A new ransomware, TeleCrypt, appeared recently carrying some new ideas. While most ransomware communicates with its C&C over simple HTTP-based protocols, TeleCrypt abuses the API of a popular messenger, Telegram, for this purpose. You can read more about it here.
Fortunately, the encryption used was not strong, and one of our employees, Nathan Scott, has already prepared a decryption tool that allows victims to recover their files without paying.
Telecrypt Decryptor screenshot:
The tool requires the .NET platform in order to work. You must also have an unencrypted copy of one of the encrypted files in order to recover the key.
You can download the decryptor from here.
Analyzed sample
3e24d064025ec20d6a8e8bae1d19ecdb – original sample
About the Ransomware
TeleCrypt is distributed as an EXE file via email, exploits, and drive-by downloads. The executables are written in Borland Delphi.
Infections with this ransomware can be recognized by the note left on the Desktop, named База зашифр файлов.txt, which contains the list of all the encrypted files.
It also downloads and starts another component, an executable with a GUI, that informs the victim about the encryption with a message written in Russian:
The message box that pops up:
An Example API call is as follows:
Sample response:
It tests if the API is still available by the following call:
After finishing the encryption, it downloads another component from a remote address:
Fragment of the Wireshark capture, showing that the new PE file is being downloaded:
Encryption algorithm (click on the image to enlarge):
About the decryptor
In order to use the Decryption Application, you will need a good version of one of the encrypted files, so that the application can generate your key.
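Why a single good/encrypted pair is enough to rebuild the key, as an added illustration that is not the decryptor's own code: the page shows the real algorithm only in the image above, so this stand-in assumes a repeating-key XOR; the good copy XORed with its encrypted copy exposes the keystream, the keystream's period gives the key, and that key then decrypts every other file. It also shows why an edited "good" copy must be rejected. All file contents and the key below are constructed sample data.

```python
from itertools import cycle


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Stand-in cipher (assumption): each byte XORed with a repeating key."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def keystream(plain: bytes, cipher: bytes) -> bytes:
    """Plaintext XOR ciphertext cancels the data and leaves the keystream."""
    if len(plain) != len(cipher):
        raise ValueError("good copy and encrypted copy differ in length")
    return bytes(p ^ c for p, c in zip(plain, cipher))


def recover_key(plain: bytes, cipher: bytes, max_len: int = 64):
    """Shortest repeating key consistent with the pair, or None when the
    pair does not match (a wrong or edited 'good' file was supplied)."""
    ks = keystream(plain, cipher)
    for n in range(1, min(max_len, len(ks)) + 1):
        if all(ks[i] == ks[i % n] for i in range(len(ks))):
            return ks[:n]
    return None


def decrypt(cipher: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return xor_stream(cipher, key)


# Constructed sample data standing in for a victim's files.
KEY = b"constructed-key!"
GOOD_COPY = b"Quarterly report, draft 3. Totals attached below.\n" * 3
OTHER_FILE = b"Second document the victim has no clean copy of.\n" * 2
ENCRYPTED_COPY = xor_stream(GOOD_COPY, KEY)
ENCRYPTED_OTHER = xor_stream(OTHER_FILE, KEY)
# A slightly edited version of the good file: a single byte differs.
NEAR_MISS_COPY = GOOD_COPY[:75] + bytes([GOOD_COPY[75] ^ 0xFF]) + GOOD_COPY[76:]


def demo() -> bool:
    key = recover_key(GOOD_COPY, ENCRYPTED_COPY)                     # -> KEY
    others_ok = decrypt(ENCRYPTED_OTHER, key) == OTHER_FILE          # key reused
    rejected = recover_key(NEAR_MISS_COPY, ENCRYPTED_COPY) is None   # edited copy
    return key == KEY and others_ok and rejected


if __name__ == "__main__":
    print("key recovered, verified, near-miss rejected:", demo())
```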
Instructions to use the Decryption Application:
**REQUIRES .NET 4.0 AND ABOVE** - every Windows version after Windows XP comes with this by default.

- Download the application and place it anywhere on the machine.
- Right click and run it as Administrator (it needs admin privileges to be able to write to all the needed files!).
- Read the instructions on the first page, THEY ARE IMPORTANT!
- On the first page, select one encrypted file and a good, non-encrypted version of that file.
- The application will then verify that you supplied the correct files and that you are infected with this strain.
- If you are, the next page will offer two decryption methods: one using the list of files the ransomware left, and one where you simply select a folder, in which case it will decrypt EVERYTHING IN THAT FOLDER.
- The safest method is to simply select the file list and let the application take it from there.
- If you don't have the list, use the folder option. The application tells you to move any files you want decrypted into a folder and to select that folder. BACKUPS are made no matter what with this option, to keep risk down.
- The application will now decrypt the files.