Ransoms were paid for the banks' top managers

Jan 24, 2016 22:33 GMT

An unknown hacker has breached the computer systems of three banks and a pharmaceutical company and infected most of their computers with crypto-ransomware.

The incident took place at the start of January, all companies were located in India, and the hacker(s) used the LeChiffre ransomware family to encrypt files on the infected computers.

LeChiffre is a hand-cranked ransomware

LeChiffre is not your typical ransomware and works only if launched into execution manually. The hacker managed to infiltrate the networks of all companies, and then escalated his access to other computers via unprotected Remote Desktop ports.

Once he gained access to a computer, the hacker would download the ransomware from his server and then double-click it to start the encryption process.

According to Malwarebytes, a cyber-security vendor that took a closer look at how the ransomware works, LeChiffre encrypts only the first and last 8192 bytes of each file and then appends the encryption key to the file as a 32-byte blob. The encryption is AES.
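As an added example, not code from the article or from Malwarebytes' analysis: a small Python triage heuristic that checks a file against the layout described above and reports how much plaintext survives. It assumes the description literally (an encrypted 8192-byte head and tail, a 32-byte appended blob, the middle left untouched); the entropy threshold and the sample file are constructed for the demo.

```python
"""Triage heuristic for the partial-encryption layout described above."""
import hashlib
import math
from collections import Counter

BLOCK = 8192          # bytes encrypted at each end of the file, per the article
TRAILER = 32          # appended blob, per the article
HIGH_ENTROPY = 7.5    # bits/byte; constructed threshold for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum, reached only by uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze(blob: bytes) -> dict:
    """Split a suspect file into head / middle / tail / trailer and score each part."""
    if len(blob) < 2 * BLOCK + TRAILER:
        return {"matches_layout": False, "reason": "too small for assumed layout"}
    body, trailer = blob[:-TRAILER], blob[-TRAILER:]
    head, middle, tail = body[:BLOCK], body[BLOCK:-BLOCK], body[-BLOCK:]
    h_head, h_mid, h_tail = (shannon_entropy(p) for p in (head, middle, tail))
    # Encrypted ends look random; an untouched middle keeps its plaintext entropy.
    matches = h_head >= HIGH_ENTROPY and h_tail >= HIGH_ENTROPY and h_mid < HIGH_ENTROPY
    return {
        "matches_layout": matches,
        "head_entropy": round(h_head, 2),
        "middle_entropy": round(h_mid, 2),
        "tail_entropy": round(h_tail, 2),
        "trailer_hex": trailer.hex(),              # the appended blob, for the case file
        "plaintext_bytes_remaining": len(middle) if matches else 0,
    }


def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler from SHA-256 (stands in for ciphertext)."""
    out = bytearray()
    for counter in range(n // 32 + 1):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return bytes(out[:n])


def build_sample(total: int) -> bytes:
    """Constructed file mimicking the described layout; not a real sample."""
    line = b"Quarterly ledger row; amount=1234.56; status=OK\n"
    plain = (line * (total // len(line) + 1))[:total]
    return (_pseudo_random(BLOCK, b"head") + plain[BLOCK:-BLOCK]
            + _pseudo_random(BLOCK, b"tail") + _pseudo_random(TRAILER, b"trailer"))
```

For a 40000-byte file built this way, the middle 23616 bytes remain readable, which is why carving content out of such files is worth attempting before any payment is considered.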

Malwarebytes also says the ransomware is written in Delphi, and that its interface is in Russian.

"LeChiffre looks very unprofessional [...] practically, no countermeasures against analysis have been taken," says Hasherezade, security analyst for Malwarebytes.

"It can be justified by the fact that this ransomware was not intended to be distributed in [a] campaign, only used by attackers after they entered the system," the analyst also added. "However, poorly implemented encryption and model of communication with victims (via e-mail), shows that this malware has been prepared lazily, probably by beginners."

LeChiffre caused millions in damages

Victims infected with LeChiffre have to contact the ransomware's author via an email address shown in the ransom message. The standard ransom payment is 1 Bitcoin (approximately $400 / €370 today's price) per computer.

As India Times reports, the hacker managed to infect so many computers that total damages are running into millions of dollars. At this moment, the same publication reports that ransoms were paid only for some top executives.

In September 2015, two Middle East hackers also breached two Indian companies, stole data, and then successfully blackmailed them for $5 million each, threatening to release private files to the government, files which would have involved the companies in illegal activities.

UPDATE: A decrypter has been made available. Victims of this ransomware can decode their files.

[Image: LeChiffre ransom note]
[Image: Crypto-ransomware affects three Indian banks]