Ransomware Hits Three Indian Banks, Causes Millions In Damages (malwarebytes.org)

← Back to Stories (view on slashdot.org)

Ransomware Hits Three Indian Banks, Causes Millions In Damages (malwarebytes.org)

Posted by timothy on Sunday January 24, 2016 @11:45AM from the pretty-soon-talking-real-money dept.

An anonymous reader writes: Ransomware has locked computers in three major Indian banks and one pharmaceutical company. While the ransom note asks for 1 Bitcoin, so many computers have been infected that damages racked up millions of dollars. According to an antivirus company that analyzed the ransomware, it's not even that complex, and seems the work of some amateur Russians.

38 of 76 comments (clear)

Min score:

Reason:

Sort:

HAW HAW by Anonymous Coward · 2016-01-24 12:06 · Score: 4, Funny

And now those jackasses will have to call tech support in India and the shit will REALLY hit the fan.
1. Re: HAW HAW by Anonymous Coward · 2016-01-24 12:12 · Score: 1
  
  Considering there are billion dollar high rises right next to slums I could care less.
2. Re: HAW HAW by Anonymous Coward · 2016-01-24 12:25 · Score: 1
  
  At least they'll be able to understand them.
3. Re: HAW HAW by Anonymous Coward · 2016-01-24 12:28 · Score: 2, Funny
  
  Yeah they don't segregate as well as New York and Chicago do.
4. Re: HAW HAW by Anonymous Coward · 2016-01-24 12:40 · Score: 1
  
  Considering there are billion dollar high rises right next to slums I could care less.
  So you care a LOT then? It is 'couldn't care less', dipshit.
5. Re: HAW HAW by darthsilun · 2016-01-24 12:51 · Score: 1
  
  Considering there are billion dollar high rises right next to slums I could care less.
  Maybe there are billion Rupee high rises. I'm pretty sure building costs and property values have not reached billion (US) dollar level yet.
  And be my guest, go ahead and care less. I'll get the popcorn.
6. Re: HAW HAW by Mashiki · 2016-01-24 13:12 · Score: 2
  
  Oh sweet child how little do you know. My neurologist(here in Canada) these days primarily handles patients from India, and has a secretary that natively speaks Hindi. Even her secretary can't understand them.
  
  --
  Om, nomnomnom...
7. Re:HAW HAW by Billly+Gates · 2016-01-24 13:27 · Score: 3, Funny
  
  Have they tried rebooting their mission critical servers?
  
  --
  http://saveie6.com/
8. Re:HAW HAW by JustAnotherOldGuy · 2016-01-24 13:42 · Score: 1
  
  Did they shard the replicator to do the needful? Otherwise it won't work, even if it's webscale.
  
  --
  Just cruising through this digital world at 33 1/3 rpm...
9. Re:HAW HAW by blackpaw · 2016-01-24 14:20 · Score: 1
  
  Unless they get a call center in Kentucky. Now that would be irony! :)
10. Re:HAW HAW by Anonymous Coward · 2016-01-24 14:48 · Score: 1
  
  Is there any wonder why the likes of Donald Trump has support in the US. Look at these people.
11. Re: HAW HAW by Tablizer · 2016-01-24 18:01 · Score: 2
  
  I've heard it's a status symbol in parts of India to talk fast. There's less pressure on clarity. I found out because I suggested to an H1B co-worker that he try to talk slower. He said he didn't want to because a slower habit would make it harder to find a wife when he got back home to India.
  
  --
  Table-ized A.I.
12. Re: HAW HAW by nikkipolya · 2016-01-24 18:21 · Score: 4, Informative
  
  They have surpassed billion (US) dollar levels. Mumbai is the worlds 9th most costliest city in terms of real-estate prices (http://www.telegraph.co.uk/finance/property/pictures/8892109/In-pictures-The-worlds-20-most-expensive-cities-to-buy-property.html?image=11).
13. Re: HAW HAW by Anonymous Coward · 2016-01-24 19:09 · Score: 2
  
  That's not necessarily because she can't understand the others' Hindi. Not everybody in India even speaks Hindi, there being more than 22 constitutionally recognized languages and more than 122 major languages
14. Re:HAW HAW by skovnymfe · 2016-01-24 21:29 · Score: 1
  
  A customer feedback vindaloop? https://www.youtube.com/watch?...
15. Re: HAW HAW by CronoCloud · 2016-01-25 03:02 · Score: 2
  
  Of course she can't, India has MANY "official" languages. It's why English is sometimes the only common language Indians of different regions speak.
  India could save itself a LOT of trouble by just making English the "One and Only" official language, but they won't do it because of hard feelings about the Colonial period.
Not too shocking by Shoten · 2016-01-24 12:20 · Score: 5, Informative

Most of these ransomware packages can traverse laterally within an org; they run in the rights context of the user on the first infected computer and use that to infect other systems, spreading within the local network. So if you don't have your permissions properly set up (having "Domain Users" in the local Administrators group on your desktops as a matter of standard, for example), it's a cakewalk for the malware to hit everyone.

--

For your security, this post has been encrypted with ROT-13, twice.
1. Re:Not too shocking by thegarbz · 2016-01-24 20:13 · Score: 2
  
  Define "properly". Having domain users in the local administrators group can save a small fortune in IT related support costs in many scenarios. It just needs to be weighed against the potential risks.
  I would imagine that the potential risks for randsomware hitting an organisation with proper IT support should be minimal... unless someone isn't doing their backups properly.
  When everyone goes home at night, re-image all PCs, and restore backups. That shouldn't cost $1m.
2. Re:Not too shocking by moonlandingchap · 2016-01-25 00:48 · Score: 1
  
  That's exactly how we deal with it when a user is stupid enough to click where they shouldn't. backups really help. also gives IT a chance to have a clear out of some old junk and keep it only in archives.
  In each case the user rights of the offender were the limits of the infection. We did change the rights of the users and imposed stricter program execution policies to prevent further hassle. Also some user training helped them spot what they were about click on.
  these minor attacks really helps our systems to evolve a little and not one bitcoin was ever paid.
  with a widespread problem in india, they must have had either a very flat rights for the users or poor policies in genral. it should be a wakeup call for them
3. Re:Not too shocking by Shoten · 2016-01-25 03:33 · Score: 1
  
  Define "properly". Having domain users in the local administrators group can save a small fortune in IT related support costs in many scenarios. It just needs to be weighed against the potential risks.
  I would imagine that the potential risks for randsomware hitting an organisation with proper IT support should be minimal... unless someone isn't doing their backups properly.
  When everyone goes home at night, re-image all PCs, and restore backups. That shouldn't cost $1m.
  So...you're a fan of building a whole new PC image every time there's a patch? Not to mention the bandwidth needed to push images to all PCs at the same time, every single night, and be sure that there have been no issues? Let's also keep in mind the fact that desktop configurations in nearly all organizations differ, so you'll have driver concerns for some devices, and one-off applications (especially for the most critical users) on others.
  At first blush, your "re-image all PCs" idea sounds great...but I've seen it tried and it never works. I'm guessing you've never even tried it.
  
  --
  
  For your security, this post has been encrypted with ROT-13, twice.
4. Re:Not too shocking by peragrin · 2016-01-25 05:36 · Score: 1
  
  I am not my companies it person we hire that out. That said I have three logins.
  My everyday low rights user information. A higher rights user and full admin access to every server
  This way when a print job gets stuck I can kill it with admin rights of if someone access is screwed up I can force a logout of them which general clears up the issue.
  I only do limited actions and then log out of admin. This saves it daily headaches. While providing security.
  You can do both. You the responsible people a scond login with higher privellegse.
  
  --
  i thought once I was found, but it was only a dream.
5. Re:Not too shocking by thegarbz · 2016-01-25 06:24 · Score: 1
  
  So...you're a fan of building a whole new PC image every time there's a patch?
  
  What the hell kind of an operation are you running? No what we do is control the patching at our own schedule and once a quarter update the master image. Get your machine rebuilt just before the new master comes out? Tough get a coffee while it applies updates when you first turn it on.
That word by Barny · 2016-01-24 12:20 · Score: 5, Insightful

"Amateur Russians."
If they are actually making money from this, then they are firmly in the "professional" bracket.

--
...
/me sighs
1. Re:That word by sjames · 2016-01-24 12:24 · Score: 4, Funny
  
  They are professional malware distributors. Nobody pays them to be Russians :-)
2. Re:That word by turbidostato · 2016-01-24 15:02 · Score: 5, Insightful
  
  "Amateur Russians."
  And that means the headline is wrong. It says "Ransomware Hits Three Indian Banks, Causes Millions In Damages" when it should say instead "Incompetence Hits Three Indian Banks, Causes Millions in Damages".
  When some amateurs from a different country can wreak havoc in three different financial institutions the cause is not whatever the amateurs have done but gross incompetence.
3. Re:That word by Threni · 2016-01-25 08:34 · Score: 1
  
  Eh? I know a lot of amateurs working in IT. I don't think that word means what you think it means.
if there's a way they can get paid.... by iggymanz · 2016-01-24 12:33 · Score: 2

there is a way they can be hunted down and killed. take pictures of the corpses and post them, send the message.
1. Re:if there's a way they can get paid.... by thegarbz · 2016-01-24 20:15 · Score: 2
  
  Who the randsomware authors or the Indian bank employees who keep calling me?
What security? by PhunkySchtuff · 2016-01-24 12:41 · Score: 4, Informative

According to the linked article from Malwarebytes:

It is different than most of the ransomware present nowadays. Instead of spreading to users and automatically infecting their machines, LeChiffre needs to be run manually on the compromised system. Common scenario of infection is that attackers are automatically scanning network in search of poorly secured Remote Desktops, cracking them, and after logging remotely they manually run an instance of LeChiffre.
Just how good is their security if something that has to be manually run on each system has completely pwned them?

--
Specialist Mac support for creative pros, Melbourne
1. Re:What security? by BarbaraHudson · 2016-01-24 12:56 · Score: 1
  
  Le Chiffre - the villain in Casino Royale - strikes again!
  
  --
  "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
2. Re:What security? by Lumpy · 2016-01-24 12:58 · Score: 1
  
  Complete crap. Honestly I am surprised it hasn't happened earlier.
  
  --
  Do not look at laser with remaining good eye.
3. Re:What security? by Anonymous Coward · 2016-01-24 13:51 · Score: 1
  
  Someone emailed a file called DoTheNeedful.EXE to everyone in the bank, of course they all ran it.
4. Re:What security? by thegarbz · 2016-01-24 20:16 · Score: 1
  
  That depends on just how desperately you want to see britney-spears-leaked-sex-tape.exe
This is Sanjay from Microsoft by Hognoxious · 2016-01-24 14:09 · Score: 1

And now those jackasses will have to call tech support in India

It was probably them who installed it.

--
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Fake news by ajyand · 2016-01-24 16:27 · Score: 5, Insightful

Fake news just based on word of mouth. Take a look at the original article referenced in the referenced article and you'll know that not a single aspect of the news is verifiable. No company has been named. No people have been named. Just one person's statement has been bloated into a short article.
Re:Loads of Engrish posts in... by Zontar+The+Mindless · 2016-01-24 18:35 · Score: 1

Do you even know what "Engrish" actually refers to? Derp.

--
Il n'y a pas de Planet B.
Are these traveling hackers? by videoBuff · 2016-01-24 21:30 · Score: 1

Here is a link to that story, as told by an actual newspaper. http://cio.economictimes.india...
"ET couldn't confirm the names of the banks and the pharmaceutical company or the total number of computers that were compromised." So it is possible that the whole story is made up.
"In May last year, two Indian conglomerates had to pay about $5 million each after hackers breached their systems. The hackers, suspected to be operating from the Middle East, threatened to leak information to the Indian government if the ransom wasn't delivered. Both are said to have paid up."
So in May the hackers were in Middle East and now they are in Russia? Looks like these hackers are going around the world and paying for their trip by hacking systems.
It is distributed as a typical Windows executable: by tetraverse · 2016-01-25 00:47 · Score: 1

"It is distributed as a typical Windows executable: When we run it what appears is a GUI with labels in Russian:" ref