Security researchers reversed the L4NC34 ransomware’s encryption routine, decrypting a file without paying the ransom. Sucuri Security spotted the L4NC34 ransomware while investigating an attack in which a malicious actor encrypted all of a website’s files and appended “.crypt” to their file names. According to the researchers, the file was not an HTML or a .txt file: the ransom note was located within a PHP file that contained actual functions. The malicious PHP file was base64 encoded.