Slashdot Mirror


Ransomware Hits Three Indian Banks, Causes Millions In Damages (malwarebytes.org)

An anonymous reader writes: Ransomware has locked computers in three major Indian banks and one pharmaceutical company. While the ransom note asks for 1 Bitcoin, so many computers have been infected that damages racked up millions of dollars. According to an antivirus company that analyzed the ransomware, it's not even that complex, and seems the work of some amateur Russians.

76 comments

  1. HAW HAW by Anonymous Coward · · Score: 4, Funny

    And now those jackasses will have to call tech support in India and the shit will REALLY hit the fan.

    1. Re: HAW HAW by Anonymous Coward · · Score: 1

      Considering there are billion dollar high rises right next to slums I could care less.

    2. Re:HAW HAW by Anonymous Coward · · Score: 0

      Pity I do not mod points to mod you up...

    3. Re: HAW HAW by Anonymous Coward · · Score: 1

      At least they'll be able to understand them.

    4. Re: HAW HAW by Anonymous Coward · · Score: 2, Funny

      Yeah they don't segregate as well as New York and Chicago do.

    5. Re: HAW HAW by Anonymous Coward · · Score: 1

      Considering there are billion dollar high rises right next to slums I could care less.

      So you care a LOT then? It is 'couldn't care less', dipshit.

    6. Re: HAW HAW by darthsilun · · Score: 1

      Considering there are billion dollar high rises right next to slums I could care less.

      Maybe there are billion Rupee high rises. I'm pretty sure building costs and property values have not reached billion (US) dollar level yet.
      And be my guest, go ahead and care less. I'll get the popcorn.

    7. Re: HAW HAW by Mashiki · · Score: 2

      Oh sweet child, how little do you know. My neurologist (here in Canada) these days primarily handles patients from India, and has a secretary that natively speaks Hindi. Even her secretary can't understand them.

      --
      Om, nomnomnom...

    8. Re:HAW HAW by Billly+Gates · · Score: 3, Funny

      Have they tried rebooting their mission critical servers?

    9. Re:HAW HAW by JustAnotherOldGuy · · Score: 1

      Did they shard the replicator to do the needful? Otherwise it won't work, even if it's webscale.

      --
      Just cruising through this digital world at 33 1/3 rpm...

    10. Re:HAW HAW by blackpaw · · Score: 1

      Unless they get a call center in Kentucky. Now that would be irony! :)

    11. Re:HAW HAW by Anonymous Coward · · Score: 0

      Yes. But they can take solace in knowing their call is bery bery important to us.

    12. Re:HAW HAW by Anonymous Coward · · Score: 1

      Is there any wonder why the likes of Donald Trump has support in the US. Look at these people.

    13. Re: HAW HAW by Anonymous Coward · · Score: 0

      That's why we have zoning laws!

    14. Re: HAW HAW by Tablizer · · Score: 2

      I've heard it's a status symbol in parts of India to talk fast. There's less pressure on clarity. I found out because I suggested to an H1B co-worker that he try to talk slower. He said he didn't want to because a slower habit would make it harder to find a wife when he got back home to India.

    15. Re: HAW HAW by nikkipolya · · Score: 4, Informative

      They have surpassed billion (US) dollar levels. Mumbai is the world's 9th most costliest city in terms of real-estate prices (http://www.telegraph.co.uk/finance/property/pictures/8892109/In-pictures-The-worlds-20-most-expensive-cities-to-buy-property.html?image=11).

    16. Re: HAW HAW by Anonymous Coward · · Score: 2

      That's not necessarily because she can't understand the others' Hindi. Not everybody in India even speaks Hindi, there being more than 22 constitutionally recognized languages and more than 122 major languages.

    17. Re:HAW HAW by skovnymfe · · Score: 1

      A customer feedback vindaloop? https://www.youtube.com/watch?...

    18. Re: HAW HAW by Anonymous Coward · · Score: 0

      Most costliest? Of course, we already know that India is more better than anybody else, and that it has more numerous toilets that are more better than the rest of the world's.

    19. Re: HAW HAW by tsqr · · Score: 0

      Considering there are billion dollar high rises right next to slums I could care less.

      So you care a LOT then? It is 'couldn't care less', dipshit.

      If you are unfamiliar with the concept of the widely accepted idiom, it is likely that you are in fact the dipshit here.

    20. Re: HAW HAW by Anonymous Coward · · Score: 0

      Considering there are billion dollar high rises right next to slums I could care less.

      So you care a LOT then? It is 'couldn't care less', dipshit.

      Perhaps he cares very little, but could possibly care none.

    21. Re: HAW HAW by CronoCloud · · Score: 2

      Of course she can't, India has MANY "official" languages. It's why English is sometimes the only common language Indians of different regions speak.

      India could save itself a LOT of trouble by just making English the "One and Only" official language, but they won't do it because of hard feelings about the Colonial period.

    22. Re: HAW HAW by Anonymous Coward · · Score: 0

      Widely accepted by dipshits?

    23. Re: HAW HAW by Anonymous Coward · · Score: 0

      Thanks for the reminder, that was awesome.

  2. Not too shocking by Shoten · · Score: 5, Informative

    Most of these ransomware packages can traverse laterally within an org; they run in the rights context of the user on the first infected computer and use that to infect other systems, spreading within the local network. So if you don't have your permissions properly set up (having "Domain Users" in the local Administrators group on your desktops as a matter of standard, for example), it's a cakewalk for the malware to hit everyone.

    --

    For your security, this post has been encrypted with ROT-13, twice.

    1. Re:Not too shocking by Anonymous Coward · · Score: 0

      I had the pleasure of cleaning up one ransomware from my father's computer, but luckily it completely ignored the documents folder, which I had redirected to a network drive. So he got to keep most of his files and the network shares were also saved.

    2. Re:Not too shocking by Anonymous Coward · · Score: 0

      It's also incredibly easy to fix - ever hear of backups?

    3. Re:Not too shocking by thegarbz · · Score: 2

      Define "properly". Having domain users in the local administrators group can save a small fortune in IT related support costs in many scenarios. It just needs to be weighed against the potential risks.

      I would imagine that the potential risks for ransomware hitting an organisation with proper IT support should be minimal... unless someone isn't doing their backups properly.

      When everyone goes home at night, re-image all PCs, and restore backups. That shouldn't cost $1m.

    4. Re:Not too shocking by moonlandingchap · · Score: 1

      That's exactly how we deal with it when a user is stupid enough to click where they shouldn't. Backups really help. It also gives IT a chance to have a clear-out of some old junk and keep it only in archives.

      In each case the user rights of the offender were the limits of the infection. We did change the rights of the users and imposed stricter program execution policies to prevent further hassle. Also some user training helped them spot what they were about to click on.

      These minor attacks really help our systems to evolve a little, and not one bitcoin was ever paid.

      With a widespread problem in India, they must have had either very flat rights for the users or poor policies in general. It should be a wake-up call for them.

    5. Re:Not too shocking by Anonymous Coward · · Score: 0

      Define "properly". Having domain users in the local administrators group can save a small fortune ....

      Thank you for keeping me employed.

    6. Re:Not too shocking by Shoten · · Score: 1

      Define "properly". Having domain users in the local administrators group can save a small fortune in IT related support costs in many scenarios. It just needs to be weighed against the potential risks.

      I would imagine that the potential risks for ransomware hitting an organisation with proper IT support should be minimal... unless someone isn't doing their backups properly.

      When everyone goes home at night, re-image all PCs, and restore backups. That shouldn't cost $1m.

      So...you're a fan of building a whole new PC image every time there's a patch? Not to mention the bandwidth needed to push images to all PCs at the same time, every single night, and be sure that there have been no issues? Let's also keep in mind the fact that desktop configurations in nearly all organizations differ, so you'll have driver concerns for some devices, and one-off applications (especially for the most critical users) on others.

      At first blush, your "re-image all PCs" idea sounds great...but I've seen it tried and it never works. I'm guessing you've never even tried it.

      --

      For your security, this post has been encrypted with ROT-13, twice.

    7. Re: Not too shocking by Anonymous Coward · · Score: 0

      I think he was talking about re-imaging the computers that have been infected, not every single computer in the world every 24 hours.

      If one were to set up a system to automatically re-image computers every day, I would think it would have some problems in the first few days and then work reliably after all the bugs are worked out. Bandwidth wouldn't be an issue considering reliable multicast protocols exist.

    8. Re:Not too shocking by peragrin · · Score: 1

      I am not my company's IT person; we hire that out. That said, I have three logins.
      My everyday low-rights user information. A higher-rights user and full admin access to every server.
      This way when a print job gets stuck I can kill it with admin rights, or if someone's access is screwed up I can force a logout of them, which generally clears up the issue.

      I only do limited actions and then log out of admin. This saves IT daily headaches while providing security.

      You can do both. You give the responsible people a second login with higher privileges.

      --
      i thought once I was found, but it was only a dream.

    9. Re:Not too shocking by thegarbz · · Score: 1

      So...you're a fan of building a whole new PC image every time there's a patch?

      What the hell kind of an operation are you running? No, what we do is control the patching on our own schedule and once a quarter update the master image. Get your machine rebuilt just before the new master comes out? Tough, get a coffee while it applies updates when you first turn it on.
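
Shoten's point about "Domain Users" sitting in the local Administrators group, and peragrin's setup of a separate higher-rights login used only for admin tasks, in an added example that is not from the thread or from Malwarebytes: a PowerShell audit that reports who holds standing local admin rights on a desktop, so the broad-group case can be found before ransomware running as an ordinary user inherits it. The list of "broad" group names and the desktops.txt file are assumptions.

```powershell
# Added example (not from the Slashdot thread or the Malwarebytes write-up): report members
# of the local Administrators group that hand admin rights to every domain user, the setup
# Shoten describes. Needs the Microsoft.PowerShell.LocalAccounts module (Windows 10 /
# Server 2016 and later) and local admin rights to enumerate the group.

function Test-LocalAdminMembership {
    param(
        [string]$GroupName = 'Administrators',
        # Assumed list of groups that should never be local admins on a desktop.
        [string[]]$BroadGroups = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users', 'INTERACTIVE')
    )
    $findings = @()
    foreach ($m in (Get-LocalGroupMember -Group $GroupName -ErrorAction Stop)) {
        # Name is DOMAIN\principal or COMPUTER\principal; compare on the part after the backslash.
        $short = ($m.Name -split '\\')[-1]
        $issue = $null
        if ($m.ObjectClass -eq 'Group' -and $BroadGroups -contains $short) {
            $issue = 'Broad group: every member of it is a local admin here'
        }
        elseif ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'ActiveDirectory') {
            # A domain user with standing admin rights means anything that user runs owns the box;
            # the fix peragrin describes is a second, admin-only account used briefly and then logged out.
            $issue = 'Domain user account with standing local admin rights'
        }
        if ($issue) {
            $findings += [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $m.Name
                Class    = $m.ObjectClass
                Source   = $m.PrincipalSource
                Issue    = $issue
            }
        }
    }
    return $findings
}

$result = @(Test-LocalAdminMembership)
if ($result.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): nothing broad in local Administrators"
} else {
    $result | Format-Table -AutoSize
}

# To sweep a fleet from a management host (assumes WinRM is enabled on the desktops and
# a desktops.txt with one hostname per line):
#   Invoke-Command -ComputerName (Get-Content .\desktops.txt) -ScriptBlock ${function:Test-LocalAdminMembership}
```

If Get-LocalGroupMember aborts on an unresolvable member (orphaned SIDs left by deleted accounts), `net localgroup Administrators` still lists the names and can be fed through the same group-name comparison.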

  3. That word by Barny · · Score: 5, Insightful

    "Amateur Russians."

    If they are actually making money from this, then they are firmly in the "professional" bracket.

    --
    ...
    /me sighs

    1. Re:That word by sjames · · Score: 4, Funny

      They are professional malware distributors. Nobody pays them to be Russians :-)

    2. Re:That word by Anonymous Coward · · Score: 0

      They are professional malware distributors. Nobody pays them to be Russians :-)

      In communist Russia, malware pays you...

    3. Re:That word by Anonymous Coward · · Score: 0

      Indeed, they live on the wrong side of the Bering Strait. You can be a professional Alaskan!

    4. Re:That word by turbidostato · · Score: 5, Insightful

      "Amateur Russians."

      And that means the headline is wrong. It says "Ransomware Hits Three Indian Banks, Causes Millions In Damages" when it should say instead "Incompetence Hits Three Indian Banks, Causes Millions in Damages".

      When some amateurs from a different country can wreak havoc in three different financial institutions the cause is not whatever the amateurs have done but gross incompetence.

    5. Re: That word by Anonymous Coward · · Score: 0

      Here's an imaginary mod point for you *+1*. Was about to say the exact same thing.

    6. Re:That word by Anonymous Coward · · Score: 0

      IN SOVIET RUSSIA, meme mangles YOU!

      What a country! Dank meme.

    7. Re:That word by Threni · · Score: 1

      Eh? I know a lot of amateurs working in IT. I don't think that word means what you think it means.

  4. if there's a way they can get paid.... by iggymanz · · Score: 2

    there is a way they can be hunted down and killed. take pictures of the corpses and post them, send the message.

    1. Re:if there's a way they can get paid.... by thegarbz · · Score: 2

      Who, the ransomware authors or the Indian bank employees who keep calling me?

    2. Re:if there's a way they can get paid.... by Anonymous Coward · · Score: 0

      Who, the ransomware authors or the Indian bank employees who keep calling me?

      Both.

  5. Indian like Hindus by Chris+Mattern · · Score: 0

    Or Native American?

  6. What security? by PhunkySchtuff · · Score: 4, Informative

    According to the linked article from Malwarebytes:

    It is different than most of the ransomware present nowadays. Instead of spreading to users and automatically infecting their machines, LeChiffre needs to be run manually on the compromised system. Common scenario of infection is that attackers are automatically scanning network in search of poorly secured Remote Desktops, cracking them, and after logging remotely they manually run an instance of LeChiffre.

    Just how good is their security if something that has to be manually run on each system has completely pwned them?

    1. Re:What security? by BarbaraHudson · · Score: 1

      Le Chiffre - the villain in Casino Royale - strikes again!

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.

    2. Re:What security? by Lumpy · · Score: 1

      Complete crap. Honestly I am surprised it hasn't happened earlier.

      --
      Do not look at laser with remaining good eye.

    3. Re:What security? by Anonymous Coward · · Score: 1

      Someone emailed a file called DoTheNeedful.EXE to everyone in the bank, of course they all ran it.

    4. Re:What security? by Anonymous Coward · · Score: 0

      It is India, to look more genuine, the executable name would have to have a couple of English errors to look trustworthy.

    5. Re:What security? by thegarbz · · Score: 1

      That depends on just how desperately you want to see britney-spears-leaked-sex-tape.exe
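
The infection path PhunkySchtuff quotes (scan for exposed Remote Desktop, guess the password, log in, run LeChiffre by hand) leaves a trail in the Windows Security log. As an added example that is not from the thread or the Malwarebytes article, this PowerShell script correlates failed and successful RDP logons per source address and flags a success that follows a burst of failures; the timestamps, usernames and addresses in the sample events are constructed.

```powershell
# Added example (not from the thread or the Malwarebytes write-up): correlate Windows Security
# events 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive,
# i.e. RDP) to flag the "scan, brute-force RDP, log in, run it by hand" pattern LeChiffre relies
# on. The events are constructed sample data so the script runs offline; the comment at the end
# shows how to feed it a live Security log instead.

function New-SampleEvent([string]$Time, [int]$Id, [string]$User, [string]$Ip, [int]$LogonType = 10) {
    [pscustomobject]@{ Time = [datetime]$Time; Id = $Id; LogonType = $LogonType; User = $User; Ip = $Ip }
}

# Constructed data: four guesses then a success from 203.0.113.7 (RFC 5737 documentation range),
# and one ordinary typo-then-login from an internal address that must not alert.
$SampleEvents = @(
    New-SampleEvent '2016-01-20 02:14:01' 4625 'administrator' '203.0.113.7'
    New-SampleEvent '2016-01-20 02:14:03' 4625 'admin'         '203.0.113.7'
    New-SampleEvent '2016-01-20 02:14:05' 4625 'root'          '203.0.113.7'
    New-SampleEvent '2016-01-20 02:14:09' 4625 'backup'        '203.0.113.7'
    New-SampleEvent '2016-01-20 02:15:30' 4624 'backup'        '203.0.113.7'
    New-SampleEvent '2016-01-20 08:02:11' 4625 'rsharma'       '10.0.5.22'
    New-SampleEvent '2016-01-20 08:02:40' 4624 'rsharma'       '10.0.5.22'
)

function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$FailureThreshold = 3,          # failures inside the window that make a success suspicious
        [int]$WindowMinutes = 10,            # look-back window before each successful logon
        [int[]]$FailureLogonTypes = @(10, 3) # with NLA enabled, failed RDP pre-auth is logged as type 3
    )
    $alerts = @()
    foreach ($group in ($Events | Group-Object Ip)) {
        $failures  = @($group.Group | Where-Object { $_.Id -eq 4625 -and $FailureLogonTypes -contains $_.LogonType })
        $successes = @($group.Group | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 10 })
        foreach ($s in $successes) {
            $since  = $s.Time.AddMinutes(-$WindowMinutes)
            $recent = @($failures | Where-Object { $_.Time -ge $since -and $_.Time -lt $s.Time })
            if ($recent.Count -ge $FailureThreshold) {
                $alerts += [pscustomobject]@{
                    SourceIp       = $group.Name
                    FailedAttempts = $recent.Count
                    UsersTried     = ($recent.User | Sort-Object -Unique) -join ', '
                    SuccessTime    = $s.Time
                    SuccessUser    = $s.User
                    Verdict        = 'Password guessing followed by an RDP logon: treat the host as compromised'
                }
            }
        }
    }
    return $alerts
}

Find-RdpBruteForce -Events $SampleEvents | Format-List

# Against a live Security log (run elevated), build the event list from real records instead:
#   $Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } | ForEach-Object {
#       $d = ([xml]$_.ToXml()).Event.EventData.Data
#       [pscustomobject]@{
#           Time = $_.TimeCreated; Id = $_.Id
#           LogonType = [int]($d | Where-Object Name -eq 'LogonType').'#text'
#           User      = ($d | Where-Object Name -eq 'TargetUserName').'#text'
#           Ip        = ($d | Where-Object Name -eq 'IpAddress').'#text'
#       }
#   }
```

The threshold and window are heuristics; a host whose RDP port faces the internet will see far more than three failures per window, which is itself the finding, since the only durable fix is not exposing RDP to password guessing at all.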

  7. This is Sanjay from Microsoft by Hognoxious · · Score: 1

    And now those jackasses will have to call tech support in India

    It was probably them who installed it.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."

  8. dollars by Smiddi · · Score: 0, Troll

    "Millions of dollars in damages" OR "Millions of Rupee in damages"? - equalling about US$9

    1. Re:dollars by Anonymous Coward · · Score: 0

      It might be US $9 tomorrow. Need to check the bitcoin market.

  9. Fake news by ajyand · · Score: 5, Insightful

    Fake news just based on word of mouth. Take a look at the original article referenced in the referenced article and you'll know that not a single aspect of the news is verifiable. No company has been named. No people have been named. Just one person's statement has been bloated into a short article.

    1. Re:Fake news by Anonymous Coward · · Score: 0

      Also, banks would immediately pay the ransom, the crooks would up the price 100-fold, and the bank would pay it from the Friday-afternoon-party-fund, which is kept outside the books anyway.

    2. Re:Fake news by Anonymous Coward · · Score: 0

      You're an idiot, my friend. If you were the director of a bank, you would not want your company's name leaked from the police investigation either. That's why the names aren't mentioned. Get a clue... it's 2016.... things like these never get leaked unless someone really wants them to.... like the competition. Remember when CSO ran a story like "the biggest ddos attack of all time" all based on a private conversation they had on Twitter.... that was considered ground-breaking stuff and was everywhere on twitter.... now this story based on a police investigation is "fake" in your eyes.... b%^%h please! Get a brain!

    3. Re:Fake news by Anonymous Coward · · Score: 0

      It's not fake. Police don't release names while investigating. It's always been like this. It can cause damage to the bank's reputation.

  10. Perfect solution by Anonymous Coward · · Score: 0

    I would mother fucking kill those Russians.

  11. Re:Loads of Engrish posts in... by Zontar+The+Mindless · · Score: 1

    Do you even know what "Engrish" actually refers to? Derp.

    --
    Il n'y a pas de Planet B.

  12. DESIGNATED $HITTING BANKS by Anonymous Coward · · Score: 0

    DESIGNATED
    E
    S
    I
    G
    N
    A
    T
    E
    D

  13. Re:That word for the bear-riding shirtless leader by Anonymous Coward · · Score: 0

    > "Amateur Russians."
    > If they are actually making money from this, then they are firmly in the "professional" bracket.

    If those hackers were professionals, they wouldn't have attacked India in the first place.

    (That country is just too important for Putin to upset. India develops all electronics and software for the Sukhoi T-50 stealth jet fighter, which is slated to enter Russian air force service in single-seater and Indian air force service in two-seater configuration, circa 2020. Russia is also selling lots of military cargo planes, helicopters, tanks and naval hardware to India and they are jointly developing a hyperfast ramjet anti-shipping missile called Brahmos, which is the key to defeating American CVN battle fleets.
    Recently India has been quite vocal about the sloppiness and lack of quality control of products Russian factories emit and Moscow has been busy appeasing them. The ransomware thus couldn't have come at a worse time.)

    Anyhow, in Russia, professional means obeying Putin 100%, and amateur means... well, it means the FSB/GRU will hunt them down to get the keys from India and then they will disappear in some Siberian "penal reform-work camp" for 15 years or so.

  14. Are these traveling hackers? by videoBuff · · Score: 1

    Here is a link to that story, as told by an actual newspaper. http://cio.economictimes.india...

    "ET couldn't confirm the names of the banks and the pharmaceutical company or the total number of computers that were compromised." So it is possible that the whole story is made up.

    "In May last year, two Indian conglomerates had to pay about $5 million each after hackers breached their systems. The hackers, suspected to be operating from the Middle East, threatened to leak information to the Indian government if the ransom wasn't delivered. Both are said to have paid up."

    So in May the hackers were in Middle East and now they are in Russia? Looks like these hackers are going around the world and paying for their trip by hacking systems.

    1. Re:Are these traveling hackers? by Anonymous Coward · · Score: 0

      Those are two different incidents... and that's not an actual newspaper... it's just another online news site. Jeez... I'm glad you got down to "vague" sources, and then couldn't actually read them through.

  15. Easily hosts file + firewall blocked... apk by Anonymous Coward · · Score: 0

    api.sypexgeo.net
    sypexgeo.net
    sip1.esampark.com
    esampark.com

    (The last one's issued as IP address so put it into your firewall as well as 184.107.251.146 blocked...)

    APK

    P.S.=> However - I wrote something in Delphi 7 32-bit ported into Delphi XE2 & then Delphi XE4 (which allowed inline asm again in the latter for more loop speed, like D7 down to D1 did for 1/32 bit) that stops this thing & OTHERS LIKE IT cold:

    APK Hosts File Engine 9.0++ SR-4 32/64-bit http://www.start64.com/index.p...

    Which populates a custom hosts file with data vs. online threats of ALL kinds (doing a far better job using LESS to do that MORE by far) online, ads, spam/phish payload sources, trackers, etc. - et al from 10 reputable sources in the security community that produce such data (thank goodness for them - I can usually draw between 50-250 of my own on my own each day for this, they provide many, Many, MANY more on top of my own data gathers for it which makes the hosts file as STRONG as it can be)...

    It also increases your:

    Speed (adblocking & hardcoded favorites @ the TOP of hosts for the utmost in speed for resolving host-domain names to IP addresses cached in RAM as 1st resolver) in those 2 ways noted!

    Which in turn also increases your reliability online (since DNS gets redirect poisoned & 99.999% of ISP DNS are NOT patched vs. the Kaminsky flaw that does it) vs. bushwhacked or downed (DNS does this a lot) remote DNS servers, which are slower in resolution (OpenDNS filters too vs. threats so it's a good combination & hosts lighten DNS server loads too which admins of them ought to like to lessen the chance of being downed due to overloads)

    & of course, security per the data I listed above from the source articles too!

    (Lastly, it increases anonymity via DNS avoidance for more speed & reliability by avoiding DNS request log tracking too)... apk

  16. It is distributed as a typical Windows executable: by tetraverse · · Score: 1

    "It is distributed as a typical Windows executable: When we run it what appears is a GUI with labels in Russian:" ref

  17. op here by Anonymous Coward · · Score: 0

    I submitted this story with softpedia, malwarebytes, and india times links,.... why did you remove the india times links? Does it have to be from a silicon valley press company? asshole moderators....

  18. Shockey monkey by Anonymous Coward · · Score: 0

    Welcome to Smelt tech support, how may I help you?

  19. When I ran IT at a bank... by Anonymous Coward · · Score: 0

    ...the machines were all disposable. Nothing of worth was actually stored on the computer. For branch employees, who are quite honestly some of the stupidest people on Earth when it comes to computers, they used roaming profiles as well. This allowed them to work at any branch on any computer. All services and data were server-side including copious amounts of Citrix usage. Downtime was never more than 24 hours for any single machine and support staff for each major region kept an average of 50 desktops and 50 laptops on hand pre-imaged and ready to deploy. If the bank mentioned in the article incurred millions in damages it was only due to incompetence, that kind of shit would result in heavy SEC fines in the USA. Lesson to be learned here: never trust IT from India.

  20. Re:Loads of Engrish posts in... by Anonymous Coward · · Score: 0

    An Asian butchering of English. India is in Asia.

  21. aMATEUR rUSSIANS? by Anonymous Coward · · Score: 0

    tELL mE mORE aBOUT tHESE sEXY aMATEUR rUSSIANS

  22. Poo in loo by Anonymous Coward · · Score: 0

    DESIGNATED