LeChiffre Ransomware decryption

McAfee labs recently publish a decryption tool for ransomware named LeChiffree. This ransomware is low profile which is spread through spam or downloaded by malware.

McAfee has found two version of this malware where both types use the same algorithm to encrypt their files i.e. Blowfish. This ransomware calculates two MD5s using a computer name, current system date, currently user login name and the constant string. The first MD5 is calculated on a string that is the concatenated output of a constant string, computer name, and system date. The second MD5 is retrieved from the user name and a constant string. These two MD5s are appended with the version string of the malware. Then the malware calculates the SHA1 on the resulted string and appends 12 bytes of FFh to the SHA1 value.

The constant string for the first and the second versions:

  1. LXAi48XxK9ig6gD351BA0ACF3A661B3E3AA
  2. dDcLXlen2Dg0gpuV9XZ4hYBR6wrwe55izm24Id

The algorithm follows:
MD5_1 = MD5(constant string + computer name + current date)
MD5_2 = MD5(user name + constant string)
SHA1_key = SHA1(version string + MD5_1 + MD5_2)
Blowfish_key = SHA1_key + (12 bytes of FFh)

To decrypt the encrypted files without deleting the .LeChiffre files, use the following syntax:

  • LeChiffreDecrypt.exe “directory_path”

To decrypt the encrypted files and delete the .Lechiffre files, use the following syntax:

  • LeChiffreDecrypt.exe /delete “directory_path”

The log file LeChiffreDecryptionLog_{random number}.txt will be generated with the results of the decryption in the same directory where the tool has been run, or in the temp directory of the system if it has no write access in the current directory. The decryption tool can be downloaded here.

Manish Dangol

Leave a Reply

Your email address will not be published. Required fields are marked *