LeChiffre virus. How to remove? (Uninstall guide)
LeChiffre ransomware strikes again
LeChiffre ransomware was first spotted last year, and security experts managed to produce a decryption tool for it. It did not take the authors long to devise a newer version. Continuing a popular trend, the malware is named after Le Chiffre (French for “the cipher”), the villain of Casino Royale, Ian Fleming's first James Bond novel. The franchise has inspired more than one cyber criminal: another example is the Petya ransomware, which has since switched to the GoldenEye name[1]. Besides the title, the virus also uses an elaborate encryption scheme. Once it gets into the victim's system, it locates the user's personal files (documents, music, videos, audio files and so on) and encrypts them with the AES algorithm[2]. Only the first and last 8192 bytes of each file are encrypted, after which a 32-byte key blob is appended to the file. The encrypted files become unusable, but there is no need to give in to distress. The first thing you need to do is remove LeChiffre.
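Because only the head and tail of each file are encrypted, a responder can tell at a glance which files still carry untouched content in the middle. The script below is an added example written for this article, not code from the ransomware or from any vendor: it carves a file into head / middle / tail / blob using the 8192-byte and 32-byte figures quoted above, measures the byte entropy of each region, and reports how many middle bytes were never touched. The sample files it creates are constructed stand-ins (random bytes in place of real AES output); the `.lechiffre` extension is the one reported later on this page.

```python
import math
import os
import tempfile
from collections import Counter

# Layout reported on this page: only the first and last 8192 bytes of a file are
# AES-encrypted and a 32-byte key blob is appended. ".lechiffre" is the extension
# the article reports for the newer version.
HEAD_LEN = 8192
TAIL_LEN = 8192
BLOB_LEN = 32
EXTENSION = ".lechiffre"


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_file(path: str) -> dict:
    """Carve one file into head / middle / tail / blob according to the layout above
    and report per-region entropy plus the number of untouched middle bytes."""
    with open(path, "rb") as fh:
        data = fh.read()
    body, blob = data[:-BLOB_LEN], data[-BLOB_LEN:]
    # Files shorter than head + tail are encrypted end to end; nothing survives in the middle.
    untouched = max(0, len(body) - HEAD_LEN - TAIL_LEN)
    head = body[:HEAD_LEN]
    middle = body[HEAD_LEN:HEAD_LEN + untouched]
    tail = body[HEAD_LEN + untouched:]
    return {
        "size": len(data),
        "has_extension": path.lower().endswith(EXTENSION),
        "head_entropy": round(shannon_entropy(head), 2),
        "middle_entropy": round(shannon_entropy(middle), 2),
        "tail_entropy": round(shannon_entropy(tail), 2),
        "blob_len": len(blob),
        "recoverable_middle_bytes": untouched,
    }


def make_sample(directory: str, plaintext_len: int, name: str) -> str:
    """Write a CONSTRUCTED stand-in for an encrypted document: repetitive text whose
    head and tail are overwritten with random bytes (standing in for AES output),
    plus a random 32-byte blob. It is not a real LeChiffre sample."""
    text = b"".join(b"Quarterly report, line %05d\r\n" % i for i in range(2000))[:plaintext_len]
    if plaintext_len <= HEAD_LEN + TAIL_LEN:
        body = os.urandom(plaintext_len)  # small file: "encrypted" end to end
    else:
        body = os.urandom(HEAD_LEN) + text[HEAD_LEN:plaintext_len - TAIL_LEN] + os.urandom(TAIL_LEN)
    path = os.path.join(directory, name + EXTENSION)
    with open(path, "wb") as fh:
        fh.write(body + os.urandom(BLOB_LEN))
    return path


def demo() -> dict:
    """Triage one large and one small constructed file and return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        large = triage_file(make_sample(tmp, 40000, "report.docx"))
        small = triage_file(make_sample(tmp, 5000, "memo.txt"))
    return {"large": large, "small": small}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

On a real machine, call `triage_file` on every `*.lechiffre` file. Where `recoverable_middle_bytes` is large and `middle_entropy` is low (plain text, CSV, log files), the body of the document is still readable by carving it out; container formats such as docx, zip or most image types keep their headers in the first 8192 bytes, so they usually stay unusable even though most of their bytes were never encrypted.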
After the encryption process is finished, the malware leaves a ransom note on the infected computer, usually as a .html or .txt file. Here is what it states:
Your important files […] which were crypted with the strongest military cipher RSA1024 and AES. No one can help you to restore files without our decoder, Photorec, RannohDecryptor […] repair tools are useless and can destroy your files irreversibly. If you want to restore files – send an e-mail to […] You will receive decrypted samples and our conditions how you’ll get decoder. Follow the instructions to send payment.
If you see this note, LeChiffre ransomware has attacked your computer. We do not recommend paying the ransom[3]: cyber criminals cannot be trusted, and there is no guarantee that they will make any effort to help you get the files back. Besides, a decryptor for this ransomware already exists (unfortunately it works only on LeChiffre version 2.6, though it may be updated in the future). You can also restore your files if you have backup copies[4]. In that case, all you need to do is remove LeChiffre from your computer with a removal tool (for example, Reimage) and then import your files from the backup drive. Keep backups on an EXTERNAL drive that is disconnected when not in use, because ransomware can reach mapped network shares and synced cloud storage and encrypt the files stored there too.
Update, January 2017: the virus remains active
Since it appeared in mid-summer last year, the authors have not left the ransomware market; the virus has been developed continuously. Small businesses running several servers are the preferred target. The operators brute-force the credentials of Internet-facing Remote Desktop services, log in, and then use that foothold to run the ransomware on the server and on every computer linked to it. Files the virus corrupts are marked with the .lechiffre extension. Because the newer version relies on password guessing, anyone who protects remote access with a standard weak password such as “password123”[5] makes it easy for the attackers to get into the server remotely and download the main ransomware payload. Use long, unique passwords (a password manager helps), do not expose Remote Desktop directly to the Internet, and enable account lockout so that guessing attempts are limited.
Distributing LeChiffre virus
Security experts note that LeChiffre is not a typical ransomware: in most cases it is not spread by a mass campaign but planted by hand over different channels, so it should not be underestimated. A while ago, the LeChiffre operators planted the virus on a computer at a bank in India and spread it to neighbouring computers via Remote Desktop ports that were exposed without proper password protection. Crooks also like to hide their threats in spam emails, deceiving users with fake notifications supposedly sent by delivery companies or even law enforcement institutions, and exploit kits and trojans serve the same purpose. Even if a LeChiffre infection arrived by another route, it is worth arming yourself with several security tools, because cyber criminals learn and improve their products every day. Avoid opening emails from unknown senders (ransomware is commonly spread via malicious attachments), clicking links on high-risk websites, or installing unreliable software.
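The January update above and the bank incident described in this section share one pattern: a burst of failed Remote Desktop logons from a single source, followed by a successful logon and then the ransomware. The detection logic below is an added example for this article, not code from any product: it reads a simplified, constructed export of Windows Security events (real events are EVTX/XML; the one-line `Timestamp EventID LogonType=… Account=… Source=…` format here is an assumption made for the example), counts failed logons (event 4625) per source inside a sliding window, and records whether a successful logon (event 4624) from that source followed. Logon type 10 is RemoteInteractive (RDP); with Network Level Authentication enabled, failed RDP attempts are usually recorded as type 3, so both are treated as remote.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# CONSTRUCTED one-line format standing in for exported Windows Security events.
# 4625 = failed logon, 4624 = successful logon. Logon type 10 = RemoteInteractive (RDP);
# with Network Level Authentication enabled, failed RDP logons usually appear as type 3.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>4624|4625) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<account>\S+) Source=(?P<src>\S+)$"
)
REMOTE_LOGON_TYPES = {"10", "3"}
FAIL_THRESHOLD = 5              # this many remote failures from one source ...
WINDOW = timedelta(minutes=5)   # ... inside this sliding window raise an alert


def parse_events(lines):
    """Parse the simplified lines; unparseable lines are skipped, output is time-sorted."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({**m.groupdict(), "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")})
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(lines):
    """Return {source: alert} for sources exceeding FAIL_THRESHOLD remote failures within
    WINDOW. An alert also records a later successful remote logon from that source,
    which is the moment the operators get their foothold."""
    recent = defaultdict(deque)     # src -> timestamps of remote 4625s still inside the window
    total = defaultdict(int)
    accounts = defaultdict(set)
    alerts = {}
    for e in parse_events(lines):
        if e["ltype"] not in REMOTE_LOGON_TYPES:
            continue                # local / service logons are out of scope here
        src = e["src"]
        if e["event"] == "4625":
            total[src] += 1
            accounts[src].add(e["account"])
            window = recent[src]
            window.append(e["ts"])
            while e["ts"] - window[0] > WINDOW:
                window.popleft()    # forget failures older than the window
            if len(window) >= FAIL_THRESHOLD or src in alerts:
                alerts.setdefault(src, {"first_seen": window[0], "success_account": None})
                alerts[src]["failures"] = total[src]
                alerts[src]["accounts"] = accounts[src]
        elif src in alerts:         # a 4624 from a source that was already brute-forcing
            alerts[src]["success_account"] = e["account"]
    return alerts


# Constructed sample log: addresses are documentation ranges, timestamps are invented.
SAMPLE_LINES = (
    # 12 failures in 55 seconds against two admin accounts, then a success: the pattern to catch
    ["2017-01-12T03:10:%02dZ 4625 LogonType=10 Account=%s Source=203.0.113.7"
     % (5 * i, ("administrator", "admin")[i % 2]) for i in range(12)]
    + ["2017-01-12T03:11:10Z 4624 LogonType=10 Account=administrator Source=203.0.113.7",
       "2017-01-12T03:12:00Z 4625 LogonType=2 Account=jdoe Source=-",   # local logon, ignored
       "2017-01-12T03:20:00Z 4625 LogonType=10 Account=jsmith Source=198.51.100.22",
       "2017-01-12T03:20:15Z 4625 LogonType=10 Account=jsmith Source=198.51.100.22",
       "2017-01-12T03:20:30Z 4624 LogonType=10 Account=jsmith Source=198.51.100.22",
       "this line is deliberately malformed and must be skipped"]
    # six failures twenty minutes apart: too slow for the window, no alert
    + ["2017-01-12T%02d:%02d:00Z 4625 LogonType=3 Account=backup Source=192.0.2.9"
       % (4 + (20 * i) // 60, (20 * i) % 60) for i in range(6)]
)


def demo():
    return detect_rdp_bruteforce(SAMPLE_LINES)


if __name__ == "__main__":
    for src, alert in demo().items():
        print(src, alert)
```

The window and threshold are deliberately conservative; a user mistyping a password twice (198.51.100.22) never trips it, while the slow scan from 192.0.2.9 shows the limitation of a fixed window and is the kind of source worth aggregating over a longer period as well.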
How to remove LeChiffre malware and restore the files?
According to the note left by the .lechiffre file extension virus, you can get your files back for free after 6 months. This is unlikely to happen, and there is no guarantee that the crooks would return all files undamaged after that period. Do not waste time: start automatic LeChiffre removal. Install and update your security applications, e.g. Reimage or Malwarebytes. Only when the elimination is complete should you proceed to the file recovery steps; otherwise restored files may simply be encrypted again. If you run into problems and cannot remove LeChiffre virus, the instructions below will help you regain access. A decryption tool was released last year; it is unlikely to decode files encrypted by the recent version, but you may give it a try.
To remove LeChiffre virus, follow these steps:
Remove LeChiffre using Safe Mode with Networking
In case the virus locked your screen, follow these instructions:
Step 1: Reboot your computer to Safe Mode with Networking
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Press the Power button at the Windows login screen, then hold Shift and click Restart.
- Select Troubleshoot → Advanced options → Startup Settings and press Restart.
- Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
Step 2: Remove LeChiffre
Log in to the infected account and start the browser. Download Reimage or another legitimate anti-spyware program, update it, run a full system scan and remove the malicious files that belong to the ransomware to complete LeChiffre removal. Note that removing the malware does not decrypt the files it has already encrypted; that is covered in the recovery section below.
If the ransomware blocks Safe Mode with Networking, try the next method.
Remove LeChiffre using System Restore
If the method above does not solve the problem, you may need to perform a System Restore. Keep in mind that System Restore rolls back system files, the registry and installed programs to an earlier restore point; it does not decrypt your personal documents.
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
- Select Safe Mode with Command Prompt from the list.
Windows 10 / Windows 8
- Press the Power button at the Windows login screen, then hold Shift and click Restart.
- Select Troubleshoot → Advanced options → Startup Settings and press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and press Enter.
- Now type rstrui.exe and press Enter again.
- When a new window shows up, click Next and select a restore point that predates the LeChiffre infiltration. Then click Next.
- Click Yes to start System Restore.
Bonus: Recover your data
The guide above is supposed to help you remove LeChiffre from your computer. To recover your encrypted files, we recommend the detailed guide prepared by 2-spyware.com security experts. If your files are encrypted by LeChiffre, you can use several methods to restore them:
What is Data Recovery Pro?
If you do not have backup copies, this program, which locates missing and damaged files, might help.
- Download Data Recovery Pro;
- Follow the steps of the Data Recovery Pro setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by LeChiffre ransomware;
- Restore them.
ShadowExplorer method
The key advantage of this tool is that it can restore files from Volume Shadow Copies, the snapshots Windows creates automatically when System Protection is enabled. Be aware that many ransomware families delete these copies before encrypting, in which case ShadowExplorer will find nothing to restore.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data, then check which folders and snapshot dates are available;
- Right-click the folder you want to restore and select “Export”. You can also choose where it should be stored.
LeChiffre decrypter
This free decrypter was released last year. It is unlikely to decrypt files affected by the recent version, but you may give it a try.
Finally, always think about protection against crypto-ransomware. To protect your computer from LeChiffre and other ransomware, use a reputable anti-spyware program such as Reimage, Malwarebytes or Combo Cleaner, and keep offline backups of your files.
References
- ^ GoldenEye ransomware targets HR departments, disguised as a job application. Alphr.
- ^ Cassius Puodzius. How encryption molded crypto-ransomware. WeLiveSecurity.
- ^ Carl Straumsheim. Your Data or Your Money. Inside Higher Ed.
- ^ Eric Geier. How to back up your computer and files. My Dayton Daily News.
- ^ Rob Price. The world's most popular password is depressingly easy to guess. Business Insider.