{"id":48640,"date":"2016-03-28T13:13:07","date_gmt":"2016-03-28T20:13:07","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=48640"},"modified":"2025-06-02T20:14:21","modified_gmt":"2025-06-03T03:14:21","slug":"mcafee-labs-unlocks-lechiffre-ransomware","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-labs-unlocks-lechiffre-ransomware\/","title":{"rendered":"McAfee Labs Unlocks LeChiffre Ransomware"},"content":{"rendered":"<p>At McAfee Labs we recently received a low-profile ransomware called LeChiffre. Unlike ransomware that is\u00a0distributed by a spam campaign or downloaded by other malware, this sample\u00a0needs to be run manually on a victim&#8217;s machine to encrypt files. As we analyzed this ransomware, we found that we could unlock all LeChiffre-encrypted files without having to pay a ransom.<\/p>\n<p>We have two versions of this malware. Both variants use the Blowfish algorithm to encrypt files. The Blowfish key-generation technique is the same for both variants. It calculates two MD5s using a constant string, computer name, currently logged on user name, and current system date. The first MD5 is calculated on a string that\u00a0is the concatenated output of a constant string, computer name, and system date. The second MD5 is retrieved from the user name and a constant string. These two MD5s are appended with the version string of the malware. 
Then the malware calculates the SHA1 of the resulting string and appends 12 bytes of FFh to the SHA1 value.<\/p>\n<p>The constant strings for the first and second versions:<\/p>\n<ol>\n<li>LXAi48XxK9ig6gD351BA0ACF3A661B3E3AA<\/li>\n<li>dDcLXlen2Dg0gpuV9XZ4hYBR6wrwe55izm24Id<\/li>\n<\/ol>\n<p>The algorithm follows:<br \/>\nMD5_1 = MD5(constant string + computer name + current date)<br \/>\nMD5_2 = MD5(user name + constant string)<br \/>\nSHA1_key = SHA1(version string + MD5_1 + MD5_2)<br \/>\nBlowfish_key = SHA1_key + (12 bytes of FFh)<\/p>\n<p>The malware uses this Blowfish_key value to initialize the Blowfish key schedule. It also derives the initialization vector (IV) of the Blowfish algorithm by encrypting a buffer of eight zero bytes (one Blowfish block). The encrypted value is kept as the IV for the entire encryption process. Then it encrypts these 32 bytes (the 20-byte SHA1 plus 12 bytes of FFh) and keeps the result in what we&#8217;ll call the marker buffer.<\/p>\n<p>The encryption method differs based on the size of the file. If the file size is greater than 17,032 bytes, the method encrypts the first and last 2000h bytes. Otherwise it encrypts only the first 2000h bytes. If the entire file is smaller than 2000h bytes, the method encrypts the complete file. After encryption the malware appends the marker buffer to the encrypted file and adds the extension \u201c.LeChiffre\u201d to the original extension, for example abcdef.jpg.LeChiffre. Because the malware appends this obvious extension to the encrypted file, it is easy to restore the original extension of the file.<\/p>\n<p>Our analysis also turned up an interesting aspect of the version string. The first version has a version string of \u201cv2.5EN:\u201d; the second has \u201cV2.6.\u201d The second version, however, appends the ISO country code of the victim\u2019s IP address to the string by querying http:\/\/api[dot]sypexgeo[dot]net\/xml\/, a legitimate geolocation website used by the malware to learn the ISO code of the country. The resulting version string is \u201cV2.6[ISO CODE]:\u201d. If the malware fails to query the URL, it falls back to \u201cEN\u201d as the default ISO code. Using these findings, we have written a tool to restore files encrypted with this ransomware.<\/p>\n<p>The McAfee fix is a standalone command-line tool that needs to run on the infected machine, because the Blowfish key is derived from that machine\u2019s computer name and user name. By default this tool does not delete the encrypted files. For example, if the encrypted file name is MyPicture.jpg.LeChiffre, the file will be decrypted and named MyPicture.jpg. If a file with that name already exists in the same location, the tool will create MyPicture{random number}.jpg instead. The tool connects to http:\/\/api[dot]sypexgeo[dot]net\/xml\/ to get the ISO code. Input to the tool is a directory or drive path; it will search subdirectories for encrypted files. Run the tool at the command line without any arguments to see the usage.<\/p>\n<h2><strong>Usage<\/strong><\/h2>\n<p>To decrypt the encrypted files without deleting the .LeChiffre files, use the following syntax:<\/p>\n<ul>\n<li>LeChiffreDecrypt.exe &#8220;directory_path&#8221;<\/li>\n<\/ul>\n<p>To decrypt the encrypted files and delete the .LeChiffre files, use the following syntax:<\/p>\n<ul>\n<li>LeChiffreDecrypt.exe \/delete &#8220;directory_path&#8221;<\/li>\n<\/ul>\n<p>The log file LeChiffreDecryptionLog_{random number}.txt will be generated with the results of the decryption in the same directory where the tool has been run, or in the system temp directory if the tool has no write access to the current directory. 
<a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/LeChiffreDecryptor.zip\">The decryption tool can be downloaded here.<\/a><\/p>\n<p>Detection and removal of the parent malware is available in McAfee products. Theoretically any ransomware that uses a symmetric-key algorithm could be decrypted, but the complexity depends on the encryption approach taken by the actors. At McAfee we constantly strive to protect our customers from such attacks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At McAfee Labs we recently received a low-profile ransomware called LeChiffre. Unlike ransomware that is\u00a0distributed by a spam campaign or&#8230;<\/p>\n","protected":false},"author":674,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,76,338,180],"coauthors":[3973],"class_list":["post-48640","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-cybercrime","tag-endpoint-protection","tag-malware"],"acf":[]}