Monday, 25 January 2016

LeChiffre: A Ransomware That Hits Three Indian Banks


LeChiffre is ransomware that, once run on a computer, encrypts files with extensions such as .doc, .docx, .docm, .wps, .xls, .xlsx, .ppt, .pptx, .pptm, .pdd, .pdf, .eps, .ai, .indd, .cdr, .dng, .mp3, .lnk, .jpg, .png, .jfif, .jpeg, .gif, .bmp, .exif and .txt, and appends the extension “.LeChiffre” to their names.

Plenty of ransomware families are around, but this one differs from most of them: LeChiffre does not execute automatically and infect the user's files on its own; it has to be run manually on the target system. The attackers scanned networks for poorly secured Remote Desktop servers, cracked the logins, and once logged on ran an instance of LeChiffre by hand.
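Because LeChiffre was deployed by hand after the attackers cracked exposed Remote Desktop logins, the thing worth hunting for in the Windows Security log is a burst of failed logons (event 4625) from one source address followed by a successful logon (event 4624) with LogonType 10, the RemoteInteractive type that RDP sessions use. The following detector is an added example and is not code from the original post or from Malwarebytes; the events it runs over are constructed sample data with an assumed, simplified field layout (`time`, `id`, `logon_type`, `ip`, `user`), not real log lines.

```python
"""Hunt for RDP brute force followed by a successful remote logon.

Added example, not from the original post.  Field names below are an
assumed simplified subset of the real Windows event XML.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10            # RemoteInteractive (RDP / Terminal Services)
THRESHOLD = 5                  # failures inside WINDOW before a success is suspicious
WINDOW = timedelta(minutes=10)

# Constructed sample events (assumed simplified schema, not real logs).
SAMPLE_EVENTS = [
    # attacker at 203.0.113.45 spraying accounts, then getting in as administrator
    {"time": "2016-01-20T02:00:01", "id": 4625, "logon_type": 10, "ip": "203.0.113.45", "user": "admin"},
    {"time": "2016-01-20T02:00:09", "id": 4625, "logon_type": 10, "ip": "203.0.113.45", "user": "administrator"},
    {"time": "2016-01-20T02:00:17", "id": 4625, "logon_type": 10, "ip": "203.0.113.45", "user": "root"},
    {"time": "2016-01-20T02:00:25", "id": 4625, "logon_type": 10, "ip": "203.0.113.45", "user": "test"},
    {"time": "2016-01-20T02:00:33", "id": 4625, "logon_type": 10, "ip": "203.0.113.45", "user": "administrator"},
    {"time": "2016-01-20T02:00:41", "id": 4625, "logon_type": 10, "ip": "203.0.113.45", "user": "administrator"},
    {"time": "2016-01-20T02:00:49", "id": 4624, "logon_type": 10, "ip": "203.0.113.45", "user": "administrator"},
    # a user mistyping a password twice, then logging in: stays below the threshold
    {"time": "2016-01-20T08:30:00", "id": 4625, "logon_type": 10, "ip": "192.168.10.33", "user": "jsmith"},
    {"time": "2016-01-20T08:30:20", "id": 4625, "logon_type": 10, "ip": "192.168.10.33", "user": "jsmith"},
    {"time": "2016-01-20T08:30:40", "id": 4624, "logon_type": 10, "ip": "192.168.10.33", "user": "jsmith"},
    # console logon (LogonType 2) with no failures: not RDP, ignored
    {"time": "2016-01-20T09:00:00", "id": 4624, "logon_type": 2, "ip": "-", "user": "helpdesk"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def find_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per successful RDP logon that was preceded by at
    least `threshold` failed logons from the same source IP within `window`."""
    failures = defaultdict(list)   # source ip -> timestamps of 4625 events
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        when, ip = _ts(ev["time"]), ev["ip"]
        if ev["id"] == FAILED_LOGON:
            # Count every failure regardless of logon type (see usage note).
            failures[ip].append(when)
            continue
        if ev["id"] == SUCCESS_LOGON and ev["logon_type"] == RDP_LOGON_TYPE:
            recent = [t for t in failures[ip] if when - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "ip": ip,
                    "user": ev["user"],
                    "failures_before_success": len(recent),
                    "success_time": ev["time"],
                })
    return alerts


if __name__ == "__main__":
    for a in find_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"RDP brute force suspected: {a['ip']} got in as {a['user']} "
              f"after {a['failures_before_success']} failures at {a['success_time']}")
```

The failure counter deliberately does not filter on logon type: when Network Level Authentication is enabled, failed RDP attempts are usually recorded as LogonType 3 (network) rather than 10, so restricting the 4625 side to type 10 would hide exactly the brute-force phase this check is after. Only the success is required to be a type 10 logon.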

Attackers believed to be Russian hit three Indian banks with this ransomware and caused millions of dollars in damage.

An anonymous reader writes:

Ransomware has locked computers in three major Indian banks and one pharmaceutical company. While the ransom note asks for 1 Bitcoin, so many computers have been infected that damages racked up millions of dollars. According to an antivirus company that analyzed the ransomware, it's not even that complex, and seems the work of some amateur Russians.

Hasherezade, a security analyst at Malwarebytes, said that

"LeChiffre looks very unprofessional [...] practically, no countermeasures against analysis have been taken,"
"It can be justified by the fact that this ransomware was not intended to be distributed in [a] campaign, only used by attackers after they entered the system," the analyst added. "However, poorly implemented encryption and the model of communication with victims (via e-mail) show that this malware has been prepared lazily, probably by beginners."

Behavioral analysis

It is distributed as a typical Windows executable:

Running it brings up a GUI with labels in Russian:

It drops a copy of itself in the Recycle Bin, disguised as a .jpg:

File encryption

Once it is run manually, the file encryption process starts: the first button from the top scans all available disks and encrypts files with the listed extensions. Sample result:

And the information about ransom demand:
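Both traces described above, victim files renamed with the ".LeChiffre" extension and the dropped copy of the malware sitting in the Recycle Bin under a .jpg name, can be triaged from a mounted volume or disk image. The script below is an added example, not code from the original post or from Malwarebytes. It catches the .jpg disguise by content rather than by name: a genuine JPEG starts with the bytes FF D8 FF, while a Windows executable starts with "MZ". The directory tree built by `build_sample_tree()` is constructed test data imitating a hit workstation (the `$Recycle.Bin\<SID>` layout is assumed), and the name `image.jpg` for the dropped copy is an assumption, since the post does not give it.

```python
"""Triage a mounted volume or image for LeChiffre artefacts.

Added example, not from the original post.  Sample tree is constructed.
"""
import os
import tempfile
from pathlib import Path

RANSOM_EXT = ".LeChiffre"
JPEG_MAGIC = b"\xff\xd8\xff"   # SOI marker at the start of every JPEG
PE_MAGIC = b"MZ"               # DOS header at the start of every Windows PE file
IMAGE_EXTS = {".jpg", ".jpeg"}


def magic_of(path, n=4):
    """First n bytes of a file (fewer if the file is shorter)."""
    with open(path, "rb") as fh:
        return fh.read(n)


def triage(root):
    """Walk `root` and return (encrypted_files, disguised_executables), both sorted."""
    encrypted, disguised = [], []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.suffix == RANSOM_EXT:
            # LeChiffre appends its extension, so report.docx becomes report.docx.LeChiffre
            encrypted.append(str(p))
        elif p.suffix.lower() in IMAGE_EXTS and magic_of(p, 2) == PE_MAGIC:
            # Named like an image but carrying a PE header: the dropped copy
            disguised.append(str(p))
    return sorted(encrypted), sorted(disguised)


def build_sample_tree():
    """Create a throwaway tree imitating a hit workstation (constructed data)."""
    root = tempfile.mkdtemp(prefix="lechiffre_demo_")
    docs = Path(root, "Users", "alice", "Documents")
    docs.mkdir(parents=True)
    (docs / ("report.docx" + RANSOM_EXT)).write_bytes(os.urandom(64))  # encrypted
    (docs / ("notes.txt" + RANSOM_EXT)).write_bytes(os.urandom(64))    # encrypted
    (docs / "untouched.txt").write_text("still readable")              # not hit
    pics = Path(root, "Users", "alice", "Pictures")
    pics.mkdir(parents=True)
    (pics / "holiday.jpg").write_bytes(JPEG_MAGIC + b"\x00" * 32)      # genuine image
    bin_dir = Path(root, "$Recycle.Bin", "S-1-5-21-1111")              # assumed layout
    bin_dir.mkdir(parents=True)
    (bin_dir / "image.jpg").write_bytes(PE_MAGIC + b"\x90" * 62)       # PE under a .jpg name
    return root


if __name__ == "__main__":
    enc, dis = triage(build_sample_tree())
    print(f"{len(enc)} encrypted files, e.g. {enc[:2]}")
    print(f"{len(dis)} executable(s) disguised as images: {dis}")
```

Point it at the root of a mounted volume (`triage("/mnt/evidence")`) rather than the sample tree to use it on real evidence. Checking the header rather than the name is what makes the Recycle Bin check useful: the dropped copy could be renamed to anything, but it still has to be a PE file for the attacker to run it again.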

How can we remove LeChiffre ransomware?

There are many methods, but the simplest are:

1. Remove LeChiffre with an automatic cleaner: run a full scan with an up-to-date anti-malware product that detects LeChiffre, then choose the option to quarantine or remove every threat it finds.

2. Remove it manually: open Control Panel, go to Uninstall a program, find any entry related to LeChiffre, right-click it and uninstall it.

Two caveats follow from how LeChiffre is used. Removing the executable does not decrypt the files that already carry the .LeChiffre extension; those have to be restored from backups. And because the attackers got in over poorly secured Remote Desktop, cleaning the machine is not enough: change the passwords of the accounts they used and stop exposing RDP directly to the Internet, otherwise the same attacker can log back in and run it again.

