LeChiffre is one of the latest ransomware cases that has already affected the systems of three banks and a pharmaceutical company in Mumbai, India. Even though LeChiffre is far from sophisticated, the damages it has caused amount to millions of dollars. According to The Economic Times, the attacks took place in the beginning of January. The ransom demanded by the cyber criminals behind the ransomware operations was 1 Bitcoin (approximately $400).
|Short Description||LeChiffre is not sophisticated but is still damaging to a system.|
|Symptoms||Files are encrypted and a .LeChiffre is appended|
|Distribution Method||Not known yet.|
|Detection Tool||Download Malware Removal Tool, to See If Your System Has Been Affected by LeChiffre|
|User Experience||Join our forum to discuss LeChiffre.|
LeChiffre Ransomware: Details about the Attacks
Several Indian companies and banks were targeted by cybercriminals. As pointed out by experts, because of economic progress, attacks on Indian businesses are about to increase in frequency.
Only in some of the attacks was a ransom paid. To be more precise, extortion money were sent to the hackers for only 15 computers which possibly belonged to company executives. The police authorities weren’t contacted in any of the cases (three banks and a pharma company). As to why such authorities weren’t informed, experts say that Indian companies are usually secretive when it comes to cyber attacks.
LeChiffre Ransomware: Technical Resume
Security experts at Malwarebytes have analyzed the threat successfully, without experiencing any countermeasures on behalf of hackers, and have concluded that the ransomware is far from sophisticated. It’s written in Delphi. One of the more curious features in LeChiffre is that the ransomware requires manual activation. That is one of the primary differences between LeChiffre and other recently detected cases of ransomware.
This particular ransomware should be executed manually, by hand. Experts have observed LeChiffre’s operators scan networks in search of weak and unprotected Remote Desktops ports. Once such are found, the ransomware authors will crack them, then they will log in remotely and run LeChiffre manually by double-clicking it to set the encryption process off.
As with other ransomware families, LeChiffre will encrypt the victim’s files and append an extension to them – .LeChiffre. The name – LeChiffre may have been inspired by the French word for number and may be translated ‘The Number’. Another possible explanation for the name is a reference to a character from the James Bond movies.
As revealed by Malwarebytes, LeChiffre also leaves a backdoor on the infected system. The ransomware replaces the sethc.exe file with cmd.exe. The file is activated on Windows after the Shift button is pressed 5 times. The file can be launched even when the user isn’t logged. By doing so and replacing the file, malicious attackers obtain access to the system command line without needing a password.
What about LeChiffre’s Encryption?
Malwarebytes’ analysis shows that LeChiffre’s encryption which is AES is not refined at all. The ransomware only encrypts the first and last 8192 bytes of every file. Once this is done, an encryption key will be added to every file in the form of a 32-byte droplet.
LeChiffre not only encrypts local files, but also all available resources on the system, such as the ones shared in a local network.
The way the ransomware was built speaks volumes about the experience of the malicious actors that created it. Security experts believe that LeChiffre has been created by ‘beginners’ and wasn’t meant to be involved in campaign attacks. The ransomware was employed after the criminals entered targeted systems. Moreover, the communication with the victims was done via emails, a fact that also supports the beginner level of the hackers.
This is the ransom message displayed to victims:
This is what the message reads:
Your important files (photos, videos, documents, archives, databases, backups, etc.) which were crypted with the strongest military cipher RSA1024 and AES. No one can`t help you to restore files without our decoder. Photorec, RannohDecryptor, etc repair tools are useless and can destroy your files irreversibly. If you want to restore files – send email to ‘xxxxx’ with the file “_secret_code.txt” and 1-2 encrypted files less than 5 MB as *.doc *.xls *.jpg, but not database (*.900 *.001 etc). Please use public mail yahoo or gmail.
You will receive decrypted samples and our conditions how you`ll get the decoder. Follow the instructions to send payment.
P.S. Remember, we are not scammers. We don`t need your files. If you want, you can get a decryptor for free after 6 month. Just send a request immediately after infection. All data will be restored absolutelly. Your warranty – decrypted samples.
As visible, the message wasn’t written by someone who is very fluent in English. Experts suspect that the cyber criminals are of Russian origin, since some of the files in its executable (LeChifrre.exe) had labels in Russian.
Overall, LeChiffre is not made by professional cyber criminals. Nonetheless, it still damaged many computers and cost several businesses lots of money and resources.
LeChiffre Ransomware: Removal
For now, LeChiffre has only been registered in India. However, its attacks could easily go mainstream and its authors could also evolve from beginners to professionals. Affected users should consider removing the threat completely via running an anti-malware tool or acquiring professional assistance. As with decryption, the ransomware creators claim that well-known decryptor tools would not do the work and will only destroy their files. We believe this claim to be untrue.
UPDATE: А Decrypter Has Been Released
(Jan 27 2016)
UPDATE: А Decrypter Has Been Released
(Jan 27 2016)
Luckily for users infected by the LeChiffre ransomware, a decrypter has been released by Emsisoft’s Fabian Wosar. As we already wrote, LeChiffre is not a sophisticated piece of ransomware, and not surprisingly, the security researcher (or shall we call him a reverse engineer?) succeeded in breaking its code in less than a day.
Not surprisingly, LeChiffre did not only affect several Indian businesses but also victims in other countries. For now, reported victims are located in Brazil and Russia.
How to use LeChiffre’s decrypter
The first and most important condition is to run the decrypt tool on the same computer where the ransomware infection took place. Additionally, the decrypter needs Internet access in order to work.
Unfortunately, for now only files encrypted by LeChiffre’s version 2.6 can be restored. Users affected by other versions of LeChiffre are encouraged to contact Fabian Wosar or other security engineers that could help them.
Here is the decrypter for LeChiffre.