Decrypt LeChiffre Ransomware for Free

11
1955

Since first discovered in June 2015, the LeChiffre ransomware has been infecting users, encrypting files and demanding payment in return for decryption. It differs in modus operandi from most ransomware by the method it infiltrates – via a manually-hacked server. Also that it is remotely executed by the hacker and encrypts files and available sources (network shares) in an operating system – for this reason it is of particular concern to commercial networks. Already in 2016, it has compromised multiple Indian companies (at least 3 banks in Mumbai) and pharmaceutical companies. The demand was for 1.0 Bitcoin ($430 U.S) per computer. This appears to have been a targeted attack and has so far caused millions of dollars in lost business and damages. The network share capability makes LeChiffre specifically an industrial ransom tool, opposed to other types targeting private users. In May 2015, two (unnamed) Indian conglomerates that were targeted are thought to have paid $5m in similar attacks. In this case, the hackers threatened to release certain sensitive, (undisclosed) data seized to the Indian government. As Indian companies are very secretive about vulnerability, the full extent of exploits carried out is not known. That commerce in this culture is like this perhaps explains hackers’ market expansion in this geographic direction; according to research by Symantec, India is now ranked the 9th most ransomware-targeted country world-wide.

LeChiffre is so named like many other similar system infections after the extension it appends to files after encryption: .LeChiffre. This is also the name of a fictional character (a ruthless financier/master criminal and gambler) appearing in Ian Fleming’s 1953 first James Bond novel, ‘Casino Royale’. He kidnaps Bond’s assistant who is then held hostage for financial gain. Le Chiffre translates in French to the number, or digit but can be loosely translated to mean code (and is linked with the similar-sounding English word cypher). It can also be used in context to a person, where it can mean character, figure, or interestingly – silhouette. Sometimes, the ego or dark humor or arrogance of the malware author can lead to an indication of where the threat originated. Also, a clue can sometimes be found in the grammar and language used in ransom demands and payment instructions sent to the victim. Sometimes this information is only generic copy&paste; sometimes, it can be erroneous purely to provide analytical obfuscation. The features on the GUI (graphic user interface) of LeChiffre are in Russian. Shortly after the Mumbai compromises, a worker in an office in Manlius, N.Y noticed some strange behavior with her terminal and suspected remote interference. She disconnected immediately and a technician was called. A file was found that was recognized as LeChiffre, and later specialists analyzed it to discovered that it originated from Crimea. It had indeed been sent from Russia – though not with love.

decrypt lechiffre

What sets this infection apart from other ransomware is that instead of using a conventional trojan delivery method, LeChiffre enters the machine as a result of a manual hack of a weak server via a terminal or RDP (Remote Desktop Protocol) services. A client (a relay between hacker and victim) is then installed on the server. When a network thought of value to target is found (if the server is not a dedicated company server and was purposely attacked), the task is then to crack a log-on (preferably that of an Administrator), after which the whole system is vulnerable to encryption through network shares. Drives can be scanned and either selected files or whole drives can be encrypted. After which a ransom demand is left in each encrypted file and the hacker withdraws leaving no other trace. It has been described by some commentators as ‘unprofessional’ malware as it doesn’t have any counter-security software defences, though it doesn’t need to have any – it has usually entered and done its work without being discovered. A further point is that the malware also creates a back-door, so potentially it could re-enter a system at any time or introduce other malicious coding. The malware creates this capability by making changes to some system files so that it is possible for the hacker to enter and operate – even if the user is not logged on – as an un-logged presence or user.

The ransomware claims to use ‘strongest military cipher RSA 1024 and AES’ encoding, though this seems unrealistic as if the encryption-decryption process used such high algorithms, it would probably cause most host systems to crash during in the processes and destroy the ransom market. This wouldn’t be the first malware to lie about the algorithm used – it is a usual tactic to further intimidate the hostage when they read the impressive encryption description on Wikipedia, sometimes courtesy of a link on the demand page. LeChiffre does not encrypt a whole file if it is over a certain size, only the beginning and end.

How to decrypt LeChiffre encrypted files?

Please, follow the steps below to decrypt .lechiffre files for free:

Step 1: Download the free LeChiffre decrypter here: https://blogs.mcafee.com/wp-content/uploads/LeChiffreDecryptor.zip
Step 2: Unzip the LeChiffreDecrypt.exe in “C:\
Step 3: Open a Command prompt (if you do not how to do this please read this article: http://pcsupport.about.com/od/commandlinereference/f/open-command-prompt.htm )
Step 4: In the Command prompt type “cd\
Step 5: Type “LeChiffreDecrypt.exe NAME_OF_FOLDER_WITH_ENCRYPTED_FILES
Substitue NAME_OF_FOLDER_WITH_ENCRYPTED_FILES with a folder in your PC, where you have .lechiffre files.
Step 6: Press ENTER. Give it as much time as it needs, since the decryption process can take long (depending on file count and size of encrypted files).

This ransomware is now effectively castrated as far as decryption goes, though the down-time caused to companies if infected could still be very expensive. And after its opening 6 months, LeChiffre has netted enough to surely inspire the authors to update and re-brand their product. That decryption is now available now is not the main point – if this ransomware can enter a server, then much more complicated attacks could infiltrate by the same route. One thing is certain – ransomware will continue to besiege commercial networks, and consumers will continue pick up the cost of that battle.

SHARE
Daniel Stoyanov
Daniel Stoyanov has a Master's degree in Computer Science from the Technical University of Sofia, Bulgaria. He is also a Microsoft Certified Professional. Daniel provides top cyber security news with in-depth coverage of malware, vulnerabilities, PC and Network security, online safety.If you have any questions feel free to ask him right now.

11 COMMENTS

  1. Unfortunately, this decryptor did not work on my server that is currently infected with the Lechiffre malware. Looks like the article states its working for 2.5 and 2.6, im guessing my malware version is higher.. any suggestions?

  2. nothing works for me. emsisoft only renames the files without LeChiffre extension, can any 1 help me with this.
    all my data is encrypted and they ask for 1 bit coin for decryption.

  3. Hey Daniel,
    My computer has been infected by the Lechiffre virus, I have already used the tools Emsisoft, TrendMicro, Avira, none of them could recover my files, the file appears recovered but when I open the file appears the message saying that the files are corrupted. I think I was infected with a new version of Lechiffre because in the rescue file the following email appears: E-mail: lechiffre@india.com
    E-mail: lechiffre@mailchuck.com
    Bitmessage: BM-2cX29XoQx3AduRtttTmqtSC9pZekDffkEy
    If you could help me, I would be very grateful.

    Andreine

    • Hey Andreine,

      Sorry to hear that McAfee decrypter did not worked. In my lab tests it rather quickly decrypted 30 .lechiffre files, but I guess they where encrypted by an earlier version of the ransomware.

      One thing I can suggest is to keep the encrypted files and wait for a decrypter. Usually, the researchers update their work, as we have seen decrypters for Crysis, later for Crysis 2, 3.

      Thanks,
      Daniel

  4. Hey Daniel,
    Thanks for the help.
    We also have the server infected this morning with LeChiffre.

    I will keep an eye open on resolutions from certain sites however so far nothing worked.

    Thanks,
    Nick

  5. Hey Daniel
    thank you very much for your attention. I will follow your suggestion, I have made a copy of the files and I will expect an updated tools to recover my files.

    Thanks,
    Andreine

  6. Hey Guys

    Anyone found an updated decrypter tool for LeChiffre? We were infected last night and have tried Emsisoft, TrendMicro etc but haven’t found anything that works yet?

    Any feedback will be appreciated.
    Thanks
    Eugene

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Time limit is exhausted. Please reload CAPTCHA.