.1b&OS=[build_id]&ID=[?]&inst_id=[victim_id]

It also appears that TeslaCrypt is only using WMIC to delete Shadow Volume Copies, though this may have also been the case in earlier version. The command used is C:\Windows\system32\wbem\WMIC.exe shadowcopy delete /nointeractive.

WMIC Shadow Copy Deletion
WMIC Shadow Copy Deletion

If any new info comes out, I will be sure to update this post.

Updated 4/21/16 - Added analysis by BloodDolly.

TeslaCrypt 4.1b Files

%UserProfile%\Desktop\-!RecOveR!-[random_chars]++.Txt
%UserProfile%\Desktop\-!RecOveR!-[random_chars]++.Htm
%UserProfile%\Desktop\-!RecOveR!-[random_chars]++.Png
%UserProfile%\Documents\[random].exe
%UserProfile%\Documents\-!recover!-!file!-.txt
%UserProfile%\Documents\desctop._ini

TeslaCrypt 4.1b Registry Entries

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random]	C:\Windows\SYSTEM32\CMD.EXE /C START %UserProfile%\Documents\[random].exe
HKCU\Software\[victim_id]
HKCU\Software\[victim_id]\data