News

November 24, 2016

A new ransomware, TeleCrypt, appeared recently carrying some new ideas. While most ransomware communicates with its C&C over simple HTTP-based protocols, TeleCrypt abuses the API of a popular messenger, Telegram, for this purpose. You can read more about it here.

Fortunately, the encryption used is not strong, and one of our employees, Nathan Scott, has already prepared a decryption tool that allows victims to recover their files without paying.

TeleCrypt Decryptor screenshot (see image).

The solution requires the .NET platform in order to work. You must also have an unencrypted version of one of the encrypted files in order to recover the key.

You can download the decryptor from here.

Analyzed sample

3e24d064025ec20d6a8e8bae1d19ecdb – original sample

About the Ransomware

TeleCrypt is distributed as an EXE file through email, exploits, and drive-by downloads. The executables are written in Borland Delphi.

Infections with this ransomware can be recognized by the note left on the Desktop, named База зашифр файлов.txt. It contains the list of all the encrypted files (see screenshot).

It also downloads and starts another component, an executable with a GUI, which informs the victim about the encryption with a message written in Russian (see screenshot).

The message box that pops up (see screenshot):
Communications with CnC

TeleCrypt uses the Telegram API to send information on its victims straight to the ransomware creator and to receive information back.
This way of communicating is very unusual: it is one of the first to use a mainstream messaging client's API, instead of a dedicated C2 server, to send commands and retrieve information.

An example API call is as follows (see screenshot):

Sample response (see screenshot):

It tests whether the API is still available with the following call (see screenshot):

Sample response (see screenshot):

After finishing encryption, it downloads another component from a remote address (see screenshot):

Fragment of the Wireshark capture, showing that the new PE file is being downloaded (see screenshot):

Attacked targets

TeleCrypt encrypts the file types listed in the screenshot below.

Encryption

TeleCrypt generates a random string, between 10 and 20 characters long, to encrypt the files; the string contains only the letters vo, pr, bm, xu, zt, dq.

Key generation routine (see screenshot):

TeleCrypt encrypts files by looping through them a single byte at a time and simply adding a byte from the key, in order. This simple encryption method allows a decryption application to be made: with one unencrypted copy of an encrypted file, the key can be recovered by subtraction.

Encryption algorithm (see screenshot):
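The known-plaintext key recovery that the decryptor relies on, as an added example that is not the original post's or the decryptor's own code. It assumes that each key byte is added modulo 256 and that the key repeats once it is exhausted; the sample file pair is constructed.

```python
import secrets

# Key alphabet reconstructed from the post: the key is 10-20 characters long and
# uses only the letters vo, pr, bm, xu, zt, dq.
KEY_ALPHABET = "voprbmxuztdq"
MIN_KEY_LEN, MAX_KEY_LEN = 10, 20

def generate_key() -> bytes:
    """Build a key the way the post describes (used here only to construct samples)."""
    length = MIN_KEY_LEN + secrets.randbelow(MAX_KEY_LEN - MIN_KEY_LEN + 1)
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length)).encode()

def telecrypt_encrypt(plaintext: bytes, key: bytes) -> bytes:
    # Assumption: each plaintext byte gets the next key byte added (mod 256) and
    # the key wraps around once it is exhausted.
    return bytes((b + key[i % len(key)]) & 0xFF for i, b in enumerate(plaintext))

def telecrypt_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Undo the byte-wise addition with a recovered key."""
    return bytes((b - key[i % len(key)]) & 0xFF for i, b in enumerate(ciphertext))

def recover_key(plaintext: bytes, ciphertext: bytes):
    """Recover the key from one unencrypted file and its encrypted copy.

    ciphertext - plaintext exposes the key stream; the key is the shortest
    10-20 byte prefix drawn from the alphabet that repeats through the stream.
    """
    n = min(len(plaintext), len(ciphertext))
    if n < 2 * MAX_KEY_LEN:
        raise ValueError("need at least 40 bytes of known plaintext")
    stream = bytes((c - p) & 0xFF for p, c in zip(plaintext, ciphertext))
    for length in range(MIN_KEY_LEN, MAX_KEY_LEN + 1):
        candidate = stream[:length]
        if all(chr(b) in KEY_ALPHABET for b in candidate) and all(
            stream[i] == candidate[i % length] for i in range(n)
        ):
            return candidate
    return None  # no consistent key: the file pair does not match or was altered

# Constructed sample pair (not real victim data): a known file and its encrypted copy
SAMPLE_KEY = b"vorbmxuztdq"
SAMPLE_PLAINTEXT = b"Quarterly report, confidential. " * 3
SAMPLE_CIPHERTEXT = telecrypt_encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_key(SAMPLE_PLAINTEXT, SAMPLE_CIPHERTEXT)
    print("recovered key:", key, "->", telecrypt_decrypt(SAMPLE_CIPHERTEXT, key)[:32])
```

A pair of files that do not correspond yields no consistent key, which is why the decryptor insists on an unencrypted copy of one of the affected files.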

About the decryptor

In order to use the decryption application, you will need an unencrypted copy of one of the encrypted files, so that the application can recover your key.

Instructions for using the decryption application (see screenshots):

News courtesy: https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/