SecurityWeek

LeChiffre Ransomware Hits Indian Banks, Pharma Company

Three banks and a pharmaceutical company in India were hit by a malicious attack recently, resulting in their networks being compromised by actors behind the “LeChiffre” ransomware.

LeChiffre is rather new to the threat landscape and quite different from other families of ransomware that have made it to the headlines recently, such as CryptoWall, TeslaCrypt, Magic, or Ransom32. What sets the new malware apart is the fact that it needs to be run manually on the compromised system to encrypt the user files.

Ransomware is often spread via spam campaigns or exploit kits, but LeChiffre takes a different approach. LeChiffre developers scan networks for poorly secured, vulnerable Remote Desktops, log in remotely after cracking them, and then manually run an instance of the malware to encrypt files and append the extension “.LeChiffre” to them, Malwarebytes explains in a blog post.

The cybercriminals behind the malware managed to compromise the networks of companies in India and seized control of their computers, demanding a Bitcoin ransom for the decryption keys. According to The Economic Times, the attackers managed to compromise the computers of IT administrators, which were then used to spread the malware onto other systems.

The LeChiffre ransomware was used in all four cases and attackers demanded a 1 Bitcoin (about $450) ransom for each infected machine, which could translate into a total financial loss of several million dollars for the affected organizations.

Malwarebytes explains that the malware is distributed as a typical Windows executable and that it drops a copy of itself in the Recycle Bin, disguised as a .jpg file. The ransomware operators have a high level of control over the operation: they can scan drives and encrypt all files, or choose only specific files to be encrypted, and the malware encrypts all available resources, not only local files.

Additionally, the malware leaves a backdoor on the infected systems by replacing sethc.exe (C:\Windows\system32\sethc.exe) with cmd.exe. Because sethc.exe is launched when the user presses SHIFT five times, and can be triggered even on the login screen, replacing it lets attackers gain access to the machine without login credentials: they simply invoke what is now cmd.exe and run commands in it remotely.
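The sethc.exe swap described above leaves a simple, checkable trace on disk: the accessibility helper becomes a byte-for-byte copy of cmd.exe. The following detection check is an added example written for this article, not code from SecurityWeek, Malwarebytes or the malware; it hashes the accessibility binaries in a System32 directory and reports any that are identical to cmd.exe. Only sethc.exe is named in the article; the other accessibility binaries in the list are an assumption based on the same launch-from-logon-screen mechanism. The demo builds a constructed mock System32 folder with placeholder bytes rather than real Windows files.

```python
import hashlib
import os
import tempfile

# Added defender-side check for the sticky-keys style backdoor described in the
# article. Replacing sethc.exe with cmd.exe makes the two files hash identically;
# a genuine sethc.exe is a small accessibility helper and never matches cmd.exe.

# sethc.exe is the only binary named in the article; the rest are an assumption,
# listed because each can be launched from the logon screen in the same way.
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe")


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, streamed so large binaries are handled cheaply."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_replaced_accessibility_binaries(system32_dir: str) -> list:
    """Names of accessibility binaries in system32_dir whose contents equal cmd.exe.

    An empty list means none of the checked binaries has been swapped for cmd.exe.
    """
    cmd_path = os.path.join(system32_dir, "cmd.exe")
    if not os.path.isfile(cmd_path):
        return []
    cmd_hash = sha256_of(cmd_path)
    replaced = []
    for name in ACCESSIBILITY_BINARIES:
        path = os.path.join(system32_dir, name)
        if os.path.isfile(path) and sha256_of(path) == cmd_hash:
            replaced.append(name)
    return replaced


def build_demo_system32(replace_sethc: bool) -> str:
    """Create a constructed mock System32 directory in a temp folder.

    The files hold placeholder bytes, not real Windows binaries; only the
    equal/not-equal relation between sethc.exe and cmd.exe matters here.
    """
    d = tempfile.mkdtemp(prefix="mock_system32_")
    fake_cmd = b"MZ placeholder standing in for cmd.exe\n" * 50
    fake_sethc = b"MZ placeholder standing in for sethc.exe\n" * 20
    fake_utilman = b"MZ placeholder standing in for utilman.exe\n" * 20
    with open(os.path.join(d, "cmd.exe"), "wb") as f:
        f.write(fake_cmd)
    with open(os.path.join(d, "sethc.exe"), "wb") as f:
        # In the backdoored case sethc.exe is literally a copy of cmd.exe.
        f.write(fake_cmd if replace_sethc else fake_sethc)
    with open(os.path.join(d, "utilman.exe"), "wb") as f:
        f.write(fake_utilman)
    return d


if __name__ == "__main__":
    for backdoored in (False, True):
        d = build_demo_system32(replace_sethc=backdoored)
        print(f"backdoored={backdoored}: replaced={find_replaced_accessibility_binaries(d)}")
```

On a live host the call would be `find_replaced_accessibility_binaries(r"C:\Windows\System32")`. The check only catches a straight file replacement; a variant that achieves the same effect through a different binary or an Image File Execution Options debugger setting would need a separate registry check, so treat a clean result as one signal rather than proof of absence.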

LeChiffre also grabs data about the computer’s geolocation, displays the country code in the left corner of the GUI, and starts communication with a remote server using a simple, HTTP-based protocol. In addition to encrypting all data shared in the local network or mapped by RDP or virtual environments, the malware also enumerates all available users and sends data to the Command and Control server.

According to Malwarebytes, LeChiffre “looks very unprofessional,” being written in Delphi and packed by UPX, without countermeasures against analysis, most probably because it was used only after the attackers breached a system. To decrypt their files, victims need to email the attackers some encrypted files and the secret code (that is 128 byte long – base64 encoded) to receive the decryption key.

Security researchers at Emsisoft already managed to come up with a LeChiffre decrypter, after discovering that the malware encrypts only the first 8192 bytes of a file using Blowfish and, if the file is bigger than 16999 bytes, also the last 8192 bytes of the file. The decryption tool is free to download and will not delete the encrypted files for security reasons, Emsisoft’s Fabian Wosar explains.
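The partial-encryption layout Emsisoft describes has a practical consequence for incident responders: for anything much larger than 16 KB, most of the file is still plaintext and can be carved without the key. The following triage helper is an added example for this article, not Emsisoft’s decrypter or any code from the malware; it computes which byte ranges are ciphertext for a given file size and how much intact data remains. It assumes the encrypted file keeps its original length (no trailer appended), which the article does not confirm, and the sample files it writes are constructed placeholders.

```python
import os
import tempfile

# Layout reported by Emsisoft, as summarised in the article.
HEAD_BYTES = 8192        # the first 8192 bytes are always encrypted
TAIL_THRESHOLD = 16999   # files larger than this also get their tail encrypted
TAIL_BYTES = 8192        # size of that encrypted tail
EXTENSION = ".LeChiffre"  # appended to every encrypted file


def encrypted_ranges(size: int) -> list:
    """Byte ranges [(start, end)] (end exclusive) that are ciphertext for a file of this size."""
    if size <= 0:
        return []
    ranges = [(0, min(HEAD_BYTES, size))]
    if size > TAIL_THRESHOLD:
        # size > 16999 guarantees size - 8192 > 8192, so head and tail never overlap.
        ranges.append((size - TAIL_BYTES, size))
    return ranges


def triage(path: str) -> dict:
    """Summarise an encrypted file: ciphertext ranges and how much plaintext survives.

    Assumption (labelled in the lead-in): the on-disk size equals the original size.
    """
    size = os.path.getsize(path)
    ranges = encrypted_ranges(size)
    encrypted = sum(end - start for start, end in ranges)
    return {
        "name": os.path.basename(path),
        "has_extension": path.endswith(EXTENSION),
        "size": size,
        "encrypted_ranges": ranges,
        "encrypted_bytes": encrypted,
        "intact_bytes": size - encrypted,
    }


def carve_intact_bytes(path: str) -> bytes:
    """Return the bytes outside the encrypted ranges, i.e. what is recoverable with no key."""
    size = os.path.getsize(path)
    ranges = encrypted_ranges(size)
    out = bytearray()
    cursor = 0
    with open(path, "rb") as f:
        data = f.read()
    for start, end in ranges:
        out += data[cursor:start]
        cursor = end
    out += data[cursor:]
    return bytes(out)


def make_sample(size: int, directory: str) -> str:
    """Write a constructed placeholder file of the given size with the ransomware extension."""
    path = os.path.join(directory, f"sample_{size}.txt{EXTENSION}")
    with open(path, "wb") as f:
        f.write(b"A" * size)
    return path


if __name__ == "__main__":
    d = tempfile.mkdtemp(prefix="lechiffre_triage_")
    for size in (5000, 12000, 17000, 1_000_000):
        print(triage(make_sample(size, d)))
```

The last line of output makes the point: a 1 MB file loses only 16 KB to encryption, so log files, exports and similar text data are largely readable even before the decrypter is run, while anything under 8 KB is entirely ciphertext.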

Although badly implemented, the ransomware did manage to cause damage and is further proof that ransomware is not going anywhere, just as Wade Williamson, Director of Product Marketing at Vectra Networks, explained in a SecurityWeek column.
