LeChiffre Ransomware Hits Indian Banks, Pharma Company

Three banks and a pharmaceutical company in India were hit by a malicious attack recently, resulting in their networks being compromised by actors behind the “LeChiffre” ransomware.

LeChiffre is rather new to the threat landscape and quite different from other familes of ransomware that have made it to the headlines recently, such as CryptoWall, TeslaCrypt, Magic, or Ransom32. What sets the new malware apart is the fact that it needs to be run manually on the compromised system to encrypt the user files.

Ransomware is often spread via spam campaigns or exploit kits, but LeChiffre takes a different approach.  LeChiffre developers scan networks for poorly secured, vulnerable Remote Desktops, log in remotely after cracking them, and then manually run an instance of the malware to encrypt files and append the extension “.LeChiffre” to them, Malwarebytes explains in a blog post.

The cybercriminals behind the malware managed to compromise the networks of companies in India and seized control of their computers, demanding a Bitcoin ransom for the decryption keys. According to The Economic Times, the attackers managed to compromise the computers of IT administrators which was used to spread the malware onto other systems.

The LeChiffre ransomware was used in all four cases and attackers demanded a 1 Bitcoin (about $450) ransom for each infected machine, which could translate into a total financial loss of several million dollars for the affected organizations.

Malwarebytes explains that the malware is distributed as a typical Windows executable and that it drops a copy of itself in Recycle Bin, disguised as .jpg file. The ransomware developers have a high level of control over operations, being able to scan drives and encrypt all files or choose only specific files to be encrypted, and that the malware encrypts all available resources, not only local files.

Additionally, the malware leaves a backdoor on the infected systems by replacing sethc.exe (C:Windowssystem32sethc.exe) with cmd.exe. By replacing the sethc.exe file, which is launched when the user presses SHIFT 5 times and can be deployed even on the login screen, attackers can gain access to the machine even without log in credentials, as they simply call cmd.exe and run commands in it remotely.

LeChiffre also grabs data about computer’s geolocation, displays the country code in the left corner of the GUI, and starts communication with a remote server using a simple, HTTP based protocol. In addition to encrypting all data shared in the local network or mapped by RDP or virtual environments, the malware also enumerates all available users and sends data to the Command and Control server.

According to Malwarebytes, LeChiffre “looks very unprofessional,” being written in Delphi and packed by UPX, without countermeasures against analysis, most probably because it was used only after the attackers breached a system. To decrypt their files, victims need to email the attackers some encrypted files and the secret code (that is 128 byte long – base64 encoded) to receive the decryption key.

Security researchers at Emsisoft already managed to come up with a LeChiffre decrypter, after discovering that the malware encrypts only the first 8192 bytes of a file and if the file is bigger than 16999 bytes, and also the last 8192 of the file, using Blowfish. The decryption tool is free to download and will not delete the encrypted files for security reasons, Emsisoft’s Fabian Wosar explains.

Although badly implemented, the ransomware did manage to cause damage and is further proof that ransomware is not going anywhere, just as Wade Williamson, Director of Product Marketing at Vectra Networks, explained in a SecurityWeek column.