Version 4.2 of the TeslaCrypt ransomware has been released, according to TeslaCrypt researcher BloodDolly. This version was released today and contains quite a few modifications to how the program runs. The most notable change, though, is the revamp of the ransom note. The ransom note, shown below, has been stripped down to basics, with only the information needed to connect to the payment servers.

TeslaCrypt 4.2 Ransom Note

According to BloodDolly the under-the-hood changes are:

  • Compiler changed and code recompiled with optimization.
  • Injects code to svchost.exe in order to delete shadow copies. It does this with the following method:
    • Injects code into a svchost.exe process started under its control as a debuggee.
    • The injected code executes: vssadmin.exe "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
    • Shadow copies are deleted both before and after encryption.
  • Recovery file is now the data file.
  • Data file renamed to %MyDocuments%\-!recover!-!file!-.txt and it is now encrypted.
  • Data file size changed to 272 B (256 B unencrypted).
  • Run key changed to [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] serv[5chars] C:\Windows\SYSTEM32\CMD.EXE /C START "" "[malwarepath].exe"
  • Network request is set only if InternetGetConnectedState returns 1.
  • Text of ransom note changed.

The data file, -!recover!-!file!-.txt, is 272 bytes as stored on disk (encrypted) and contains 256 bytes of unencrypted data, laid out as follows:

Offset  Size   Description
0x000      8   %IDHEX%
0x008     35   BitcoinAddress
0x02B     13   Padding (0x00)
0x038    128   PublicKeyRandom1_octet|AES_PrivateKeyMaster (97 bytes used)
0x0B8     65   PublicKeySHA256Master_octet
0x0F9      3   Padding (0x00)
0x0FC      4   ID of distribution path (?)
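To turn the layout above into something usable during triage, here is an added example (not BloodDolly's or TeslaCrypt's code) that splits a decrypted 256-byte data file into its fields and validates the zero padding. It assumes the Bitcoin address is null-padded ASCII and that the distribution path ID is a little-endian 32-bit integer; the sample buffer it parses is constructed for the demonstration.

```python
import struct

RECOVERY_SIZE = 256          # unencrypted data file size from the article
KEY_FIELD_USED = 97          # "97 used" of the 128-byte key field

# (field name, offset, size) exactly as laid out in the article's table.
RECOVERY_LAYOUT = [
    ("id_hex",               0x000,   8),
    ("bitcoin_address",      0x008,  35),
    ("padding1",             0x02B,  13),
    ("key_material",         0x038, 128),   # PublicKeyRandom1_octet|AES_PrivateKeyMaster
    ("pubkey_sha256_master", 0x0B8,  65),   # PublicKeySHA256Master_octet
    ("padding2",             0x0F9,   3),
    ("distribution_path_id", 0x0FC,   4),
]

def parse_recovery_file(data: bytes) -> dict:
    """Split a decrypted -!recover!-!file!-.txt body into its fields."""
    if len(data) != RECOVERY_SIZE:
        raise ValueError(f"expected {RECOVERY_SIZE} bytes, got {len(data)}")
    raw = {name: data[off:off + size] for name, off, size in RECOVERY_LAYOUT}
    for name in ("padding1", "padding2"):
        if any(raw[name]):   # any non-zero byte means the layout does not match
            raise ValueError(f"{name} is not zero-filled; not a 4.2 data file?")
    return {
        "id_hex": raw["id_hex"].hex(),
        # assumption: ASCII address, null-padded to the 35-byte field
        "bitcoin_address": raw["bitcoin_address"].rstrip(b"\x00").decode("ascii"),
        "key_material": raw["key_material"][:KEY_FIELD_USED],
        "pubkey_sha256_master": raw["pubkey_sha256_master"],
        # assumption: little-endian 32-bit integer (native byte order on x86)
        "distribution_path_id": struct.unpack("<I", raw["distribution_path_id"])[0],
    }

def build_sample() -> bytes:
    """Constructed sample body (not from a real infection) for testing."""
    buf = bytearray(RECOVERY_SIZE)
    buf[0x000:0x008] = bytes.fromhex("0123456789abcdef")
    buf[0x008:0x008 + 34] = b"1SampleAddressNotRealXXXXXXXXXXXXX"   # 34 chars + NUL
    buf[0x038:0x038 + KEY_FIELD_USED] = bytes(range(KEY_FIELD_USED))
    buf[0x0B8:0x0B8 + 65] = b"\x04" + bytes(range(64))
    buf[0x0FC:0x100] = struct.pack("<I", 7)
    return bytes(buf)

if __name__ == "__main__":
    for key, value in parse_recovery_file(build_sample()).items():
        print(key, value.hex() if isinstance(value, bytes) else value)
```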

SHA256: 0dfa2fa3f4a6abdaaba4e42ced179664040bf33f67e9f81a8afb1e2e7c630739

Files associated with TeslaCrypt 4.2:

%MyDocuments%\-!recover!-!file!-.txt
%UserProfile%\Documents\[random].exe

Registry entries associated with TeslaCrypt 4.2:

serv[5chars] C:\Windows\SYSTEM32\CMD.EXE /C START "" "%UserProfile%\Documents\[random].exe"
