Version 4.2 of the TeslaCrypt Ransomware has been released according to TeslaCrypt researcher BloodDolly. This version was released today and contains quite a few modifications to how the program runs. The most notable change, though, is the revamp of the ransom note.  The ransom note, shown below, has been stripped down to basics with only the necessary info to connect to the payment servers.

TeslaCrypt 4.2 Ransom Note

According to BloodDolly the under-the-hood changes are:

  • Compiler changed and code recompiled with optimization.
  • Injects code into svchost.exe in order to delete shadow copies. It does this with the following method:
    • CreateProcessW(C:\Windows\System32\svchost.exe, DEBUG_ONLY_THIS_PROCESS | NORMAL_PRIORITY_CLASS | CREATE_DEFAULT_ERROR_MODE)
    • Injects code into the debugged svchost.exe process.
    • The injected code executes: vssadmin.exe  "C:\Windows\System32\vssadmin.exe"  delete shadows /all /Quiet
    • Shadow copies are deleted before and after encryption.
  • Recovery file is now the data file.
  • Data file renamed to %MyDocuments%\-!recover!-!file!-.txt and it is now encrypted.
  • Data file size changed to 272 B (256 B unencrypted).
  • Run key changed to [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] serv[5chars] C:\Windows\SYSTEM32\CMD.EXE /C START "" "[malwarepath].exe"
  • The network request is sent only if InternetGetConnectedState returns 1.
  • Text of ransom note changed.
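Two of the behaviours listed above are concrete detection points for a defender: a vssadmin "delete shadows /all /Quiet" executed by an svchost.exe that was itself started by a user-land executable, and the serv[5chars] Run value that launches the malware through CMD.EXE /C START. The Python below is an added example, not code from the article or from BloodDolly's analysis, that applies those checks to a handful of constructed process-creation and registry-set events. The event field names, the sample paths and value names, and the simplifying assumption that svchost.exe is normally spawned only by services.exe are mine, not the page's.

```python
from __future__ import annotations
import re
from typing import Iterable

# Constructed sample telemetry (not from the article): benign and suspicious
# process-creation and registry-set events, one dict each.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs"},                       # normal
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Users\alice\Documents\qwxzt.exe",            # user-land parent
     "cmdline": "svchost.exe"},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet'},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin.exe list shadows"},                    # harmless query
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "servqwxzt",                                       # serv + 5 chars
     "data": r'C:\Windows\SYSTEM32\CMD.EXE /C START "" "C:\Users\alice\Documents\qwxzt.exe"'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive",
     "data": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

# Shadow-copy wipe as listed in the article (case-insensitive, any spacing).
VSSADMIN_DELETE = re.compile(r"delete\s+shadows\b.*/all\b.*/quiet\b", re.I)
# Run value name "serv" followed by exactly five alphanumerics.
RUN_VALUE_NAME = re.compile(r"^serv[A-Za-z0-9]{5}$")
# Run value data: CMD.EXE /C START "" "<path>.exe"
RUN_VALUE_DATA = re.compile(r'cmd\.exe\s+/c\s+start\s+""\s+".+\.exe"', re.I)
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
# Assumption: svchost.exe is legitimately started by services.exe only.
EXPECTED_SVCHOST_PARENTS = {"services.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, for image/parent comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    hits: list[str] = []
    if event["type"] == "process":
        image, parent = basename(event["image"]), basename(event["parent"])
        if image == "vssadmin.exe" and VSSADMIN_DELETE.search(event["cmdline"]):
            hits.append("shadow_copy_deletion")
            if parent == "svchost.exe":
                hits.append("vssadmin_spawned_by_svchost")
        if image == "svchost.exe" and parent not in EXPECTED_SVCHOST_PARENTS:
            hits.append("svchost_unusual_parent")
    elif event["type"] == "registry":
        if (event["key"].lower() == RUN_KEY
                and RUN_VALUE_NAME.match(event["value"])
                and RUN_VALUE_DATA.search(event["data"])):
            hits.append("teslacrypt42_run_key")
    return hits


def scan(events: Iterable[dict]) -> dict[str, list[int]]:
    """Map each rule name to the indices of the events that triggered it."""
    findings: dict[str, list[int]] = {}
    for i, ev in enumerate(events):
        for rule in classify(ev):
            findings.setdefault(rule, []).append(i)
    return findings


if __name__ == "__main__":
    for rule, idx in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: events {idx}")
```

The svchost parent check is the broadest of the rules and is worth keeping separate from the vssadmin match: the debug-launched svchost.exe exists before any shadow copies are touched, so it fires earlier, at the cost of needing an allow-list tuned to what actually spawns svchost.exe in your environment.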

The data file -!recover!-!file!-.txt is 272 bytes when encrypted and 256 bytes when unencrypted. The layout of the 256-byte unencrypted content is:

offset  size  description
------  ----  -----------------------------------------------------
0x000      8  %IDHEX%
0x008     35  BitcoinAddress
0x02B     13  Padding (0x00)
0x038    128  PublicKeyRandom1_octet|AES_PrivateKeyMaster (97 used)
0x0B8     65  PublicKeySHA256Master_octet
0x0F9      3  Padding (0x00)
0x0FC      4  ID of distribution path (?)
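The table above is enough to write a parser for the unencrypted 256-byte data file, which is useful when triaging a recovered file or checking that a decrypted copy is well-formed. The Python below is an added example, not a tool from the article or from BloodDolly; the offsets and lengths are taken from the table, while two details are my assumptions and are marked as such in the code: that the 97 used bytes of the 128-byte field split into a 65-byte public key followed by a 32-byte private key, and that the 65-byte values are uncompressed EC points (which always begin with 0x04). The sample blob it parses is constructed, not a real data file.

```python
from dataclasses import dataclass

# Field layout of the unencrypted -!recover!-!file!-.txt, copied from the
# article's table: (offset, length, name).
LAYOUT = [
    (0x000,   8, "id_hex"),
    (0x008,  35, "bitcoin_address"),
    (0x02B,  13, "padding1"),
    (0x038, 128, "pubkey_random1_and_aes_priv_master"),   # 97 bytes used
    (0x0B8,  65, "pubkey_sha256_master"),
    (0x0F9,   3, "padding2"),
    (0x0FC,   4, "distribution_path_id"),
]
DATAFILE_SIZE = 256            # unencrypted size from the article
KEY_FIELD_USED = 97            # "(97 used)" in the table


@dataclass
class RecoverFile:
    id_hex: str
    bitcoin_address: str
    pubkey_random1: bytes      # assumption: first 65 of the 97 used bytes
    aes_priv_master: bytes     # assumption: remaining 32 bytes
    pubkey_sha256_master: bytes
    distribution_path_id: str  # raw hex; byte order not stated on the page
    warnings: list


def parse_recover_file(blob: bytes) -> RecoverFile:
    """Split a 256-byte unencrypted data file into its fields and sanity-check it."""
    if len(blob) != DATAFILE_SIZE:
        raise ValueError(f"expected {DATAFILE_SIZE} bytes, got {len(blob)}")
    fields = {name: blob[off:off + ln] for off, ln, name in LAYOUT}
    warnings = []
    for pad in ("padding1", "padding2"):
        if any(fields[pad]):
            warnings.append(f"{pad} is not all zero")
    key_blob = fields["pubkey_random1_and_aes_priv_master"]
    if any(key_blob[KEY_FIELD_USED:]):
        warnings.append("bytes beyond the 97 used in the key field are non-zero")
    pub1 = key_blob[:65]
    # Assumption (not stated on the page): 65-byte values are uncompressed
    # EC points, so the first byte should be 0x04.
    for name, val in (("pubkey_random1", pub1),
                      ("pubkey_sha256_master", fields["pubkey_sha256_master"])):
        if val[0] != 0x04:
            warnings.append(f"{name} does not start with 0x04 (uncompressed EC point)")
    return RecoverFile(
        id_hex=fields["id_hex"].hex(),
        bitcoin_address=fields["bitcoin_address"].rstrip(b"\x00").decode("ascii", "replace"),
        pubkey_random1=pub1,
        aes_priv_master=key_blob[65:KEY_FIELD_USED],
        pubkey_sha256_master=fields["pubkey_sha256_master"],
        distribution_path_id=fields["distribution_path_id"].hex(),
        warnings=warnings,
    )


def build_sample() -> bytes:
    """Constructed 256-byte sample that follows the layout; not a real file."""
    pub1 = b"\x04" + bytes(range(1, 65))          # 65 bytes
    priv = bytes(range(65, 97))                    # 32 bytes
    pub2 = b"\x04" + bytes(range(100, 164))        # 65 bytes
    blob = (b"\x11\x22\x33\x44\x55\x66\x77\x88"                     # id_hex
            + b"1CONSTRUCTEDSAMPLEADDRESSNOTREAL00".ljust(35, b"\x00")
            + b"\x00" * 13                                          # padding1
            + (pub1 + priv).ljust(128, b"\x00")                     # key field
            + pub2                                                  # pubkey_sha256_master
            + b"\x00" * 3                                           # padding2
            + b"\x01\x00\x00\x00")                                  # distribution id
    assert len(blob) == DATAFILE_SIZE
    return blob


if __name__ == "__main__":
    rec = parse_recover_file(build_sample())
    print(rec.id_hex, rec.bitcoin_address, rec.distribution_path_id, rec.warnings)
```

Because the on-disk file is 272 bytes, the parser deliberately refuses anything that is not exactly 256 bytes: the 16 extra bytes belong to the outer encryption layer, and feeding the encrypted blob straight in would silently misalign every field.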

SHA256: 0dfa2fa3f4a6abdaaba4e42ced179664040bf33f67e9f81a8afb1e2e7c630739

Files associated with TeslaCrypt 4.2:

%UserProfile%\Desktop\!RecoveR!-[5_characters]++.HTML
%UserProfile%\Desktop\!RecoveR!-[5_characters]++.PNG
%UserProfile%\Desktop\!RecoveR!-[5_characters]++.TXT
%UserProfile%\Documents\-!recover!-!file!-.txt
%UserProfile%\Documents\[random].exe

Registry entries associated with TeslaCrypt 4.2:

serv[5chars] C:\Windows\SYSTEM32\CMD.EXE /C START "" "%UserProfile%\Documents\[random].exe"