Kaspersky Lab researchers have discovered a new ransomware family, which they named Telecrypt. What sets the infection apart is that it uses Telegram's Bot API as its command-and-control (C&C) channel, reporting victims to a Telegram chat rather than to a conventional C&C server.
Because Telecrypt depends on Telegram, it needs a working Internet connection before it will start its malicious routine.
The researchers found that Telecrypt is written in Delphi and that its binary is about 3 MB in size. As soon as the user launches the binary, Telecrypt goes to work.
Before the malware can lock any files, its operators must first create a Telegram bot through the Telegram Bot API. Telegram issues a unique token for each bot, and that token is hardcoded into the ransomware.
When the binary runs, the ransomware first calls the Bot API's getMe method (https://api.telegram.org/bot<token>/getMe) with its hardcoded bot token. The purpose of this check is to confirm that the bot still exists and has not been taken down by Telegram's administrators.
Telecrypt then uses the same API to post a message to a Telegram chat whose ID is also hardcoded in the binary. The format of the message is as follows:
Breaking down this API request: Telecrypt posts to the criminals' Telegram channel the name of the infected computer, an ID assigned to that infection, and a key seed, the number from which the file encryption key is generated. Telecrypt then searches the local computer for files with the following extensions:
DOC, DOCX, XLS, XLSX, JPG, JPEG, PNG, DT, DBF, CD, PDF
While encrypting, Telecrypt also keeps a log of every file it has encrypted at:
%USERPROFILE%\Desktop\База зашифр файлов.txt ("Database of encrypted files.txt")
Once encryption finishes, Telecrypt sends the same API request to the same Telegram channel again, this time with an extra parameter:
After this request, Telecrypt downloads an additional module called "Informer" ("Информатор" in Russian), saved as a file named Xhelp.exe and hosted on compromised websites.
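The beacon sequence described above (a getMe liveness check with a hardcoded bot token, then sendMessage calls to a fixed chat_id, repeated once encryption ends) leaves a recognisable trail in any web proxy that logs full URLs, because the Bot API puts the bot token in the URL path. The following hunting script is an added example, not code from Kaspersky's report or from the Telecrypt sample. It assumes a simple proxy log of "timestamp client-IP URL" lines; the log itself, the bot token, the chat ID and the message text in it are constructed placeholders. The article gives the fields the message carries (hostname, infection ID, key seed) but not their exact layout, so the text is treated as opaque, and the trailing "extra=1" parameter merely stands in for the unspecified extra parameter the article mentions.

```python
"""Hunt for Telecrypt-style Telegram Bot API beacons in web proxy logs.

Added example, not from the Kaspersky report or the Telecrypt sample. The log
format (timestamp, client IP, URL) and every value in SAMPLE_LOG are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Telegram Bot API requests carry the bot token in the path: /bot<token>/<method>.
BOT_CALL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>[^/?]+)/(?P<method>[A-Za-z]+)"
)

# Constructed proxy log. Token, chat_id and text are placeholders; the message
# layout is not given in the article, so the text is never interpreted here.
# "extra=1" stands in for the unspecified extra parameter of the final beacon.
SAMPLE_LOG = """\
2016-11-15T10:00:01Z 10.0.0.7 https://api.telegram.org/bot123456789:EXAMPLE-SECRET/getMe
2016-11-15T10:00:02Z 10.0.0.7 https://api.telegram.org/bot123456789:EXAMPLE-SECRET/sendMessage?chat_id=-1001234&text=WS-7_42_98765
2016-11-15T10:00:03Z 10.0.0.9 https://www.example.com/index.html
2016-11-15T10:00:09Z 10.0.0.9 https://api.telegram.org/bot555:OTHER-SECRET/getUpdates
2016-11-15T10:05:44Z 10.0.0.7 https://api.telegram.org/bot123456789:EXAMPLE-SECRET/sendMessage?chat_id=-1001234&text=WS-7_42_98765&extra=1
"""


def parse_bot_call(url):
    """Return bot id, API method and query fields of a Bot API URL, or None."""
    m = BOT_CALL.match(url)
    if not m:
        return None
    token = m.group("token")
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {
        # Keep only the numeric bot id; the secret half of the token must not
        # be copied into tickets or SIEM fields.
        "bot_id": token.split(":", 1)[0],
        "method": m.group("method").lower(),  # the API is case-insensitive
        "chat_id": query.get("chat_id", [None])[0],
        "text": query.get("text", [None])[0],
    }


def hunt(log_text):
    """Flag hosts whose Bot API traffic matches the article's beacon sequence.

    Pattern: a getMe liveness check, then one or more sendMessage calls to a
    single chat_id with the same bot token. Other Bot API use (for example
    getUpdates from a legitimate bot) is ignored rather than reported as a hit.
    """
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url = line.split(maxsplit=2)
        call = parse_bot_call(url)
        if call:
            call["ts"] = ts
            per_host[client].append(call)

    findings = []
    for client, calls in per_host.items():
        methods = [c["method"] for c in calls]
        if "getme" not in methods:
            continue
        first_check = methods.index("getme")
        beacons = [c for c in calls[first_check:] if c["method"] == "sendmessage"]
        if not beacons:
            continue
        chats = {c["chat_id"] or "" for c in beacons}
        bots = {c["bot_id"] for c in calls}
        findings.append({
            "client": client,
            "bot_ids": sorted(bots),
            "chat_ids": sorted(chats),
            "beacon_count": len(beacons),
            "first_seen": calls[first_check]["ts"],
            "last_seen": beacons[-1]["ts"],
            # One bot posting to one chat is the hardcoded-C&C shape; a bot
            # relaying real users would show many chat_ids.
            "hardcoded_c2_shape": len(bots) == 1 and len(chats) == 1,
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Treat a hit as a lead, not a verdict: legitimate tooling also talks to api.telegram.org, so the second half of the check is to confirm the process on the flagged host, look for the Desktop log file named above, and block the bot id (not the full token, which is a credential) at the proxy while the host is contained.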
The ransom note, written in Russian, demands that victims pay 5,000 rubles (around $80) through Yandex.Money or Qiwi, two payment systems popular in Russia. Kaspersky's Russian-speaking analysts noted several language mistakes in the note.
The note includes the line "Thank you for helping Young Programmers Fund" and offers a way to send a message to the attackers. That message travels over the same Bot API request the ransomware uses to register victims, so annoyed victims can use it to flood the Telecrypt Telegram channel in return.
According to Kaspersky, some Telecrypt versions append no extra extension to the locked files, while another variant appends .Xcri to the name of each encrypted file.