Earlier this month, the ransomware infected three Indian banks and a pharmaceutical company, demanding one bitcoin per compromised computer and reportedly causing millions of dollars in damage.
LeChiffre is not a typical ransomware: it runs only when launched manually. The attacker infiltrated each company's network and then extended his access to other computers through unprotected Remote Desktop ports.
Once he gained access to a computer, the hacker would download the ransomware from his server and then double-click it to start the encryption process.
LeChiffre encrypts the first and last 8192 bytes of each file with AES and then appends the encryption key to the file as a 32-byte blob. The ransomware is written in Delphi, and its interface is in Russian.
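Because only the ends of each file are touched, affected files have a distinctive shape: a high-entropy head and tail around an untouched middle, plus a 32-byte trailer. The following triage script is an added example (not code from the article or from any tool it mentions) that flags files matching that layout and carves the trailing blob for an analyst; the entropy thresholds and the sample fixtures are my assumptions.

```python
import math
import os
from collections import Counter

HEAD_TAIL = 8192  # bytes encrypted at each end of a file (per the article)
BLOB_LEN = 32     # size of the blob appended to each file (per the article)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniformly random data approaches 8.0, plain text sits near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_file(data: bytes, high: float = 7.0, low: float = 6.0) -> dict:
    """Split a file into head / middle / tail / trailer using the LeChiffre layout
    and report whether it matches: high-entropy ends, lower-entropy middle.
    Files too small to hold head + tail + blob are reported as non-matching;
    files with no plaintext middle left to compare are reported as inconclusive."""
    if len(data) < 2 * HEAD_TAIL + BLOB_LEN:
        return {"matches": False, "reason": "too small for head+tail+blob layout"}
    body, blob = data[:-BLOB_LEN], data[-BLOB_LEN:]
    head, middle, tail = body[:HEAD_TAIL], body[HEAD_TAIL:-HEAD_TAIL], body[-HEAD_TAIL:]
    if not middle:
        return {"matches": False, "reason": "no untouched middle to compare against"}
    h_head, h_mid, h_tail = (shannon_entropy(x) for x in (head, middle, tail))
    matches = h_head > high and h_tail > high and h_mid < low
    return {
        "matches": matches,
        "head_entropy": round(h_head, 2),
        "middle_entropy": round(h_mid, 2),
        "tail_entropy": round(h_tail, 2),
        # the trailer is carved as-is for offline analysis; nothing is done with it here
        "candidate_blob_hex": blob.hex() if matches else None,
    }


def build_samples() -> dict:
    """Constructed fixtures, not real LeChiffre output: a low-entropy text file and a
    copy whose ends are replaced by random bytes with a 32-byte trailer, mimicking
    only the byte layout described in the article."""
    clean = b"Quarterly report: revenue figures and notes.\n" * 800  # ~36 KB
    affected = (os.urandom(HEAD_TAIL) + clean[HEAD_TAIL:-HEAD_TAIL]
                + os.urandom(HEAD_TAIL) + os.urandom(BLOB_LEN))
    return {"clean": clean, "affected": affected}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, triage_file(blob))
```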
“LeChiffre looks very unprofessional; practically no countermeasures against analysis have been taken, but still it has managed to cause damage.”
Here is the LeChiffre message displayed after the files have been encrypted: