Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

TeleCrypt Ransomware’s Encryption Cracked

TeleCrypt, the file encryption ransomware that abuses Telegram API for communication, has had its encryption cracked just two weeks after the threat was originally detailed.

TeleCrypt, the file encryption ransomware that abuses Telegram API for communication, has had its encryption cracked just two weeks after the threat was originally detailed.

The ransomware abuses the instant messaging service Telegram for command and control (C&C) communications. What’s more, victims can send messages to the attackers using the same service. Immediately after infection, the malware creates a Telegram bot beacon to the C&C server to send various details about the compromised machine.

After installation, TeleCrypt searches the hard drive for specific files, then encrypts them and appends the .Xcri extension to them. However, security researchers say that some variations of the malware don’t change the file extension.

The ransomware’s authors would request around $75 from their victims to provide them with a decryptor (payments are accepted via Russian payment services Qiwi or Yandex.Money). Right from the start, however, researchers suggested that TeleCrypt was written by cybercriminals without advanced skills.

According to Malwarebytes Labs researchers, the encryption TeleCrypt uses isn’t very strong indeed. The security researchers have already managed to create a decryption tool that allows victims to recover their files without paying the attackers. The utility requires .NET to work and for users to provide the unencrypted version of one of the encrypted files.

“Telecrypt will generate a random string to encrypt the files that is between 10-20 length and only contain the letters vo,pr,bm,xu,zt,dq. Telecrypt encrypts files by looping through them a SINGLE byte at a time, and then simply adding a byte from the key in order. This simple encryption method allows a decryption application to be made,” Malwarebytes Labs explains.

Written in Delphi, the ransomware is being distributed via spam emails, exploits, and drive-by downloads, and targets only users in Russia at the moment. Both the ransom note and an executable with GUI that is downloaded and dropped onto the infected machines, are written in Russian.

Kaspersky Lab security researchers also managed to crack the ransomware’s encryption to help victims recover their files using a free decryption tool. Involved in the NoMoreRansom initiative, Kaspersky actually helps the victims of numerous other ransomware families decrypt their files.

Related: Fake ISP Complaint Emails Distribute Locky Ransomware Variant

Related: Ransoc Ransomware Blackmails Victims

Related: CryPy Ransomware Uses Unique Key for Each File

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.