A quick post to note that version 4.0 of the TeslaCrypt ransomware has been released. This version was noticed by TeslaCrypt expert BloodDolly on 3/14/16. TeslaCrypt 4.0 has not yet been fully analyzed, but a brief analysis by BloodDolly shows that it fixes a bug that corrupted files larger than 4GB, uses new ransom note names, and no longer adds an extension to encrypted files.
When TeslaCrypt first begins encrypting your data, it connects to one of the Command & Control server gateways and sends an encrypted POST message. When this message is decrypted, one of the values in it, called version, shows the current version of TeslaCrypt. An example of a decoded 4.0 request is shown below.
Sub=Ping&dh=[PublicKeyRandom1_octet|AES_PrivateKeyMaster]&addr=[bitcoin_address]&size=0&version=4.0&OS=[build_id]&ID=[?]&inst_id=[victim_id]
In this version, the developers have fixed a bug that was corrupting files greater than 4GB, changed the names of the ransom notes to RECOVER[5_chars].html, and no longer append an extension to encrypted files. The lack of an extension makes it difficult for victims to discover information about TeslaCrypt and what it did to their files. For now, until an extension is used again, victims will have to search for strings from the ransom note such as:
NOT YOUR LANGUAGE? USE https://translate.google.com
What's the matter with your files?
Your data was secured using a strong encryption with RSA4096.
Use the link down below to find additional information on the encryption keys using RSA4096:https://en.wikipedia.org/wiki/RSA_(cryptosystem)
As new information is discovered about this version, we will post it on the site. For those who wish to ask questions related to this version, feel free to ask in the TeslaDecoder topic. Files encrypted by this version cannot be decrypted without purchasing the key. If you have a backup, you should restore your files from that instead.
Updates:
3/17/16 - Updated information about the DH value in the decrypted request.
%UserProfile%\Desktop\RECOVER[5_chars].html
%UserProfile%\Desktop\RECOVER[5_chars].png
%UserProfile%\Desktop\RECOVER[5_chars].txt
%UserProfile%\Documents\[random].exe
%UserProfile%\Documents\recover_file.txt
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\_[random] C:\Windows\SYSTEM32\CMD.EXE /C START %UserProfile%\Documents\[random].exe
HKCU\Software\
HKCU\Software\\data
Comments
Demonslay335 - 12 hours ago
The header of encrypted files is the same, so they can be identified that way. All files will start with 0x00000000, the victim ID that shows in the ransom note, then 0x00000000 again, then the public ECDH key starting with 0x04...
Grinler - 12 hours ago
Good info! Thanks
BloodDolly - 11 hours ago
offset  size  Description
------  ----  -----------------------------
0x000     8   0x0000000000000000
0x008     8   %IDHEX%
0x010     8   0x0000000000000000
0x018    65   PublicKeyRandom1_octet
0x059    32   AES_PrivateKeyMaster
0x079    31   Padding 0
0x098    65   PublicKeySHA256Master_octet
0x0D9     3   0x000000
0x0DC    65   PublicKeyRandom2_octet
0x11D    32   AES_PrivateKeyFile
0x13D    31   Padding 0
0x15C    16   Initialization vector for AES
0x16C     4   Size of original file

AES 256 CBC
Grinler - 11 hours ago
Thx BD.
Warr10r - 10 hours ago
Hi All, what would be the best method of finding encrypted files on a local hard drive for Tesla 4.0? Obviously before we could search by extension, but now that is removed there is no real clue as to what has been changed.
Thanks, Chris
Grinler - 10 hours ago
At this point, a tool could prob be created that will scan the first 24 bytes for an inputted ID. That tool could then scan each file, but this process could take quite a while to complete.
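The scan Grinler proposes, written out as an added example (not code from BleepingComputer, BloodDolly or Grinler): it parses the header layout from BloodDolly's table and walks a directory for files carrying a given victim ID, so a responder can enumerate what was encrypted before restoring from backup. Assumptions: the 8-byte ID is stored in the same byte order as the hex ID shown in the ransom note, the original-size field is little-endian, and the sample header is constructed here, not taken from a real encrypted file.

```python
import os
import struct

HEADER_LEN = 0x170          # BloodDolly's table ends at 0x16C + 4 bytes
ZERO8 = b"\x00" * 8

def parse_tesla4_header(data):
    """Return header fields if data matches the 4.0 layout, else None."""
    if len(data) < HEADER_LEN:
        return None
    if data[0x000:0x008] != ZERO8 or data[0x010:0x018] != ZERO8:
        return None
    # the three octet-encoded EC public keys are uncompressed points and start with 0x04
    if any(data[off] != 0x04 for off in (0x018, 0x098, 0x0DC)):
        return None
    # padding and separator regions in the table are all zero bytes
    if any(data[off:off + n] != b"\x00" * n for off, n in ((0x079, 31), (0x0D9, 3), (0x13D, 31))):
        return None
    return {
        "victim_id": data[0x008:0x010].hex(),   # assumed to match the hex ID in the ransom note
        "public_key_random1": data[0x018:0x059].hex(),
        "aes_iv": data[0x15C:0x16C].hex(),
        "original_size": struct.unpack("<I", data[0x16C:0x170])[0],  # assumed little-endian
    }

def scan_for_victim_id(root, victim_id_hex):
    """Walk root and list (path, original_size) for files whose header carries victim_id_hex."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    fields = parse_tesla4_header(fh.read(HEADER_LEN))   # read only the header
            except OSError:
                continue
            if fields and fields["victim_id"] == victim_id_hex.lower():
                hits.append((path, fields["original_size"]))
    return hits

def build_sample_header(victim_id_hex, original_size, body=b""):
    """Constructed sample (not a captured file) laid out per BloodDolly's table."""
    key = b"\x04" + b"\x11" * 64       # placeholder 65-byte uncompressed EC point
    hdr = (ZERO8 + bytes.fromhex(victim_id_hex) + ZERO8
           + key + b"\x22" * 32 + b"\x00" * 31       # Random1 key, AES_PrivateKeyMaster, padding
           + key + b"\x00" * 3                       # SHA256Master key, separator
           + key + b"\x33" * 32 + b"\x00" * 31       # Random2 key, AES_PrivateKeyFile, padding
           + b"\x44" * 16 + struct.pack("<I", original_size))
    assert len(hdr) == HEADER_LEN
    return hdr + body
```

Reading only the first 0x170 bytes per file keeps the walk bounded by directory size rather than total data size, which is what makes a full-disk scan practical.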
Warr10r - 10 hours ago
So the quickest solution at this time is to assume every file is encrypted and restore from backup. Thanks Grinler, will keep an eye out for anyone able to create such a tool.
knj - 4 hours ago
Client got hit with TeslaCrypt 4.0 and although there are backups for the server, the owner's PC did not have a backup. Shadow copies and system restore are empty on the Windows 7 PC. Malwarebytes found ransomware.teslacrypt. Saw a decrypt tool but it is for an earlier version. In case there are any ideas if anything else can be done... he is interested in paying because he really needs the documents, but I really hate the idea of paying the criminals.