At the beginning of this month, the computer systems of three Indian banks and a pharmaceutical company were severely infected with crypto-ransomware. The unknown attacker used the LeChiffre ransomware family to encrypt files on the infected virtual machines.
LeChiffre is a hand-operated ransomware that works only when launched manually. Apparently, the attacker managed to infiltrate the networks of all the companies and then spread to other computers via unprotected Remote Desktop ports.
As soon as he gained access to a computer, the hacker would download the ransomware from his server and then double-click it to start the encryption process.
Security researchers report that LeChiffre encrypts the first and last 8192 bytes of each file and then appends the encryption key to the file as a 32-byte blob. The cipher is AES. The researchers also say the ransomware is written in Delphi and that its interface is in Russian.
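The described layout has a practical consequence for responders: only the head and tail of each file are ciphertext, so the middle of any file larger than about 16 KB is still intact. The following Python triage script is an added example, not code from the article or from the researchers it cites; it assumes exactly the layout stated above (two 8192-byte encrypted regions plus a 32-byte trailer) and uses a constructed sample file with random bytes standing in for AES output.

```python
import math
import random
from typing import Dict, Tuple

# Layout as reported in the article: the first and last 8192 bytes of each file
# are AES-encrypted and a 32-byte blob is appended. Everything else is assumed.
BLOCK = 8192
TRAILER = 32
CIPHERTEXT_ENTROPY = 7.5  # bits/byte; random-looking data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, far lower for most text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def split_regions(blob: bytes) -> Tuple[bytes, bytes, bytes, bytes]:
    """Carve a suspect file into head / middle / tail / trailer per the layout."""
    body = blob[:-TRAILER]
    if len(body) <= 2 * BLOCK:  # small files: nothing survives in the middle
        return body[:BLOCK], b"", body[BLOCK:], blob[-TRAILER:]
    return body[:BLOCK], body[BLOCK:-BLOCK], body[-BLOCK:], blob[-TRAILER:]

def triage(blob: bytes) -> Dict[str, float]:
    """Entropy per region, so an analyst sees which parts look like ciphertext."""
    head, middle, tail, _ = split_regions(blob)
    return {"head": shannon_entropy(head), "middle": shannon_entropy(middle),
            "tail": shannon_entropy(tail), "intact_bytes": len(middle)}

def looks_partially_encrypted(blob: bytes) -> bool:
    """High-entropy head and tail around a low-entropy middle match the pattern.
    Small files leave no middle to contrast against, so they are not flagged."""
    r = triage(blob)
    if r["intact_bytes"] == 0:
        return False
    return (r["head"] >= CIPHERTEXT_ENTROPY and r["tail"] >= CIPHERTEXT_ENTROPY
            and r["middle"] < CIPHERTEXT_ENTROPY)

def recover_middle(blob: bytes) -> bytes:
    """The bytes the described scheme never touched (most of a large file)."""
    return split_regions(blob)[1]

# Constructed sample: a 44 KB text file whose head and tail are replaced by random
# bytes standing in for AES output, plus a 32-byte stand-in for the appended blob.
PLAINTEXT = b"Quarterly report line\n" * 2000
_rng = random.Random(7)
SAMPLE = (_rng.randbytes(BLOCK) + PLAINTEXT[BLOCK:-BLOCK]
          + _rng.randbytes(BLOCK) + _rng.randbytes(TRAILER))

if __name__ == "__main__":
    print(triage(SAMPLE), looks_partially_encrypted(SAMPLE), len(recover_middle(SAMPLE)))
```

Run against a real suspect file, the entropy profile tells an analyst whether the damage matches the reported pattern and how many bytes of original content can be carved out of the middle before any decryption attempt.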
“LeChiffre looks very unprofessional […] practically, no countermeasures against analysis have been taken,” says Hasherezade.
“It can be justified by the fact that this ransomware was not intended to be distributed in [a] campaign, only used by attackers after they entered the system,” the analysts stated.
Nevertheless, the poorly implemented encryption and the model of communication with users prove that this malware was prepared lazily, probably by beginners.
Users infected with LeChiffre have to contact the ransomware’s creator via an email address shown in the ransom message. The standard ransom is 1 Bitcoin (approximately $400 / €370 at today’s price) per PC.
According to a post in India Times, the hacker infected many computers and caused millions in damages. According to the same publication, ransoms were paid only for some top executives.
Last September, two hackers from the Middle East breached two Indian companies. They stole data and successfully blackmailed them for $5 million each, threatening to release private files to the government, which would have implicated the companies in illegal activities.