LeChiffre Ransomware Removal Guide

Do you know what LeChiffre Ransomware is?

LeChiffre Ransomware is a malicious computer infection that will encrypt your files without your permission. The presence of this ransomware program on your system also means cyber criminals trespassed into your computer, and they most probably, accessed it through a remote desktop service. If you are often connected to a server through a remote service, you should think twice before logging in again. Removing LeChiffre Ransomware might not be your first priority because this program may be deleted automatically once it has encrypted your files. What’s more, it may leave additional malware on your system that needs to be taken care of.

This infection is a Russian ransomware application, written in the .NET programming language. It will not run on your computer automatically because it needs to be launched manually. Now, you might think that this would require the hacker to be close to your computer physically, but that is not exactly the case. As long as the criminals behind this scam can access your system via remote service, they can easily run the application by launching the executable file called LeChiffre.exe. Then a GUI, which is entirely in Russian, will appear on your screen, and once the hacker clicks “Пуск” (“Start”), the encryption takes place.

Aside from encrypting your files and adding the .LeChiffre extension to all the affected documents, this program also drops a copy of itself in the Recycle Bin that looks like a .jpg file. If the attacker wishes to, they can encrypt just a few of the files because the program’s GUI comes with such a function. Nevertheless, it is highly unlikely that the infection will modify just several documents. After all, ransomware programs need to make a strong impression on the affected users so that they would feel compelled to follow the instructions provided in the so-called “decryption” manual.LeChiffre Ransomware Removal GuideLeChiffre Ransomware screenshot
Scroll down for full removal instructions

Most of the time ransomware applications display the steps of how to transfer the payment and decrypt affected files on your desktop. However, LeChiffre Ransomware is slightly different because it does not change your wallpaper and it does not even try to lock you out of your computer. Instead, it drops two different extension files into each location where the encrypted files are. These files are _How to decrypt LeChiffre files.html and _secret_code.txt files. You can open the .html file with your web browser, and then you will see the message this ransomware program wants you to read:

Your important files (photos, videos, documents, archives, databases, backups, etc.) which were crypted with the strongest military cipher RSA1024 and AES. <…> If you want to restore files – send e-mail to decrypt.my.files@gmail.com with the file “_secret_code.txt” and 1-2 encrypted files less than 5MB as *.doc, *.xls, *.jpg, but not database (*.900, *.001 etc.). Please use public mail yahoo or gmail.

You will receive decrypted samples and our conditions how you’ll get the decoder. Follow the instructions to send payment.

What follows is a rather peculiar statement, which guarantees that you can get “a decryptor for free after 6 month.” To put it simply, if you fail the transfer the payment, but if you still send the request right after the infection takes place, you will be able to restore your files after half a year. That is surely uncommon for a ransomware application to be so benevolent, but there is no user how would be willing to wait for so long to get their files back.

You may need to restore your files from a cloud server or an external hard drive backup because that is the fastest and the most efficient way to do that. You could also look for various decryption tools online because as far as LeChiffre Ransomware is concerned, it is very likely that the program would not issue a decryption key even if you were to pay the fee.

One of the most disturbing things about this infection, but the ransomware itself may not be the biggest security issue at hand. As mentioned, the program often deletes itself once the files have been encrypted, but even so it leaves a backdoor that can provide cyber criminals with the direct access to your computer. If you have the sticky keys function on, you may unwittingly launch the backdoor by hitting the Shift key five times in a row. If this happens, a hacker could take control of your system by creating a new administrator, changing user’s passwords, and performing other unsolicited system modifications.

To avoid this from happening, you should follow the instructions below to restore corrupted system files. When you are done with that, please make sure you invest in a licensed antispyware tool to protect your computer from similar intruders in the future. Do not hesitate to run a full system scan with the SpyHunter free scanner if necessary.

How to Repair System Files

  1. Open the Start menu and go to All Programs.
  2. Select Accessories and right-click Command Prompt.
  3. Click Run as administrator and click Yes on the confirmation box.
  4. Type sfc /scannow in the Command Prompt and press Enter.
  5. When the scan is complete, close the Command Prompt.

In non-techie terms:

LeChiffre Ransomware is a dangerous computer infection that brings more malware to your system. This program will modify your files, and you will no longer be able to access them. You should get yourself a legitimate antispyware tool to terminate malicious applications and protect you from similar intruders. As for your files, please make sure you back them up because that is the best way to make sure that you will always be able to get them back when a problem occurs.