
Over the weekend, my personal server got hit with the LeChiffre ransomware. Unfortunately, they were able to get in due to an insecure Active Directory account. I've since disabled all accounts and changed passwords; however, all my files now have a .LeChiffre extension.

I was able to find a decryption tool specifically for this infection, and at first it looked like it was going to work. However, after trying to open a file that was stated to be decrypted, it failed to open.

How can I decrypt these files?

This is the LeChiffre ransomware, not the same as far as I know as CryptoLock.

Phil
  • 2
    Restoring from a backup is your only real solution. – Ramhound Feb 22 '16 at 14:29
  • 2
    Related: http://superuser.com/questions/723600/excel-word-pdf-files-got-encrypted-by-ransomware – Ƭᴇcʜιᴇ007 Feb 22 '16 at 14:37
  • Note that only the first and last 8KB of files actually get changed by LeChiffre. You might be able to save some data. – Ben N Feb 24 '16 at 17:55
  • @BenN I'm all ears; how would you go about that? – Phil Feb 24 '16 at 17:57
  • Break out a hex editor (I like XVI32), jump to address 0x2000, and copy out everything until 0x2000 before the end. Small files will have been destroyed, but you can probably get something out of large files, though getting programs to accept it without the header will be challenging. – Ben N Feb 24 '16 at 18:00
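
The carving step from the last comment, written as a script instead of a hex editor session (an added example, not part of the original thread). The 0x2000 offsets come from the comments above; the function and file names are hypothetical, and the script only reads the encrypted file and writes the carved bytes to a separate output file.

```python
import os
import tempfile

EDGE = 0x2000  # 8 KB: the region the comments say is altered at each end


def carve_middle(src, dst, edge=EDGE, chunk=1 << 20):
    """Copy src[edge : size - edge] to dst; return bytes written (0 if too small)."""
    size = os.path.getsize(src)
    remaining = size - 2 * edge
    if remaining <= 0:
        return 0  # whole file lies inside the altered regions; nothing to carve
    written = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        fin.seek(edge)
        while remaining > 0:
            block = fin.read(min(chunk, remaining))
            if not block:
                break  # file is shorter than its reported size
            fout.write(block)
            written += len(block)
            remaining -= len(block)
    return written


def demo():
    """Constructed sample: 8 KB filler + 5000 known bytes + 8 KB filler."""
    middle = bytes(range(256)) * 19 + b"x" * 136  # 5000 bytes of known data
    with tempfile.TemporaryDirectory() as tmp:
        big = os.path.join(tmp, "report.doc.LeChiffre")    # constructed name
        small = os.path.join(tmp, "note.txt.LeChiffre")    # constructed name
        out = os.path.join(tmp, "report.carved")
        with open(big, "wb") as f:
            f.write(b"\xAA" * EDGE + middle + b"\xBB" * EDGE)
        with open(small, "wb") as f:
            f.write(b"\xCC" * 10000)  # under 16 KB: fully inside altered regions
        written = carve_middle(big, out)
        with open(out, "rb") as f:
            intact = f.read() == middle
        small_written = carve_middle(small, os.path.join(tmp, "note.carved"))
    return written, intact, small_written


if __name__ == "__main__":
    print(demo())
```

The carved output has no file header or trailer, so, as the comment says, most programs will not open it directly.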

0 Answers