Telecrypt targets the Windows OS and exploits Telegram, the encrypted chat service, in order to infect victims. Telecrypt is written in the Delphi programming language and uses Telegram channel bots as its C2 servers. After infection, Telecrypt pings the Telegram API at hxxp:// using a hardcoded bot token. It then posts a message to its associated Telegram channel that includes the name of the infected system, a victim ID, and a key seed that is used to generate the encryption key. Telecrypt then scans the system for files with specific extensions, encrypts them, and generates a log of the encrypted files. Afterwards, it downloads a module named Informer, which arrives in a file named Xhelp.exe and displays a ransom note with instructions on how to pay the attackers. Some versions append .Xcri to encrypted files, while others do not append any extension.

  • Kaspersky Lab provides more information about Telecrypt here.
  • Malwarebytes provides a free decryption tool for Telecrypt here. More information about the tool and its requirements can be found here.
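
The indicators in the description above (Telegram Bot API traffic that carries a bot token, a dropped Xhelp.exe, files renamed with .Xcri) can be combined into a simple host triage. This is an added example, not code from Kaspersky Lab or Malwarebytes. The pipe-delimited event format, host names and sample rows are constructed, and the api.telegram.org/bot<token>/ URL shape is an assumption taken from Telegram's public Bot API documentation, not from this page.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real data), one event per line: host|kind|value
SAMPLE_EVENTS = r"""
ws-014|http|https://api.telegram.org/bot123456789:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage
ws-014|file|C:\Users\ana\Documents\budget.xlsx.Xcri
ws-014|file|C:\Users\ana\Documents\notes.doc.xcri
ws-014|file|C:\Users\ana\AppData\Local\Temp\Xhelp.exe
ws-022|http|https://api.telegram.org/bot987654321:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB/getUpdates
ws-031|file|C:\Tools\help.exe
ws-031|http|https://example.org/index.html
"""

# Assumption: Bot API requests look like https://api.telegram.org/bot<id>:<secret>/<method>
BOT_API = re.compile(r"^https?://api\.telegram\.org/bot\d+:[\w-]+/", re.I)

def triage(lines):
    """Return {host: (verdict, [indicators])} for hosts showing any indicator."""
    hits = defaultdict(set)
    for line in lines.splitlines():
        parts = line.strip().split("|", 2)
        if len(parts) != 3:
            continue  # skip blank or malformed rows
        host, kind, value = parts
        if kind == "http" and BOT_API.match(value):
            hits[host].add("bot_api")
        elif kind == "file":
            # Windows file names are case-insensitive, so compare lowercased.
            name = value.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name == "xhelp.exe":
                hits[host].add("xhelp")
            elif name.endswith(".xcri"):
                hits[host].add("xcri")
    verdicts = {}
    for host, seen in hits.items():
        # One indicator alone is weak (legitimate bots exist, and some versions
        # append no extension), so require two independent ones for "likely".
        verdicts[host] = ("likely" if len(seen) >= 2 else "review", sorted(seen))
    return verdicts

if __name__ == "__main__":
    for host, (verdict, seen) in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {verdict} ({', '.join(seen)})")
```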