Ransomware that abuses Telegram's bot API has been stopped in its tracks only weeks after its discovery.
In this case, victims are faced with a demand for 5,000 rubles ($77) for the “Young Programmers Fund.”
The malware, dubbed TeleCrypt, also has an unusual feature: it abuses Telegram Messenger's communication protocol to send decryption keys to the threat actor, which, according to Kaspersky's Securelist, makes it the "first cryptor to use the Telegram protocol in an encryption malware case."
To avoid running its own command-and-control server, TeleCrypt abuses the publicly available Telegram Bot API. The author registers a bot with Telegram, which issues a unique bot token; that token is hardcoded into the malware's body so the Trojan can call the Telegram API directly, with the attacker's bot serving as the channel for victim data and keys.
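A hardcoded bot token is also a weakness for the attacker: it is a static string in the binary. The scanner below is an added example (not Malwarebytes' or Kaspersky's tooling) that looks for tokens of the commonly observed shape `<numeric bot id>:<35 chars of [A-Za-z0-9_-]>` and for `api.telegram.org/bot<token>/<method>` URLs, in both ASCII and UTF-16LE string views, since Windows samples often store strings as UTF-16. The token and blob in it are constructed, and the token format is an assumption about what such a sample would contain.

```python
"""Find embedded Telegram bot tokens and Bot API calls in a binary blob.

Added example, not code from the original article or from TeleCrypt.
Assumptions: a bot token looks like <bot id digits>:<35 chars of [A-Za-z0-9_-]>
(the commonly observed format), and strings may be ASCII or UTF-16LE.
"""

import re

# (?<!\d) keeps us from matching the tail of a longer digit run; the trailing
# lookahead keeps us from matching a prefix of a longer token-like string.
TOKEN_RE = re.compile(r"(?<!\d)(\d{6,12}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")

# https://api.telegram.org/bot<token>/<method> is how every Bot API call is shaped.
API_CALL_RE = re.compile(
    r"api\.telegram\.org/bot(\d{6,12}:[A-Za-z0-9_-]{35})/([A-Za-z]+)"
)


def string_views(blob: bytes):
    """Yield the blob decoded as ASCII/latin-1 and as UTF-16LE at both byte
    alignments, so tokens stored either way are visible to the regexes."""
    yield blob.decode("latin-1")
    yield blob.decode("utf-16-le", errors="ignore")
    yield blob[1:].decode("utf-16-le", errors="ignore")


def find_bot_tokens(blob: bytes) -> list[str]:
    """Return every distinct bot token found in any string view, in order found."""
    found: list[str] = []
    for view in string_views(blob):
        for m in TOKEN_RE.finditer(view):
            token = f"{m.group(1)}:{m.group(2)}"
            if token not in found:
                found.append(token)
    return found


def find_bot_api_calls(blob: bytes) -> list[tuple[str, str]]:
    """Return distinct (token, method) pairs from embedded Bot API URLs."""
    calls: list[tuple[str, str]] = []
    for view in string_views(blob):
        for m in API_CALL_RE.finditer(view):
            pair = (m.group(1), m.group(2))
            if pair not in calls:
                calls.append(pair)
    return calls


# Constructed sample: a fake token (35-char secret part) embedded once inside an
# ASCII Bot API URL and once as a bare UTF-16LE string, padded with junk bytes.
FAKE_TOKEN = "123456789:AAHfiqksKZ8WmR2zSjiQ7_v4TMAKdiHm9T0"  # constructed, not real
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"MZ\x90\x00"
    + f"https://api.telegram.org/bot{FAKE_TOKEN}/sendMessage?chat_id=".encode("ascii")
    + b"\x00" * 8
    + FAKE_TOKEN.encode("utf-16-le")
    + b"\x00\x00build 20161107\x00"
    + b"\x7fELF"
)


if __name__ == "__main__":
    for token in find_bot_tokens(SAMPLE_BLOB):
        print("embedded bot token:", token)
    for token, method in find_bot_api_calls(SAMPLE_BLOB):
        print("Bot API call:", method, "via", token[:9] + ":...")
```

On a real sample, feed the scanner the raw file bytes (and, for packed samples, a memory dump); a hit on `api.telegram.org` plus a token-shaped string is a strong indicator of this C&C-over-Telegram pattern, and the recovered token is what Telegram needs in order to revoke the attacker's bot.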
“TeleCrypt uses the Telegram API to send the information on its victims to the ransomware creator and to send information back,” Malwarebytes researcher Nathan Scott says. “This way of communication is very unique — it is one of the first to use a mainstream messaging client’s API, instead of a C&C server, to send commands and get information.”
The ransomware also contains a major flaw. As Scott notes, TeleCrypt encrypts files by looping through them one byte at a time and simply adding the next byte of the key to each byte in order. That is a byte-wise additive cipher in the Vigenère family rather than real encryption: subtracting the same key bytes reverses it, and because ciphertext minus plaintext equals the key, a single untouched copy of any encrypted file (or even the fixed header of a known file type) reveals the key. This is what made building a decryption tool comparatively easy for researchers.
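The following is an added example reconstructing the weak scheme the article describes, not TeleCrypt's own code. It assumes byte addition wraps modulo 256 and that the key repeats when a file is longer than the key (the article says only that key bytes are added "in order"); the key and sample file are constructed. It shows the encryption, its inverse, and the known-plaintext recovery of the key from one original/encrypted pair, including recovering the key length from the repeating key stream.

```python
"""Byte-wise additive cipher of the kind attributed to TeleCrypt, and its break.

Added example, not code from the article or the malware. Assumptions: addition
wraps mod 256 and the key is reused cyclically over files longer than the key.
"""

from itertools import cycle


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Add the next key byte to each plaintext byte, in order, wrapping mod 256."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes((p + k) & 0xFF for p, k in zip(plaintext, cycle(key)))


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Inverse: subtract the same key stream."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes((c - k) & 0xFF for c, k in zip(ciphertext, cycle(key)))


def key_stream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """ciphertext - plaintext gives the key stream, byte for byte, for as many
    bytes as both are available. A file header alone already leaks its length
    in key bytes; a full original copy of any one file leaks the whole key."""
    n = min(len(known_plaintext), len(ciphertext))
    return bytes((c - p) & 0xFF for p, c in zip(known_plaintext[:n], ciphertext[:n]))


def shortest_period(stream: bytes) -> int:
    """Smallest p such that stream[i] == stream[i-p] for all i >= p. With a
    repeating key this is the key length, provided the stream covers the key
    at least twice; a shorter stream can only give a lower bound."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p
    return len(stream)


def recover_key(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext attack: derive the key stream and cut it to one period."""
    stream = key_stream(known_plaintext, ciphertext)
    return stream[:shortest_period(stream)]


# Constructed inputs: a 20-byte key and a sample file longer than two key lengths.
KEY = b"YoungProgrammersFund"
SAMPLE_FILE = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj  (constructed sample)\n"


if __name__ == "__main__":
    blob = encrypt(SAMPLE_FILE, KEY)
    assert decrypt(blob, KEY) == SAMPLE_FILE
    # Header-only knowledge leaks the first 8 key bytes ...
    print("partial key from %PDF-1.4 header:", key_stream(b"%PDF-1.4", blob))
    # ... and one complete original recovers the whole key and its length.
    print("recovered key:", recover_key(SAMPLE_FILE, blob))
```

The header-only case is the one that matters in practice: a victim rarely has an original copy of an encrypted file, but every PDF, PNG or Office document starts with a fixed magic, so even those few bytes confirm the scheme and seed the key; any backup or e-mailed copy of one file then yields the rest.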