LeChiffre Ransomware Support & Help Topic (.lechiffre extension)


284 replies to this topic

#1 Nando182

Posted 02 June 2015 - 05:31 PM

Hello everyone, 
 
There are some attacks occurring in Brazil, and the "hackers" are using ransomware software to encrypt files and change the file extensions. The file extensions are being changed to .LeChiffre, and the "hackers" are requesting bitcoins in order to send a password to unzip an .exe that will decrypt the files.

A person has paid the bitcoin and has shared the .exe that decrypts the files. I will attach the files for anyone who wants to try to reverse engineer it and make a generic decrypter for this kind of situation.

Inside the attached file:
_secret_code.txt -> the code that the victim receives
DeLeChiffre.rar -> the decrypter, which is protected by a password
DSC_7926.JPG.LeChiffre -> an encrypted file
password SC SRL.txt -> the password sent to the victim who has paid

I was not infected by this Trojan, but a friend was.
 
Thanks


#2 Grinler

    Lawrence Abrams

  • Admin

Posted 03 June 2015 - 02:12 PM

Thank you for the sample. Does your friend know how they became infected? If they have the sample that infected them, please have them submit it to http://www.bleepingcomputer.com/submit-malware.php?channel=3

I have deleted the attachment that was on your post to protect others.

#3 quietman7

    Bleepin' Janitor

  • Global Moderator

Posted 03 June 2015 - 02:13 PM

The BC staff has advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 Nando182

  • Topic Starter

Posted 05 June 2015 - 09:37 PM

Hello, 

 

His server got hacked, unfortunately we do not have the infected files.. :(

 

Thank you guys



#5 lross94


Posted 15 January 2016 - 05:40 PM

I just today came across a ransomware infection with the extension .lechiffre appended to the files.  I have been searching for some info on this variant and am not finding anything.  Does anyone on here know anything about the ransomware variant?



#6 Demonslay335

    Ransomware Hunter

  • Security Colleague

Posted 15 January 2016 - 05:43 PM

I found this topic from June of someone reporting this: http://www.bleepingcomputer.com/forums/t/578220/ransomware-lechiffre/

Not finding anything about a way to decrypt it yet.

 

I would submit a sample to the malware channel with a link to this topic. An encrypted file and, if you have one, a dropper or malicious file would probably be handy.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#7 lross94


Posted 15 January 2016 - 05:52 PM

I haven't found a dropper or malicious file yet. Ran Malwarebytes on two computers with encrypted files and came up empty. Ran Autoruns looking for suspicious activity and came up empty there too. I thought I had the entry point computer for the infection narrowed down, but like I said Malwarebytes came up empty. Any other thoughts on tools to use to find the source? I run a rebranded version of Bitdefender across my networks and it didn't catch it initially and so far hasn't found it in a rescan of the environment. Where do I submit the encrypted file sample? I would be happy to do that.



#8 Demonslay335

    Ransomware Hunter

  • Security Colleague

Posted 15 January 2016 - 05:57 PM

http://www.bleepingcomputer.com/submit-malware.php?channel=3

 

Any ransom notes? I'm not finding a whole lot of reputable information on it either, so I can't point you to any particular spots to check other than the usual %TEMP%, %APPDATA%, and %LOCALAPPDATA% for any suspicious-looking files, usually random in name.

 

How many computers are connected, and were they mapped to each other? You should be able to see the owner of the modified files to see who got hit with the actual malware.




#9 lross94


Posted 15 January 2016 - 06:10 PM

Well, what got hit was a file share on a server. That server is a VM and I currently have it shut down. I am copying all of the VM files off of the host server. I want to protect the ones that aren't encrypted yet. Once I get those copied off I will fire up that file server again and look around and see if I can find any of the things you mentioned above. I scanned that file server with Malwarebytes hoping to find an infected file or something, but it came back clean after the scan. I also scanned the Hyper-V host server but it came back clean too. Hopefully, I will find something that I can submit.



#10 quietman7

    Bleepin' Janitor

  • Global Moderator

Posted 15 January 2016 - 06:17 PM

I have merged this topic with the one where this infection was first reported to make it easier for our staff to provide any possible assistance. There is very little information available on this particular ransomware and only a few reports.

#11 Demonslay335

    Ransomware Hunter

  • Security Colleague

Posted 15 January 2016 - 06:21 PM

I would mount the virtual hard disk (.vhd file) to safely inspect the files without booting the VM. You should be able to use Disk Management and attach a VHD, and it'll show up as any regular drive in Explorer. It will be totally harmless as long as you don't double-click any executable files.

 

 

Thanks quietman7. I was confused when I was denied permission to the topic, then saw it disappear. I saw you looking at the topic and figured you were doing your magic. :P


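The two triage steps suggested in posts #8 and #11 (attach the virtual disk without booting the VM, then read the owner of the encrypted files), sketched as an added PowerShell example that is not part of the original thread. `$VhdPath` is a placeholder for a copy of the file server's virtual disk, and owners appear as raw SIDs if the analysis machine cannot resolve the accounts.

```powershell
# Added example, not from the thread. Run elevated on an analysis machine,
# against a COPY of the file server's virtual disk.
param(
    [Parameter(Mandatory)] [string] $VhdPath,   # placeholder: path to the copied .vhd/.vhdx
    [string] $Extension = '.LeChiffre'          # extension reported in this topic
)

# Attach read-only so timestamps and ACLs on the disk are not altered.
Mount-DiskImage -ImagePath $VhdPath -Access ReadOnly | Out-Null
try {
    # Drive roots of every partition on the attached disk that received a letter.
    $roots = Get-DiskImage -ImagePath $VhdPath | Get-Disk | Get-Partition |
        Where-Object { $_.DriveLetter -match '[A-Za-z]' } |
        ForEach-Object { "$($_.DriveLetter):\" }

    # Every encrypted file with its NTFS owner and last write time.
    $hits = foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -ieq $Extension } |
            ForEach-Object {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Owner     = (Get-Acl -LiteralPath $_.FullName).Owner
                    LastWrite = $_.LastWriteTime
                }
            }
    }

    # One row per owner, earliest first: which account wrote the files, and when.
    $hits | Group-Object Owner | ForEach-Object {
        $sorted = @($_.Group | Sort-Object LastWrite)
        [pscustomobject]@{
            Owner = $_.Name
            Files = $_.Count
            First = $sorted[0].LastWrite
            Last  = $sorted[-1].LastWrite
        }
    } | Sort-Object First | Format-Table -AutoSize

    # Executables under per-user AppData (Temp, Roaming, Local) on the mounted disk.
    foreach ($root in $roots) {
        Get-ChildItem -Path (Join-Path $root 'Users\*\AppData') -Recurse -File -Force `
                -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
            Sort-Object CreationTime -Descending |
            Select-Object -First 25 FullName, CreationTime, Length |
            Format-Table -AutoSize
    }
}
finally {
    Dismount-DiskImage -ImagePath $VhdPath | Out-Null
}
```

If the owner column shows only an administrators group, the First and Last times still bound the window to compare against logon and file-share access logs.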


#12 wcutler


Posted 18 January 2016 - 11:04 AM

A client got hit with this over the weekend. Seems like it was able to find other shared folders on other servers that were not mapped. Running Malwarebytes now on it.



#13 ScubaSteve3


Posted 18 January 2016 - 12:14 PM

They must have made a push this weekend. Got hit on one of our servers as well. None of the usual scanners are picking much up at this time.



#14 dr2i4ve


Posted 18 January 2016 - 12:49 PM

They must have made a push this weekend. Got hit on one of our servers as well. None of the usual scanners are picking much up at this time.

 

Same issue here. Had an old Windows Server 2003 (I know, I know) get infected. A few client machines have a mapped drive from that server. Oddly, it only infected ONE FOLDER within that entire share. I've run all types of scans on the server itself but haven't found anything. I've restored the files from a backup and deleted the infected folder.

Anyone got additional information on this? Really hope I'm not going through this effort of restoring the files if it's going to happen again. Having a hard time finding the originating party.



#15 wcutler


Posted 18 January 2016 - 12:50 PM

No malware was found on PC. Working on restoring files.





