Fabian Wosar does it again, breaks another ransomware piece

Jan 25, 2016 19:23 GMT  ·  By

The LeChiffre ransomware, which infected the computers of three Indian banks and a pharmaceutical company, causing millions in damages, has been cracked, and a decrypter is now available.

Guilty as always is Emsisoft's Fabian Wosar, who took a closer look at the LeChiffre code after security researchers from Malwarebytes published an initial analysis last Friday.

As Malwarebytes correctly assumed over the weekend, this ransomware family was the work of beginners, and Mr. Wosar, secretly nicknamed "the scourge of all ransomware authors," managed to crack it in less than a day.

More victims around the world, not just three Indian banks

As more information surfaced, it became apparent that the malware wasn't only used in attacks against Indian companies, as initially reported; other victims in Brazil and Russia were also unfortunate enough to have had a close encounter with LeChiffre.

While you may have something to be happy about if you're one of LeChiffre's victims, there are some things to keep in mind when using Mr. Wosar's LeChiffre decrypter.

First and foremost, the decrypter needs to be run on the same computer on which the ransomware encrypted the files. Secondly, the decrypter needs Internet access.

The reason for these conditions is that the ransomware used local system parameters to derive the encryption key, along with an Internet-based API for some other encryption key details.

For the decrypter to properly work, the conditions to generate the encryption key also need to be present and satisfied when running the decrypter.

Only LeChiffre ransomware v2.6 can be unlocked (for now)

There's one more catch. The decrypter currently works for LeChiffre ransomware version 2.6 alone. Users who had their files locked by other versions of the ransomware will probably need to ask for support.

Fortunately for everyone, Mr. Wosar is willing to help: "I only looked into that one yet. If there are more versions out there, chances are the decrypter needs to be adjusted for them. I can and will do that, but I will need the malware file."

You can download the decrypter application for version 2.6 of the LeChiffre ransomware from Emsisoft's website, and if you need any help running it, or you're infected with another version of the ransomware, you can ask for assistance on this Bleeping Computer support topic for LeChiffre victims.

The decrypter for LeChiffre ransomware victims

LeChiffre ransom note