Well-known and widely feared ransomware families such as TeslaCrypt and CryptoWall are constantly being improved, and as a result new versions keep being released. According to Bleeping Computer, TeslaCrypt 4.1b has just surfaced on the Web after a user submitted a sample of the threat. It is too early to say exactly which features of the ransomware were modified.
| Attribute | Details |
|---|---|
| Short Description | The ransomware encrypts the victim's files and demands payment. |
| Symptoms | The user may witness several files beginning with the name "RECOVERY" on the desktop; these are the ransom notes. |
| Distribution Method | Not known yet, but highly likely via exploit kits. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice: this product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and on whether or not you have reformatted your drive. |
What Do We Know about TeslaCrypt 4.1b?
Even though little is known about this version, some information is available thanks to the ransom note. The ransom note used by this version of TeslaCrypt doesn’t appear to have any big changes. However, two new payment gateway hosts are available at the following locations:
As with other ransomware, once TeslaCrypt is executed on your system and file encryption is initiated, the ransomware connects to its command and control servers and sends an encrypted POST message. The decrypted POST message contains several values, one of which is called 'version' and holds the string TeslaCrypt 4.1b.
Researchers at BC also report that this version of TeslaCrypt uses the WMIC utility to delete Shadow Volume copies. The command used by TeslaCrypt 4.1b to delete Shadow Volume copies is the following:
C:\Windows\system32\wbem\WMIC.exe shadowcopy delete /nointeractive
Here is a list of the files created by the latest version of TeslaCrypt:
Here is a list of the registry entries added by the threat:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random]   C:\Windows\SYSTEM32\CMD.EXE /C START %UserProfile%\Documents\[random].exe
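The three host-side behaviours described above (the WMIC shadow copy deletion, the Run key that launches an executable from the Documents folder, and the RECOVERY* ransom notes on the desktop) are what a defender would want to alert on. The following detector is an added example and is not code from the original article or from Bleeping Computer; the key=value log format, the field names and the sample lines are constructed for this example, and it also flags the vssadmin way of deleting shadow copies, which the article does not mention.

```python
import re

# Constructed sample events (assumed key=value format, one event per line).
# Values that contain spaces are quoted. None of these lines are real logs.
SAMPLE_LOG = """\
type=process cmdline="C:\\Windows\\system32\\wbem\\WMIC.exe shadowcopy delete /nointeractive" parent=C:\\Users\\alice\\Documents\\qzpxv.exe
type=process cmdline="C:\\Windows\\system32\\wbem\\WMIC.exe os get caption" parent=C:\\Windows\\explorer.exe
type=registry key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\qzpxv data="C:\\Windows\\SYSTEM32\\CMD.EXE /C START %UserProfile%\\Documents\\qzpxv.exe"
type=registry key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive data="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
type=file path=C:\\Users\\alice\\Desktop\\RECOVERY.txt
type=file path=C:\\Users\\alice\\Desktop\\RECOVERY.html
type=file path=C:\\Users\\alice\\Desktop\\budget.xlsx
"""

# Shadow copy deletion via WMIC (as described for TeslaCrypt 4.1b) or vssadmin
# (a generalisation added in this example).
SHADOW_DELETE = re.compile(
    r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"
    r"|\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)
# Persistence: a Run key whose data uses cmd.exe to start something under
# %UserProfile%\Documents, matching the registry entry listed above.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
CMD_START_DOCS = re.compile(r"cmd\.exe\s+/c\s+start\s+%userprofile%\\documents\\", re.I)
# Ransom notes: files whose name begins with RECOVERY dropped on the desktop.
RANSOM_NOTE = re.compile(r"\\Desktop\\RECOVERY[^\\]*$", re.I)


def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    return {key: quoted or bare for key, quoted, bare in pairs}


def detect(log_text):
    """Return (rule_name, matched_value) for every event that trips a rule."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        kind = ev.get("type")
        if kind == "process" and SHADOW_DELETE.search(ev.get("cmdline", "")):
            alerts.append(("shadow_copy_deletion", ev["cmdline"]))
        elif (kind == "registry" and RUN_KEY.search(ev.get("key", ""))
              and CMD_START_DOCS.search(ev.get("data", ""))):
            alerts.append(("run_key_launcher", ev["key"]))
        elif kind == "file" and RANSOM_NOTE.search(ev.get("path", "")):
            alerts.append(("ransom_note_dropped", ev["path"]))
    return alerts


if __name__ == "__main__":
    for rule, value in detect(SAMPLE_LOG):
        print(f"{rule}: {value}")
```

The benign WMIC query and the OneDrive Run key in the sample are there to show that the rules key on the destructive verb and the Documents launcher, not on WMIC or Run keys in general.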
How Can I Remove TeslaCrypt 4.1b and Can I Restore My Files?
To remove TeslaCrypt, consider following the steps in the removal instructions below. They include scanning your system for TeslaCrypt 4.1b with a strong anti-malware program. After the threat has been removed, we strongly advise you to use a cloud backup or an external drive to protect your data from future ransomware and malware attacks.
As for file restoration, you can refer to the alternative methods illustrated in Step 4 of the manual below. Keep in mind that they are not 100% effective, and there is no guarantee that you will restore your files in good condition. The good news is that some of our forum users have managed to restore some of their data. If you decide to use the data recovery software method, we advise you NOT to reinstall Windows or format your hard drive, because doing so may wipe every chance of file restoration by clearing the sectors of the drive.