Telecrypt ransomware uses Telegram for command and control

Telecrypt, a newly spotted piece of crypto ransomware that uses Telegram’s communication protocol to deliver the decryption key to the crooks, is targeting Russian-speaking users.

Telecrypt ransomware's informer module shows the ransom demand, and provides a way for victims to communicate with the cybercriminals

The malware encrypts Word and Excel files, JPG, JPEG and PNG image files, database files (DBF), and PDFs.

“Depending on its configuration, the Trojan may add the extension ‘.Xcri’ to the encrypted files, or leave the extension unchanged,” Kaspersky Lab researchers explained. “A list of encrypted files is saved to the text file ‘%USERPROFILE%\Desktop\База зашифр файлов.txt’.”

The most interesting thing about Telecrypt is that it uses Telegram channels to “keep in touch” with its creators.

The researchers don’t mention how the malware is delivered to end users, but the infection process goes like this:

  • Before the infection, the cybercriminals create a “Telegram bot”.
  • The victim launches the malicious binary.
  • The ransomware creates a file encryption key and an infection ID.
  • It then checks whether the aforementioned Telegram bot has been created (it does so by using the Telegram bot’s unique ID that has been placed in the Trojan’s body).
  • After “finding” the bot, the Trojan sends the following information to it through the Telegram Bot API: the number of the chat with the cybercriminal, the name of the infected computer, the infection ID, and the number used as a basis to generate the file encryption key.
  • Only then does it start searching for and encrypting files located on the victim’s computer’s hard drives.
  • Once the encryption process is done, it informs the crooks (through the bot).
  • It downloads a module with a graphical interface that shows the ransom note (the crooks ask for 5,000 rubles, to be delivered via Qiwi or Yandex.Money) and provides the option to get in touch with the crooks (also via Telegram).
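As an added example (not from the article or from Kaspersky Lab's analysis), the following Python detector replays the C2 sequence above over constructed web-proxy log lines: it flags a host where a non-messenger process first probes a bot and later posts through the same bot token. It assumes the Trojan's "does the bot exist?" check is the Bot API `getMe` call and the beacon is `sendMessage`, both against the public `api.telegram.org` endpoint; the log format, IPs, process names and tokens are constructed.

```python
import re
from urllib.parse import urlsplit

# Telegram Bot API URLs have the shape https://api.telegram.org/bot<token>/<method>;
# a token is "<numeric bot id>:<secret>" (assumed format, matching Telegram's docs).
BOT_CALL = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>\w+)$")

def parse_line(line):
    """Constructed log format: '<timestamp> <client_ip> <process> <verb> <url>'.
    Returns a dict for Bot API calls, None for anything else."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, proc, verb, url = parts
    u = urlsplit(url)
    m = BOT_CALL.match(u.path)
    if u.hostname != "api.telegram.org" or m is None:
        return None
    return {"ts": ts, "client": client, "process": proc,
            "token": m.group("token"), "api_method": m.group("method")}

def find_suspects(lines, allowed=("chrome.exe", "firefox.exe", "telegram.exe")):
    """Flag (client, token) pairs where an unexpected process does getMe and
    then sendMessage with the same token, i.e. the Telecrypt check-in pattern."""
    probed = {}      # (client_ip, token) -> process that issued getMe
    suspects = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["process"].lower() in allowed:
            continue           # ordinary browser/messenger traffic is not interesting
        key = (ev["client"], ev["token"])
        if ev["api_method"] == "getMe":
            probed[key] = ev["process"]
        elif ev["api_method"] == "sendMessage" and key in probed:
            suspects.append({"client": ev["client"], "process": ev["process"],
                             "bot_id": ev["token"].split(":")[0]})
    return suspects

# Constructed sample: a browser using a bot legitimately, an unknown binary
# showing the probe-then-beacon sequence, and a lone sendMessage with no probe.
SAMPLE_LOG = """\
2016-11-10T09:00:01 10.0.0.5 chrome.exe GET https://api.telegram.org/bot111111:AAAAAAAAAAAAAAAAAAAAAAAA/getMe
2016-11-10T09:00:02 10.0.0.5 chrome.exe POST https://api.telegram.org/bot111111:AAAAAAAAAAAAAAAAAAAAAAAA/sendMessage
2016-11-10T09:01:10 10.0.0.7 invoice.exe GET https://api.telegram.org/bot222222:BBBBBBBBBBBBBBBBBBBBBBBB/getMe
2016-11-10T09:01:11 10.0.0.7 invoice.exe POST https://api.telegram.org/bot222222:BBBBBBBBBBBBBBBBBBBBBBBB/sendMessage
2016-11-10T09:02:00 10.0.0.9 update.exe POST https://api.telegram.org/bot333333:CCCCCCCCCCCCCCCCCCCCCCCC/sendMessage
""".splitlines()

if __name__ == "__main__":
    for s in find_suspects(SAMPLE_LOG):
        print(f"suspect beacon: host={s['client']} process={s['process']} bot_id={s['bot_id']}")
```

Because the bot token travels in the URL, the same logs let a defender block or sinkhole that specific bot; conversely, the lone `sendMessage` from 10.0.0.9 is deliberately not flagged, so sequence-based rules like this one should be paired with simpler "unexpected process talks to api.telegram.org" alerts.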

Kaspersky Lab advises victims not to pay the ransom, but to contact its support team for help decrypting the files.