Ransomware infections seem to be all the rage nowadays, and the newest addition to the group is called LeChiffre Ransomware. This infection can also be classified as a Trojan because it behaves like one: to put it simply, the malicious program enters your computer pretending to be something else and then wreaks havoc, demanding a ransom. There may be no way to remove LeChiffre Ransomware from your computer, because the infection is said to delete itself once the payload has been unleashed. Therefore, the best way to deal with this severe security threat is prevention.
Normally, ransomware applications are distributed via spam email attachments, which is why we keep emphasizing that users should never open unfamiliar attachments from unknown senders. After all, opening a malicious attachment leads to automatic malware installation. This is where LeChiffre Ransomware differs slightly from its predecessors. It is a manual ransomware application, which means that it has to be installed and run on the target computer by hand. That can be done over a remote desktop connection, so if your system has one enabled, you are at risk of becoming the next victim of the cyber criminals who created this program.
Since a remote connection is essential for delivering the payload, we can assume that LeChiffre Ransomware mostly attacks compromised servers that are easily accessible from the outside. Thus the infection is far more likely to manifest itself on a corporate computer than on a personal one, although there can always be exceptions!
Once your computer’s security has been compromised, the cyber criminal behind this infection needs to run the LeChiffre.exe file on it. The ransomware even has a graphical user interface that appears once the file is run. Since the interface is entirely in Russian, it is easy to see that this is a Russian infection. What’s more, the program is detailed to the point that the person controlling it can use a function in the GUI to select one particular file to encrypt.
Encryption is the main payload of this infection. It comes with a list of file extensions it recognizes and encrypts. Like most ransomware programs, LeChiffre Ransomware appends its own extension to each file it has modified. For example, picture.jpeg would become picture.jpeg.LeChiffre after encryption.
Unlike many other ransomware applications, LeChiffre Ransomware does not lock you out of your computer or display a notification on your desktop. Instead, it drops a file named _How to decrypt LeChiffre files.html into each location it has encrypted, and once you open it you find the following message:
Your important files (photos, documents, archives, databases, backups, etc.) which were crypted with the strongest military cipher RSA1024 and AES. No one can’t help you restore files without our decoder. Photorec, RannohDecryptor, etc repair tools are useless and can destroy your files irreversibly.
The interesting thing is that the infection also claims your files can be decrypted for free within six months if you send its creators a sample of encrypted files and the secret code provided in the message. The way this program operates is therefore highly peculiar.
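The two on-disk indicators described above, the appended .LeChiffre extension and the dropped _How to decrypt LeChiffre files.html note, are enough to scope an incident before any clean-up starts. The following PowerShell script is an added example and is not part of the original article or the malware write-up; the -Root and -ReportPath parameter names and the CSV layout are my own choices. It walks a folder tree, groups the hits by directory and records the write-time window so a responder can see where and roughly when the encryption ran.

```powershell
# Added example, not part of the original article: sweep a folder tree for the two
# on-disk indicators described above, the appended ".LeChiffre" extension and the
# dropped "_How to decrypt LeChiffre files.html" note, and summarise the findings per
# directory so a responder can scope the damage before touching anything.
# -Root and -ReportPath are parameter names chosen for this script.
param(
    [string]$Root = 'C:\',
    [string]$ReportPath = (Join-Path $env:TEMP 'lechiffre-scope.csv')
)

$NoteName = '_How to decrypt LeChiffre files.html'

# Collect candidates in one pass; folders we cannot read are skipped rather than aborting.
$hits = @(Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.LeChiffre' -or $_.Name -eq $NoteName })

if ($hits.Count -eq 0) {
    Write-Host "No LeChiffre indicators found under $Root"
    return
}

$summary = $hits | Group-Object DirectoryName | ForEach-Object {
    $ordered   = @($_.Group | Sort-Object LastWriteTime)
    $encrypted = @($_.Group | Where-Object { $_.Extension -eq '.LeChiffre' })
    [pscustomobject]@{
        Directory      = $_.Name
        EncryptedFiles = $encrypted.Count
        NotePresent    = [bool]($_.Group | Where-Object { $_.Name -eq $NoteName })
        # The write-time window of the hits gives a rough timeline of the encryption run.
        FirstWrite     = $ordered[0].LastWriteTime
        LastWrite      = $ordered[-1].LastWriteTime
        # Original names are recoverable by stripping the appended extension.
        Originals      = ($encrypted | ForEach-Object { $_.Name -replace '\.LeChiffre$', '' }) -join ';'
    }
}

$summary | Sort-Object FirstWrite | Export-Csv -Path $ReportPath -NoTypeInformation
$summary | Format-Table Directory, EncryptedFiles, NotePresent, FirstWrite -AutoSize
Write-Host ("{0} encrypted files in {1} directories; report written to {2}" -f `
    ($summary | Measure-Object EncryptedFiles -Sum).Sum, @($summary).Count, $ReportPath)
```

Run it read-only first (it only reads metadata and writes the CSV) and keep the report: the Originals column tells you which files need restoring from backup, and the FirstWrite column, correlated with remote desktop logon events, helps establish when the attacker was on the machine.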
We have mentioned that LeChiffre Ransomware deletes itself after the encryption, but there is something else you should worry about. The ransomware leaves a backdoor in your system by replacing the sethc.exe file in the C:\Windows\system32 directory with cmd.exe. This allows a remote attacker to access your system and modify it with administrator privileges.
That is definitely something you should be worried about, but there is a way to prevent hackers from gaining system administrator rights. The backdoor is triggered when the Shift key on the affected computer is pressed five times, so disabling Sticky Keys may buy you some time. Then run the Command Prompt with administrator rights and scan your system for system file errors. Please follow the instructions provided below to do that.
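The two steps above, confirming that sethc.exe has been swapped for cmd.exe and then disabling the Sticky Keys hotkey, can be done from one elevated PowerShell session (PowerShell 4 or later, for Get-FileHash). The script below is an added example and is not part of the original article; the hash and version-resource checks, the registry edits and the -RepairSystemFiles switch are my own. The Flags value 510 is the documented default for the Sticky Keys registry key and 506 is the same value with the hotkey bit cleared; sfc /scannow is the standard Windows tool for checking and restoring protected system files.

```powershell
# Added example, not part of the original article: check whether the Sticky Keys
# binary has been swapped for the command processor, as described above, and switch
# off the five-presses-of-Shift hotkey so the backdoor cannot be triggered while the
# machine is being cleaned. Run from an elevated PowerShell session.
# The checks and registry edits are my own; -RepairSystemFiles is a switch added here
# that runs the standard "sfc /scannow" system file scan afterwards.
param([switch]$RepairSystemFiles)

$sys32 = Join-Path $env:SystemRoot 'System32'
$sethc = Join-Path $sys32 'sethc.exe'
$cmd   = Join-Path $sys32 'cmd.exe'

function Test-SethcReplaced {
    # Two independent signals: sethc.exe hashing identical to cmd.exe (a straight copy),
    # or its version resource identifying it as cmd.exe (a copy from another build).
    # A genuine sethc.exe is described as "Accessibility shortcut keys".
    $sethcHash = (Get-FileHash -Algorithm SHA256 -Path $sethc).Hash
    $cmdHash   = (Get-FileHash -Algorithm SHA256 -Path $cmd).Hash
    $item      = Get-Item -Path $sethc
    $info      = $item.VersionInfo

    [pscustomobject]@{
        Path             = $sethc
        SameHashAsCmd    = ($sethcHash -eq $cmdHash)
        OriginalFilename = $info.OriginalFilename
        FileDescription  = $info.FileDescription
        LooksLikeCmd     = ($info.OriginalFilename -like 'cmd.exe*' -or
                            $info.FileDescription -like '*Command Processor*')
        LastWriteTime    = $item.LastWriteTime
    }
}

function Disable-StickyKeysHotkey {
    # Flags is a REG_SZ; 510 is the default and 506 clears the "hotkey active" bit, so
    # pressing Shift five times no longer launches sethc.exe. HKU\.DEFAULT governs the
    # logon screen, where a replaced sethc.exe would run before anyone signs in;
    # HKCU covers the currently signed-in user.
    $keys = @(
        'Registry::HKEY_USERS\.DEFAULT\Control Panel\Accessibility\StickyKeys',
        'HKCU:\Control Panel\Accessibility\StickyKeys'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name Flags -Value '506' -Type String
    }
}

$result = Test-SethcReplaced
$result | Format-List

if ($result.SameHashAsCmd -or $result.LooksLikeCmd) {
    Write-Warning 'sethc.exe appears to have been replaced with cmd.exe; disabling the Sticky Keys hotkey.'
    Disable-StickyKeysHotkey
} else {
    Write-Host 'sethc.exe does not look like cmd.exe; no hotkey change made.'
}

# SFC restores protected system files, including a tampered sethc.exe, from the
# component store. It needs an elevated session and can take a while.
if ($RepairSystemFiles) {
    & (Join-Path $sys32 'sfc.exe') /scannow
}
```

Disabling the hotkey only removes the trigger; the attacker's copy of cmd.exe is still sitting where sethc.exe belongs until the system file scan (or a restore from known-good media) puts the original back, which is why the script reports the file's LastWriteTime as well: that timestamp is a useful anchor when you go through remote desktop logon records to work out how the machine was accessed in the first place.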
Finally, scan your computer with a powerful antispyware application to be absolutely sure that you have no other malicious programs on board. Should you have any further questions or comments, you are always welcome to contact us.
How to Disable Sticky Keys
Repair System Files