Telecrypt Ransomware
Posted: November 10, 2016
Threat Metric
The fields listed on the Threat Meter that carry a specific value are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. The criteria for the Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, shown as an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change in a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
Threat Level: 10/10
Infected PCs: 5
First Seen: November 10, 2016
Last Seen: December 18, 2020
OS(es) Affected: Windows
The Telecrypt Ransomware is a Trojan that encrypts your files with the support of a Telegram-based C&C infrastructure, and then, loads a module that delivers a graphical ransom message demanding payment. These attacks are most preventable by PC users keeping backups and having anti-malware products able to block the threat's early infection vectors. PC users failing to prevent an infection should remove the Telecrypt Ransomware with a dedicated anti-malware program and employ alternatives to its ransom offer, such as seeking help from trustworthy malware researchers.
A Telegram from Russia No One Wants to Hear
The puzzle of building reliable network communications with a minimal symptomatic footprint, for as little work as possible, is one of the recurring problems threat authors face when designing new Trojans. At least one threat actor, most likely based in Russia, has chosen the inventive method of using the Telegram Messenger app's infrastructure for ferrying instructions and critical information. The Telecrypt Ransomware encrypts files via a simple algorithm and then displays messages selling decryption to extract money from the victim.
The Telecrypt Ransomware is a Delphi-based threat of only several megabytes in size. Once it compromises a PC with network access, the Trojan pings a Telegram-based bot and transfers information such as the encryption seed and a unique identification number. The Telecrypt Ransomware encrypts a handful of formats including Word documents, XLS spreadsheets, several formats of images (such as JPEG) and PDF documents.
The threat also places a text list of the affected content on the user's desktop. Since the Telecrypt Ransomware includes an option to refrain from modifying an encrypted file's name, that database can be the simplest way of identifying the encoded content. When it does change the name, the Telecrypt Ransomware appends the '.xcri' extension.
As its last action, the Telecrypt Ransomware loads an 'Informer' module that downloads and displays a graphical pop-up asking for ransom money.
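The behaviour described above, a process on a workstation talking to a Telegram bot to hand over the encryption seed and a victim identifier, leaves a recognisable trace in web-proxy telemetry: HTTPS requests to api.telegram.org with a path of the form /bot<token>/<method>, which is the public Telegram Bot API URL layout. The following detection routine is an added example written for this page, not code from the writeup or from the malware; the proxy log format and all log lines are constructed (the bot token is a placeholder), and the allowlist of sanctioned automation processes is an assumption. The Xhelp.exe process name is taken from the file list further down this page.

```python
import re
from dataclasses import dataclass

# Constructed proxy log lines (not real telemetry).
# Fields: timestamp, client IP, process name, HTTP verb, host, path
SAMPLE_LOG = """\
2016-11-10T09:14:02Z 10.0.0.12 chrome.exe GET www.example.org /index.html
2016-11-10T09:14:07Z 10.0.0.12 bot-runner.exe GET api.telegram.org /bot111111111:AA-placeholder-token_for-example-only/getUpdates
2016-11-10T09:15:31Z 10.0.0.21 Xhelp.exe POST api.telegram.org /bot123456789:AA-placeholder-token_for-example-only/sendMessage
2016-11-10T09:15:32Z 10.0.0.21 Xhelp.exe GET api.telegram.org /bot123456789:AA-placeholder-token_for-example-only/getUpdates
2016-11-10T09:16:00Z 10.0.0.30 outlook.exe GET mail.example.org /owa
"""

# Telegram Bot API paths look like /bot<numeric id>:<secret>/<method>.
BOT_API_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
TELEGRAM_API_HOST = "api.telegram.org"


@dataclass(frozen=True)
class Alert:
    when: str
    client: str
    process: str
    bot_id: str
    method: str


def parse_line(line: str):
    """Split one constructed log line into named fields; None if malformed."""
    fields = line.split()
    if len(fields) != 6:
        return None
    return dict(zip(("when", "client", "process", "verb", "host", "path"), fields))


def detect_bot_api_beacons(log_text: str, allowed_processes=frozenset()):
    """Return one Alert per Bot API request made by a process that is not
    on the allowlist. The official Telegram desktop client does not use the
    Bot API, so on a typical workstation any such request is worth a look;
    allowed_processes (assumption) covers sanctioned automation."""
    allowed = {p.lower() for p in allowed_processes}
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"].lower() != TELEGRAM_API_HOST:
            continue
        m = BOT_API_RE.match(rec["path"])
        if m is None or rec["process"].lower() in allowed:
            continue
        alerts.append(Alert(rec["when"], rec["client"], rec["process"],
                            m.group(1), m.group(3)))
    return alerts


def summarize(alerts):
    """Group alerts by (client, process, bot id) -> sorted list of methods,
    so an analyst sees which host/process pairs are beaconing to which bot."""
    groups = {}
    for a in alerts:
        groups.setdefault((a.client, a.process, a.bot_id), set()).add(a.method)
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    found = detect_bot_api_beacons(SAMPLE_LOG, allowed_processes={"bot-runner.exe"})
    for key, methods in summarize(found).items():
        print(key, methods)
```

Both sendMessage (exfiltrating the seed and victim id) and getUpdates (polling the bot for instructions) show up for the same unsanctioned process, which is the pattern to escalate; a single bot id contacted from several workstations by the same non-messaging binary strengthens the case further.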
Trimming Down the Cost of Keeping Your Files Safe
The Telecrypt Ransomware's module offers victims an easily-navigable interface for paying its five thousand rubles (equal to roughly eighty USD) fee for recovering content, but no special protection for the decryption service. The Trojan's encryption algorithm is a simple formula that adds each file byte to the bytes of the key and may be open to a third party's decoding efforts. When no other alternatives are available, malware experts recommend contacting security researchers or organizations historically willing to assist with Trojan decryption scenarios.
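Why a byte-additive scheme is "open to a third party's decoding efforts" is easy to show. The code below is an added example, not the malware's code and not a published decryptor: it models the scheme as the writeup describes it (each file byte plus a key byte) and then recovers the key from nothing but the ciphertext and the well-known header of the file type, the usual known-plaintext situation with PDF, JPEG and Office documents. The key length, the mod-256 wraparound and the cycling of the key across the file are assumptions for illustration; the page does not give the sample's exact parameters.

```python
# Added example: models the additive scheme described on the page and shows
# known-plaintext key recovery. Key length, cycling and mod-256 wraparound
# are assumptions, not the sample's confirmed parameters.

# Magic headers of formats the writeup names as targets; all are stable
# plaintext at offset 0, which is what makes recovery possible.
KNOWN_HEADERS = {
    ".pdf": b"%PDF-1.",
    ".jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    ".docx": b"PK\x03\x04",   # OOXML documents are zip containers
    ".xlsx": b"PK\x03\x04",
}


def add_encrypt(data: bytes, key: bytes) -> bytes:
    """Add each plaintext byte to the corresponding (cycling) key byte, mod 256."""
    return bytes((b + key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def add_decrypt(data: bytes, key: bytes) -> bytes:
    """Inverse of add_encrypt: subtract the cycling key byte, mod 256."""
    return bytes((b - key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def can_recover(known_prefix: bytes, key_len: int) -> bool:
    """Every key position must be covered by at least one known plaintext byte."""
    return len(known_prefix) >= key_len


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext attack on the additive scheme: for each key position i,
    key[i] = ciphertext[i] - plaintext[i] (mod 256). No brute force is needed;
    one known byte per key position is enough."""
    if not can_recover(known_prefix, key_len):
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes((ciphertext[i] - known_prefix[i]) & 0xFF for i in range(key_len))


def recover_and_decrypt(ciphertext: bytes, extension: str, key_len: int) -> bytes:
    """Recover the key from the format's magic header and decrypt the whole file.
    Returns the plaintext, or raises if the header is too short for the key."""
    header = KNOWN_HEADERS[extension.lower()]
    key = recover_key(ciphertext, header, key_len)
    plain = add_decrypt(ciphertext, key)
    # Sanity check: the recovered plaintext must start with the expected header.
    if not plain.startswith(header):
        raise ValueError("recovered key does not reproduce the known header")
    return plain


if __name__ == "__main__":
    # Constructed sample: a tiny "document" and an assumed 4-byte key.
    key = b"\x13\x37\x42\x99"
    original = b"%PDF-1.4\nsample document body"
    encrypted = add_encrypt(original, key)
    recovered = recover_and_decrypt(encrypted, ".pdf", key_len=len(key))
    print(recovered == original)
```

The recovery works only as long as the key is no longer than the stable header of some encrypted file; the check in can_recover makes that limit explicit. The weakness is structural: addition with a cycling key is a Vigenere-style cipher, so every byte of plaintext that an analyst can predict hands over one byte of key outright, which is why file-format headers are the first thing anyone attempting decryption looks at.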
The Telecrypt Ransomware requires an Internet connection to access its Telegram Command & Control server. If you suspect the presence of a Telecrypt Ransomware infection on your PC, disconnect your machine from the Internet and restart in Safe Mode. Running anti-malware solutions and removing the Telecrypt Ransomware immediately may counter it before it encrypts all vulnerable files. In the worst case, recovery requires backups; otherwise the encrypted data is permanently lost.
Since the authorities could, in theory, use Telegram to trace this campaign back to its administrator or close the affected servers, the Telecrypt Ransomware's innovation may be ill-chosen. However, for the moment, the Trojan's expensive messages represent a costly risk to any Russian-speaking PC users.
Technical Details
File System Modifications
The following files were created in the system:

%SYSTEMDRIVE%\Users\<username>\Desktop\sssssssssssssssssssssssssssssssssssssssssssss\3d7dd597a465d5275ef31d9e4f9dd80ed4de6139a1b3707cb3b0ffa068595567
File name: 3d7dd597a465d5275ef31d9e4f9dd80ed4de6139a1b3707cb3b0ffa068595567
Size: 3.22 MB (3227136 bytes)
MD5: 3e24d064025ec20d6a8e8bae1d19ecdb
Detection count: 48
Path: %SYSTEMDRIVE%\Users\<username>\Desktop\sssssssssssssssssssssssssssssssssssssssssssss\3d7dd597a465d5275ef31d9e4f9dd80ed4de6139a1b3707cb3b0ffa068595567
Group: Malware file
Last Updated: December 18, 2020

Xhelp.exe
File name: Xhelp.exe
Size: 7.57 MB (7576064 bytes)
MD5: 14d4bc13a12f8243383756de92529d6d
Detection count: 47
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: November 10, 2016