It incorporates
minimal adjustments to the previous version of TeslaCrypt. In particular, the
file name of the ransom note is now called Howto_RESTORE_FILES.txt, it can be
also .html and .bmp. With the exception of the change of the name, the wording
of the ransom note is similar to the previous version.
Another change is a
different name for autorun entry.
Finally, a modest
modification of the way ransomware cleans the Shadow Volume Copies. In terms of
removing Shadow Volume Copies, new version of TeslaCrypt is now executing vssadmin.exe
until the ransomware identifies that the user of the infected machine did not
terminate the request to run vssadmin.exe.
More details about TeslaCrypt ransomware as well as removal instructions can be found here: http://soft2secure.com/knowledgebase/teslacrypt
