DNZ77

*****_LeChiffre variant

Hello, we found all our servers encrypted by (it seems) a new LeChiffre variant a few days ago. I've tried three different decryptors, but none worked.

I've tried renaming the extension from .QWERTY_lechiffre to .lechiffre, and your decryptor found the infected files and "almost" recovered them. By "almost" I mean I can open them, for example an xlsx, but some of it is legible and some isn't.

I've contacted them via Telegram and they sent me the decryptor, but it is in a password-protected RAR (obviously the password will come after the payment). If it can be of any use to you, I can upload a few files, the ransom note and the compressed decryptor.

 

Thanks.

22 hours ago, chango said:

We have the same problem, how did you solve it?

As far as I am aware, there is no way to decrypt files that have been encrypted by this ransomware.


Hi,

we have the same problem. The customer's servers were encrypted today. I attached a message from the attacker and a sample file. We are looking for malware (exe file).

==========================================

Message:

hello.

to recover your 7OMWNW_LeChiffre files, send any message to:

telegram  messenger: 
https://t.me/isres
@isres
or
email: 
[email protected]

reserve method of communication:
email:
[email protected]
usually the answer is 1-10min. If there is no answer,
check the spam folder or write from another email where there is no spam filtering.

super reserve method of communication:
bitmessage messenger: 
BM-2cTTNY8gzaTxEoPDs9P1jaSRPdit9n8G65
download the messenger: https://bitmessage.org/wiki/Main_Page


in the response, you will receive instructions.

Have a nice day!

===========================

Do you have any news for us?

Thank you very much.

7OMWNW_LeChiffre_ReadMe.txt lsasetup.log.7OMWNW_LeChiffre


Technically we have a decrypter for older versions of this ransomware, however I am seeing reports that it does not work with newer variants. You can download the decrypter at this link.

Trend Micro also has a ransomware decrypter that may support older versions of this ransomware as well, however I have also heard reports that it doesn't work with newer versions either. More information is available at this link.

Feel free to try the decrypters, however I don't expect either of them will work.

If you know where the ransomware came from, we need a copy of the malicious file that infected the computer and encrypted the files in order to see what has changed so that we know whether or not we can update our decrypter.

Malicious/dangerous files can be uploaded to VirusTotal and the link to the analysis can be posted here. Please don't upload such files to file sharing networks and post the links here, as we don't want others to be able to download the files (mistakes happen and we'd hate for someone to accidentally encrypt their files).

On 9/24/2020 at 6:46 AM, GT500 said:

Technically we have a decrypter for older versions of this ransomware, however I am seeing reports that it does not work with newer variants. You can download the decrypter at this link.

Trend Micro also has a ransomware decrypter that may support older versions of this ransomware as well, however I have also heard reports that it doesn't work with newer versions either. More information is available at this link.

Feel free to try the decrypters, however I don't expect either of them will work.

If you know where the ransomware came from, we need a copy of the malicious file that infected the computer and encrypted the files in order to see what has changed so that we know whether or not we can update our decrypter.

Malicious/dangerous files can be uploaded to VirusTotal and the link to the analysis can be posted here. Please don't upload such files to file sharing networks and post the links here, as we don't want others to be able to download the files (mistakes happen and we'd hate for someone to accidentally encrypt their files).

Hello.

We got a decryption tool. Is it useful for you to have a sample of an encrypted file and this decryption tool for possible development of your own general decryptor?

5 hours ago, Skori said:

Hello.

We got a decryption tool. Is it useful for you to have a sample of an encrypted file and this decryption tool for possible development of your own general decryptor?

It won't tell us as much as the ransomware itself would, however it might be worth looking at. Feel free to ZIP the files and attach them to a reply here on the forums.

And yes, it would be best to have at least one file pair (if not two or three) just in case we need them during analysis.
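
One way to collect the file pairs requested above, as an added example that is not part of the original thread or of any vendor tool. It assumes a clean backup tree that mirrors the encrypted tree's layout; `find_file_pairs`, `sha256_of` and the directory names are hypothetical, and the suffix pattern is generalised from the two file names quoted in this thread.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Suffix shape generalised (assumption) from the two names quoted in this
# thread: "lsasetup.log.7OMWNW_LeChiffre" and ".QWERTY_lechiffre".
SUFFIX_RE = re.compile(r"\.([A-Za-z0-9]+)_lechiffre$", re.IGNORECASE)


def sha256_of(path):
    """Hash a file in 1 MiB chunks so large server files are not read whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_file_pairs(encrypted_root, backup_root):
    """Match each encrypted file to the same relative path in a clean backup."""
    pairs = []
    for enc in sorted(Path(encrypted_root).rglob("*")):
        match = SUFFIX_RE.search(enc.name)
        if not enc.is_file() or match is None or match.start() == 0:
            continue  # directories, ransom notes, names that are only a suffix
        rel_dir = enc.relative_to(encrypted_root).parent
        original = Path(backup_root) / rel_dir / enc.name[: match.start()]
        if not original.is_file():
            continue  # no known-good copy, so not usable as a pair
        pairs.append({
            "variant_id": match.group(1),
            "encrypted": enc,
            "original": original,
            "size_delta": enc.stat().st_size - original.stat().st_size,
            "encrypted_sha256": sha256_of(enc),
            "original_sha256": sha256_of(original),
        })
    return pairs


if __name__ == "__main__":
    # Constructed sample tree; contents are placeholders, not real samples.
    with tempfile.TemporaryDirectory() as tmp:
        enc, bak = Path(tmp, "encrypted"), Path(tmp, "backup")
        enc.mkdir(); bak.mkdir()
        (bak / "lsasetup.log").write_bytes(b"constructed original")
        (enc / "lsasetup.log.7OMWNW_LeChiffre").write_bytes(b"\x00" * 36)
        (enc / "7OMWNW_LeChiffre_ReadMe.txt").write_text("constructed note")
        for pair in find_file_pairs(enc, bak):
            print(pair["variant_id"], pair["size_delta"], pair["original"].name)
```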