Version 4.2 of the TeslaCrypt Ransomware has been released according to TeslaCrypt researcher BloodDolly. This version was released today and contains quite a few modifications to how the program runs. The most notable change, though, is the revamp of the ransom note. The ransom note, shown below, has been stripped down to basics with only the necessary info to connect to the payment servers.
According to BloodDolly the under-the-hood changes are:
The data file called -!recover!-!file!-.txt is 272 bytes when encrypted and 256 bytes when unencrypted. The content is encrypted (unencrypted data is 256 bytes).

Layout of the unencrypted data:

    Offset  Size  Description
    0x000   8     %IDHEX%
    0x008   35    BitcoinAddress
    0x02B   13    Padding (0x00)
    0x038   128   PublicKeyRandom1_octet|AES_PrivateKeyMaster (97 used)
    0x0B8   65    PublicKeySHA256Master_octet
    0x0F9   3     Padding (0x00)
    0x0FC   4     ID of distribution path (?)
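The layout above is enough to write a parser for the decrypted 256-byte record. The following is an added example written for this article, not BloodDolly's or anyone else's tooling: it slices the record at the offsets in the table, checks that the two padding regions are all zero (a cheap sanity check that the bytes really are a decrypted 4.2 data file), and returns the fields. Byte order of the trailing 4-byte ID is not stated on the page, so little-endian is an assumption, and the sample record built by build_sample() is constructed for the example rather than taken from a real infection.

```python
import struct
from dataclasses import dataclass

# Offsets and sizes of the UNENCRYPTED -!recover!-!file!-.txt (256 bytes),
# exactly as listed in the table above. Anything beyond offset/size
# (endianness of the ID, meaning of the unused 31 bytes) is an assumption.
RECORD_SIZE = 256
OFF_IDHEX, LEN_IDHEX = 0x000, 8
OFF_BTC, LEN_BTC = 0x008, 35
OFF_PAD1, LEN_PAD1 = 0x02B, 13
OFF_KEY1, LEN_KEY1 = 0x038, 128   # PublicKeyRandom1_octet, 97 bytes used
KEY1_USED = 97
OFF_KEY2, LEN_KEY2 = 0x0B8, 65    # PublicKeySHA256Master_octet
OFF_PAD2, LEN_PAD2 = 0x0F9, 3
OFF_DIST, LEN_DIST = 0x0FC, 4     # "ID of distribution path (?)"


@dataclass
class RecoverFile:
    id_hex: bytes                      # %IDHEX%, 8 raw bytes
    bitcoin_address: str               # ASCII, trailing NULs stripped
    pubkey_random1_octet: bytes        # the 97 used bytes of the 128-byte field
    pubkey_random1_tail: bytes         # the remaining 31 bytes of that field
    pubkey_sha256_master_octet: bytes  # 65 bytes
    distribution_id: int               # trailing 4 bytes, little-endian (assumed)


def parse_recover_file(data: bytes) -> RecoverFile:
    """Parse a decrypted 256-byte data file; raise ValueError on bad size/padding."""
    if len(data) != RECORD_SIZE:
        raise ValueError(f"expected {RECORD_SIZE} decrypted bytes, got {len(data)} "
                         f"(the on-disk encrypted file is 272 bytes)")

    def field(off: int, ln: int) -> bytes:
        return data[off:off + ln]

    # Both padding regions must be zero; otherwise this is not a decrypted
    # 4.2 record (or it was decrypted with the wrong key).
    if field(OFF_PAD1, LEN_PAD1) != bytes(LEN_PAD1) or field(OFF_PAD2, LEN_PAD2) != bytes(LEN_PAD2):
        raise ValueError("padding regions are not all 0x00")

    key1 = field(OFF_KEY1, LEN_KEY1)
    return RecoverFile(
        id_hex=field(OFF_IDHEX, LEN_IDHEX),
        bitcoin_address=field(OFF_BTC, LEN_BTC).rstrip(b"\x00").decode("ascii"),
        pubkey_random1_octet=key1[:KEY1_USED],
        pubkey_random1_tail=key1[KEY1_USED:],
        pubkey_sha256_master_octet=field(OFF_KEY2, LEN_KEY2),
        distribution_id=struct.unpack_from("<I", data, OFF_DIST)[0],
    )


def build_sample() -> bytes:
    """Constructed sample record (not a real capture) laid out per the table."""
    buf = bytearray(RECORD_SIZE)                      # padding regions stay zero
    buf[OFF_IDHEX:OFF_IDHEX + LEN_IDHEX] = bytes.fromhex("0123456789abcdef")
    btc = b"1BoatSLRHtKNngkdXEeobR76b53LETtpyT"          # 34 chars, NUL-padded to 35
    buf[OFF_BTC:OFF_BTC + len(btc)] = btc
    buf[OFF_KEY1:OFF_KEY1 + KEY1_USED] = b"\x04" + bytes(range(96))   # 97 bytes
    buf[OFF_KEY2:OFF_KEY2 + LEN_KEY2] = b"\x04" + bytes(range(64))    # 65 bytes
    struct.pack_into("<I", buf, OFF_DIST, 7)
    return bytes(buf)


if __name__ == "__main__":
    rec = parse_recover_file(build_sample())
    print(rec.bitcoin_address, rec.distribution_id, rec.pubkey_random1_octet[:4].hex())
```

The parser deliberately refuses anything that is not exactly 256 bytes: the file as written to disk is 272 bytes and encrypted, so feeding it in unchanged should fail rather than yield garbage fields.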
Files:

    %UserProfile%\Desktop\!RecoveR!-[5_characters]++.HTML
    %UserProfile%\Desktop\!RecoveR!-[5_characters]++.PNG
    %UserProfile%\Desktop\!RecoveR!-[5_characters]++.TXT
    %UserProfile%\Documents\-!recover!-!file!-.txt
    %UserProfile%\Documents\[random].exe
serv[5chars] C:\Windows\SYSTEM32\CMD.EXE /C START "" "%UserProfile%\Documents\[random].exe"
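The file names and the serv[5chars] entry above are the indicators a responder would sweep a host for. The following is an added example for this article, not code from BloodDolly or BleepingComputer: it turns those indicators into patterns and runs them over a constructed list of paths and autorun entries. It assumes [5_characters] and [5chars] are five alphanumerics, treats the serv[5chars] line as an autorun value name plus its command without assuming which registry key it lives in (the page does not say), and the paths and entries it checks are constructed samples, not real forensic data.

```python
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Patterns derived from the indicators listed above.
# [5_characters] / [5chars] -> five alphanumerics (assumption).
DESKTOP_NOTE_RE = re.compile(r"^!RecoveR!-[A-Za-z0-9]{5}\+\+\.(html|png|txt)$", re.IGNORECASE)
DATA_FILE_NAME = "-!recover!-!file!-.txt"
AUTORUN_VALUE_RE = re.compile(r"^serv[A-Za-z0-9]{5}$", re.IGNORECASE)
# cmd.exe /C START "" "<profile>\Documents\<random>.exe"
AUTORUN_CMD_RE = re.compile(
    r'cmd\.exe\s+/c\s+start\s+""\s+"[^"]*\\documents\\[^"\\]+\.exe"$', re.IGNORECASE)


def classify_path(path: str) -> Optional[str]:
    """Return 'ransom_note', 'data_file' or None for a single file path."""
    p = PureWindowsPath(path)
    parts = [part.lower() for part in p.parts]
    if "desktop" in parts and DESKTOP_NOTE_RE.match(p.name):
        return "ransom_note"
    if "documents" in parts and p.name.lower() == DATA_FILE_NAME:
        return "data_file"
    return None


def classify_autorun(value_name: str, command: str) -> bool:
    """True if an autorun value name + command matches the serv[5chars] launcher."""
    return bool(AUTORUN_VALUE_RE.match(value_name) and AUTORUN_CMD_RE.search(command))


def scan(paths: List[str], autoruns: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Sweep paths and autorun entries; return (indicator_type, evidence) pairs."""
    hits: List[Tuple[str, str]] = []
    for path in paths:
        kind = classify_path(path)
        if kind:
            hits.append((kind, path))
    for name, cmd in autoruns:
        if classify_autorun(name, cmd):
            hits.append(("autorun", f"{name} -> {cmd}"))
    return hits


# Constructed sample input (not from a real host).
SAMPLE_PATHS = [
    r"C:\Users\bob\Desktop\!RecoveR!-k3f9a++.HTML",
    r"C:\Users\bob\Desktop\!RecoveR!-k3f9a++.PNG",
    r"C:\Users\bob\Desktop\!RecoveR!-k3f9a++.TXT",
    r"C:\Users\bob\Documents\-!recover!-!file!-.txt",
    r"C:\Users\bob\Documents\report.txt",
    r"C:\Users\bob\Desktop\notes.txt",
]
SAMPLE_AUTORUNS = [
    ("servqz8lm", r'C:\Windows\SYSTEM32\CMD.EXE /C START "" "C:\Users\bob\Documents\xk29ab.exe"'),
    ("OneDrive", r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for kind, evidence in scan(SAMPLE_PATHS, SAMPLE_AUTORUNS):
        print(f"{kind:12} {evidence}")
```

The %UserProfile%\Documents\[random].exe dropper itself is not matched by name, since "[random]" gives nothing to pattern on; it is caught indirectly through the autorun command that points at it.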