Fjern LeChiffre Ransomware og Restore Files .LeChiffre - Hvordan, Teknologi og pc-sikkerhed Forum |

Fjern LeChiffre Ransomware og Restore Files .LeChiffre

LeChiffre er en af ​​de nyeste ransomware sager, der allerede påvirket systemer tre banker og et medicinalfirma i Mumbai, Indien. Selvom LeChiffre er langt fra sofistikerede, the damages it has caused amount to millions of dollars. Ifølge The Economic Times, the attacks took place in the beginning of January. The ransom demanded by the cyber criminals behind the ransomware operations was 1 Bitcoin (rundt regnet $400).

Kort beskrivelseLeChiffre is not sophisticated but is still damaging to a system.
SymptomerFiles are encrypted and a .LeChiffre is appended
DistributionsmetodeIkke kendt endnu.
Værktøj DetectionHent Malware Removal Tool, to See If Your System Has Been Affected by LeChiffre
BrugererfaringTilmeld dig vores forum til follow the discussion about LeChiffre.
Data Recovery ToolWindows Data Recovery af Stellar Phoenix Varsel! Dette produkt scanner dine drev sektorer til at gendanne mistede filer, og det kan ikke komme sig 100% af de krypterede filer, men kun få af dem, afhængigt af situationen og uanset om du har omformateret drevet.
Data Recovery ToolWindows Data Recovery af Stellar Phoenix Varsel! Dette produkt scanner dine drev sektorer til at gendanne mistede filer, og det kan ikke komme sig 100% af de krypterede filer, men kun få af dem, afhængigt af situationen og uanset om du har omformateret drevet.

LeChiffre Ransomware: Details about the Attacks

Several Indian companies and banks were targeted by cybercriminals. Som påpeget af eksperter, because of economic progress, attacks on Indian businesses are about to increase in frequency.

Only in some of the attacks was a ransom paid. For at være mere præcis, extortion money were sent to the hackers for only 15 computers which possibly belonged to company executives. The police authorities weren’t contacted in any of the cases (three banks and a pharma company). As to why such authorities weren’t informed, experts say that Indian companies are usually secretive when it comes to cyber attacks.

LeChiffre Ransomware: Teknisk Genoptag

Security experts at Malwarebytes have analyzed the threat successfully, without experiencing any countermeasures on behalf of hackers, and have concluded that the ransomware is far from sophisticated. It’s written in Delphi. One of the more curious features in LeChiffre is that the ransomware requires manual activation. That is one of the primary differences between LeChiffre and other recently detected cases of ransomware.

This particular ransomware should be executed manually, by hand. Experts have observed LeChiffre’s operators scan networks in search of weak and unprotected Remote Desktops ports. Once such are found, the ransomware authors will crack them, then they will log in remotely and run LeChiffre manually by double-clicking it to set the encryption process off.

As with other ransomware families, LeChiffre will encrypt the victim’s files and append an extension to them – .LeChiffre. Navnet – LeChiffre may have been inspired by the French word for number and may be translated ‘The Number’. Another possible explanation for the name is a reference to a character from the James Bond movies.

Den Backdoor

As revealed by Malwarebytes, LeChiffre also leaves a backdoor on the infected system. The ransomware replaces the sethc.exe file with cmd.exe. The file is activated on Windows after the Shift button is pressed 5 gange. The file can be launched even when the user isn’t logged. By doing so and replacing the file, malicious attackers obtain access to the system command line without needing a password.

What about LeChiffre’s Encryption?

Malwarebytes’ analysis shows that LeChiffre’s encryption which is AES is not refined at all. The ransomware only encrypts the first and last 8192 bytes of every file. Når dette er gjort, an encryption key will be added to every file in the form of a 32-byte droplet.

LeChiffre not only encrypts local files, but also all available resources on the system, such as the ones shared in a local network.

The way the ransomware was built speaks volumes about the experience of the malicious actors that created it. Security experts believe that LeChiffre has been created by ‘beginners’ and wasn’t meant to be involved in campaign attacks. The ransomware was employed after the criminals entered targeted systems. Desuden, the communication with the victims was done via emails, a fact that also supports the beginner level of the hackers.

This is the ransom message displayed to victims:


Dette er, hvad budskabet læser:

Dine vigtige filer (billeder, videoer, dokumenter, arkiv, databaser, sikkerhedskopier, etc.) which were crypted with the strongest military cipher RSA1024 and AES. No one can`t help you to restore files without our decoder. PhotoRec, RannohDecryptor, etc repair tools are useless and can destroy your files irreversibly. If you want to restore files – send email to ‘xxxxx’ with the file “_secret_code.txt” and 1-2 encrypted files less than 5 MB as *.doc *.xls *.jpg, but not database (*.900 *.001 etc). Please use public mail yahoo or gmail.
Du vil modtage krypterede prøver og vores betingelser hvordan du `ll får dekoderen. Følg vejledningen for at sende betaling.
P.S. Huske, vi ikke er svindlere. Vi don `t har brug for dine filer. Hvis du vil, you can get a decryptor for free after 6 måned. Bare send en anmodning umiddelbart efter infektion. Alle data vil blive genoprettet absolutelly. Your warranty – decrypted samples.

Så synlig, the message wasn’t written by someone who is very fluent in English. Experts suspect that the cyber criminals are of Russian origin, since some of the files in its executable (LeChifrre.exe) had labels in Russian.

Samlet, LeChiffre is not made by professional cyber criminals. Ikke desto mindre, it still damaged many computers and cost several businesses lots of money and resources.

LeChiffre Ransomware: Fjernelse

For nu, LeChiffre has only been registered in India. Men, its attacks could easily go mainstream and its authors could also evolve from beginners to professionals. Affected users should consider removing the threat completely via running an anti-malware tool or acquiring professional assistance. As with decryption, the ransomware creators claim that well-known decryptor tools would not do the work and will only destroy their files. We believe this claim to be untrue.

UPDATE: А Decrypter Has Been Released

(jan 27 2016)

Luckily for users infected by the LeChiffre ransomware, a decrypter has been released by Emsisoft’s Fabian Wosar. Som vi allerede skrev, LeChiffre is not a sophisticated piece of ransomware, and not surprisingly, the security researcher (or shall we call him a reverse engineer?) succeeded in breaking its code in less than a day.

Ikke overraskende, LeChiffre did not only affect several Indian businesses but also victims in other countries. For nu, reported victims are located in Brazil and Russia.

How to use LeChiffre’s decrypter

The first and most important condition is to run the decrypt tool on the same computer where the ransomware infection took place. Derudover, the decrypter needs Internet access in order to work.

Desværre, for now only files encrypted by LeChiffre’s version 2.6 can be restored. Users affected by other versions of LeChiffre are encouraged to contact Fabian Wosar or other security engineers that could help them.

Here is the decrypter for LeChiffre.

1. Boot Your PC In Safe Mode to isolate and remove LeChiffre
2. Remove LeChiffre with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by LeChiffre in the future
4. Restore files encrypted by LeChiffre
Valgfri: Brug Alternativ Anti-Malware værktøjer

Milena Dimitrova

En inspireret forfatter, fokuseret på brugernes privatliv og skadeligt software. Enjoys ‘Mr. Robot’ and fears ‘1984’.

Flere indlæg - Websted

1 Kommentar

  1. kai kiing

    I need help on the LeChiffre ransomware. Please anyone to reply.


Efterlad en kommentar

Din e-mail-adresse vil ikke blive offentliggjort. Krævede felter er markeret *

Frist er opbrugt. Venligst genindlæse CAPTCHA.

Del på Facebook Del
Loading ...
Del på Twitter Tweet
Loading ...
Del på Google Plus Del
Loading ...
Del på Linkedin Del
Loading ...
Del på Digg Del
Del på Reddit Del
Loading ...
Del på Stumbleupon Del
Loading ...