LeChiffre ransomware encryption has been broken

At the end of last week, it became known that the systems of three Indian banks and a pharmaceutical company had been struck by the LeChiffre ransomware. At that time, experts from Malwarebytes assumed that the ransomware had been developed by amateurs. Fabian Wosar, an expert from Emsisoft, indirectly confirmed this theory by cracking LeChiffre's encryption in one day.


LeChiffre differs from other ransomware in one respect: the infection is carried out manually. On January 22, 2016, experts from Malwarebytes described in their blog how an unknown attacker had to manually infiltrate the networks of the affected companies, escalate privileges and gain access to other computers on the network through unprotected Remote Desktop ports. Once on a victim's computer, the attacker manually downloaded the LeChiffre ransomware from its server and then executed it.

Malwarebytes experts reported that the ransomware is written in Delphi and uses the AES encryption algorithm, and that the malware's management interface is in Russian. The experts also noted that LeChiffre is written very unprofessionally and has almost no protection against third-party analysis.

Although the malware does not look like the work of a professional, Indian banks have reported that they suffered losses amounting to tens of millions of dollars as a result of LeChiffre infections. In some cases, banks preferred to pay the criminals a ransom of 1 Bitcoin (around $400 at current exchange rates). The ransom was mostly paid to restore data on bank managers' computers.


According to recent data, LeChiffre's malicious activity has affected not only organizations but also ordinary people in Brazil and Russia.

Fortunately, the malware caught the attention of Fabian Wosar, who has recently been giving ransomware developers a lot of headaches. The expert created a tool to decrypt data affected by the ransomware and published it on the Emsisoft website. The tool works only for LeChiffre version 2.6. It also works only on the infected computer and requires an internet connection.

Wosar said that he will gladly analyze other versions of the LeChiffre ransomware, but for that he needs the ransomware files. All LeChiffre victims, especially those affected by other versions of this malware, can post in a dedicated topic on the Bleeping Computer forum.

How to clean your computer of LeChiffre version 2.6?

  • Make sure you have an Internet connection
  • Download the decrypting tool
  • Make sure you are on the affected computer
  • Run the tool

You can find more information about what ransomware is and how to protect yourself from it here.

Information added: 01/27/2016 05:53 AM;