LeChiffre ransomware has been wandering around since June 2015. What is interesting about this ransomware is that it is not distributed via ordinary means like Trojan downloads, exploit kits, or email, but rather by being manually installed in hacked servers.
Usually, the malware creators hack a server via remote desktop or terminal services, manually run the executable to encrypt the data, and remove all traces of the program when they leave.
Recently, a security researcher named Hasherezade acquired a sample and managed to analyze it. According to the analysis, this ransomware was not very sophisticated but rather a simple client that the malware creators would run on a hacked server to encrypt the data files and leave a ransom note.
As soon as the hackers were done encrypting the drives, they would clean up behind themselves and wait for the payment to come in.
Computer users should know that when the program encrypted a data file it would append the .lechiffre extension to the filename and generate a ransom note called _How to decrypt LeChiffre files.html in the encrypted file’s folder.
The above-mentioned notes contain information about what happened to the user’s data and the firstname.lastname@example.org email address that can be used to get payment instructions. A curious offer in the ransom note is that if a victim does not need their files immediately, they can wait 6 months and get them back for free.
The good news is that Hasherezade shared a sample with the security community. After being analyzed by Emsisoft’ Fabian Wosar, a vulnerability was discovered, which could let Wosar build a free decrypter for the ransomeware.