Posted 11 May 2015 - 02:19 PM

A new variant of TeslaCrypt was released last week that has a few minor changes, but for the most part is the same as Alpha Crypt. The main differences are that this new version has a different graphical user interface, which is shown below, some file name and location changes, and that it uses the .EXX extension when encrypting your files.



New TeslaCrypt version

TeslaCrypt versions do not include the name of the ransomware in the application itself. It is only when you go to the decryption site that you will see the name of the particular version. With this new version the ransomware no longer has an identifying name associated with it. My guess is that this new version was left unnamed to make it harder for people to search for help topics, like on our forums for example, to receive help. You can see the header of the decryption service site, where the name usually appears, below.



Decryption Service site header with lack of distinguishing name.

Just like Alpha Crypt, it will search out files with the following extensions and encrypt them, but now appends the .EXX extension to the encrypted files:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

When it is done it will change your wallpaper to the ransom note and also display a text note. Finally, there are some file name and file location changes with this new version. In the past, encryption information was stored in the %AppData%\key.dat file. In this version the information is stored in %LocalAppData%\storage.bin. At this point there is no way to decrypt your files and TeslaDecrypt will not work with this infection. As more information is discovered, we will be sure to post it here. As always, the best way to get the most up-to-date information on the TeslaCrypt family is this guide:

TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ

Files associated with this version:

%LocalAppData%\<random>.exe
%LocalAppData%\log.html
%LocalAppData%\storage.bin
%Desktop%\Save_Files.lnk
%Desktop%\HELP_RESTORE_FILES.bmp
%Desktop%\HELP_RESTORE_FILES.txt
%Documents%\RECOVERY_FILE.TXT

Registry entries associated with this version:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AVrSvc %LocalAppData%\<random>.exe
HKCU\Control Panel\Desktop\Wallpaper "%Desktop%\HELP_RESTORE_FILES.bmp"
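The indicators above (the .EXX suffix appended to files with a targeted extension, the dropped files such as storage.bin and the ransom notes, and the AVrSvc Run entry plus the wallpaper change) can be turned into a small triage check. The script below is an added example written for this post; it is not code from the original post or from BleepingComputer. The directory listing and registry export it scans are constructed sample data, the random executable name qwpxm.exe is a placeholder for the <random>.exe the post describes, and the verdict rule (encrypted files present plus at least one dropped file or registry indicator) is a heuristic chosen here, not something the post states.

```python
"""Triage helper for the .EXX TeslaCrypt variant described in the post (added example)."""
import ntpath
from collections import Counter

# Subset of the targeted extensions listed in the post; extend from the full list.
TARGETED_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".sql", ".zip",
    ".pst", ".pem", ".pfx", ".txt", ".py", ".js", ".sav", ".psd",
}
ENCRYPTED_SUFFIX = ".exx"

# File names the post associates with this version (lower-cased for matching).
DROPPED_FILE_NAMES = {
    "storage.bin", "log.html", "save_files.lnk",
    "help_restore_files.bmp", "help_restore_files.txt", "recovery_file.txt",
}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "AVrSvc"
WALLPAPER_KEY = r"HKCU\Control Panel\Desktop"
WALLPAPER_NOTE = "help_restore_files.bmp"


def classify_encrypted(path):
    """Return the original extension (e.g. '.xlsx') if path ends in name.ext.exx, else None."""
    name = ntpath.basename(path).lower()
    if not name.endswith(ENCRYPTED_SUFFIX):
        return None
    stem = name[: -len(ENCRYPTED_SUFFIX)]
    _, original_ext = ntpath.splitext(stem)
    return original_ext or None


def scan_file_listing(paths):
    """Summarise a Windows directory listing: encrypted files by original extension,
    how many of those were in the targeted list, and which dropped files are present."""
    encrypted = Counter()
    dropped = []
    for path in paths:
        ext = classify_encrypted(path)
        if ext is not None:
            encrypted[ext] += 1
        if ntpath.basename(path).lower() in DROPPED_FILE_NAMES:
            dropped.append(ntpath.basename(path).lower())
    targeted_hits = sum(n for ext, n in encrypted.items() if ext in TARGETED_EXTENSIONS)
    return {
        "encrypted_by_ext": dict(encrypted),
        "targeted_hits": targeted_hits,
        "dropped": sorted(dropped),
    }


def scan_registry(values):
    """values: iterable of (key, value_name, data) tuples, e.g. parsed from a reg export."""
    hits = []
    for key, value_name, data in values:
        if key.lower() == RUN_KEY.lower() and value_name.lower() == RUN_VALUE_NAME.lower():
            hits.append(("run_key", data))
        if (key.lower() == WALLPAPER_KEY.lower() and value_name.lower() == "wallpaper"
                and ntpath.basename(data).lower() == WALLPAPER_NOTE):
            hits.append(("wallpaper", data))
    return hits


def verdict(listing, registry):
    """Heuristic (chosen for this example): encrypted .exx files plus any other indicator."""
    files = scan_file_listing(listing)
    reg = scan_registry(registry)
    has_encrypted = sum(files["encrypted_by_ext"].values()) > 0
    has_other = bool(files["dropped"]) or bool(reg)
    return {"files": files, "registry": reg,
            "likely_teslacrypt_exx": has_encrypted and has_other}


# Constructed sample data for the demo (not real captures).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.exx",
    r"C:\Users\alice\Documents\thesis.docx.exx",
    r"C:\Users\alice\Pictures\IMG_0042.jpg.exx",
    r"C:\Users\alice\Documents\RECOVERY_FILE.TXT",
    r"C:\Users\alice\AppData\Local\storage.bin",
    r"C:\Users\alice\AppData\Local\log.html",
    r"C:\Users\alice\Desktop\HELP_RESTORE_FILES.txt",
    r"C:\Windows\System32\kernel32.dll",  # untouched: not a targeted extension
    r"C:\Users\alice\Desktop\notes.txt",  # targeted extension but not encrypted
]
SAMPLE_REGISTRY = [
    (RUN_KEY, "AVrSvc", r"C:\Users\alice\AppData\Local\qwpxm.exe"),  # placeholder random name
    (WALLPAPER_KEY, "Wallpaper", r"C:\Users\alice\Desktop\HELP_RESTORE_FILES.bmp"),
    (RUN_KEY, "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(verdict(SAMPLE_LISTING, SAMPLE_REGISTRY), indent=2))
```

On a live system the listing would come from a recursive directory walk of the user profile and the registry tuples from a `reg export` of HKCU; the functions only need the path strings and (key, name, data) triples, so they can be fed from either.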