Ransomware Racket Demanding Bitcoin from Indian Companies

Earlier this month, the LeChiffre ransomware infected three Indian banks and a pharmaceutical company, with the attacker demanding one bitcoin per compromised computer and reportedly causing millions of dollars in damage.
LeChiffre is not your typical ransomware: it runs only when launched manually. The attacker infiltrated each company's network and then moved laterally to other computers over unprotected Remote Desktop (RDP) ports.

Once he had access to a computer, the attacker downloaded the ransomware from his own server and double-clicked it to start the encryption process.
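Lateral movement over exposed RDP, as described above, leaves a trail on every target: a Windows Security event 4624 with logon type 10 (RemoteInteractive). The program below is an added example, not code from the original article or from the responders to this incident. It parses a constructed batch of such events and flags any account/source-IP pair that reached several distinct hosts, the fan-out pattern of one operator hopping from box to box. The line format, hostnames, addresses and the threshold of three hosts are all assumptions made for the demo.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Logon is one Windows Security 4624 record reduced to the fields that matter here.
type Logon struct {
	Time, Host, Account, SourceIP string
	LogonType                     int
}

// sampleLogons is constructed for this example (not data from the incident):
// comma-separated 4624 events as time,event_id,logon_type,target_host,account,source_ip.
const sampleLogons = `
2016-01-19T01:02:11Z,4624,10,SRV-FIN-01,CORP\svc_backup,10.20.30.40
2016-01-19T01:05:40Z,4624,10,SRV-FIN-02,CORP\svc_backup,10.20.30.40
2016-01-19T01:09:03Z,4624,10,WKS-HR-117,CORP\svc_backup,10.20.30.40
2016-01-19T01:14:27Z,4624,10,SRV-DB-03,CORP\svc_backup,10.20.30.40
2016-01-19T01:15:00Z,4624,2,SRV-DB-03,CORP\alice,-
2016-01-19T08:30:12Z,4624,10,SRV-FIN-01,CORP\alice,10.20.31.7
2016-01-19T08:31:12Z,4624,3,SRV-FIN-01,CORP\alice,10.20.31.7
`

// ParseLogons keeps every well-formed 4624 line; malformed lines are skipped.
func ParseLogons(raw string) []Logon {
	var out []Logon
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 6 || f[1] != "4624" {
			continue
		}
		lt, err := strconv.Atoi(f[2])
		if err != nil {
			continue
		}
		out = append(out, Logon{Time: f[0], LogonType: lt, Host: f[3], Account: f[4], SourceIP: f[5]})
	}
	return out
}

// RDPFanOut groups RDP logons (type 10) by account and source IP and returns the
// pairs that reached at least minHosts distinct machines, with the hosts sorted.
// Interactive (2) and network (3) logons are ignored: they are not RDP sessions.
func RDPFanOut(logons []Logon, minHosts int) map[string][]string {
	seen := map[string]map[string]bool{}
	for _, l := range logons {
		if l.LogonType != 10 {
			continue
		}
		key := l.Account + " from " + l.SourceIP
		if seen[key] == nil {
			seen[key] = map[string]bool{}
		}
		seen[key][l.Host] = true
	}
	flagged := map[string][]string{}
	for key, hosts := range seen {
		if len(hosts) < minHosts {
			continue
		}
		var list []string
		for h := range hosts {
			list = append(list, h)
		}
		sort.Strings(list)
		flagged[key] = list
	}
	return flagged
}

func main() {
	flagged := RDPFanOut(ParseLogons(sampleLogons), 3)
	var keys []string
	for k := range flagged {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%s -> %d hosts over RDP: %s\n", k, len(flagged[k]), strings.Join(flagged[k], ", "))
	}
}
```

The threshold is deliberately low because the attacker here needed only a handful of hops; in a real estate it should be tuned per account type, and service accounts that never legitimately use RDP (like the constructed svc_backup) warrant a threshold of one.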

LeChiffre encrypts only the first and last 8192 bytes of each file with AES and then appends the encryption key to the file as a 32-byte blob; everything between the head and the tail of a large file is left as it was. The ransomware is written in Delphi, and its interface is in Russian.
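The file layout just described is worth modelling, because it decides what a responder can recover. The Go program below is an added example, not LeChiffre's code and not from the original article: it reproduces the head/tail layout on an in-memory buffer, shows how much of a file is never touched, and implements the recovery path that follows if the trailing 32-byte blob really is the raw key as the text states. AES-CTR, the offset-seeded counter, the sample key and the sample content are all assumptions for the demo; the article does not name a mode or IV, and a real sample would need those located by analysis.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	chunkSize = 8192 // bytes encrypted at the head and at the tail of each file
	keySize   = 32   // size of the key blob appended to each file
)

// ranges returns the byte ranges the scheme touches: the first and last
// chunkSize bytes, collapsed to a single range when the file is too small
// for the two to be disjoint.
func ranges(n int) [][2]int {
	if n <= 2*chunkSize {
		return [][2]int{{0, n}}
	}
	return [][2]int{{0, chunkSize}, {n - chunkSize, n}}
}

// ctrXOR applies AES-CTR to buf in place. The mode and IV are assumptions; the
// counter is seeded from the byte offset so head and tail never share keystream.
func ctrXOR(block cipher.Block, offset int, buf []byte) {
	iv := make([]byte, block.BlockSize())
	binary.BigEndian.PutUint64(iv[8:], uint64(offset/block.BlockSize()))
	cipher.NewCTR(block, iv).XORKeyStream(buf, buf)
}

// Encrypt models the described layout: head and tail encrypted, the middle
// untouched, and the key appended as the last 32 bytes.
func Encrypt(key, plain []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := append([]byte(nil), plain...)
	for _, r := range ranges(len(out)) {
		ctrXOR(block, r[0], out[r[0]:r[1]])
	}
	return append(out, key...), nil
}

// Decrypt is the recovery path if the blob is the raw key: take the trailing
// 32 bytes, drop them from the body, and undo the head/tail pass.
func Decrypt(enc []byte) ([]byte, error) {
	if len(enc) < keySize {
		return nil, errors.New("file too short to carry a key blob")
	}
	body, key := enc[:len(enc)-keySize], enc[len(enc)-keySize:]
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := append([]byte(nil), body...)
	for _, r := range ranges(len(out)) {
		ctrXOR(block, r[0], out[r[0]:r[1]])
	}
	return out, nil
}

// UntouchedMiddle reports how many bytes of an n-byte file stay in plaintext.
func UntouchedMiddle(n int) int {
	if n <= 2*chunkSize {
		return 0
	}
	return n - 2*chunkSize
}

func main() {
	key := bytes.Repeat([]byte{0x42}, keySize)              // constructed demo key
	plain := bytes.Repeat([]byte("LeChiffre-demo-"), 2000) // constructed 30000-byte file
	enc, _ := Encrypt(key, plain)
	dec, _ := Decrypt(enc)
	fmt.Printf("file %d bytes, %d left in clear, round trip ok: %v\n",
		len(plain), UntouchedMiddle(len(plain)), bytes.Equal(plain, dec))
}
```

The practical points: carving the middle of large files (databases, archives, media) is possible regardless of the key, and if the blob is the key in cleartext, Decrypt is the whole decryptor. If analysis shows the blob is instead the key wrapped under an attacker-held public key, the same layout applies but only the carving option remains.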

“LeChiffre looks very unprofessional; practically no countermeasures against analysis have been taken, but still it has managed to do damage.”

Here is the LeChiffre message displayed after files have been encrypted:

[Screenshot of the LeChiffre ransom message; image not reproduced here]

CryptoJoker Ransomware

A new ransomware called CryptoJoker has been discovered. It encrypts your data with AES-256 and then demands a ransom in bitcoin to get your files back. The CryptoJoker installer is disguised as a PDF file, which suggests it is distributed via email phishing campaigns. Once executed, the installer downloads or generates numerous executables in the %Temp% folder and one in the %AppData% folder.

When CryptoJoker encrypts your data it scans all drives on the victim's computer, including mapped network drives, for files with certain extensions. When it finds a targeted file it encrypts it and renames it with a .crjoker extension appended. For example, Dog.jpg becomes Dog.jpg.crjoker.

Files Associated with CryptoJoker:

%Temp%\crjoker.html
%Temp%\drvpci.exe
%Temp%\GetYouFiles.txt
%Temp%\imgdesktop.exe
%Temp%\new.bat
%Temp%\README!!!.txt
%Temp%\sdajfhdfkj
%Temp%\windefrag.exe
%Temp%\windrv.exe
%Temp%\winpnp.exe
%AppData%\dbddbccdf.exe
%AppData%\README!!!.txt22

Registry Entries associated with CryptoJoker:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winpnp %Temp%\winpnp.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drvpci %Temp%\drvpci.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\windefrag %Temp%\windefrag.exe
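The three Run values above, and the %Temp% file list before them, are what a responder checks first on a suspect host. The program below is an added example, not code from the original article or from CryptoJoker: it parses constructed output in the shape of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, flags the three published value names, and goes one step further than the list by flagging any autorun whose executable lives under the user's %Temp% directory, which is where the file list shows the dropper staging its binaries and where legitimate software does not need to persist. The sample output, user name and Temp path are assumptions for the demo.

```go
package main

import (
	"fmt"
	"strings"
)

// RunValue is one value under HKCU\...\CurrentVersion\Run: its name and command line.
type RunValue struct{ Name, Command string }

// Finding records a flagged Run value and why it was flagged.
type Finding struct{ Name, Exe, Reason string }

// knownValues are the three persistence entries listed for CryptoJoker,
// keyed by value name (lower case) with the expected executable basename.
var knownValues = map[string]string{
	"winpnp":    "winpnp.exe",
	"drvpci":    "drvpci.exe",
	"windefrag": "windefrag.exe",
}

// sampleRegQuery is constructed for this example, in the shape of
// `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; it is not real data.
const sampleRegQuery = `
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    winpnp      REG_SZ    C:\Users\alice\AppData\Local\Temp\winpnp.exe
    drvpci      REG_SZ    C:\Users\alice\AppData\Local\Temp\drvpci.exe
    updater     REG_SZ    C:\Users\alice\AppData\Local\Temp\sdajfhdfkj.exe
`

// ParseRunValues pulls (name, command) pairs out of reg query output; the key
// path line and blank lines have no REG_ type field and are skipped.
func ParseRunValues(out string) []RunValue {
	var vals []RunValue
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 || !strings.HasPrefix(f[1], "REG_") {
			continue
		}
		vals = append(vals, RunValue{Name: f[0], Command: strings.Join(f[2:], " ")})
	}
	return vals
}

// exePath returns the program part of a command line, dropping quotes and arguments.
func exePath(cmd string) string {
	cmd = strings.TrimSpace(cmd)
	if strings.HasPrefix(cmd, `"`) {
		if end := strings.Index(cmd[1:], `"`); end >= 0 {
			return cmd[1 : end+1]
		}
	}
	if i := strings.Index(strings.ToLower(cmd), ".exe "); i >= 0 {
		return cmd[:i+4]
	}
	return cmd
}

// baseName is a Windows-path-aware basename so the check also runs on non-Windows hosts.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

// CheckRunValues flags the published CryptoJoker values by name and basename,
// and any other Run value whose executable sits under tempDir.
func CheckRunValues(vals []RunValue, tempDir string) []Finding {
	var out []Finding
	tempPrefix := strings.ToLower(strings.TrimRight(tempDir, `\`)) + `\`
	for _, v := range vals {
		exe := exePath(v.Command)
		lname := strings.ToLower(v.Name)
		switch {
		case knownValues[lname] != "" && strings.EqualFold(baseName(exe), knownValues[lname]):
			out = append(out, Finding{v.Name, exe, "known CryptoJoker persistence value"})
		case strings.HasPrefix(strings.ToLower(exe), tempPrefix):
			out = append(out, Finding{v.Name, exe, "autorun from %Temp%"})
		}
	}
	return out
}

func main() {
	vals := ParseRunValues(sampleRegQuery)
	for _, f := range CheckRunValues(vals, `C:\Users\alice\AppData\Local\Temp`) {
		fmt.Printf("%-10s %-50s %s\n", f.Name, f.Exe, f.Reason)
	}
}
```

On a live host, feed it the real `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` output and the value of %Temp% for the logged-on user; the generic %Temp% rule is what catches a renamed dropper such as the fourth constructed entry, which none of the published names would match.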