SanyaW

QLZWVR_LeChiffre decryption


Hi,

Last week I faced a ransomware issue. It is very similar to the existing LeChiffre, but it cannot be decrypted by the provided tool.


And below is the virus note.


hello.

to recover your files, send any message to:

telegram  messenger: 
https://t.me/isres
@isres
or
email: 
[email protected]

reserve method of communication:
email:
[email protected]
usually the answer is 1-10min. If there is no answer,
check the spam folder or write from another email where there is no spam filtering.

super reserve method of communication:
bitmessage messenger: 
BM-2cTTNY8gzaTxEoPDs9P1jaSRPdit9n8G65
download the messenger: https://bitmessage.org/wiki/Main_Page


in the response, you will receive instructions.

Have a nice day!


Main question:
When were the files encrypted? (The exact date can be seen in the file properties.)

Developers will need several encrypted files and an original ransom note file.

You do not need to change anything in the name and text.


Hi,

The encrypted date/time is in file properties.

I have attached several encrypted files for your reference.

Please let me know if you want more information.

Thank you in advance for your help.

Attached files:

aa.txt.QLZWVR_LeChiffre
Test Access Audit - Update.txt.QLZWVR_LeChiffre
Test Access Audit - Rename.txt.QLZWVR_LeChiffre
HMTh-Automated Email Reminders.ps1.QLZWVR_LeChiffre
log.csv.QLZWVR_LeChiffre
QLZWVR_LeChiffre_ReadMe.txt


OK, wait for the decryption specialist to respond.
Most likely, an original ransomware file will be required to update the Decryptor, if that is possible in this case.

11 minutes ago, SanyaW said:

The encrypted date/time is in file properties.

I'm not just asking for a date, because the file gets today's date when it is downloaded from a message.
I determined the encryption date in another way. It could be June 9th.

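As an added example (not from this thread, Emsisoft, or the decryption specialists), a Python triage script that does what the two posts above ask for: it inventories files carrying this thread's `.QLZWVR_LeChiffre` extension on the affected host, reports the earliest and latest modification times plus a per-day count (copies downloaded from a message would only show the download date, as noted above), locates the `QLZWVR_LeChiffre_ReadMe.txt` note, and selects a few small samples of distinct original file types without renaming anything. The file names, sizes and timestamps in `demo()` are constructed, not victim data.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

ENCRYPTED_SUFFIX = ".QLZWVR_LeChiffre"     # extension appended to files in this thread
NOTE_NAME = "QLZWVR_LeChiffre_ReadMe.txt"  # ransom note file name from this thread


def triage(root, max_samples=5):
    """Inventory encrypted files under `root`. Run this on the affected host:
    copies downloaded from a message carry the download time, not the encryption time."""
    encrypted, notes = [], []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name == NOTE_NAME:
            notes.append(path)
        elif path.is_file() and path.name.endswith(ENCRYPTED_SUFFIX):
            encrypted.append(path)
    mtimes = [datetime.fromtimestamp(p.stat().st_mtime, timezone.utc) for p in encrypted]
    # Prefer small files of distinct original types as samples for the decryptor
    # developers; names are left exactly as found, as the thread requests.
    seen_ext, samples = set(), []
    for p in sorted(encrypted, key=lambda p: p.stat().st_size):
        orig_ext = Path(p.name[: -len(ENCRYPTED_SUFFIX)]).suffix.lower()
        if orig_ext not in seen_ext and len(samples) < max_samples:
            seen_ext.add(orig_ext)
            samples.append(str(p))
    return {
        "encrypted_count": len(encrypted),
        "earliest": min(mtimes).isoformat() if mtimes else None,
        "latest": max(mtimes).isoformat() if mtimes else None,
        "by_day": dict(Counter(t.date().isoformat() for t in mtimes)),
        "notes": [str(n) for n in notes],
        "samples": samples,
    }


def demo():
    """Constructed example tree (not real victim data) with fixed UTC timestamps."""
    root = Path(tempfile.mkdtemp())
    files = {  # name -> (size in bytes, mtime as epoch seconds)
        "aa.txt" + ENCRYPTED_SUFFIX: (40, 1591661000),                              # 2020-06-09
        "log.csv" + ENCRYPTED_SUFFIX: (4000, 1591662000),                           # 2020-06-09
        "HMTh-Automated Email Reminders.ps1" + ENCRYPTED_SUFFIX: (900, 1591750000),  # 2020-06-10
        NOTE_NAME: (300, 1591750500),
    }
    for name, (size, mtime) in files.items():
        (root / name).write_bytes(b"\0" * size)
        os.utime(root / name, (mtime, mtime))
    return triage(root)
```

On a real system, call `triage()` on the data volume's root and include its `earliest`/`latest` output, the note, and the listed samples when replying to the specialists.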

I have no reason to doubt that it is LeChiffre Ransomware, and not one of the imitators, impostors or deceivers, because one of the addresses coincides with those that were seen earlier in 2016-2017.

This is the email: [email protected]

The victims reported here about different variants in 2016-2017. There was one at the beginning of 2020, but without a malware sample it was not possible to decrypt at that time.


Is it possible to decrypt my files? Hopefully I will get lucky, because we also had trouble with our backup system.

20 hours ago, SanyaW said:

Is it possible to decrypt my files? Hopefully I will get lucky, because we also had trouble with our backup system.

Not without a copy of the malware that encrypted your files.

8 minutes ago, GT500 said:

Not without a copy of the malware that encrypted your files.

Hi,

I do not have experience with viruses. Please advise: how can I get the malware?

1 minute ago, SanyaW said:

I do not have experience with viruses. Please advise: how can I get the malware?

Assuming it was run by an attacker that compromised the system via RDP (Remote Desktop) or something similar, then a copy of the malicious program used to encrypt your files probably wasn't left on the system by the attacker. Let's try getting a log from FRST on the affected system and see what it shows. You can find instructions for downloading and running FRST at the following link:
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: If you have Emsisoft Anti-Malware installed then when FRST checks the Windows Firewall settings, Emsisoft Anti-Malware's Behavior Blocker will quarantine it automatically. This can be avoided by clicking "Wait, I think this is safe" in the notification that is displayed while FRST is scanning.


Hi,

Thanks for your information. After running FRST, I found a suspicious file on the suspicious servers: "rdapi.dll"

Is it possible to help me check it?

rdapi.dll


It appears to be a file from a hacking tool called mimikatz. The description on its project page says "It's now well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets."

The tool was probably used after compromising the system.

Can I see the logs from FRST? You can send them to me in a private message.


Sent.

On 6/17/2020 at 6:22 PM, GT500 said:

It appears to be a file from a hacking tool called mimikatz. The description on its project page says "It's now well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets."

The tool was probably used after compromising the system.

Can I see the logs from FRST? You can send them to me in a private message.


Extended Support for Windows Server 2003 ended July 14th, 2003. That means this server has gone for 5 years without monthly security updates. You need to switch to a newer Operating System that still receives regular security updates, or things like this are just going to keep happening (whoever did this knows you have vulnerable equipment now, and if they don't do this again then someone else will figure it out too eventually). I don't care if you go with Windows, Linux, BSD, or something else as long as it's still receiving security updates.

As for the logs, there's nothing that looks like they left behind a copy of the ransomware. The server may still be infected, but I'm really not certain what would run on a 32-bit edition of Windows Server 2003 these days, and I'm not finding much info about some of the odd stuff I'm seeing in the logs.
