
TELEGRAM Ransomware

By GoldSparrow in Ransomware

The TELEGRAM Ransomware is a brand-new data-locker. This file-encrypting Trojan is designed to infiltrate a system, encrypt the data present on it, and then extort the user for cash. However, the TELEGRAM Ransomware is part of a new generation of file-lockers that not only encrypt the files present on the compromised host but also obtain copies of them and then threaten to leak them online unless the ransom fee is paid in full.

Propagation and Encryption

The TELEGRAM Ransomware appears to carry some resemblance to the NEFILIM Ransomware, which was identified in June 2020. Both file-lockers threaten to leak the victims’ data on the same websites – a Tor-based website on the Deep Web and ‘hxxp://corpleaks.net.’ The TELEGRAM Ransomware is likely going after businesses and organizations rather than regular users. This way, the attackers may obtain classified documents and other compromising data. The targeted businesses may not want their data leaked online at any cost, which increases the odds of them paying the ransom fee. Malware researchers believe that the TELEGRAM Ransomware may be propagated via specially crafted phishing emails. The authors of the TELEGRAM Ransomware may also use poorly secured RDP (Remote Desktop Protocol) services to distribute this file-locker. Upon infecting a targeted system, the TELEGRAM Ransomware will scan its contents and determine the data that will be locked. Before triggering the encryption process, the TELEGRAM Ransomware will collect the data present on the compromised host and transfer it to the C&C (Command & Control) server of the attackers. Then, the TELEGRAM Ransomware will begin the encryption process and lock all the targeted files. The locked files would receive an additional extension – ‘.TELEGRAM.’ This means that a file called ‘earthy-scent.pdf’ will be renamed to ‘earthy-scent.pdf.TELEGRAM.’

The Ransom Note

The TELEGRAM Ransomware would drop a ransom note on the compromised system. The name of the file containing the ransom message of the conmen is ‘TELEGRAM-RECOVER.txt.’ In the ransom note, the attackers state that they demand to be contacted via email – ‘edsonepsok@protonmail.com,’ ‘alfredhormund@protonmail.com’ and ‘timothymandock@tutanota.com.’ The authors of the TELEGRAM Ransomware claim that unless the victim contacts them, they will begin leaking their files online periodically. They offer to decrypt two files free of charge to prove that they have a working decryption tool.
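The two host-based indicators described above, the appended ‘.TELEGRAM’ extension and the ‘TELEGRAM-RECOVER.txt’ note, are what an incident responder would look for first when triaging a suspected infection. The script below is an added example (not part of this write-up and not tool code from any vendor) that walks a directory tree, lists the renamed files, recovers the original file names by stripping the extension, and reports which directories contain a ransom note. The sample tree it builds is constructed for the demonstration; the function and variable names are the author's own choices.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the write-up above: the appended extension and the note name.
ENCRYPTED_EXT = ".TELEGRAM"
NOTE_NAME = "TELEGRAM-RECOVER.txt"


def scan_for_indicators(root):
    """Walk `root` and collect TELEGRAM-style indicators.

    Returns a dict with:
      encrypted  - paths carrying the .TELEGRAM extension
      originals  - file names as they were before renaming (extension stripped)
      notes      - paths of ransom notes
      hit_dirs   - sorted directories containing at least one encrypted file or note
    """
    report = {"encrypted": [], "originals": [], "notes": [], "hit_dirs": set()}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):
                report["encrypted"].append(full)
                report["originals"].append(name[: -len(ENCRYPTED_EXT)])
                report["hit_dirs"].add(dirpath)
            elif name == NOTE_NAME:
                report["notes"].append(full)
                report["hit_dirs"].add(dirpath)
    report["hit_dirs"] = sorted(report["hit_dirs"])
    return report


def build_sample_tree(base):
    """Constructed sample tree (placeholder content, not real malware output)
    that mirrors the renaming pattern described above:
    'earthy-scent.pdf' -> 'earthy-scent.pdf.TELEGRAM'."""
    docs = Path(base) / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "earthy-scent.pdf.TELEGRAM").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.TELEGRAM").write_bytes(b"\x00" * 16)
    (docs / NOTE_NAME).write_text("constructed placeholder note text\n")
    clean = Path(base) / "clean"
    clean.mkdir(exist_ok=True)
    (clean / "readme.txt").write_text("untouched\n")
    return base


def summarize(report):
    """Reduce a scan report to the three counts a triage ticket usually needs."""
    return {
        "encrypted_count": len(report["encrypted"]),
        "note_count": len(report["notes"]),
        "hit_dir_count": len(report["hit_dirs"]),
    }


def run_demo():
    """Build the constructed tree in a temporary directory, scan it, and return
    the summary together with the sorted list of recovered original names."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        rep = scan_for_indicators(tmp)
        return summarize(rep), sorted(rep["originals"])


if __name__ == "__main__":
    summary, originals = run_demo()
    print(summary)
    for name in originals:
        print("affected original file:", name)
```

On a real host, point `scan_for_indicators` at the volume root instead of the temporary tree; the `originals` list tells you which documents to restore from backup, and `hit_dirs` shows how far the encryption pass reached before it stopped.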

It is not a good idea to negotiate or pay cybercriminals. There is no guarantee that they will provide you with the decryptor you need to recover your data even if you pay. This is why you should consider obtaining a legitimate anti-malware solution that will remove the TELEGRAM Ransomware from your system swiftly and safely.
