It took experts only three weeks to break the code of TeleCrypt, the ransomware which exploits the chat app Telegram messenger. The virus uses a simple cryptosystem which was easy to figure out.
TeleCrypt was discovered in early November by the malware research team of Kaspersky Lab. The ransomware targets users from Russian-speaking countries. It asks people to pay a sum of 5000 ruble which is equivalent to about $78 USD. The developers of the virus thank users for contributing to the “Young Programmers Fund”.
To their credit, the developers of TeleCrypt were bold in their endeavor. Their program is one of the first encryption viruses to use an established messenger application for extracting information on the victims and communicating with them.
Nathan Scott, the researcher who is credited for decrypting TeleCrypt, addressed the ransomware and its antics. “TeleCrypt uses the Telegram API to send the information on its victims to the ransomware creator,” explained Mr. Scott in a blog post.
“This way of the communication is very unique – it is one of the first to use a mainstream messaging client’s API, instead of a command and control server, to send commands and get information.”
The ransomware was easy to decrypt because it uses a simple encryption algorithm, as Nathan Scott elaborated: “TeleCrypt encrypts files by looping through them a single byte at a time, and then simply adding a byte from the key in order – this simple encryption method allows a decryption application to be made.”
The TeleCrypt Decryptor exploits weaknesses in the ransomware’s encryption process. To be able to decrypt their files, users need to have a normal format copy of at least one encrypted file.
TeleCrypt is the next from a long line of ransomware programs which have fallen victim to security experts. A more sophisticated infection in CrySiS was decrypted about a week ago. The keys were published for people to use. About a week later, ESET boffins released a decryption tool for the virus. The solution often lies in encryption implementation errors which can be exploited by developers.
An organization called NoMoreRansom Alliance has been established to unify the efforts of malware experts. The initiative has sped up the process of producing decryptors. The association is credited for creating decryption tools for CryptXXX and several versions of CryptoWall.
Ransomware programs keep appearing on a daily basis which makes sense. The branch is profitable. According to research, conducted by Trustwave, cyber criminals can score a net income of $84,000 USD a month for an investment of $6000 USD. This makes for a profit margin of 1425 %.
