- Can't be uninstalled via Control Panel
- Installs itself without permissions
- Connects to the internet without permission
- Shows commercial adverts
- Slow internet connection
- System crashes
- Slow computer
Telecrypt Ransomware is the name of a newly discovered ransomware-type application whose primary objective is to encrypt your personal files and then offer to sell you a decryption key/software to decrypt them. However, we urge you to refrain from paying and to remove this infection, because there is no guarantee that the cybercriminals behind it will give you the decryption key/software needed to decrypt your files. We have acquired a sample of this application and tested it on one of our test computers, and in this article we present our findings.
We have found that this ransomware is designed to be distributed in Russian-speaking countries, because its ransom note and interface are in the Russian language only. We have also found that it is distributed using email spam. Its secretive developers have set up a dedicated server that sends emails to random users in the targeted regions in an effort to get their computers infected. We do not know what the fake emails look like or what they say, but it is apparent that they masquerade as legitimate and are designed to compel the would-be victims to open them. We have received information that Telecrypt Ransomware’s main executable is included in a file archive attached to the fake emails. The file archive is most likely set to self-extract when opened and, thus, drop the main executable. Furthermore, it seems that the executable does not start automatically and requires the victim to launch it.
Testing has shown that the main executable file of this ransomware is named randomly and extracted to the user’s folder of choice. If you launch the executable, it connects to its Command and Control (C&C) server. It uses https://telegram.org as its server. If there is no Internet connection, this ransomware will not initiate the encryption. We have discovered that this ransomware uses the Telegram API for its client-server communication. The ransomware’s developers created a Telegram bot via the Telegram API. When the computer is infected, Telecrypt Ransomware pings the Telegram API at https://api.telegram.org/bot/GetMe[token ID] to validate the link. The API link is hard coded, which means that if the ransomware’s developers remove the link, they will have to release a new sample with a new token ID.
Once the link has been validated, this ransomware posts a message to the developers’ Telegram channel containing information about the victim: the computer name, an infection ID, and a key seed. This Telegram channel is also hard coded into the ransomware. When everything is in place, Telecrypt Ransomware receives the encryption key and starts searching for encryptable files. We have found that it was designed to encrypt file formats that include .cd, .dbf, .doc, .docx, .dt, .jpeg, .jpg, .pfd, .png, .xls, and .xlsx. In short, this ransomware targets file formats that are more likely to contain personal and, thus, valuable information. In some cases, it appends the .Xcri extension to the encrypted files.
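The two observable traits described above, a validate-then-report exchange with the Telegram Bot API from a process that has no business using it, and files carrying the .Xcri extension, are both things a defender can hunt for. The following script is an added example written for this article, not code from the malware or from any security vendor. It assumes a hypothetical proxy log in a whitespace-separated "timestamp host process url" format; the log lines, hostnames, process names, the bot token and chat id are constructed placeholders, and the allowlisted process name is an invented in-house tool.

```python
"""Hunting helpers for the Telecrypt behaviour described in the article (added example).

Two indicators are checked:
  1. outbound requests to the Telegram Bot API (api.telegram.org/bot...) from
     processes not expected to use it, with the getMe -> sendMessage sequence;
  2. files carrying the .Xcri extension, which the ransomware may append.
"""
import re
import tempfile
from pathlib import Path

# Constructed proxy-log lines (not real traffic). Token and chat id are placeholders.
SAMPLE_PROXY_LOG = """\
2016-11-10T09:12:01Z WS-0471 chrome.exe https://www.example.com/
2016-11-10T09:12:07Z WS-0471 d3fa91.exe https://api.telegram.org/botTOKEN_PLACEHOLDER/getMe
2016-11-10T09:12:09Z WS-0471 d3fa91.exe https://api.telegram.org/botTOKEN_PLACEHOLDER/sendMessage?chat_id=CHAT_PLACEHOLDER&text=WS-0471
2016-11-10T09:13:00Z WS-0102 ops-alerts.exe https://api.telegram.org/botTOKEN_PLACEHOLDER/sendMessage?chat_id=CHAT_PLACEHOLDER&text=disk
2016-11-10T09:14:11Z WS-0471 outlook.exe https://outlook.office365.com/owa/
"""

# Matches the Bot API prefix and captures the method name, whether the token sits
# before the method (bot<token>/getMe) or the path is written as in the article.
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot[^/\s]*/?([A-Za-z]+)", re.I)

# Hypothetical allowlist: in-house tools that legitimately talk to the Bot API.
EXPECTED_BOT_CLIENTS = frozenset({"ops-alerts.exe"})


def find_bot_api_beacons(log_text, allowlist=EXPECTED_BOT_CLIENTS):
    """Return one record per Bot API request made by a non-allowlisted process."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the hunt
        ts, host, process, url = parts
        m = BOT_API_RE.search(url)
        if not m or process.lower() in allowlist:
            continue
        hits.append({"time": ts, "host": host, "process": process, "method": m.group(1)})
    return hits


def hosts_matching_sequence(hits):
    """(host, process) pairs that did getMe (link validation) and later
    sendMessage (victim report), the order the article describes."""
    seen = {}
    for h in hits:
        seen.setdefault((h["host"], h["process"]), []).append(h["method"].lower())
    out = []
    for key, methods in seen.items():
        if "getme" in methods and "sendmessage" in methods \
                and methods.index("getme") < methods.index("sendmessage"):
            out.append(key)
    return sorted(out)


def find_marked_files(root, extension=".Xcri"):
    """Relative paths of files under root whose final extension is `extension`."""
    root = Path(root)
    return sorted(str(p.relative_to(root)).replace("\\", "/")
                  for p in root.rglob("*") if p.is_file() and p.suffix == extension)


def build_sample_tree():
    """Create a throwaway directory tree (constructed, not a real victim) for the demo."""
    root = Path(tempfile.mkdtemp(prefix="xcri_demo_"))
    for rel in ["Documents/report.docx.Xcri", "Documents/notes.txt",
                "Pictures/photo.jpg.Xcri", "Pictures/ok.png"]:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"demo")
    return root


if __name__ == "__main__":
    beacons = find_bot_api_beacons(SAMPLE_PROXY_LOG)
    for b in beacons:
        print("bot-api request:", b)
    print("validate-then-report hosts:", hosts_matching_sequence(beacons))
    print("marked files:", find_marked_files(build_sample_tree()))
```

Because the token and the channel are hard coded into each sample, a proxy or DNS rule that alerts on api.telegram.org traffic from anything other than known bot clients catches the beacon before the key is received, and the article notes that without a working connection the encryption does not start.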
Once the encryption is complete, Telecrypt Ransomware downloads a text file named База зашифр файлов.txt from a compromised website and also downloads an executable named Xhelp.exe, which it places in %TEMP%, copies to the desktop, and executes. Xhelp.exe itself is not malicious, but you should delete it regardless. The ransom note demands that you pay 5000 Rubles (roughly 80 USD) to get your files back, but be warned that the cyber criminals might not decrypt your files after you have paid.
Therefore, we advise that you delete Telecrypt Ransomware from your computer, because you cannot trust the developers to keep their end of the bargain. Unfortunately, there is still no free decryption tool that can crack the encryption of this particular ransomware, but one may be developed in the future. In the meantime, please consult the removal guide below on how to get rid of this infection. We recommend using SpyHunter to detect the main executable if you cannot find it.
Delete Telecrypt Ransomware