LeChiffre is a ransomware that we have been seeing in our forums since June 2015, but we were unable to acquire a sample until recently. This is because the LeChiffre ransomware is not distributed via the usual means, such as Trojan downloaders, exploit kits, or email, but rather by being manually installed on hacked servers. When the malware developers hack a server via Remote Desktop or Terminal Services, they manually run the executable to encrypt the data and then remove all traces of the program when they leave.
It wasn't until recently that Hasherezade of Malwarebytes was able to acquire a sample and perform an analysis of it. This analysis showed that the ransomware was not very sophisticated but rather a simple client that the malware developers would run on a hacked server to encrypt the data files and leave a ransom note.
Once the hackers were done encrypting the drives, they would clean up behind themselves and wait for the payment to come in.
When the program encrypted a data file it would append the .lechiffre extension to the filename and generate a ransom note called _How to decrypt LeChiffre files.html in the encrypted file's folder. These ransom notes contain information about what happened to the victim's data and the firstname.lastname@example.org email address that can be used to get payment instructions. An interesting offer in the ransom note is that if a victim does not need their files immediately, they can wait 6 months and get them back for free.
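As an added illustration (not part of the original article or Emsisoft's tool), the following read-only triage script uses the two markers described above, the .lechiffre extension and the ransom note filename, to inventory affected folders before a decryptor is run. The sample directory tree is constructed, and case-insensitive matching of the extension is an assumption made for Windows filesystems.

```python
import os
import tempfile
from pathlib import Path

# Markers the write-up describes: encrypted files carry this extension and a
# ransom note with this exact name is dropped into each affected folder.
LECHIFFRE_EXT = ".lechiffre"
RANSOM_NOTE = "_How to decrypt LeChiffre files.html"

def original_name(filename):
    """Strip the appended extension to recover the pre-encryption filename."""
    if filename.lower().endswith(LECHIFFRE_EXT):  # assumption: case-insensitive
        return filename[: -len(LECHIFFRE_EXT)]
    return filename

def triage_lechiffre(root):
    """Read-only walk of `root`; returns {relative folder: details} for every
    folder containing encrypted files or the ransom note. Nothing is modified."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = sorted(f for f in files if f.lower().endswith(LECHIFFRE_EXT))
        note_present = RANSOM_NOTE in files
        if encrypted or note_present:
            report[os.path.relpath(dirpath, root)] = {
                "encrypted": encrypted,
                "originals": [original_name(f) for f in encrypted],
                "note_present": note_present,
            }
    return report

def summarize(report):
    """Totals a responder wants first, plus folders holding encrypted files
    without the expected note (worth a closer look before running a decryptor)."""
    return {
        "folders": len(report),
        "files": sum(len(v["encrypted"]) for v in report.values()),
        "missing_note": sorted(k for k, v in report.items()
                               if v["encrypted"] and not v["note_present"]),
    }

def build_sample_tree():
    """Constructed sample tree (not real victim data) so the triage runs offline."""
    root = Path(tempfile.mkdtemp(prefix="lechiffre_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "budget.xlsx.lechiffre").write_bytes(b"\x00" * 16)
    (root / "docs" / RANSOM_NOTE).write_text("<html>ransom note</html>")
    (root / "photos").mkdir()
    (root / "photos" / "trip.jpg.LeChiffre").write_bytes(b"\x00" * 16)
    return str(root)
```

Run `summarize(triage_lechiffre(r"C:\"))` on an affected server to get a folder and file count before decryption, and keep the returned report as the incident record.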
Hasherezade was gracious enough to share a sample with the security community and when Fabian Wosar of Emsisoft analyzed it he discovered a vulnerability that could allow him to build a free decryptor for it. More information about this vulnerability can be found in this post and instructions on how to use the decryptor can be found below.
If you are infected with the LeChiffre ransomware, simply download decrypt_lechiffre.exe from the following link and save it on your desktop:
Once you have downloaded the executable, double-click on it to launch the program. When the program starts, you will be presented with a UAC prompt as shown below. Please click on the Yes button to proceed.
You will then be presented with a license agreement, on which you must click Yes to continue. You will now see the main LeChiffre Decrypter screen.
To decrypt the C:\ drive, click on the Decrypt button. If there are other drives or folders you wish to decrypt that are not listed, you can click on the Add Folder button to add other folders that contain encrypted files. Once you have added all the folders you wish to decrypt, click on the Decrypt button to begin the decryption process. Once you click Decrypt, the LeChiffre Decrypter will decrypt all the encrypted files and display the decryption status in a results screen like the one below.
Most of your files should now be decrypted. If you need any help using this tool, you can ask in the LeChiffre Ransomware Support Topic.