LeChiffre Ransomware Support & Help Topic (.lechiffre extension)


284 replies to this topic

#46 Nando182

Nando182
  • Topic Starter

  • Members
  • 9 posts

Posted 24 January 2016 - 11:02 AM

Nice guys :)




#47 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  • Security Developer
  • 743 posts

Posted 24 January 2016 - 11:35 AM

The two variants I looked into are definitely decryptable. Will provide a decrypter sometime later today or tomorrow.


Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#48 chaospinhead

chaospinhead

  • Members
  • 22 posts

Posted 24 January 2016 - 12:02 PM

That is great news.  Can't wait to try it out on the data I saved from my client.



#49 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  • Security Developer
  • 743 posts

Posted 24 January 2016 - 12:14 PM

That is great news.  Can't wait to try it out on the data I saved from my client.

 

You will have to run the decrypter on the same system that was originally infected. The key depends on a couple of system parameters like computer name, user name and the system's location according to http://api.sypexgeo.net/xml


Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#50 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  • Security Developer
  • 743 posts

Posted 25 January 2016 - 11:11 AM

I finished the LeChiffre decrypter today. Since the way the decrypter works is not based on some oversight or flaw, you will get some extra information for a change:
 
LeChiffre encrypts files using Blowfish. It will encrypt the first 8192 bytes of a file and, if the file is bigger than 16999 bytes, also the last 8192 bytes of the file. The key for the encryption is generated based on a hardcoded string as well as various system information. A key for version 2.6, which is the only version that the decrypter officially supports right now, will look like this:
 
V2.6DE:7258EB949705F8F9B9205DD285496E18574EC6DE1812E1BDA37FC868C5055284
 
The first part is a hardcoded string indicating the version of the malware. This is followed by the ISO code of the country the victim's machine is located in. This ISO code is extracted from http://api.sypexgeo.net/xml. The malware will take the last ISO code listed, which usually is the one in the <country> section. If for some reason the malware could not get an ISO code, it will fall back to EN. Next follows a colon and an MD5 hash over a string that is made up of a static part "dDcLXlen2Dg0gpuV9XZ4hYBR6wrwe55izm24Id", followed by the computer's name as well as the current date in the format dd.mm.yy. The last part is again an MD5 hash over a string that is made up of the current user's name followed by the static string "dDcLXlen2Dg0gpuV9XZ4hYBR6wrwe55izm24Id".
 
To encrypt a file, the malware will hash the generated key string using SHA-1. The first 16 bytes of the resulting SHA-1 hash are then used as a Blowfish key. Encryption is performed using CBC mode with 8 zero bytes as the initial IV. Before the actual blocks are being encrypted however, the malware will encrypt the generated SHA-1 digest buffer. This will essentially change the state of the IV used for the rest of the encryption based on the generated password.
 
For you as a victim this means the following:

  • Since the encryption is based on system parameters, you have to perform the decryption on the same system and the same user. You can't decrypt files encrypted on one system on a different system, unless you make sure both username and computer name of both systems are identical.
     
  • The decrypter will need internet access in order to perform the same query as the malware to obtain the ISO code. I usually try not to do any network connections in my decrypters, but in this case it's unavoidable. So if your firewall screams about the decrypter trying to access the internet, it is not because I try to steal your hidden porn stash, but because it has to get part of the decryption key from an online service. The communication is not encrypted. So feel free to check the communication out using Wireshark.
     
  • The V2.6 suggests there are more versions out there. I only looked into that one yet. If there are more versions out there, chances are the decrypter needs to be adjusted for them. I can and will do that, but I will need the malware file. You can usually find a copy of the malware file under "C:\$Recycle.Bin\sunset.jpg". Without that file, there is nothing I can do for you and you will have to wait until I eventually get hold of it from another victim.

You can download the LeChiffre decrypter for version 2.6 here:
 
http://emsi.at/DecryptLeChiffre
 
The decrypter will keep encrypted files it attempted to decrypt for safety reasons. So you will need enough free storage for all the extra copies. If you don't have enough storage capacity, you can disable that behaviour in the options.
 
In all circumstances I strongly advise you to test it on a couple of sample files first before letting it run on your entire drive.
 
As a general rule I don't accept any donations for my work. If you feel thankful and want to throw some money at something, I suggest investing into a proper backup solution. Personally I am using CrashPlan. However, there are a lot of different solutions out there. Pick one that you feel comfortable with. If you are unsure, I am sure the helpful users in this amazing community will love to help you out picking one that fits your needs and requirements. If you want to spend even more money, I am sure the polar bears would appreciate your help. I know one polar bear in particular that would be very thankful.   :wink:
 
As always, please ask if you run into any issues. Keep in mind that I do have a rather busy day job, so I may not reply right away. So please be patient. 


Edited by Fabian Wosar, 28 January 2016 - 05:46 AM.

Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com
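The key derivation described in the post above, reconstructed in Python as an added example (this is not code from the thread or from the Emsisoft decrypter). The `<iso>` tag name for the geo-lookup response, uppercase hex for the MD5 parts, UTF-8 string encoding and the sample host/user values are assumptions, not taken from the post.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import date

STATIC = "dDcLXlen2Dg0gpuV9XZ4hYBR6wrwe55izm24Id"   # hardcoded string quoted in the post
VERSION_TAG = "V2.6"
FIRST_CHUNK = 8192       # bytes encrypted at the start of every file
TAIL_THRESHOLD = 16999   # above this size the last 8192 bytes are encrypted too

# Constructed sample of a geo-lookup response; the <iso> tag name is an
# assumption about the api.sypexgeo.net XML layout, not taken from the post.
SAMPLE_GEO_XML = """<?xml version="1.0" encoding="utf-8"?>
<ip>
  <city><iso></iso><name_en>Munich</name_en></city>
  <region><iso>DE-BY</iso><name_en>Bavaria</name_en></region>
  <country><iso>DE</iso><name_en>Germany</name_en></country>
</ip>"""

def pick_iso_code(xml_text: str) -> str:
    """Last non-empty ISO code in document order (usually <country>); EN if none."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "EN"
    codes = [e.text.strip() for e in root.iter("iso") if e.text and e.text.strip()]
    return codes[-1] if codes else "EN"

def md5_upper(text: str) -> str:
    # Uppercase hex and UTF-8 are assumptions that match the look of the sample key.
    return hashlib.md5(text.encode("utf-8")).hexdigest().upper()

def build_key_string(iso: str, computer_name: str, user_name: str, day: date) -> str:
    """V2.6 + ISO + ':' + MD5(static|computer|dd.mm.yy) + MD5(user|static); day = encryption date, not today."""
    part1 = md5_upper(STATIC + computer_name + day.strftime("%d.%m.%y"))
    part2 = md5_upper(user_name + STATIC)
    return f"{VERSION_TAG}{iso}:{part1}{part2}"

def blowfish_key(key_string: str) -> bytes:
    """The first 16 bytes of SHA-1(key string) are used as the Blowfish key."""
    return hashlib.sha1(key_string.encode("utf-8")).digest()[:16]

def encrypted_ranges(file_size: int) -> list:
    """(offset, length) regions the malware encrypts; everything else stays plaintext."""
    if file_size <= 0:
        return []
    ranges = [(0, min(file_size, FIRST_CHUNK))]
    if file_size > TAIL_THRESHOLD:
        ranges.append((file_size - FIRST_CHUNK, FIRST_CHUNK))
    return ranges

def demo_key() -> str:
    """Key string for constructed parameters: host WORKSTATION-01, user alice, 25.01.16."""
    return build_key_string(pick_iso_code(SAMPLE_GEO_XML), "WORKSTATION-01", "alice", date(2016, 1, 25))

print(demo_key(), blowfish_key(demo_key()).hex(), encrypted_ranges(17000))
```

The printed key string has the same 71-character shape as the sample in the post (version tag, ISO code, colon, two 32-character MD5 values), which is a quick way to check that a reconstructed key has all four inputs before trying any decryption.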

#51 Nando182

Nando182
  • Topic Starter

  • Members
  • 9 posts

Posted 25 January 2016 - 01:02 PM

Thank you, Fabian, for your efforts on this. I will share the link on the Brazilian forums.

 

Thank you to all the Bleeping team :)



#52 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  • Security Developer
  • 743 posts

Posted 25 January 2016 - 01:05 PM

Would you mind sharing the link to the thread in the Brazilian forums?


Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#53 Nando182

Nando182
  • Topic Starter

  • Members
  • 9 posts

Posted 25 January 2016 - 01:09 PM

Would you mind sharing the link to the thread in the Brazilian forums?

Here they are:

http://www.linhadefensiva.org/forum/topic/162346-v%C3%ADrus-de-criptografia-lechiffre-estilo-ransomware/

and

http://forum.kaspersky.com/index.php?showtopic=324376&st=0&gopid=2538776&#entry2538776



#54 Nando182

Nando182
  • Topic Starter

  • Members
  • 9 posts

Posted 25 January 2016 - 01:34 PM

WOW, seems that the Kaspersky guys have removed my topic... LOL



#55 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  • Security Developer
  • 743 posts

Posted 25 January 2016 - 03:17 PM

WOW, seems that the Kaspersky guys have removed my topic... LOL

 

That's unfortunately not a big surprise.


Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#56 chaospinhead

chaospinhead

  • Members
  • 22 posts

Posted 25 January 2016 - 08:36 PM

I finished the LeChiffre decrypter today. Since the way the decrypter works is not based on some oversight or flaw, you will get some extra information for a change:
 
LeChiffre encrypts files using Blowfish. It will encrypt the first 8192 bytes of a file and, if the file is bigger than 16999 bytes, also the last 8192 bytes of the file. The key for the encryption is generated based on a hardcoded string as well as various system information. A key for version 2.6, which is the only version that the decrypter officially supports right now, will look like this:
 
V2.6DE:7258EB949705F8F9B9205DD285496E18574EC6DE1812E1BDA37FC868C5055284
 
The first part is a hardcoded string indicating the version of the malware. This is followed by the ISO code of the country the victim's machine is located in. This ISO code is extracted from http://api.sypexgeo.net/xml. The malware will take the last ISO code listed, which usually is the one in the <country> section. If for some reason the malware could not get an ISO code, it will fall back to EN. Next follows a colon and an MD5 hash over a string that is made up of a static part "dDcLXlen2Dg0gpuV9XZ4hYBR6wrwe55izm24Id", followed by the computer's name as well as the current date in the format dd.mm.yy. The last part is again an MD5 hash over a string that is made up of the current user's name followed by the static string "dDcLXlen2Dg0gpuV9XZ4hYBR6wrwe55izm24Id".

 

To encrypt a file, the malware will hash the generated key string using SHA-1. The first 16 bytes of the resulting SHA-1 hash are then used as a Blowfish key. Encryption is performed using CBC mode with 8 zero bytes as the initial IV. Before the actual blocks are being encrypted however, the malware will encrypt the generated SHA-1 digest buffer. This will essentially change the state of the IV used for the rest of the encryption based on the generated password.

 

For you as a victim this means the following:

  • Since the encryption is based on system parameters, you have to perform the decryption on the same system. You can't decrypt files encrypted on one system on a different system, unless you make sure both username and computer name of both systems are identical.
     
  • The decrypter will need internet access in order to perform the same query as the malware to obtain the ISO code. I usually try not to do any network connections in my decrypters, but in this case it's unavoidable. So if your firewall screams about the decrypter trying to access the internet, it is not because I try to steal your hidden porn stash, but because it has to get part of the decryption key from an online service. The communication is not encrypted. So feel free to check the communication out using Wireshark.
     
  • The V2.6 suggests there are more versions out there. I only looked into that one yet. If there are more versions out there, chances are the decrypter needs to be adjusted for them. I can and will do that, but I will need the malware file. You can usually find a copy of the malware file under "C:\$Recycle.Bin\sunset.jpg". Without that file, there is nothing I can do for you and you will have to wait until I eventually get hold of it from another victim.

You can download the LeChiffre decrypter for version 2.6 here:

 
http://emsi.at/DecryptLeChiffre
 
The decrypter will keep encrypted files it attempted to decrypt for safety reasons. So you will need enough free storage for all the extra copies. If you don't have enough storage capacity, you can disable that behaviour in the options.
 
In all circumstances I strongly advise you to test it on a couple of sample files first before letting it run on your entire drive.
 
As a general rule I don't accept any donations for my work. If you feel thankful and want to throw some money at something, I suggest investing into a proper backup solution. Personally I am using CrashPlan. However, there are a lot of different solutions out there. Pick one that you feel comfortable with. If you are unsure, I am sure the helpful users in this amazing community will love to help you out picking one that fits your needs and requirements. If you want to spend even more money, I am sure the polar bears would appreciate your help. I know one polar bear in particular that would be very thankful.   :wink:
 
As always, please ask if you run into any issues. Keep in mind that I do have a rather busy day job, so I may not reply right away. So please be patient. 

 

So, out of sheer curiosity: I am unable to tell which version my client got hit with. There is a file called Sercret_Code.txt which has a long string:

O7tyYGG+3aswAiyFiA50NOz5m/wMJWCXcpCXkVDi+Az08uaUJhhn/cq4jHmjAy0r6/0o3TSlQd8l78poibCaTUPdhD+fXUXgTlS+tI5cNaKDVjSaCJcRZMH8fK/mmiXjlzGWWaiKS0xEK0nfINZVAw/S8TIvB9QEPyIWuVXY74f8zIb2CL5X5eJ3kgjIusGszLF12pttRLhtIO2bsNnF3R/QN9+X+CCSCUykp65/4G7LlquZreHizFmdNgA3yzoz

Does this essentially mean that the version my client had is NOT 2.6, since it doesn't say 2.6 in the first couple of digits? I will check for the sunset.jpg in the recycle bin tomorrow on the very small off chance it is still in there. I tried creating a VM (Win 7, same computer name and same username/pw that was on the server that was hit) and when I ran the decrypter it didn't even show the files unless I picked "All Files", and when I ran it it said unsuccessful, skipping, for all of them, so I'm guessing this is a different version :(



#57 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  • Security Developer
  • 743 posts

Posted 26 January 2016 - 06:29 AM

So, out of sheer curiosity: I am unable to tell which version my client got hit with.

There are no markers or anything that would allow you to determine the version unfortunately.

There is a file called Sercret_Code.txt which has a long string:

O7tyYGG+3aswAiyFiA50NOz5m/wMJWCXcpCXkVDi+Az08uaUJhhn/cq4jHmjAy0r6/0o3TSlQd8l78poibCaTUPdhD+fXUXgTlS+tI5cNaKDVjSaCJcRZMH8fK/mmiXjlzGWWaiKS0xEK0nfINZVAw/S8TIvB9QEPyIWuVXY74f8zIb2CL5X5eJ3kgjIusGszLF12pttRLhtIO2bsNnF3R/QN9+X+CCSCUykp65/4G7LlquZreHizFmdNgA3yzoz

That is the password generated by the malware encrypted with RSA and converted to Base64. Essentially that file is there so you can send it to the malware author so he can decrypt the password for your system. It's not the password I was referring to.

Does this essentially mean that the version my client had is NOT 2.6, since it doesn't say 2.6 in the first couple of digits? I will check for the sunset.jpg in the recycle bin tomorrow on the very small off chance it is still in there. I tried creating a VM (Win 7, same computer name and same username/pw that was on the server that was hit) and when I ran the decrypter it didn't even show the files unless I picked "All Files", and when I ran it it said unsuccessful, skipping, for all of them, so I'm guessing this is a different version :(

Did you possibly download the wrong decrypter? I think for a couple of minutes I had the KeyBTC decrypter linked instead of the LeChiffre decrypter. If that was the case, just redownload the decrypter again from here:

http://emsi.at/DecryptLeChiffre

Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#58 wcutler

wcutler

  • Members
  • 15 posts

Posted 26 January 2016 - 08:32 AM

What do you do about the sethc.exe hack? Do we just remove the sethc.exe file?

 

Leaving a backdoor

Apart from encrypting files on the system, LeChiffre also leaves a backdoor by replacing the file sethc.exe (C:\Windows\system32\sethc.exe) with cmd.exe. Windows runs sethc.exe when the user presses SHIFT 5 times. It can be launched even if no user is logged in to the system (on the log-in screen). By replacing it with any other application, one gains the ability to launch that replacement application without being logged in. By replacing it with cmd.exe, attackers get access to the system command line without knowing a password, and even gain the ability to change the password.



#59 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  • Security Developer
  • 743 posts

Posted 26 January 2016 - 08:36 AM

Running SFC /ScanNow should take care of it.

Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#60 NickBurnsIT

NickBurnsIT

  • Members
  • 2 posts

Posted 26 January 2016 - 10:55 AM

Little question on this.  Fighting this issue on a server I have.  I have run the decrypt program on it, and the files are corrupted when it completes.  I think, the issue is the user account that was used to encrypt them.  This is an AD box, so there are multiple accounts that could have been used.  I tried to look at the owner of the secret.txt file and how to decrypt files, and logged in as them.  Still not working.  Any advice on how to figure out what user name might have been used?
