TeleCrypt ransomware rapidly defanged thanks to weak encryption

News by Rene Millman

Security researchers at Malwarebytes have worked out how to extract the encryption key from TeleCrypt ransomware and build a tool for recovering scrambled files.

A new strain of ransomware, controlled via a popular messaging app, has been cracked just weeks after its release.

The TeleCrypt ransomware is unusual because it uses the popular messaging app Telegram to communicate with the attackers rather than simple HTTP-based protocols like other strains of ransomware.

Researchers from Malwarebytes discovered that the encryption used by the ransomware was weak and this allowed security researcher Nathan Scott to create a decryption tool, allowing the victims to recover their files without paying.

“TeleCrypt is distributed through an EXE file through email, exploits, and drive-by-downloads. The executables are coded in Borland Delphi,” said the firm in a blog post.

“Infections with this ransomware can be recognized by the note left on the Desktop named: ???? ?????? ??????.txt. It contains the list of all the encrypted files.”

Scott said that using the Telegram API to send information on victims to the ransomware creator was “unique”.

“It is one of the first to use a mainstream messaging client's API, instead of a command and control server, to send commands and get information.

“Telecrypt encrypts files by looping through them a single byte at a time, and then simply adding a byte from the key in order - this simple encryption method allows a decryption application to be made.”

Tony Rowan, chief security consultant at SentinelOne, told SC that if hackers created their own custom C&C channel, it would be more likely to be detected or blocked by tools such as firewalls.

“By using messaging tools commonly in use, they can masquerade as normal traffic and create covert C&C channels within these messaging tools. Additionally, it means that those parts of the malware associated with the C&C are much less likely to be discovered as malware because they're using ‘known-good’ applications. Essentially, they're keeping their footprint as small as possible and hiding their communications within ‘trusted’ channels,” he said.

TeleCrypt joins a growing list of ransomware that can be decrypted with help from cyber-security experts. The industry, in cooperation with Europol, has even set up a website which hosts a number of tools for decrypting some types of ransomware, and additional software packages are available from the websites of other anti-malware companies.

However, Ondrej Kubovic, IT security specialist at ESET, told SC that the growing number of decryptors doesn't necessarily mean that ransomware is in decline.

“On the contrary. As the number of ransomware families grows, the number of variants and families that are not designed properly grows as well – leading to situations where security vendors are able to help ransomware victims,” he said.

“However, we need to stress, there are still many dangerous and advanced ransomware families active in the wild that are at this point impossible to decrypt. Users should therefore keep their systems and software up-to-date, use reliable and multi-layered security software and have functional backups stored in a place that is disconnected from their network.”

The decryptor can be downloaded from here. To use the app, a victim will need both an unencrypted and an encrypted version of the same file in order to reveal the encryption key. When the key is found, the app then presents the user with the choice of decrypting a list of all encrypted files, or only those in one specific folder.
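The byte-wise additive scheme quoted above, and the known-plaintext key recovery that such a decryptor relies on, as an added illustration that is not Malwarebytes' tool or code from the article. It assumes, beyond what the article states, that the key repeats cyclically once its bytes are used up, and recovers the unknown key length from a plain/encrypted pair of the same file.

```python
"""Known-plaintext key recovery for a byte-wise additive cipher.

Added illustration, not the Malwarebytes decryptor. Assumption: each
plaintext byte gets one key byte added (mod 256) and the key repeats
cyclically; the key length is unknown and recovered from the sample pair.
"""
from typing import Optional


def key_stream_diff(plain: bytes, cipher: bytes) -> bytes:
    """Per-byte (cipher - plain) mod 256: this is the key stream itself."""
    if len(plain) != len(cipher):
        raise ValueError("known-plaintext pair must have equal length")
    return bytes((c - p) % 256 for p, c in zip(plain, cipher))


def shortest_period(stream: bytes) -> Optional[int]:
    """Smallest n with stream[i] == stream[i % n] for all i.

    Requires at least two full repetitions to confirm the period; returns
    None when the sample file is too short to pin the key length down.
    """
    n = len(stream)
    for period in range(1, n // 2 + 1):
        if all(stream[i] == stream[i % period] for i in range(n)):
            return period
    return None


def recover_key(plain: bytes, cipher: bytes) -> Optional[bytes]:
    """Derive the repeating key from one unencrypted/encrypted file pair."""
    diff = key_stream_diff(plain, cipher)
    period = shortest_period(diff)
    return None if period is None else diff[:period]


def decrypt(cipher: bytes, key: bytes) -> bytes:
    """Undo the additive scheme: subtract the cyclic key byte by byte."""
    return bytes((c - key[i % len(key)]) % 256 for i, c in enumerate(cipher))


def toy_encrypt(plain: bytes, key: bytes) -> bytes:
    """Additive toy cipher, used only to build the constructed sample."""
    return bytes((p + key[i % len(key)]) % 256 for i, p in enumerate(plain))


# Constructed sample: a known document and its scrambled copy (same key).
SAMPLE_KEY = b"t3stK3y!"
SAMPLE_PLAIN = b"Quarterly report: revenue up 12%, costs flat. Draft v3.\n"
SAMPLE_CIPHER = toy_encrypt(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_key(SAMPLE_PLAIN, SAMPLE_CIPHER)
    other = toy_encrypt(b"second file, same key, no plaintext copy", SAMPLE_KEY)
    print("recovered key:", key, "->", decrypt(other, key))
```

A sample shorter than twice the key cannot confirm the key length, so the function reports None rather than guessing; a longer known file from the same machine is then needed.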
