TeslaCrypt 4.0 With Bug Fixes, Decryption Impossible

A brand new version, TeslaCrypt 4.0, has just been released. The latest version of the ransomware was noticed by a security expert on 3/14/2016.

Analysis of TeslaCrypt 4.0 has not been completed yet, but the researcher reports that it fixes a bug which corrupted files greater than 4GB, uses new ransom note names, and no longer appends an extension to encrypted files.

TeslaCrypt first begins encrypting your data, then connects to one of the Command & Control server gateways and sends an encrypted POST message.

After this message is decrypted, one of the values in it, called version, shows the current version of TeslaCrypt.

An example of a decoded 4.0 request is provided below:

Sub=Ping&dh=[PublicKeyRandom1_octet|AES_PrivateKeyMaster]&addr=[bitcoin_address]&size=0&version=4.0&OS=[build_id]&ID=[?]&inst_id=[victim_id]

In the latest version of TeslaCrypt, the developers have fixed a bug which was corrupting files greater than 4GB, changed the names of the ransom notes to RECOVER[5_chars].html, and stopped appending an extension to encrypted files.

The lack of an extension makes it harder for victims to find information about TeslaCrypt and what it did to their files. Until an extension is used again, victims will have to search for strings from the ransom note, such as:

“NOT YOUR LANGUAGE? USE https://translate.google.com
What’s the matter with your files?
Your data was secured using a strong encryption with RSA4096.
Use the link down below to find additional information on the encryption keys using RSA4096:https://en.wikipedia.org/wiki/RSA_(cryptosystem)”
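As an added example that is not part of the original article, the following Python scan hunts a directory tree for 4.0 ransom notes using the RECOVER[5_chars].html name pattern and the note phrases quoted above. The assumption that the five characters are alphanumeric, and the sample tree it scans, are constructed here.

```python
import os, re, tempfile
from pathlib import Path

# Note file name reported for 4.0: RECOVER[5_chars].html.
# Assumption: the five characters are alphanumeric; case is ignored.
NOTE_NAME_RE = re.compile(r"^RECOVER[A-Za-z0-9]{5}\.html$", re.IGNORECASE)
# Phrases quoted from the 4.0 ransom note.
NOTE_MARKERS = (
    "NOT YOUR LANGUAGE? USE https://translate.google.com",
    "Your data was secured using a strong encryption with RSA4096",
)

def name_matches(filename: str) -> bool:
    return NOTE_NAME_RE.match(filename) is not None

def content_matches(text: str) -> bool:
    return any(marker in text for marker in NOTE_MARKERS)

def find_ransom_notes(root: str, max_size: int = 1_000_000) -> list:
    """Sorted paths under root that look like 4.0 notes: the name fits the
    RECOVER pattern, or a file of at most max_size bytes carries a marker.
    The size cap keeps the scan from reading large (possibly encrypted) data."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = Path(dirpath) / fname
            if name_matches(fname):
                hits.append(str(path))
                continue
            try:
                if path.stat().st_size > max_size:
                    continue
                text = path.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue
            if content_matches(text):
                hits.append(str(path))
    return sorted(hits)

def demo() -> list:
    """Scan a constructed sample tree: one name hit, one content hit, one clean file."""
    root = Path(tempfile.mkdtemp(prefix="tc4_demo_"))
    (root / "Documents").mkdir()
    (root / "RECOVERab12z.html").write_text("<html>note</html>")
    (root / "Documents" / "readme.txt").write_text(
        "What's the matter with your files?\n"
        "Your data was secured using a strong encryption with RSA4096.")
    (root / "Documents" / "budget.xlsx").write_bytes(b"\x00\x01clean")
    return find_ransom_notes(str(root))
```

Calling demo() returns the two flagged paths; point find_ransom_notes() at a user profile or share to run it against real data.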

The files encrypted by TeslaCrypt 4.0 cannot be decrypted without purchasing the key (at least for the moment).
