Since first discovered in June 2015, the LeChiffre ransomware has been infecting users, encrypting files and demanding payment in return for decryption. It differs in modus operandi from most ransomware by the method it infiltrates – via a manually-hacked server. Also that it is remotely executed by the hacker and encrypts files and available sources (network shares) in an operating system – for this reason it is of particular concern to commercial networks. Already in 2016, it has compromised multiple Indian companies (at least 3 banks in Mumbai) and pharmaceutical companies. The demand was for 1.0 Bitcoin ($430 U.S) per computer. This appears to have been a targeted attack and has so far caused millions of dollars in lost business and damages. The network share capability makes LeChiffre specifically an industrial ransom tool, opposed to other types targeting private users. In May 2015, two (unnamed) Indian conglomerates that were targeted are thought to have paid $5m in similar attacks. In this case, the hackers threatened to release certain sensitive, (undisclosed) data seized to the Indian government. As Indian companies are very secretive about vulnerability, the full extent of exploits carried out is not known. That commerce in this culture is like this perhaps explains hackers’ market expansion in this geographic direction; according to research by Symantec, India is now ranked the 9th most ransomware-targeted country world-wide.
LeChiffre is so named like many other similar system infections after the extension it appends to files after encryption: .LeChiffre. This is also the name of a fictional character (a ruthless financier/master criminal and gambler) appearing in Ian Fleming’s 1953 first James Bond novel, ‘Casino Royale’. He kidnaps Bond’s assistant who is then held hostage for financial gain. Le Chiffre translates in French to the number, or digit but can be loosely translated to mean code (and is linked with the similar-sounding English word cypher). It can also be used in context to a person, where it can mean character, figure, or interestingly – silhouette. Sometimes, the ego or dark humor or arrogance of the malware author can lead to an indication of where the threat originated. Also, a clue can sometimes be found in the grammar and language used in ransom demands and payment instructions sent to the victim. Sometimes this information is only generic copy&paste; sometimes, it can be erroneous purely to provide analytical obfuscation. The features on the GUI (graphic user interface) of LeChiffre are in Russian. Shortly after the Mumbai compromises, a worker in an office in Manlius, N.Y noticed some strange behavior with her terminal and suspected remote interference. She disconnected immediately and a technician was called. A file was found that was recognized as LeChiffre, and later specialists analyzed it to discovered that it originated from Crimea. It had indeed been sent from Russia – though not with love.
What sets this infection apart from other ransomware is that instead of using a conventional trojan delivery method, LeChiffre enters the machine as a result of a manual hack of a weak server via a terminal or RDP (Remote Desktop Protocol) services. A client (a relay between hacker and victim) is then installed on the server. When a network thought of value to target is found (if the server is not a dedicated company server and was purposely attacked), the task is then to crack a log-on (preferably that of an Administrator), after which the whole system is vulnerable to encryption through network shares. Drives can be scanned and either selected files or whole drives can be encrypted. After which a ransom demand is left in each encrypted file and the hacker withdraws leaving no other trace. It has been described by some commentators as ‘unprofessional’ malware as it doesn’t have any counter-security software defences, though it doesn’t need to have any – it has usually entered and done its work without being discovered. A further point is that the malware also creates a back-door, so potentially it could re-enter a system at any time or introduce other malicious coding. The malware creates this capability by making changes to some system files so that it is possible for the hacker to enter and operate – even if the user is not logged on – as an un-logged presence or user.
The ransomware claims to use ‘strongest military cipher RSA 1024 and AES’ encoding, though this seems unrealistic as if the encryption-decryption process used such high algorithms, it would probably cause most host systems to crash during in the processes and destroy the ransom market. This wouldn’t be the first malware to lie about the algorithm used – it is a usual tactic to further intimidate the hostage when they read the impressive encryption description on Wikipedia, sometimes courtesy of a link on the demand page. LeChiffre does not encrypt a whole file if it is over a certain size, only the beginning and end.
How to decrypt LeChiffre encrypted files?
Please, follow the steps below to decrypt .lechiffre files for free:
Step 1: Download the free LeChiffre decrypter here: https://blogs.mcafee.com/wp-content/uploads/LeChiffreDecryptor.zip
Step 2: Unzip the LeChiffreDecrypt.exe in “C:\”
Step 3: Open a Command prompt (if you do not how to do this please read this article: http://pcsupport.about.com/od/commandlinereference/f/open-command-prompt.htm )
Step 4: In the Command prompt type “cd\”
Step 5: Type “LeChiffreDecrypt.exe NAME_OF_FOLDER_WITH_ENCRYPTED_FILES”
Substitue NAME_OF_FOLDER_WITH_ENCRYPTED_FILES with a folder in your PC, where you have .lechiffre files.
Step 6: Press ENTER. Give it as much time as it needs, since the decryption process can take long (depending on file count and size of encrypted files).
This ransomware is now effectively castrated as far as decryption goes, though the down-time caused to companies if infected could still be very expensive. And after its opening 6 months, LeChiffre has netted enough to surely inspire the authors to update and re-brand their product. That decryption is now available now is not the main point – if this ransomware can enter a server, then much more complicated attacks could infiltrate by the same route. One thing is certain – ransomware will continue to besiege commercial networks, and consumers will continue pick up the cost of that battle.