A new tool is able to decrypt files encrypted by the Telecrypt ransomware.
Telecrypt Decryptor, created by malware analyst Nathan Scott, works only if the affected user has .NET 4.0 and above (every Windows version since Windows XP has it by default), and if the victim has at least one of the encrypted files in unencrypted form.
The decryptor also needs to run from an administrator account.
The tool comes with instructions and a warning: Don’t use it if you haven’t been infected with this particular ransomware, as it could corrupt some of your files.
Telecrypt was discovered two weeks ago, targeting Russian-speaking users.
Its distinguishing feature is that it uses Telegram’s communication protocol to deliver the decryption key to the attackers and to keep in touch with them.
The ransom message puts the price at 5,000 rubles (around $78 U.S.), and the bad guys thank the victims for helping the “Young Programmers Fund.”
“Telecrypt will generate a random string to encrypt the files that is between 10-20 length and only contain the letters vo, pr, bm, xu, zt, dq,” Malwarebytes researchers said in a blog post.
“[It] encrypts files by looping through them a SINGLE byte at a time, and then simply adding a byte from the key in order. This simple encryption method allows a decryption application to be made.”
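The quoted description also explains why the decryptor needs one file in both clean and encrypted form: subtracting the clean bytes from the encrypted ones exposes the repeating key. The following Python sketch is an added example, not code from Telecrypt Decryptor or Malwarebytes. It assumes the addition wraps modulo 256, that the key repeats cyclically, and that the same key is used for every file; the key and file contents are constructed sample data.

```python
# Added illustration; not code from Telecrypt Decryptor or Malwarebytes.
# Assumed model: cipher[i] = (plain[i] + key[i % len(key)]) mod 256.
ALPHABET = set(b"voprbmxuztdq")  # letters named in the quoted description
MIN_LEN, MAX_LEN = 10, 20        # key length range from the same quote


def add_key(data: bytes, key: bytes) -> bytes:
    """Model of the described cipher, used here only to build sample data."""
    return bytes((b + key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def remove_key(data: bytes, key: bytes) -> bytes:
    """Undo the byte-wise addition with a recovered key."""
    return bytes((b - key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def recover_key(plain: bytes, cipher: bytes) -> bytes:
    """Derive the repeating key from one clean/encrypted copy of a file."""
    n = min(len(plain), len(cipher))
    if n < 2 * MAX_LEN:
        raise ValueError("pair too short to confirm the key period")
    # Subtracting the clean bytes leaves the key repeated end to end.
    stream = bytes((c - p) & 0xFF for p, c in zip(plain, cipher))
    if not set(stream) <= ALPHABET:
        raise ValueError("pair does not fit the described key alphabet")
    for length in range(MIN_LEN, MAX_LEN + 1):
        if all(stream[i] == stream[i % length] for i in range(n)):
            return stream[:length]
    raise ValueError("no repeating key of length 10-20 found")


# Constructed sample data (not taken from a real infection).
SAMPLE_KEY = b"zvqtmxobdrpu"
KNOWN_PLAIN = b"%PDF-1.4 constructed file the victim still has a clean copy of"
OTHER_PLAIN = b"Constructed second document encrypted with the same key."
KNOWN_CIPHER = add_key(KNOWN_PLAIN, SAMPLE_KEY)
OTHER_CIPHER = add_key(OTHER_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_key(KNOWN_PLAIN, KNOWN_CIPHER)
    print(key, remove_key(OTHER_CIPHER, key))
```

The alphabet and period checks reject a clean/encrypted pair that does not belong together, so a wrong key is never applied to other files.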
Telecrypt is distributed as an executable via spam emails, exploits, and drive-by download schemes.
It encrypts a wide variety of files and, depending on its configuration, it either adds the extension ‘.Xcri’ to the encrypted files or leaves it unchanged.