Remove LeChiffre Ransomware and Restore .LeChiffre Files - How to, Technology and PC Security Forum |

Remove LeChiffre Ransomware and Restore .LeChiffre Files

LeChiffre is one of the latest ransomware cases that has already affected the systems of three banks and a pharmaceutical company in Mumbai, India. Even though LeChiffre is far from sophisticated, the damages it has caused amount to millions of dollars. According to The Economic Times, the attacks took place in the beginning of January. The ransom demanded by the cyber criminals behind the ransomware operations was 1 Bitcoin (approximately $400).

Short DescriptionLeChiffre is not sophisticated but is still damaging to a system.
SymptomsFiles are encrypted and a .LeChiffre is appended
Distribution MethodNot known yet.
Detection ToolDownload Malware Removal Tool, to See If Your System Has Been Affected by LeChiffre
User ExperienceJoin our forum to follow the discussion about LeChiffre.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

LeChiffre Ransomware: Details about the Attacks

Several Indian companies and banks were targeted by cybercriminals. As pointed out by experts, because of economic progress, attacks on Indian businesses are about to increase in frequency.

Only in some of the attacks was a ransom paid. To be more precise, extortion money were sent to the hackers for only 15 computers which possibly belonged to company executives. The police authorities weren’t contacted in any of the cases (three banks and a pharma company). As to why such authorities weren’t informed, experts say that Indian companies are usually secretive when it comes to cyber attacks.

LeChiffre Ransomware: Technical Resume

Security experts at Malwarebytes have analyzed the threat successfully, without experiencing any countermeasures on behalf of hackers, and have concluded that the ransomware is far from sophisticated. It’s written in Delphi. One of the more curious features in LeChiffre is that the ransomware requires manual activation. That is one of the primary differences between LeChiffre and other recently detected cases of ransomware.

This particular ransomware should be executed manually, by hand. Experts have observed LeChiffre’s operators scan networks in search of weak and unprotected Remote Desktops ports. Once such are found, the ransomware authors will crack them, then they will log in remotely and run LeChiffre manually by double-clicking it to set the encryption process off.

As with other ransomware families, LeChiffre will encrypt the victim’s files and append an extension to them – .LeChiffre. The name – LeChiffre may have been inspired by the French word for number and may be translated ‘The Number’. Another possible explanation for the name is a reference to a character from the James Bond movies.

The Backdoor

As revealed by Malwarebytes, LeChiffre also leaves a backdoor on the infected system. The ransomware replaces the sethc.exe file with cmd.exe. The file is activated on Windows after the Shift button is pressed 5 times. The file can be launched even when the user isn’t logged. By doing so and replacing the file, malicious attackers obtain access to the system command line without needing a password.

What about LeChiffre’s Encryption?

Malwarebytes’ analysis shows that LeChiffre’s encryption which is AES is not refined at all. The ransomware only encrypts the first and last 8192 bytes of every file. Once this is done, an encryption key will be added to every file in the form of a 32-byte droplet.

LeChiffre not only encrypts local files, but also all available resources on the system, such as the ones shared in a local network.

The way the ransomware was built speaks volumes about the experience of the malicious actors that created it. Security experts believe that LeChiffre has been created by ‘beginners’ and wasn’t meant to be involved in campaign attacks. The ransomware was employed after the criminals entered targeted systems. Moreover, the communication with the victims was done via emails, a fact that also supports the beginner level of the hackers.

This is the ransom message displayed to victims:


This is what the message reads:

Your important files (photos, videos, documents, archives, databases, backups, etc.) which were crypted with the strongest military cipher RSA1024 and AES. No one can`t help you to restore files without our decoder. Photorec, RannohDecryptor, etc repair tools are useless and can destroy your files irreversibly. If you want to restore files – send email to ‘xxxxx’ with the file “_secret_code.txt” and 1-2 encrypted files less than 5 MB as *.doc *.xls *.jpg, but not database (*.900 *.001 etc). Please use public mail yahoo or gmail.
You will receive decrypted samples and our conditions how you`ll get the decoder. Follow the instructions to send payment.
P.S. Remember, we are not scammers. We don`t need your files. If you want, you can get a decryptor for free after 6 month. Just send a request immediately after infection. All data will be restored absolutelly. Your warranty – decrypted samples.

As visible, the message wasn’t written by someone who is very fluent in English. Experts suspect that the cyber criminals are of Russian origin, since some of the files in its executable (LeChifrre.exe) had labels in Russian.

Overall, LeChiffre is not made by professional cyber criminals. Nonetheless, it still damaged many computers and cost several businesses lots of money and resources.

LeChiffre Ransomware: Removal

For now, LeChiffre has only been registered in India. However, its attacks could easily go mainstream and its authors could also evolve from beginners to professionals. Affected users should consider removing the threat completely via running an anti-malware tool or acquiring professional assistance. As with decryption, the ransomware creators claim that well-known decryptor tools would not do the work and will only destroy their files. We believe this claim to be untrue.

UPDATE: А Decrypter Has Been Released

(Jan 27 2016)

Luckily for users infected by the LeChiffre ransomware, a decrypter has been released by Emsisoft’s Fabian Wosar. As we already wrote, LeChiffre is not a sophisticated piece of ransomware, and not surprisingly, the security researcher (or shall we call him a reverse engineer?) succeeded in breaking its code in less than a day.

Not surprisingly, LeChiffre did not only affect several Indian businesses but also victims in other countries. For now, reported victims are located in Brazil and Russia.

How to use LeChiffre’s decrypter

The first and most important condition is to run the decrypt tool on the same computer where the ransomware infection took place. Additionally, the decrypter needs Internet access in order to work.

Unfortunately, for now only files encrypted by LeChiffre’s version 2.6 can be restored. Users affected by other versions of LeChiffre are encouraged to contact Fabian Wosar or other security engineers that could help them.

Here is the decrypter for LeChiffre.

1. Boot Your PC In Safe Mode to isolate and remove LeChiffre
2. Remove LeChiffre with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by LeChiffre in the future
4. Restore files encrypted by LeChiffre
Optional: Using Alternative Anti-Malware Tools

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!

More Posts

1 Comment

  1. kai kiing

    I need help on the LeChiffre ransomware. Please anyone to reply.


Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share