Telecrypt Decryptor foils ransomware’s simple encryption method

The recently spotted Telecrypt ransomware can be thwarted: malware analyst Nathan Scott has created a tool that decrypts the encrypted files.

Telecrypt Decryptor

Telecrypt Decryptor works only if the affected user has .NET 4.0 and above (every Windows version since Windows XP has it by default), and if he or she has at least one of the encrypted files in unencrypted form. It also needs to be run from an Administrator account.

The tool comes with instructions and a warning: don’t use it if you haven’t been infected with this particular ransomware, as it could corrupt some of your files.

About Telecrypt

Telecrypt was first spotted a few weeks ago, targeting Russian-speaking users.

Its distinguishing feature is that it uses Telegram’s communication protocol to deliver the decryption key to the crooks and, in general, to keep in touch with them.

The message it shows puts the ransom at 5,000 rubles (around 78 USD), and the crooks thank the victims for helping the “Young Programmers Fund.”

“Telecrypt will generate a random string to encrypt the files that is between 10-20 length and only contain the letters vo, pr, bm, xu, zt, dq,” Malwarebytes explained.

“[It] encrypts files by looping through them a SINGLE byte at a time, and then simply adding a byte from the key in order. This simple encryption method allows a decryption application to be made.”
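To show why such a scheme yields to a decryptor, here is an added model of it (written for this page, not Malwarebytes’ or Nathan Scott’s code) that recovers the key from one unencrypted/encrypted file pair and then unlocks a second file. It assumes the key wraps around once exhausted and that the byte addition is modulo 256; the sample file contents are constructed.

```python
import random

# Alphabet the article says the key is drawn from (letters of vo, pr, bm, xu, zt, dq)
KEY_CHARS = b"voprbmxuztdq"

def make_key(rng=random.SystemRandom()) -> bytes:
    """Constructed key generator: 10-20 characters from KEY_CHARS."""
    return bytes(rng.choice(KEY_CHARS) for _ in range(rng.randint(10, 20)))

def encrypt(data: bytes, key: bytes) -> bytes:
    """Model of the scheme: add one key byte to each data byte, walking the key in order.
    Assumed: the key wraps around when exhausted and addition is modulo 256."""
    return bytes((b + key[i % len(key)]) & 0xFF for i, b in enumerate(data))

def decrypt(data: bytes, key: bytes) -> bytes:
    """Inverse: subtract the same key byte from each ciphertext byte."""
    return bytes((b - key[i % len(key)]) & 0xFF for i, b in enumerate(data))

def recover_key(plain: bytes, cipher: bytes) -> bytes:
    """Known-plaintext key recovery, the property a decryptor relies on.
    cipher[i] - plain[i] is exactly key[i % len(key)], so the byte-wise
    difference exposes the repeating key stream; its period is the key."""
    if len(plain) != len(cipher) or len(plain) < 40:
        # 40 >= the sum of any two candidate periods, so a period that holds
        # over the whole sample is a genuine period of the key stream
        raise ValueError("need an identical-length pair of at least 40 bytes")
    stream = bytes((c - p) & 0xFF for p, c in zip(plain, cipher))
    for period in range(10, 21):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            key = stream[:period]
            if all(ch in KEY_CHARS for ch in key):
                return key
    raise ValueError("no key of length 10-20 fits; not this scheme or files differ")

def demo() -> bool:
    """Constructed sample: one original/encrypted pair unlocks a second file."""
    key = make_key()
    original = b"Quarterly report: revenue up 3%. " * 4   # the user's kept plain copy
    other = b"Unrelated spreadsheet contents\n" * 3
    enc_original, enc_other = encrypt(original, key), encrypt(other, key)
    recovered = recover_key(original, enc_original)
    return decrypt(enc_other, recovered) == other

if __name__ == "__main__":
    print("recovered key decrypts the other file:", demo())
```

A key with internal repetition (e.g. "vovovovovovo") may be recovered as a shorter equivalent, which still decrypts every file correctly.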

Telecrypt is distributed in the form of an executable, via spam emails, exploits, and drive-by download schemes.

It encrypts a wide variety of files and, depending on its configuration, it either adds the extension ‘.Xcri’ to the encrypted files or leaves it unchanged.

from Help Net Security – News http://bit.ly/2geVHxk