Hey you,

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:

TeslaCrypt 4.2 Released! Remove It and Try to Restore Your Files


It’s official! A new TeslaCrypt version has been just detected by security researcher BloodDolly, who has dedicated his time investigating the ransomware and searching for decryption methods.

Name TeslaCrypt 4.2
Type Ransomware
Short Description The ransom note of TeslaCrypt has been simplified, other changes are made, too.
Symptoms Files are encrypted, Shadow Volume Copies are deleted.
Distribution Method Not known yet, but possibly via malicious attachments and exploit kits.
Detection Tool Download Malware Removal Tool, to See If Your System Has Been Affected by TeslaCrypt 4.2
User Experience Join our forum to discuss TeslaCrypt 4.2.

TeslaCrypt Version 4.2 Analysis and Description

TeslaCrypt Version 4.2 has some changes in its code, compared to previous releases. The most distinguished change is the renovation of the ransomware’s ransom note. It has been deprived from its detailed explanations, and only the basics have been left. In fact, only the needed details to connect to the payment servers are visible.

TeslaCrypt Previous Versions:
TeslaCrypt .vvv Extension
TeslaCrypt 4.0 without Extensions
TeslaCrypt 3.0 .micro Extension
TeslaCrypt 3.0 .ttt and .xxx Extensions

However, the alteration of the ransom note is not the only change. BloodDolly has outlined the following changes in TeslaCrypt’s code, as reported by Bleeping Computer:

  • The compiler has been changed and the code is recompiled with optimization;
  • The ransomware injects code to svchost.exe so that Shadow Volume Copies are deleted, as a result, the copies are deleted before and after encryption;
  • Data file has been set as recovery file;
  • Data file has been renamed to %MyDocuments%\-!recover!-!file!-.txt and is also encrypted;
  • Data file size is altered to 272 B, 256 B in an unencrypted state;
  • Run key is changed to [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] serv[5chars] C:\Windows\SYSTEM32\CMD.EXE /C START “” “[malwarepath].exe”;
  • Network request is established only in case InternetGetConnectedState returns 1.

Here is a list of the files belonging to TeslaCrypt 4.2:


Here is a list of the Registry entries created by TeslaCrypt 4.2:

serv[5chars] C:\Windows\SYSTEM32\CMD.EXE /C START “”

TeslaCrypt 4.2 Removal. Decryption of Files

As already mentioned, TeslaCrypt 4.2 deletes Shadow Volume Copies. There is still no information as to what extension is appended to the files, and if a decryption method is available. However, decryption of files encrypted by later versions of TeslaCrypt is close to impossible. There are still alternative methods to be tried. Have a look at section 4 of the removal manual below.

Keep in mind that the most effective way to remove all traces of TeslaCrypt 4.2 from your system is via anti-malware software.

1. Boot Your PC In Safe Mode to isolate and remove TeslaCrypt 4.2
2. Remove TeslaCrypt 4.2 with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by TeslaCrypt 4.2 in the future
4. Restore files encrypted by TeslaCrypt 4.2
Optional: Using Alternative Anti-Malware Tools

Note! Substantial notification about the TeslaCrypt 4.2 threat: Manual removal of TeslaCrypt 4.2 requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.

More Posts - Website

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.