TeleCrypt, the unusual ransomware known for hijacking the Telegram messaging service as its command-and-control channel instead of an attacker-run HTTP server, is no longer a threat to its victims. Only weeks after Kaspersky Lab first described the strain, Nathan Scott, a malware analyst at Malwarebytes, built on that analysis and released a free decryptor.
The major flaw the researchers uncovered is the encryption itself. TeleCrypt walks through each file one byte at a time and adds the next byte of the key to each byte, in order. A cipher that merely adds a key byte to each plaintext byte falls to a single known plaintext: subtracting an unencrypted copy of a file from its encrypted copy, byte by byte, yields the key directly, and that key then unlocks every other file on the machine. This simple scheme is what gave the researchers a way in.
What set this ransomware apart was its command-and-control (C&C) channel: rather than the HTTP/HTTPS servers most ransomware uses these days, the operators relayed traffic through Telegram's Bot API, so the C&C communications blend in with legitimate Telegram use. Distribution was limited, and the first version targeted Russian-speaking users. Reports indicate that victims who were phished into downloading and running the infected file were shown a ransom page demanding 5,000 rubles (about $77), payable to a so-called "Young Programmers Fund", to retrieve their files.
The ransomware targets over a hundred file types, including .jpg, .xlsx, .docx, .mp3, .7z, .torrent and .ppt.
Malwarebytes' decryption tool lets victims recover their files without paying. It does, however, need an unencrypted copy of one of the locked files to use as a sample from which to derive the working decryption key. Such a copy can usually be found in an e-mail account (a sent or received attachment), in a file-syncing service such as Dropbox or Box, or in an older system backup, if one exists.
Once the decryptor has recovered the key, it offers to decrypt every file on the ransomware's own list of encrypted files, or only the files in one specific folder.
The process works as follows: the decryptor first verifies the pair of files you provide. If the unencrypted and encrypted copies match and the encrypted one was produced by TeleCrypt's scheme, the program advances to its second page. To find the remaining encrypted files it uses the list TeleCrypt itself keeps at "%USERPROFILE%\Desktop\База зашифр файлов.txt" (Russian for "database of encrypted files").
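The following is an added example, not code from the article or from the Malwarebytes decryptor. It shows why the byte-addition scheme described above is broken and why the decryptor needs one clean copy of a locked file: the key is simply the byte-wise difference between the encrypted and unencrypted copies. It also adds the sanity check a practitioner would want before decrypting everything, checking that the recovered key turns the headers of other encrypted files back into the magic bytes their extensions imply. Two things are assumptions not stated in the article: that the key wraps around once it is exhausted (cipher[i] = plain[i] + key[i mod len(key)] mod 256), and that `SAMPLE_KEY`, `CLEAN_DOCX` and the other "files" are constructed test data, not material from a real infection.

```python
# Added example (not the article's or Malwarebytes' code): known-plaintext
# key recovery against a byte-additive cipher, plus header verification.
#
# Assumptions the article does not spell out:
#   * cipher[i] = (plain[i] + key[i mod len(key)]) mod 256, i.e. the key
#     wraps around once used up;
#   * SAMPLE_KEY and the sample files below are constructed test data.
from itertools import cycle

SAMPLE_KEY = b"\x13\x37\xc0\xde\x42\x99\x05\x7a"  # constructed, not a real key

# Leading bytes of container formats on TeleCrypt's target list.
# docx/xlsx are ZIP containers, so they begin with the ZIP local-file header.
MAGIC = {
    "docx": b"PK\x03\x04",
    "xlsx": b"PK\x03\x04",
    "jpg": b"\xff\xd8\xff",
    "7z": b"7z\xbc\xaf\x27\x1c",
}


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Re-implementation of the described scheme: add the next key byte to each byte."""
    return bytes((p + k) & 0xFF for p, k in zip(plaintext, cycle(key)))


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Inverse of encrypt: subtract the same key byte sequence."""
    return bytes((c - k) & 0xFF for c, k in zip(ciphertext, cycle(key)))


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """key[i] = cipher[i] - plain[i] (mod 256): one clean/encrypted pair gives the keystream."""
    if len(plaintext) != len(ciphertext):
        raise ValueError("clean and encrypted copies differ in length; not the same file?")
    return bytes((c - p) & 0xFF for p, c in zip(plaintext, ciphertext))


def shortest_period(stream: bytes) -> bytes:
    """Shortest prefix whose repetition reproduces the stream: the key, if the sample is longer than it."""
    n = len(stream)
    for period in range(1, n):
        if all(stream[i] == stream[i % period] for i in range(n)):
            return stream[:period]
    return stream  # sample no longer than the key: only a partial key is recoverable


def recover_key(plaintext: bytes, ciphertext: bytes) -> bytes:
    return shortest_period(recover_keystream(plaintext, ciphertext))


def looks_like(prefix: bytes, ext: str) -> bool:
    """True if decrypted leading bytes carry the magic expected for the extension."""
    return prefix.startswith(MAGIC[ext])


def recover_and_verify(sample_plain: bytes, sample_cipher: bytes, other_files: dict):
    """Recover the key from one known pair, then check it against other files' headers.

    other_files maps 'name.ext' -> encrypted bytes. Returns (key, {name: header_ok}).
    A False entry means the key is wrong or incomplete; do not bulk-decrypt on it.
    """
    key = recover_key(sample_plain, sample_cipher)
    results = {}
    for name, data in other_files.items():
        ext = name.rsplit(".", 1)[-1].lower()
        head = decrypt(data[: len(MAGIC[ext])], key)  # header sits at offset 0, so key phase is 0
        results[name] = looks_like(head, ext)
    return key, results


# Constructed sample: a clean docx-like file the victim still has (e.g. a mail attachment).
CLEAN_DOCX = b"PK\x03\x04\x14\x00\x06\x00" + b"[Content_Types].xml constructed sample " * 2
ENCRYPTED_DOCX = encrypt(CLEAN_DOCX, SAMPLE_KEY)

# Constructed encrypted files for which no clean copy exists.
ENCRYPTED_OTHERS = {
    "photo.jpg": encrypt(b"\xff\xd8\xff\xe0\x00\x10JFIF" + bytes(40), SAMPLE_KEY),
    "backup.7z": encrypt(b"7z\xbc\xaf\x27\x1c\x00\x04" + bytes(40), SAMPLE_KEY),
    "budget.xlsx": encrypt(b"PK\x03\x04" + bytes(40), SAMPLE_KEY),
}

if __name__ == "__main__":
    key, ok = recover_and_verify(CLEAN_DOCX, ENCRYPTED_DOCX, ENCRYPTED_OTHERS)
    print("recovered key:", key.hex(), "header checks:", ok)
```

The header check matters in practice: if the sample file is shorter than the key, only a partial key comes back, and a short sample can also produce a spurious short period; both cases show up as `False` entries on files the key should have unlocked. The real decryptor's insistence on a matching clean/encrypted pair before it proceeds is the same idea.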