At the beginning of September 2015, we discovered a new version of TeslaCrypt - 2.1 in the customer's network. The sample (MD5: b10d45335b8de97e6bc1d5cc9449c323) was loosely detected by the majority of AV signature engines on the Virustotal. The detection rate was 4/57 and can be explained by using code obfuscation, which proved its efficiency. The previous TeslaCrypt 2.0 was already well described by Kaspersky Lab, so we will use the same naming convention for encryption keys as on the Securelist for this post.
Now, TeslaCrypt 2.1 sends extra information in the C&C request in an encrypted way. The list of domains used as “gates” will be presented below with corresponding Yara rule, as well as a mechanism used to encrypt data sent to the remote server, which has not been yet explained anywhere.