LeChiffre Ransomware Support & Help Topic (.lechiffre extension)

Hello everyone, 
 
There is some attacks occurring in Brazil and the "hackers" are using an ransomware software to crypt and change the file extensions, the file extensions are being changed to .LeChiffre, the "hackers" are requesting bitcoins in order to send a password to unzip an .exe that will uncrypt the files.
 
A person have payed the bitcoin and he has shared the .exe that uncrypt the files, i will attach the files for someone that want try to make a reverse engineering on it to try to make a generic uncrypt for this kind of situation.
 
Inside the attached file:
_secret_code.txt -> is the code that the victim receive
DeLeChiffre.rar -> Is the uncrypt protect by a password that requires a password
DSC_7926.JPG.LeChiffre -> a encrypted file
password SC SRL.txt -> password sent to the victim that have payed 
 
 

 
 
I was not infected by this Trojan but I friend was 
 
Thanks

Thank you for the sample. Does your friend know how they became infected? If they have the sample that infected them, please have them submit it to http://www.bleepingcomputer.com/submit-malware.php?channel=3

I have deleted the attachment that was on your post to protect others.

The BC staff has advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

Hello, 

 

His server got hacked, unfortunately we do not have the infected files..

 

Thank you guys

I just today came across a ransomware infection with the extension .lechiffre appended to the files.  I have been searching for some info on this variant and am not finding anything.  Does anyone on here know anything about the ransomware variant?

I found this topic from June of someone reporting this: http://www.bleepingcomputer.com/forums/t/578220/ransomware-lechiffre/

Not finding anything about a way to decrypt it yet.

 

I would submit a sample to the malware channel with a link to this topic. An encrypted file and if you have a dropper or malicious file would probably be handy.

I haven't found a dropper or malicious file yet.  Ran Malwarebytes on two computers with encrypted files and came up empty.  Ran Autoruns looking for suspicious activity and came up empty there too.  I thought I had the entry point computer for the infection narrowed down, but like I said Malwarebytes came up empty.  Any other thoughts on tools to use to find the source?  I run a rebranded version of Bit Defender across my networks and it didn't catch it initially and so far hasn't found it in a rescan of the environment.  Where do I submit the encrypted file sample?  I would be happy to do that.

http://www.bleepingcomputer.com/submit-malware.php?channel=3

 

Any ransom notes? I'm not finding a whole lot of reputable information on it either, so I can't point you to any particular spots to check other than the usual %TEMP%, %APPDATA%, and %LOCALAPPDATA% for any suspicious-looking files, usually random in name.

 

How many computers are connected, and were they mapped to each other? You should be able to see the owner of the modified files to see who got hit with the actual malware.

Well, what got hit was a file share on a server.  That server is a VM and I currently have it shut down.  I am copying all of the VM files off of the host server.  I want to protect the ones that aren't encrypted yet.  Once I get those copied off I will fire up that file server again and look around and see if I can find any of the things you mentioned above.  I scanned that files server with Malwarebytes hoping to find and infected file or something but it came back clean after the scan.  I also scanned the Hyper-V host server but it came back clean too.  Hopefully, I will find something that I can submit.

I have merged this topic with the one where this infection was first reported to make it easier for our staff to provide any possible assistance. There is very little information available on this particular ransomware and only a few reports.

I would mount the virtual hard disk (.vhd file) to safely inspect the files without booting the VM. You should be able to use Disk Management and attach a VHD, and it'll show up as any regular drive in Explorer. It will be totally harmless as long as you don't double-click any executable files.

 

 

Thanks quietman7. I was confused when I was denied permission to the topic, then saw it disappear. I saw you looking at the topic and figured you were doing your magic.

a client got hit with this over the weekend.  seems like it was able to find other shared folders on other servers that were not mapped.  running malwarebytes now on it.

They must have made a push this weekend. Got hit on one of our servers as well. None of the usual scanners are picking much up at this time.

They must have made a push this weekend. Got hit on one of our servers as well. None of the usual scanners are picking much up at this time.

 

Same issue here. Had an old Windows Server 2003 (I know I know) get infected. Few client machines have a mapped drive from that server. Oddly, it only infected ONE FOLDER within that entire share. I've ran all types of scans on the server itself but haven't found anything. I've restored the files from a backup and deleted the infected folder.

 

Anyone got additional information on this? Really hope I'm not going thru this effort of restoring the files if it's going to happen again. Having a hard time finding the originating party.

no malware was found on pc.  working on restoring files