Connect with us

Hi, what are you looking for?


Malware & Threats

File-Encrypting Ransomware “Telecrypt” Abuses Telegram

A new file-encrypting ransomware dubbed by researchers “Telecrypt” abuses the instant messaging service Telegram for command and control (C&C) communications and to allow victims to send messages to the attackers.

A new file-encrypting ransomware dubbed by researchers “Telecrypt” abuses the instant messaging service Telegram for command and control (C&C) communications and to allow victims to send messages to the attackers.

The malware, detected by Kaspersky Lab as Trojan-Ransom.Win32.Telecrypt, only targets users in Russia. In order to avoid having to create their own service for communications between the malware and its server, Telecrypt creators decided to abuse Telegram’s communication protocol.

When first launched, the Delphi-written Trojan generates a file encryption key and an infection ID. The malware creates a Telegram bot and uses the Telegram API to inform cybercriminals that the infection has been successful and provide them some information about the infected system, including a chat number, computer name, infection ID, and the seed for the encryption key.

After collecting information on the infected device, the ransomware searches the hard drive for specific files and encrypts them. In some cases, the malware adds the .Xcri extension to encrypted files, but researchers also found a sample that does not change the original extension.

Once the files have been encrypted, the malware downloads an executable file from a compromised WordPress website. This module, dubbed by the cybercriminals “Informer,” displays the ransom note and informs victims that they have to pay 5,000 RUB ($77) to recover their files. The ransom can be paid via the Russian payment services Qiwi or Yandex.Money.

The ransom screen also includes a text field that victims can use to communicate with the cybercriminals. This feature also abuses the Telegram service.

Judging by the poorly written ransom note and other aspects, experts believe Telecrypt developers are not very skilled. Furthermore, the ransomware uses a simple encryption algorithm, which Kaspersky researchers have managed to crack. The security firm has advised Telecrypt victims not to pay the ransom and instead contact its support team for help in decrypting the files.

Advertisement. Scroll to continue reading.

Kaspersky Lab, one of the security firms involved in the NoMoreRansom initiative, offers free tools designed to decrypt files affected by several ransomware families.

Related: CryPy Ransomware Uses Unique Key for Each File

Related: DXXD Ransomware Encrypts Files on Unmapped Network Shares

Related: Locky Ransomware Drops Offline Mode

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.