November 10, 2016
Security researchers from Kaspersky Lab have come across a new ransomware variant that they named Telecrypt, which uses Telegram channels as C&C (command-and-control) servers.
Because it relies on Telegram, Telecrypt needs an Internet connection to start its malicious behavior.
Under the hood, Telecrypt is coded in Delphi, and its binary weighs 3MB in size. Telecrypt activity starts after the user launches this binary.
Telecrypt abuses Telegram API to host client-server communications
Before Telecrypt locks any user files, Telecrypt's operators need to create a Telegram bot via the Telegram API. For each bot, the Telegram API provides a token ID.
When users launch the Telecrypt binary, the ransomware's first action is to ping the Telegram API at "https://api.telegram.org/bot/GetMe" using the Telegram bot token hardcoded in the binary.
The purpose of this action is to make sure the Telegram bot still exists and has not been taken down by Telegram admins.
After this, Telecrypt uses the Telegram API to post a message to a Telegram channel whose ID is also hardcoded in the ransomware. The message's format is:
Breaking down the above API request, Telecrypt will post to the crooks' Telegram channel the name of each infected computer, an ID assigned to each infected computer, and a key seed, a number used to generate the file encryption key.
After this phase, the ransomware starts searching the local computer for files with the following extensions:
While it encrypts the user's files, the ransomware also keeps a log of all encrypted files, at:
Once the encryption ends, Telecrypt resends the previous API request to the same Telegram channel, but with an extra parameter.
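The two requests described above (a GetMe check followed by posts to a hardcoded channel carrying the computer name, victim ID and key seed, then a repeat post once encryption finishes) are easy to spot in web proxy logs, because ordinary Telegram desktop and mobile clients do not talk to the Bot HTTP API. The following Python script is an added example, not code from the article or from Kaspersky Lab: it parses constructed proxy log lines, redacts the bot token down to its numeric ID, groups Bot API calls per client host, and flags hosts that query getMe and then call sendMessage with the same bot. The bot token, chat ID, hostnames and message text are placeholders, not values from the article.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (not from the article); format: "client_ip http_method url".
# The bot token and chat id are placeholders, not values observed in Telecrypt.
SAMPLE_LOG = """\
10.0.0.12 GET https://api.telegram.org/bot000000000:PLACEHOLDERTOKENxxxxxxxxxxxxxxxxxx/GetMe
10.0.0.12 POST https://api.telegram.org/bot000000000:PLACEHOLDERTOKENxxxxxxxxxxxxxxxxxx/sendMessage?chat_id=-1000000000000&text=WORKSTATION-07%2042%20987654
10.0.0.31 GET https://example.com/index.html
10.0.0.12 POST https://api.telegram.org/bot000000000:PLACEHOLDERTOKENxxxxxxxxxxxxxxxxxx/sendMessage?chat_id=-1000000000000&text=WORKSTATION-07%2042%20987654%20done
"""

# Bot API paths look like /bot<token>/<method>; method names are compared case-insensitively.
BOT_PATH = re.compile(r"^/bot(?P<token>[^/]+)/(?P<method>[A-Za-z]+)/?$")


def redact_token(token):
    """Keep the numeric bot id (the part before ':') for correlation; drop the secret part."""
    bot_id = token.split(":", 1)[0]
    return bot_id + ":<redacted>"


def parse_line(line):
    """Return a dict describing a Telegram Bot API request, or None for any other log line."""
    parts = line.split()
    if len(parts) != 3:
        return None
    client, _http_method, url = parts
    u = urlsplit(url)
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH.match(u.path)
    if not m:
        return None
    q = parse_qs(u.query)
    return {
        "client": client,
        "bot_id": redact_token(m["token"]),
        "method": m["method"].lower(),
        "chat_id": q.get("chat_id", [None])[0],
        "text": q.get("text", [None])[0],
    }


def summarize(log_text):
    """Group Bot API hits per client host.

    Returns {client: {"bot_ids": set, "methods": [...], "chat_ids": set, "texts": [...]}}.
    """
    report = {}
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        entry = report.setdefault(
            hit["client"], {"bot_ids": set(), "methods": [], "chat_ids": set(), "texts": []}
        )
        entry["bot_ids"].add(hit["bot_id"])
        entry["methods"].append(hit["method"])
        if hit["chat_id"]:
            entry["chat_ids"].add(hit["chat_id"])
        if hit["text"]:
            entry["texts"].append(hit["text"])
    return report


def suspicious_clients(report):
    """Flag hosts that called getMe and afterwards posted to a chat via sendMessage."""
    flagged = []
    for client, entry in report.items():
        methods = entry["methods"]
        if "getme" in methods and "sendmessage" in methods:
            if methods.index("getme") < methods.index("sendmessage"):
                flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for client in suspicious_clients(rep):
        e = rep[client]
        print(client, sorted(e["bot_ids"]), e["methods"], sorted(e["chat_ids"]), e["texts"])
```

The redacted bot ID and the chat ID are enough to correlate infected hosts and to report the bot to Telegram, while the secret half of the token never lands in a ticket or SIEM field. The `text` values are kept because, per the article, they carry the victim ID and key seed, which the incident responder will want to preserve.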
Telecrypt ransomware downloads ransom note from hacked websites
After this API request, Telecrypt will download a module named "Informer" ('Информатор' in Russian) as a file named Xhelp.exe, hosted on compromised websites. The purpose of this file is to show the ransom note seen below.
Telecrypt ransom note (Source: Kaspersky Lab)
Telecrypt asking for money via Qiwi and Yandex.Money (Source: Kaspersky Lab)
Telecrypt message: "Thank you for helping Young Programmers Fund" (Source: Kaspersky Lab)
The ransom note is written in Russian and asks users to pay 5,000 rubles (around $80) via Yandex.Money and Qiwi payments, two payment systems very popular in Russia.
Analysis of the language used in the ransom note by Kaspersky's Russian employees reveals several mistakes.
The ransom note also includes a text that reads "Thank you for helping Young Programmers Fund," and a method to send a message to the crooks. This message is sent via the same API request the ransomware uses to keep track of victims, and annoyed users can use it to spam Telecrypt's Telegram channel as payback.
Kaspersky researchers said they've seen Telecrypt versions that don't append any extra extension to the user's locked files, but there's also a variant that adds the .Xcri extension at the end of files.