TeslaCrypt 4.2 Released! Remove It and Try to Restore Your Files - How to, Technology and PC Security Forum | SensorsTechForum.com
TeslaCrypt 4.2 Released! Remove It and Try to Restore Your Files

It’s official! A new TeslaCrypt version has just been detected by security researcher BloodDolly, who has dedicated his time to investigating the ransomware and searching for decryption methods.

Name: TeslaCrypt 4.2
Type: Ransomware
Short Description: The ransom note of TeslaCrypt has been simplified; other changes have been made, too.
Symptoms: Files are encrypted, Shadow Volume Copies are deleted.
Distribution Method: Not known yet, but possibly via malicious attachments and exploit kits.
Detection Tool: Download Malware Removal Tool, to See If Your System Has Been Affected by TeslaCrypt 4.2
User Experience: Join our forum to discuss TeslaCrypt 4.2.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

TeslaCrypt Version 4.2 Analysis and Description

TeslaCrypt Version 4.2 has some changes in its code compared to previous releases. The most noticeable change is the reworked ransom note. It has been stripped of its detailed explanations, and only the basics have been left. In fact, only the details needed to connect to the payment servers are visible.

TeslaCrypt Previous Versions:
TeslaCrypt .vvv Extension
TeslaCrypt 4.0 without Extensions
TeslaCrypt 3.0 .micro Extension
TeslaCrypt 3.0 .ttt and .xxx Extensions

However, the alteration of the ransom note is not the only change. BloodDolly has outlined the following changes in TeslaCrypt’s code, as reported by Bleeping Computer:

  • The compiler has been changed and the code is recompiled with optimization;
  • The ransomware injects code into svchost.exe in order to delete Shadow Volume Copies; as a result, the copies are deleted both before and after encryption;
  • Data file has been set as recovery file;
  • Data file has been renamed to %MyDocuments%\-!recover!-!file!-.txt and is also encrypted;
  • Data file size is altered to 272 B, 256 B in an unencrypted state;
  • Run key is changed to [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] serv[5chars] C:\Windows\SYSTEM32\CMD.EXE /C START "" "[malwarepath].exe";
  • Network request is established only in case InternetGetConnectedState returns 1.

Here is a list of the files belonging to TeslaCrypt 4.2:

%UserProfile%\Desktop\!RecoveR!-[5_characters]++.HTML
%UserProfile%\Desktop\!RecoveR!-[5_characters]++.PNG
%UserProfile%\Desktop\!RecoveR!-[5_characters]++.TXT
%UserProfile%\Documents\-!recover!-!file!-.txt
%UserProfile%\Documents\[random].exe

Here is a list of the Registry entries created by TeslaCrypt 4.2:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] serv[5chars] C:\Windows\SYSTEM32\CMD.EXE /C START "" "%UserProfile%\Documents\[random].exe"
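The changes and indicators listed above (the serv[5chars] Run value that launches the dropped executable through cmd.exe /c start, the !RecoveR! notes on the Desktop, the -!recover!-!file!-.txt data file and its 256 B / 272 B sizes) can be turned into a small host-checking routine. The following is an added example written for this article; it is not code from SensorsTechForum or from BloodDolly's analysis. The regular expressions are this example's own rendering of the patterns described above, and the Run-key entries and file paths it scans are constructed sample data rather than records from a real infection. On a live system you would feed it the values read from HKCU\...\Run and a listing of the Desktop and Documents folders.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Indicator patterns written from the file and Run-key descriptions in the
# article above; the regexes themselves are this example's own construction.
RUN_VALUE_NAME = re.compile(r"^serv.{5}$")            # "serv" + exactly 5 characters
RUN_VALUE_DATA = re.compile(
    r'^C:\\Windows\\SYSTEM32\\CMD\.EXE\s+/C\s+START\s+""\s+"(?P<path>[^"]+\.exe)"$',
    re.IGNORECASE,
)
RANSOM_NOTE = re.compile(r"\\Desktop\\!RecoveR!-.{5}\+\+\.(HTML|PNG|TXT)$", re.IGNORECASE)
DATA_FILE = re.compile(r"\\Documents\\-!recover!-!file!-\.txt$", re.IGNORECASE)


def check_run_entry(name: str, data: str) -> Optional[str]:
    """Return the launched executable path when a Run-key value matches the
    TeslaCrypt 4.2 pattern (serv + 5 chars, cmd.exe /c start "" "<path>.exe"),
    otherwise None. Curly quotes, as rendered on web pages, are normalised."""
    if not RUN_VALUE_NAME.match(name):
        return None
    normalised = data.replace("\u201c", '"').replace("\u201d", '"').strip()
    m = RUN_VALUE_DATA.match(normalised)
    return m.group("path") if m else None


def check_path(path: str) -> Optional[str]:
    """Classify a file path as 'ransom_note', 'data_file' or None."""
    if RANSOM_NOTE.search(path):
        return "ransom_note"
    if DATA_FILE.search(path):
        return "data_file"
    return None


def data_file_size_plausible(size_bytes: int) -> bool:
    """The article gives the data file as 256 B unencrypted and 272 B encrypted."""
    return size_bytes in (256, 272)


def scan(run_entries: Iterable[Tuple[str, str]], paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Collect (kind, detail) findings over Run-key values and file paths."""
    findings: List[Tuple[str, str]] = []
    for name, data in run_entries:
        launched = check_run_entry(name, data)
        if launched:
            findings.append(("run_key", f"{name} -> {launched}"))
    for p in paths:
        kind = check_path(p)
        if kind:
            findings.append((kind, p))
    return findings


# Constructed sample data (not taken from a real host); the value name,
# executable name and user name are invented for the example.
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("servab12x", r'C:\Windows\SYSTEM32\CMD.EXE /C START "" "C:\Users\alice\Documents\kq83jd.exe"'),
]
SAMPLE_PATHS = [
    r"C:\Users\alice\Desktop\!RecoveR!-ab12x++.HTML",
    r"C:\Users\alice\Desktop\!RecoveR!-ab12x++.PNG",
    r"C:\Users\alice\Documents\-!recover!-!file!-.txt",
    r"C:\Users\alice\Documents\report.docx",
]

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_RUN_ENTRIES, SAMPLE_PATHS):
        print(f"{kind}: {detail}")
```

The Run-key check deliberately requires both the value-name shape and the cmd.exe /c start wrapper, since either one alone is common enough in benign software to produce noise; the launched path it returns is the file you would want to quarantine and hash before any cleanup.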

TeslaCrypt 4.2 Removal. Decryption of Files

As already mentioned, TeslaCrypt 4.2 deletes Shadow Volume Copies. There is still no information about which extension is appended to the encrypted files, or whether a decryption method is available. Decryption of files encrypted by later versions of TeslaCrypt is close to impossible. There are still alternative methods to be tried. Have a look at section 4 of the removal manual below.

Keep in mind that the most effective way to remove all traces of TeslaCrypt 4.2 from your system is via anti-malware software.

1. Boot Your PC In Safe Mode to isolate and remove TeslaCrypt 4.2
2. Remove TeslaCrypt 4.2 with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by TeslaCrypt 4.2 in the future
4. Restore files encrypted by TeslaCrypt 4.2
Optional: Using Alternative Anti-Malware Tools

Note! Important information about the TeslaCrypt 4.2 threat: manual removal of TeslaCrypt 4.2 requires interfering with system files and the registry, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
