SecurityWeek

Malware & Threats

LeChiffre Ransomware Hits Indian Banks, Pharma Company

Three banks and a pharmaceutical company in India were hit by a malicious attack recently, resulting in their networks being compromised by actors behind the “LeChiffre” ransomware.


LeChiffre is relatively new to the threat landscape and quite different from other families of ransomware that have made headlines recently, such as CryptoWall, TeslaCrypt, Magic, or Ransom32. What sets the new malware apart is that it must be run manually on the compromised system to encrypt the user's files.

Ransomware is often spread via spam campaigns or exploit kits, but LeChiffre takes a different approach. The LeChiffre developers scan networks for poorly secured, vulnerable Remote Desktop services, log in remotely after cracking the credentials, and then manually run an instance of the malware to encrypt files and append the “.LeChiffre” extension to them, Malwarebytes explains in a blog post.

The cybercriminals behind the malware managed to compromise the networks of companies in India and seized control of their computers, demanding a Bitcoin ransom for the decryption keys. According to The Economic Times, the attackers compromised the computers of IT administrators, which were then used to spread the malware onto other systems.

The LeChiffre ransomware was used in all four cases and attackers demanded a 1 Bitcoin (about $450) ransom for each infected machine, which could translate into a total financial loss of several million dollars for the affected organizations.

Malwarebytes explains that the malware is distributed as a typical Windows executable and that it drops a copy of itself in the Recycle Bin, disguised as a .jpg file. The ransomware operators have a high level of control over the process: they can scan drives and encrypt all files or choose only specific files to be encrypted, and the malware encrypts all available resources, not only local files.

Additionally, the malware leaves a backdoor on the infected systems by replacing sethc.exe (C:\Windows\system32\sethc.exe) with cmd.exe. Because sethc.exe is launched when the user presses SHIFT five times, and can be triggered even on the login screen, replacing it lets attackers gain access to the machine without login credentials: they simply invoke what is now cmd.exe and run commands in it remotely.
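The sethc.exe swap described above leaves a simple artifact on disk: the accessibility binary becomes byte-identical to cmd.exe. As an added example, not code from the article or from Malwarebytes, the following Python check hashes both files under a given system32 directory and flags the match. The sample directory it builds is constructed from placeholder bytes so the script runs offline; on a live Windows host you would point it at C:\Windows\System32 instead. The list of binaries to check is an assumption of this example (only sethc.exe is named in the article) and can be extended by the caller.

```python
import hashlib
import os
import tempfile

# Only sethc.exe is named in the article; the tuple is a parameter so a
# defender can add other accessibility binaries they want to monitor.
DEFAULT_ACCESSIBILITY_BINARIES = ("sethc.exe",)


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_accessibility_binaries(system32_dir, names=DEFAULT_ACCESSIBILITY_BINARIES):
    """Flag accessibility binaries whose content is byte-identical to cmd.exe.

    Returns a list of (name, sha256) tuples for every file in `names` whose
    hash equals that of cmd.exe in the same directory, i.e. the sticky-keys
    swap described in the article. Files that do not exist are skipped, and
    a missing cmd.exe yields no findings at all.
    """
    cmd_path = os.path.join(system32_dir, "cmd.exe")
    if not os.path.isfile(cmd_path):
        return []
    cmd_hash = sha256_of(cmd_path)
    findings = []
    for name in names:
        candidate = os.path.join(system32_dir, name)
        if os.path.isfile(candidate) and sha256_of(candidate) == cmd_hash:
            findings.append((name, cmd_hash))
    return findings


def build_sample_system32(swapped):
    """Create a constructed, throwaway directory that mimics system32.

    The file contents are placeholder bytes, not real Windows binaries.
    When `swapped` is True, sethc.exe is written as an exact copy of cmd.exe,
    which is the condition the check is meant to detect.
    """
    d = tempfile.mkdtemp(prefix="sys32_sample_")
    cmd_bytes = b"MZ placeholder: cmd.exe"
    sethc_bytes = cmd_bytes if swapped else b"MZ placeholder: sethc.exe"
    with open(os.path.join(d, "cmd.exe"), "wb") as f:
        f.write(cmd_bytes)
    with open(os.path.join(d, "sethc.exe"), "wb") as f:
        f.write(sethc_bytes)
    return d


if __name__ == "__main__":
    # Replace the constructed sample with r"C:\Windows\System32" on a real host.
    for swapped in (False, True):
        sample = build_sample_system32(swapped)
        label = "swapped" if swapped else "clean"
        print(label, "->", check_accessibility_binaries(sample))
```

A hash comparison against cmd.exe catches the exact swap the article describes; it will not catch a replacement with some other binary, so on a managed fleet the same function is better paired with a baseline of known-good hashes for the accessibility binaries.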

LeChiffre also collects data about the computer's geolocation, displays the country code in the left corner of its GUI, and starts communicating with a remote server over a simple, HTTP-based protocol. In addition to encrypting all data shared on the local network or mapped via RDP or virtual environments, the malware enumerates all available users and sends that data to the Command and Control server.


According to Malwarebytes, LeChiffre “looks very unprofessional,” being written in Delphi and packed with UPX, with no countermeasures against analysis, most probably because it is only run after the attackers have already breached a system. To decrypt their files, victims must email the attackers some encrypted files together with the secret code (128 bytes long, base64 encoded) to receive the decryption key.

Security researchers at Emsisoft have already come up with a LeChiffre decrypter, after discovering that the malware uses Blowfish to encrypt only the first 8192 bytes of a file, plus the last 8192 bytes if the file is bigger than 16999 bytes. The decryption tool is free to download and, for safety reasons, does not delete the encrypted files, Emsisoft's Fabian Wosar explains.
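The partial-encryption layout Emsisoft describes has a practical consequence for incident response: everything between the encrypted head and tail of a large file is still plaintext. As an added example, not code from the article, Emsisoft, or the decrypter, the following Python helper turns those two numbers (8192 bytes, 16999-byte threshold) into the byte ranges that are encrypted and those that survive intact, and runs the triage over a constructed sample file. The treatment of files shorter than 8192 bytes (encrypted in full) is an assumption of this example, since the article does not say what happens to them.

```python
import os
import tempfile

HEAD_BYTES = 8192        # first 8192 bytes are encrypted (from the article)
TAIL_THRESHOLD = 16999   # files bigger than this also have their tail encrypted
TAIL_BYTES = 8192        # last 8192 bytes, when the threshold is exceeded


def encrypted_ranges(size):
    """Return the [start, end) byte ranges LeChiffre encrypts in a file of `size` bytes.

    Assumption not stated in the article: a file shorter than HEAD_BYTES is
    treated as encrypted in full. For size > TAIL_THRESHOLD the tail range
    starts at size - 8192 > 8807, so head and tail never overlap.
    """
    if size <= 0:
        return []
    ranges = [(0, min(size, HEAD_BYTES))]
    if size > TAIL_THRESHOLD:
        ranges.append((size - TAIL_BYTES, size))
    return ranges


def intact_ranges(size):
    """Complement of encrypted_ranges(): the plaintext left untouched."""
    intact = []
    cursor = 0
    for start, end in encrypted_ranges(size):
        if start > cursor:
            intact.append((cursor, start))
        cursor = end
    if cursor < size:
        intact.append((cursor, size))
    return intact


def triage_file(path):
    """Summarise how much of an encrypted file is still readable plaintext."""
    size = os.path.getsize(path)
    intact = intact_ranges(size)
    intact_bytes = sum(end - start for start, end in intact)
    return {
        "size": size,
        "encrypted": encrypted_ranges(size),
        "intact": intact,
        "intact_fraction": intact_bytes / size if size else 0.0,
    }


def make_sample(size):
    """Constructed sample: a file of filler bytes with the .LeChiffre extension.

    No real encryption is applied; the file only stands in for a victim
    file of the given size so the range arithmetic can be exercised.
    """
    fd, path = tempfile.mkstemp(suffix=".LeChiffre")
    with os.fdopen(fd, "wb") as f:
        f.write(b"A" * size)
    return path


if __name__ == "__main__":
    for size in (5000, 16999, 17000, 20000, 1_000_000):
        print(size, triage_file(make_sample(size)))
```

For a one megabyte file the intact fraction is above 98 percent, which is why carving the middle of large encrypted files (for example, database or archive files whose format tolerates a damaged header) can be worthwhile even before a decrypter is available.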

Although badly implemented, the ransomware did manage to cause damage and is further proof that ransomware is not going anywhere, just as Wade Williamson, Director of Product Marketing at Vectra Networks, explained in a SecurityWeek column.
