LeChiffre Ransomware

What is LeChiffre Ransomware?

LeChiffre Ransomware is a recently discovered ransomware-type Trojan that encrypts your personal files and can give its operator full control of your computer. It should automatically remove itself after encrypting your files, but the person in control of it might decide to leave it in place, so you should delete its executable if it remains after the encryption is complete. The goal is to extort money from you by offering a decryption key that you can only get after paying the ransom. This ransomware uses strong encryption algorithms that cannot be cracked using third-party software. However, we urge you not to pay the ransom, as these hackers will only continue to make money off infecting users with ransomware.

Where does LeChiffre Ransomware come from?

LeChiffre is Russian-made ransomware, but it is not distributed using fictitious advertisements, email spam, or any other commonly used method. Usually, ransomware is put into a self-extracting archive that kicks in once you try to open it, but LeChiffre Ransomware is different. It is a simple executable file that the hacker runs manually after gaining access to the computer by some other method. The cyber criminals may use a backdoor to place this ransomware onto your PC or upload it by physically being at your computer’s controls. Regardless of how it infects your computer, you will be in serious trouble if it does, so let us elaborate on that.

How does LeChiffre Ransomware work?

As mentioned at the beginning, this ransomware is set to encrypt your personal files. For example, it affects file formats such as *.doc, *.xls, and *.jpg. During the encryption process, this malware adds an extension (.LeChiffre) to the files and drops two additional files in each directory where a file has been encrypted. These two files are titled _How to decrypt LeChiffre files.html and _secret_code.txt. The file _How to decrypt LeChiffre files.html reads:

Your important files (photos, videos, documents, archives, databases, backups, etc.) which were crypted with the strongest military cipher RSA1024 and AES. No one can`t help you to restore files without our decoder. Photorec, RannohDecryptor, etc repair tools are useless and can destroy your files irreversibly. If you want to restore files - send e-mail to decrypt.my.files@gmail.com with the file "_secret_code.txt" and 1-2 encrypted files less than 5 MB as *.doc *.xls *.jpg, but not database (*.900 *.001 etc). Please use public mail yahoo or gmail.

Unfortunately, the truth is that files encrypted with the RSA 1024 and AES 256 ciphers cannot be decrypted using third-party software because doing so requires the decryption key. This decryption key is likely to be generated locally, since the whole encryption process does not require an Internet connection. The other file, titled _secret_code.txt, contains a code that you have to send to get the correct decryption key.

It must be mentioned that LeChiffre Ransomware also creates a backdoor to secretly control your computer from a remote location. It replaces the sethc.exe file found in C:\Windows\system32\ with cmd.exe. Because sethc.exe is the Sticky Keys program that Windows starts when the SHIFT key is pressed five times, pressing SHIFT five times gives the hacker instant access to your computer through a command prompt. Furthermore, once the encryption process has been initiated, this ransomware connects to a remote server and obtains your current geographical location by querying api.sypexgeo.net.

How to remove LeChiffre Ransomware?

All in all, LeChiffre Ransomware is poorly made ransomware that lacks a robust distribution method that would make it profitable. However, its RSA and AES encryption algorithms are the real deal, and they can do irreversible damage to your personal files. Paying the ransom is not a viable option since you might not receive the decryption key at all. Therefore, we recommend scanning your computer using SpyHunter to detect LeChiffre’s executable, provided that it did not self-remove after the encryption. However, you will have to fix the backdoor manually by running the built-in file repair program, so please consult the instructions provided below.

Repair damaged system files

  1. Press Ctrl+Shift+Esc to open Task Manager.
  2. Click File and select Run new task.
  3. Type cmd in the Create New Task window.
  4. Check the Create this task with administrative privileges box.
  5. Once the Command Prompt window is open, type sfc /scannow.
  6. System File Checker will verify the integrity of all system files.
  7. Restart the computer if sfc /scannow repaired the corrupted file.
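
To confirm the repair and see which folders were hit, the indicators described above can be checked with a short script. This is an added example, not part of the original article or of any removal tool: the function names and default paths are assumptions, and it only checks whether sethc.exe is byte-identical to cmd.exe and where .LeChiffre files or the two dropped note files exist.

```python
import hashlib
import os
from pathlib import Path

# Indicators taken from the article text; compared case-insensitively.
ENCRYPTED_EXT = ".lechiffre"
NOTE_NAMES = {"_how to decrypt lechiffre files.html", "_secret_code.txt"}


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sethc_replaced(system32):
    """True if sethc.exe is byte-identical to cmd.exe (the Sticky Keys backdoor)."""
    sethc = Path(system32) / "sethc.exe"
    cmd = Path(system32) / "cmd.exe"
    if not (sethc.is_file() and cmd.is_file()):
        return False  # nothing to compare on this host
    return sha256_of(sethc) == sha256_of(cmd)


def find_affected_dirs(root):
    """Map each directory under root to its .LeChiffre file count and notes found."""
    affected = {}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        lowered = [name.lower() for name in files]
        encrypted = sum(name.endswith(ENCRYPTED_EXT) for name in lowered)
        notes = sorted(NOTE_NAMES.intersection(lowered))
        if encrypted or notes:
            affected[dirpath] = {"encrypted": encrypted, "notes": notes}
    return affected


if __name__ == "__main__":
    # Assumed defaults: standard Windows install path and the current user's profile.
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    print("sethc.exe is a copy of cmd.exe:", sethc_replaced(system32))
    for folder, hits in find_affected_dirs(Path.home()).items():
        print(folder, hits)
```

Run it with a 64-bit Python on 64-bit Windows; a 32-bit interpreter is redirected from System32 to SysWOW64 and would compare the wrong files.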