Name | LeChiffre |
Type | Crypto-ransomware |
Short Description | Unusual among the bulk of ransomware seen today: rather than spreading to victims and infecting their machines on its own, LeChiffre has to be run manually on the device it infects. |
Encryption | Blowfish key-algorithm, RSA 1024 algorithm. |
Symptoms | Besides encrypting files, it leaves a backdoor on the victim's device by replacing the Windows sethc.exe file. The ransomware's name is French. |
Distribution Method | Scans for poorly secured networks and vulnerable desktops, then breaks into them and gains access to the device. |
More Details |
This ransomware is written in Delphi and packed with UPX. Its encryption routine works like that of other crypto-ransomware, but its mode of infection is entirely different, which is what sets it apart from the rest of its kind. LeChiffre also had a high impact in India. Unlike other ransomware it does not spread through spam emails or exploit kits; instead it is delivered after scanning, and once a weakly secured network or a vulnerable desktop is found, that system is infiltrated and attacked. It demands a ransom of $450, which is somewhat high for ransomware of this type. Encrypted files have their extension changed to .LeChiffre and become inaccessible. It uses a particular encryption technique, the Blowfish key algorithm. Once it has infiltrated a victim it drops a payload so that the ransomware persists even if the system is rebooted after infection. After these steps it scans the victim's device for specifically targeted files and encrypts them, changing the extension of each encrypted file to .LeChiffre. In addition, it leaves a backdoor on the infected device by replacing the Windows sethc.exe file with cmd.exe: when SHIFT is pressed five times, the attacker gains access to that machine without any login credentials. It also collects the geographical location and displays the country code in the left corner of its GUI. It then begins communicating with the remote server over a simple HTTP-based protocol. It encrypts a file by changing some of the bits within it. A sample of an encrypted file is shown below. |
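A defender-side triage check for the two artefacts this entry describes, added here as an example and not part of the original entry or of any analysis tool: it flags files carrying the .LeChiffre extension and detects the sticky-keys backdoor by comparing a hash of sethc.exe against cmd.exe. The System32 path, the function names and the sample file names are assumptions.

```python
import hashlib
import os
from pathlib import Path

# Extension this family appends to encrypted files, compared case-insensitively.
ENCRYPTED_SUFFIX = ".lechiffre"


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def sethc_backdoored(sethc_bytes: bytes, cmd_bytes: bytes) -> bool:
    """True when sethc.exe is byte-identical to cmd.exe, i.e. the sticky-keys
    binary has been swapped for a command shell (the backdoor this family plants)."""
    return sha256_bytes(sethc_bytes) == sha256_bytes(cmd_bytes)


def is_lechiffre_name(name: str) -> bool:
    """True for file names ending in the .LeChiffre extension, in any letter case."""
    return name.lower().endswith(ENCRYPTED_SUFFIX)


def triage(file_names, sethc_bytes: bytes, cmd_bytes: bytes) -> dict:
    """Summarise both indicators for a list of file names and the two binaries."""
    encrypted = sorted(n for n in file_names if is_lechiffre_name(n))
    return {
        "backdoor": sethc_backdoored(sethc_bytes, cmd_bytes),
        "encrypted_files": encrypted,
        "encrypted_count": len(encrypted),
    }


def triage_host(scan_root: str, system32: str = r"C:\Windows\System32") -> dict:
    """Run the same triage on a live Windows host (paths are assumptions)."""
    sethc = Path(system32, "sethc.exe").read_bytes()
    cmd = Path(system32, "cmd.exe").read_bytes()
    names = (os.path.join(d, f) for d, _, fs in os.walk(scan_root) for f in fs)
    return triage(names, sethc, cmd)


if __name__ == "__main__":
    # Constructed sample: a clean sethc.exe differs from cmd.exe, and two
    # documents carry the family's extension.
    sample_names = ["report.docx.LeChiffre", "notes.txt", "photo.jpg.lechiffre"]
    print(triage(sample_names, b"clean sethc", b"cmd shell"))
```

On a real host, call triage_host() against the directory to scan; a "backdoor" value of True means sethc.exe should be restored from a known-good copy and the system treated as compromised.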