Telecrypt Decryptor foils ransomware’s simple encryption method
The recently spotted Telecrypt ransomware can be thwarted: malware analyst Nathan Scott has created a tool that decrypts the encrypted files.
Telecrypt Decryptor works only if the affected machine has .NET 4.0 or later (built into Windows 8 and later; older Windows versions need it installed separately), and if the user still has the original, unencrypted copy of at least one of the encrypted files, which the tool uses as known plaintext to derive the key. It also needs to be run from an Administrator account.
The tool comes with instructions and a warning: don’t use it if you haven’t been infected with this particular ransomware, as it could corrupt some of your files.
Telecrypt was first spotted a few weeks ago, targeting Russian-speaking users.
What sets it apart is that it uses Telegram’s messaging protocol to deliver the decryption key to the crooks and, more generally, to communicate with them.
The message it shows puts the ransom at 5,000 rubles (around 78 USD), and the crooks thank the victims for helping the “Young Programmers Fund.”
“Telecrypt will generate a random string to encrypt the files that is between 10 and 20 characters long and only contains the letters vo, pr, bm, xu, zt, dq,” Malwarebytes explained.
“[It] encrypts files by looping through them a SINGLE byte at a time, and then simply adding a byte from the key in order. This simple encryption method allows a decryption application to be made.”
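The reason one unencrypted copy is enough for a decryptor follows directly from that description: if each ciphertext byte is plaintext byte plus a cycling key byte (mod 256), then subtracting a known plaintext from its ciphertext yields the key stream, and the key is whatever 10 to 20 character pattern repeats through it. The Python below is an added illustration written for this article, not the Telecrypt Decryptor’s or the malware’s own code. It assumes the twelve letters in the Malwarebytes quote are the key alphabet, that the key bytes are simply added with wraparound at 256, and that at least 40 bytes of known plaintext are available (two full periods of the longest key); the function names are this example’s own.

```python
"""
Reconstruction of the Telecrypt file cipher as described by Malwarebytes
(byte-wise addition of a cycling 10-20 character key), plus the
known-plaintext key recovery a decryptor relies on. Illustrative code for
this article; not the Telecrypt Decryptor. The key alphabet, the mod-256
addition and the 40-byte known-plaintext minimum are assumptions.
"""
import random

# The letters named in the Malwarebytes description ("vo, pr, bm, xu, zt, dq").
KEY_ALPHABET = "voprbmxuztdq"
MIN_KEY_LEN, MAX_KEY_LEN = 10, 20
# Assumed: enough known plaintext to observe two periods of the longest key.
MIN_KNOWN_BYTES = 2 * MAX_KEY_LEN


def make_key(rng=None):
    """Random 10-20 character key drawn from KEY_ALPHABET (mimics the malware)."""
    rng = rng or random.SystemRandom()
    length = rng.randint(MIN_KEY_LEN, MAX_KEY_LEN)
    return "".join(rng.choice(KEY_ALPHABET) for _ in range(length))


def encrypt(data, key):
    """Add one key byte to each data byte, cycling through the key (mod 256)."""
    kb = key.encode("ascii")
    return bytes((b + kb[i % len(kb)]) & 0xFF for i, b in enumerate(data))


def decrypt(data, key):
    """Inverse of encrypt: subtract the same cycling key byte (mod 256)."""
    kb = key.encode("ascii")
    return bytes((b - kb[i % len(kb)]) & 0xFF for i, b in enumerate(data))


def recover_key(plain, cipher):
    """Derive the key from one file available in both forms.

    cipher - plain (mod 256) is the raw key stream. The key is the shortest
    period in 10..20 that reproduces the whole stream and contains only
    alphabet letters. A key that is itself periodic is returned in its
    shorter form, which decrypts identically.
    """
    if len(plain) != len(cipher):
        raise ValueError("plaintext and ciphertext lengths differ")
    if len(plain) < MIN_KNOWN_BYTES:
        raise ValueError(f"need at least {MIN_KNOWN_BYTES} bytes of known plaintext")
    stream = bytes((c - p) & 0xFF for p, c in zip(plain, cipher))
    for period in range(MIN_KEY_LEN, MAX_KEY_LEN + 1):
        candidate = stream[:period]
        periodic = all(stream[i] == candidate[i % period] for i in range(len(stream)))
        if periodic and all(chr(b) in KEY_ALPHABET for b in candidate):
            return candidate.decode("ascii")
    raise ValueError("no consistent 10-20 byte key found; wrong file pair?")


def decrypt_with_known_file(encrypted_files, known_name, known_plain):
    """Recover the key from one known file, then decrypt every file in the set.

    encrypted_files maps file names to encrypted contents; known_name is the
    entry whose original (known_plain) the victim still has.
    """
    key = recover_key(known_plain, encrypted_files[known_name])
    return key, {name: decrypt(data, key) for name, data in encrypted_files.items()}


if __name__ == "__main__":
    key = make_key()
    # Constructed sample "files" standing in for a victim's documents.
    originals = {
        "report.docx": b"The quick brown fox jumps over the lazy dog. " * 3,
        "notes.txt": b"Meeting moved to Thursday; bring the Q3 numbers.",
    }
    encrypted = {n + ".Xcri": encrypt(d, key) for n, d in originals.items()}
    found, restored = decrypt_with_known_file(
        encrypted, "report.docx.Xcri", originals["report.docx"])
    print("recovered key:", found)
    for n, d in originals.items():
        print(n, "restored OK" if restored[n + ".Xcri"] == d else "MISMATCH")
```

Because the key only contains letters from a twelve-character alphabet, the alphabet check also screens out the wrong file pair: subtracting an unrelated plaintext produces a stream that fails the periodicity test, and the function raises instead of handing back garbage, which is the failure mode behind the tool’s warning about corrupting files.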
Telecrypt is distributed in the form of an executable, via spam emails, exploits, and drive-by download schemes.
It encrypts a wide variety of files and, depending on its configuration, it either adds the extension ‘.Xcri’ to the encrypted files or leaves it unchanged.