November 24, 2016
A new ransomware family, TeleCrypt, appeared recently carrying some new ideas. While most ransomware talks to its C&C over simple HTTP-based protocols, TeleCrypt abuses the API of a popular messenger, Telegram, for this purpose. You can read more about it here.
Fortunately, the encryption used is not strong, and one of our employees, Nathan Scott, has already prepared a decryption tool that allows victims to recover their files without paying.
Telecrypt Decryptor screenshot:
The tool requires the .NET Framework in order to work. You must also have an unencrypted copy of at least one of the encrypted files, so that the tool can recover the key from the pair.
You can download the decryptor from here.
3e24d064025ec20d6a8e8bae1d19ecdb – original sample
About the Ransomware
TeleCrypt is distributed as an EXE file via email, exploit kits, and drive-by downloads. The executables are written in Borland Delphi.
An infection by this ransomware can be recognized by the note left on the Desktop, named База зашифр файлов.txt ("Database of encrypted files"). It contains a list of all the encrypted files.
It also downloads and starts another component, an executable with a GUI that informs the victim about the encryption with a message written in Russian:
The message box that pops up:
Communication with the C&C
TeleCrypt uses the Telegram API to send information about its victims straight to the ransomware author and to receive information back.
This way of communicating is unusual: it is one of the first ransomware families to use a mainstream messaging client's API, instead of a dedicated C2 server, to send commands and retrieve information.
An example API call is as follows:
It tests whether the API is still reachable with the following call:
After finishing encryption, it downloads another component from a remote address:
Fragment of the Wireshark capture showing the new PE file being downloaded:
TeleCrypt encrypts the following files:
TeleCrypt generates a random key string of between 10 and 20 characters, built only from the letter pairs vo, pr, bm, xu, zt and dq, and uses it to encrypt the files.
TeleCrypt encrypts a file by looping over it a single byte at a time and adding the next byte of the key to each byte, cycling through the key (the sum wraps around at 256). Because this is a plain byte-wise addition with a short repeating key, subtracting an unencrypted copy of a file from its encrypted version reveals the key stream directly. This simple encryption method is what made a decryption application possible.
Encryption algorithm (click on the image to enlarge):
About the decryptor
In order to use the decryption application, you will need a good (unencrypted) copy of one of the encrypted files, so that the application can derive your key from the pair.
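The following is an added example, written for this page and not the code of the Malwarebytes decryptor or of the ransomware, that demonstrates both the byte-addition cipher described above and the known-plaintext key recovery the decryptor performs. It reproduces the cipher as the page describes it (one byte at a time, key byte added in order, cycling the key) and recovers the key by subtracting a known plaintext from its ciphertext and finding the shortest repeating period in the 10 to 20 byte range the page gives. The key generator strings whole pairs from the page's alphabet together; that is an assumption about how the sample builds its key, and the recovery routine does not depend on it. The sample plaintext is constructed for the demonstration.

```python
"""TeleCrypt-style byte-addition cipher: encrypt, recover the key from a
known-plaintext pair, and decrypt.  Added example; not the decryptor's code."""
import random
from typing import Optional

# Key alphabet as the page lists it.  Stringing whole pairs together is an
# assumption about how the sample builds its key (so keys here are even-length);
# recover_key() below does not rely on that.
KEY_PAIRS = ("vo", "pr", "bm", "xu", "zt", "dq")
MIN_KEY_LEN, MAX_KEY_LEN = 10, 20


def generate_key(seed: int) -> bytes:
    """Random key of 10 to 20 characters drawn from KEY_PAIRS (seeded for repeatability)."""
    rng = random.Random(seed)
    n_pairs = rng.randint(MIN_KEY_LEN // 2, MAX_KEY_LEN // 2)
    return "".join(rng.choice(KEY_PAIRS) for _ in range(n_pairs)).encode("ascii")


def telecrypt_encrypt(data: bytes, key: bytes) -> bytes:
    """Add the key byte-wise, cycling the key; the sum wraps around at 256."""
    return bytes((b + key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def telecrypt_decrypt(data: bytes, key: bytes) -> bytes:
    """Inverse of telecrypt_encrypt: subtract the cycled key byte-wise."""
    return bytes((b - key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def recover_key(plain: bytes, cipher: bytes) -> Optional[bytes]:
    """Known-plaintext attack.

    cipher[i] - plain[i] (mod 256) is the key byte used at position i, so the
    difference of the two files is the key repeated.  The key is the shortest
    period of that stream inside the page's 10..20 range.  We insist on at
    least 2*MAX_KEY_LEN bytes of overlap so every candidate period is checked
    over at least one full repetition; with less, a wrong period could fit.
    """
    n = min(len(plain), len(cipher))
    if n < 2 * MAX_KEY_LEN:
        return None
    stream = bytes((c - p) & 0xFF for c, p in zip(cipher[:n], plain[:n]))
    for period in range(MIN_KEY_LEN, MAX_KEY_LEN + 1):
        if all(stream[i] == stream[i % period] for i in range(n)):
            return stream[:period]
    return None  # no consistent period: not this cipher, or key outside range


def decrypt_with_reference(ref_plain: bytes, ref_cipher: bytes,
                           target_cipher: bytes) -> bytes:
    """What the decryptor does: derive the key from one good/encrypted file
    pair, then apply it to another encrypted file."""
    key = recover_key(ref_plain, ref_cipher)
    if key is None:
        raise ValueError("could not recover a key from the reference pair")
    return telecrypt_decrypt(target_cipher, key)


if __name__ == "__main__":
    # Constructed sample data: one "good" file the victim still has, plus a
    # second file for which only the encrypted copy exists.
    good_file = b"The quick brown fox jumps over the lazy dog. " * 3
    other_file = b"Quarterly report, confidential. Do not distribute.\n" * 2
    key = generate_key(seed=2016)
    enc_good = telecrypt_encrypt(good_file, key)
    enc_other = telecrypt_encrypt(other_file, key)

    recovered = recover_key(good_file, enc_good)
    print("recovered key:", recovered)
    assert recovered == key
    assert decrypt_with_reference(good_file, enc_good, enc_other) == other_file
    print("second file decrypted OK")
```

Two points worth noting from the code: the reference file must overlap the encrypted copy by at least 40 bytes (twice the maximum key length) for the period search to be unambiguous, and a key whose halves repeat (for example "vodqvodqvodq" followed by more of the same) is recovered as its shortest period, which still decrypts correctly because the cipher only ever uses the key cyclically.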
Instructions to use the Decryption Application:
News courtesy: https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/