TeleCrypt, the file encryption ransomware that abuses Telegram API for communication, has had its encryption cracked just two weeks after the threat was originally detailed.
The ransomware abuses the instant messaging service Telegram for command and control (C&C) communications. What’s more, victims can send messages to the attackers using the same service. Immediately after infection, the malware creates a Telegram bot beacon to the C&C server to send various details about the compromised machine.
After installation, TeleCrypt searches the hard drive for specific files, then encrypts them and appends the .Xcri extension to them. However, security researchers say that some variations of the malware don’t change the file extension.
The ransomware’s authors would request around $75 from their victims to provide them with a decryptor (payments are accepted via Russian payment services Qiwi or Yandex.Money). Right from the start, however, researchers suggested that TeleCrypt was written by cybercriminals without advanced skills.
According to Malwarebytes Labs researchers, the encryption TeleCrypt uses isn’t very strong indeed. The security researchers have already managed to create a decryption tool that allows victims to recover their files without paying the attackers. The utility requires .NET to work and for users to provide the unencrypted version of one of the encrypted files.
“Telecrypt will generate a random string to encrypt the files that is between 10-20 length and only contain the letters vo,pr,bm,xu,zt,dq. Telecrypt encrypts files by looping through them a SINGLE byte at a time, and then simply adding a byte from the key in order. This simple encryption method allows a decryption application to be made,” Malwarebytes Labs explains.
Written in Delphi, the ransomware is being distributed via spam emails, exploits, and drive-by downloads, and targets only users in Russia at the moment. Both the ransom note and an executable with GUI that is downloaded and dropped onto the infected machines, are written in Russian.
Kaspersky Lab security researchers also managed to crack the ransomware’s encryption to help victims recover their files using a free decryption tool. Involved in the NoMoreRansom initiative, Kaspersky actually helps the victims of numerous other ransomware families decrypt their files.