The encryption routine performed by L4NC34 ransomware has been reversed by security researchers, who decrypted a file without any ransom being paid. The L4NC34 ransomware was first discovered by Sucuri Security during an inquiry into an attack in which a malicious actor encrypted all of a website's files and appended "crypt" to every file name.
MALICIOUS PHP FILES
When the security firm investigated further, something unusual was detected: the ransom note was stored in a PHP file instead of the usual HTML or .txt file. They realized that this malicious PHP file was base64 encoded and went on to decode it. With this effort, they were able to uncover the parts of the code responsible for showing the ransom note and for completing decryption once a password was retrieved.
This latter snippet revealed that L4NC34 hadn't actually "encrypted" the victim organization's data but had simply run it through PHP's "gzdeflate" function. The attackers then followed up by renaming the altered files.
Sucuri used this knowledge to show that the decryption process can be run via the browser or the terminal and recover a file successfully without the victim paying the $10 ransom fee. At the time of this discovery, no victim had transferred money to the Bitcoin account L4NC34 provided for the ransom payment.
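As an added example (not Sucuri's code and not the ransomware's), the following recovery check treats a tagged file as recoverable only if it inflates as raw DEFLATE, which is the format PHP's gzdeflate() produces; the ".crypt" suffix, the file names and the sample contents are assumptions constructed for the demo.

```python
import tempfile
import zlib
from pathlib import Path

# PHP's gzdeflate() emits raw DEFLATE (no zlib/gzip header); wbits=-15 tells zlib to expect that.
RAW_DEFLATE = -15
SUFFIX = ".crypt"  # assumed form of the "crypt" tag added to each file name

def simulate_gzdeflate(data: bytes) -> bytes:
    """Constructed stand-in for PHP gzdeflate(): raw DEFLATE, default level."""
    comp = zlib.compressobj(wbits=RAW_DEFLATE)
    return comp.compress(data) + comp.flush()

def try_inflate(blob: bytes):
    """Return the inflated bytes if blob is valid raw DEFLATE, else None."""
    try:
        return zlib.decompress(blob, RAW_DEFLATE)
    except zlib.error:
        return None

def recover_file(path: Path) -> bool:
    """Restore one tagged file if it inflates cleanly; True on success."""
    if not path.name.endswith(SUFFIX):
        return False
    plain = try_inflate(path.read_bytes())
    if plain is None:
        return False  # not raw DEFLATE: real crypto or other data, leave it
    path.with_name(path.name[: -len(SUFFIX)]).write_bytes(plain)
    path.unlink()
    return True

def recover_tree(root: Path) -> dict:
    """Walk a site tree; count files restored vs. left untouched."""
    stats = {"restored": 0, "skipped": 0}
    for p in list(root.rglob("*" + SUFFIX)):  # snapshot before renaming
        stats["restored" if recover_file(p) else "skipped"] += 1
    return stats

def demo() -> dict:
    """Constructed end-to-end run in a temp dir with no real victim data."""
    root = Path(tempfile.mkdtemp())
    original = b"<?php echo 'hello'; ?>\n"
    (root / "index.php.crypt").write_bytes(simulate_gzdeflate(original))
    (root / "db.bin.crypt").write_bytes(b"NOT-DEFLATE-DATA")  # truly opaque
    stats = recover_tree(root)
    stats["index_ok"] = (root / "index.php").read_bytes() == original
    stats["db_left"] = (root / "db.bin.crypt").exists()
    return stats
```

Files that fail to inflate are left in place, so a genuinely encrypted file is never overwritten with garbage.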
Although L4NC34's encryption routine was easily reversed by the researchers, the same can't be said of other ransomware families. This further underscores why companies should take their defenses against crypto-malware attacks very seriously. The best way to nip attacks like this in the bud is to avoid a ransomware infection of any kind in the first place.