Friday, December 11, 2015

An update of TeslaCrypt came out this week




It incorporates minimal adjustments to the previous version of TeslaCrypt. In particular, the ransom note is now named Howto_RESTORE_FILES.txt; it can also appear with the .html and .bmp extensions. Apart from the change of name, the wording of the ransom note is similar to the previous version.

Another change is a different name for the autorun entry.

Finally, there is a modest modification to the way the ransomware cleans the Shadow Volume Copies. To remove them, the new version of TeslaCrypt now keeps executing vssadmin.exe until the ransomware identifies that the user of the infected machine did not terminate the request to run vssadmin.exe.
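For defenders, the two observable changes described above can be turned into simple checks. The following is an added example, not code from the original post: it matches the new ransom note file names and flags hosts where vssadmin.exe is launched repeatedly within a short window. The event records, host names, paths and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Ransom note name given in the post, in its .txt, .html and .bmp variants.
NOTE_RE = re.compile(r"(?:^|[\\/])Howto_RESTORE_FILES\.(?:txt|html|bmp)$", re.IGNORECASE)

# Assumed thresholds (not from the post); tune for your environment.
WINDOW = timedelta(seconds=60)
MIN_LAUNCHES = 3

def is_ransom_note(path):
    """True if the file name part of path is one of the note names."""
    return bool(NOTE_RE.search(path))

def repeated_vssadmin(events, window=WINDOW, min_launches=MIN_LAUNCHES):
    """events: (iso_timestamp, host, image_path) process-creation records.
    Returns {host: timestamp of the launch that first reached the threshold}."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, host, image in sorted(events):
        if re.split(r"[\\/]", image)[-1].lower() != "vssadmin.exe":
            continue
        t = datetime.fromisoformat(ts)
        q = recent[host]
        q.append(t)
        while t - q[0] > window:      # drop launches older than the window
            q.popleft()
        if len(q) >= min_launches and host not in alerts:
            alerts[host] = ts
    return alerts

# Constructed sample data for illustration only.
SAMPLE_EVENTS = [
    ("2015-12-11T10:00:00", "WS-01", r"C:\Windows\System32\vssadmin.exe"),
    ("2015-12-11T10:00:05", "WS-01", r"C:\Windows\System32\notepad.exe"),
    ("2015-12-11T10:00:12", "WS-01", r"C:\Windows\System32\vssadmin.exe"),
    ("2015-12-11T10:00:20", "WS-01", r"C:\Windows\System32\VSSADMIN.EXE"),
    ("2015-12-11T09:00:00", "SRV-02", r"C:\Windows\System32\vssadmin.exe"),
    ("2015-12-11T11:30:00", "SRV-02", r"C:\Windows\System32\vssadmin.exe"),
]
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\Howto_RESTORE_FILES.txt",
    r"C:\Users\alice\Desktop\howto_restore_files.BMP",
    r"C:\Users\alice\Documents\report.txt",
]

if __name__ == "__main__":
    print(repeated_vssadmin(SAMPLE_EVENTS))
    print([p for p in SAMPLE_PATHS if is_ransom_note(p)])
```

A single vssadmin.exe launch is common in legitimate administration, so the repetition within a short window is the signal here, not the binary name alone.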

More details about TeslaCrypt ransomware as well as removal instructions can be found here: http://soft2secure.com/knowledgebase/teslacrypt