Telecrypt ransomware is a new and peculiar ransomware virus discovered by Kaspersky Lab researchers Anton Ivanov and Fedor Sinitsyn at the beginning of November 2016. It has been named Telecrypt because it uses Telegram instead of a C&C (Command and Control) server to send the generated decryption key to its author(s). It is the first ransomware to use the Telegram Messenger communication protocol. Telecrypt targets Russian users; it is written in Delphi and is more than 3 MB in size. It is detected as Trojan-Ransom.Win32.Telecrypt and PDM:Trojan.Win32.Generic.
On the Technical Side of Telecrypt Ransomware
The attacker first creates a Telegram bot through the Telegram API (Application Programming Interface). The bot's code is then incorporated into the Telecrypt ransomware code. When the malware binary is launched, it sends a request to https://api.telegram.org/bot/GetMe. This request verifies that the Telegram bot has not been removed by the administrators of the Telegram API. It then sends the following message to the Telecrypt developer(s), confirming that the ransomware has successfully infected the computer:
https://api.telegram.org/bot<token>/sendmessage?chat_id=<chat>&text=<computer_name>_<infection_id>_<key_seed>
As the message shows, it carries the key details of the specific infection: the chat ID, the name of the infected computer, the unique infection ID and the seed used to generate the encryption key. Once communication has been established and verified, Telecrypt scans the system for files with the following extensions and encrypts them:
.doc, .docx, .xls, .xlsx, .jpg, .jpeg, .png, .dt, .dbf, .cd, .pdf
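The beacon just described leaves a distinctive trace in web-proxy logs: a bot self-check followed by a sendmessage call whose text carries the computer name, infection ID and key seed. The following Python script is an added example, not code from the original article or from Kaspersky; the log line format, bot token, chat ID and host names are constructed placeholders.

```python
"""Hunt for Telecrypt-style Telegram Bot API beacons in proxy log lines."""
import re
from urllib.parse import urlparse, parse_qs, unquote

# Telegram Bot API URLs look like https://api.telegram.org/bot<token>/<method>
BOT_URL_RE = re.compile(r"https?://api\.telegram\.org/bot(?P<token>[^/\s]+)/(?P<method>[A-Za-z]+)")


def parse_beacon(url):
    """Return a finding dict for a Telegram Bot API URL, or None if it is not one."""
    m = BOT_URL_RE.search(url)
    if not m:
        return None
    method = m.group("method").lower()
    token = m.group("token")
    finding = {
        "method": method,
        # Never record the full bot token; keep only enough to correlate requests.
        "token_hint": token[:4] + "..." if len(token) > 4 else token,
        "chat_id": None,
        "computer_name": None,
        "infection_id": None,
        "key_seed": None,
    }
    if method == "sendmessage":
        qs = parse_qs(urlparse(url).query)
        finding["chat_id"] = qs.get("chat_id", [None])[0]
        text = unquote(qs.get("text", [""])[0])
        # Beacon layout from the article: <computer_name>_<infection_id>_<key_seed>.
        # rsplit keeps underscores that may occur inside the computer name itself.
        parts = text.rsplit("_", 2)
        if len(parts) == 3:
            finding["computer_name"], finding["infection_id"], finding["key_seed"] = parts
    return finding


def scan_proxy_log(lines):
    """Return a finding for every log line that contains a Telegram Bot API request."""
    findings = []
    for line in lines:
        for url in re.findall(r"https?://\S+", line):
            f = parse_beacon(url)
            if f:
                findings.append(f)
    return findings


# Constructed sample proxy log lines (not real traffic); token and IDs are placeholders.
SAMPLE_LOG = [
    "2016-11-03T10:12:01Z 10.0.0.12 GET https://api.telegram.org/bot123456:ABCDEF/GetMe 200",
    "2016-11-03T10:12:02Z 10.0.0.12 GET https://api.telegram.org/bot123456:ABCDEF/sendmessage?chat_id=99887766&text=WS-FIN-07_A1B2C3_4242 200",
    "2016-11-03T10:12:05Z 10.0.0.12 GET https://example.invalid/index.html 200",
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding)
```

A GetMe immediately followed by a sendmessage from the same host, with a three-part underscore-joined text, is the sequence worth alerting on; the recovered key seed is also the value a decryptor would need.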
Telecrypt either appends the additional extension .Xcri to the encrypted files or leaves their names unchanged. In the first case, a Word file named Document.doc becomes Document.doc.Xcri after encryption. A text file named База зашифр файлов.txt is created and placed on the Desktop; it contains the list of the encrypted files.
After encrypting the data, Telecrypt downloads the file Xhelp.exe from a compromised Russian WordPress website. The file is then launched, and the program, named Информатор (Informer in English), acts as a graphical interface that displays the ransom note in the following pop-up windows:
The messages are written in Russian. The Telecrypt operator(s) demand 5,000 RUB (Russian rubles), which is 78.77 USD, to be paid in an unusual way: instead of the BTC (bitcoin) transfer that ransomware developers typically require, the ransom is to be transferred through either the Yandex.Money or the Qiwi payment system, both of which are quite popular in Russia. Besides this concrete information, the pop-ups also contain a number of grammatical mistakes. The interface additionally includes a feature that lets victims contact the Telecrypt developers, so no contact e-mail addresses are provided.
If Telecrypt Ransomware Has Infected Your Machine
If you have become a victim of Telecrypt ransomware, take the following actions in this order. First, copy the infected files, folders or drives. This step matters because the encrypted files are what a future decryptor will need in order to extract the decryption key, and copying them before you do anything else ensures they survive the cleanup that follows. The next step, which is the most important one, is the removal of the ransomware from your computer. We recommend using reliable security software such as Spyhunter or Malwarebytes. Once that is done, not the slightest trace of the infection will be left on your PC. We also supply manual removal instructions, which cover the rest of the page.
For data recovery, download the decryptor by security researcher Nathan Scott here. The download contains two files: the decryption tool itself and the instructions on how to use it. Read the instructions, even if the decryptor seems clear enough to use without the guide. You need to run it with Administrator rights. On the latest versions of Windows, right-click the file and choose Run as Administrator. On earlier versions, right-click the file, choose Properties, go to the Compatibility tab and select Run this program as an Administrator. Your encrypted files are stored in the Desktop folder of %USERPROFILE%.
It is still not clear how Telecrypt infects computers. It presumably arrives on the device through spam e-mails, since this is the most common method of ransomware distribution.
Update: the decryptor is now available here: link. You can download it for free and decrypt your files.