Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80. October 2013
Chapter 13: Destructive Viruses and Trojans
Malware Defense History
What was original about Petya was its propagation vector: it used the update mechanism of software popular in Ukraine, a path previously used by state-produced malware such as Stuxnet.
This was not a new ransomware. The first version was detected in 2016 and called 'Petya', but it was not very successful. This new version was. It re-emerged to affect computer systems across Europe, causing issues primarily in Ukraine, Russia, England and India. There was also a case in the USA.
"There have been indications of late that Petya is exploiting the SMB (Server Message Block) vulnerability," the Swiss Reporting and Analysis Centre for Information Assurance (MELANI) said in an e-mail.
Not much is known about it so far.
In EU countries it looks like it propagated via email attachments. From Bleeping Computer, "Petya Ransomware skips the Files and Encrypts your Hard Drive Instead":
This ransomware is currently being distributed via emails that are targeting the human resources departments of German companies. These emails contain dropbox links to supposed applications that download a file that when executed will install the Petya Ransomware on the computer. An example filename for the installer is Bewerbungsmappe-gepackt.exe.
It is important to note that there is a lot of bad information on the web about how to fix your computer when it has been encrypted by Petya. Many of these sites state that you can use the FixMBR command or repair your MBR to remove the infection. Though this will indeed remove the lock screen, it will not decrypt your MFT and thus your files and Windows will still be inaccessible. Only repair the MBR if you do not care about any lost data and want to reinstall Windows.
The Petya Ransomware Encryption Process
When first installed, the Petya Ransomware will replace the boot drive's existing Master Boot Record, or MBR, with a malicious loader. The MBR is information placed at the very beginning on a hard drive that tells the computer how it should boot the operating system. It will then cause Windows to reboot in order to execute the new malicious ransomware loader, which will display a screen pretending to be CHKDSK. During this fake CHKDSK stage, Petya will encrypt the Master File Table on the drive. Once the MFT is corrupted, or encrypted in this case, the computer does not know where files are located, or if they even exist, and thus they are not accessible.
Once the fake CHKDSK is completed, you will be presented with a lock screen that displays instructions on connecting to a TOR site and a unique ID you must use on the site to make the ransom payment. Once a ransom payment has been made, you will receive a password that you can enter into this screen to decrypt your computer.
From Bleeping Computer (via Slashdot):
Today's massive ransomware outbreak was caused by a malicious software update for M.E.Doc, a popular accounting software used by Ukrainian companies. According to several researchers, such as Cisco Talos, ESET, MalwareHunter, Kaspersky Lab, and others, an unknown attacker was able to compromise the software update mechanism for M.E.Doc's servers, and deliver a malicious update to customers.
When the update reached M.E.Doc's customers, the tainted software package delivered the Petya ransomware -- also referenced online as NotPetya, or Petna. The Ukrainian software vendor appears to have inadvertently confirmed that something was wrong when, this morning, it issued a security advisory.
Hours later, as the ransomware outbreak spread all over Ukraine and other countries across the globe causing huge damages, M.E.Doc denied on Facebook its servers ever served any malware. According to security researcher MalwareHunter, this is not the first time M.E.Doc has carried a malicious software update that delivered ransomware. Back in May, the company's software update mechanism also helped spread the XData ransomware.
Typically, when a user becomes infected by a crypto-ransomware, the infection targets and encrypts the files on the victim's hard drives. This leaves the operating system working properly, but with the user unable to open the encrypted documents. The Petya Ransomware takes it to the next level by encrypting portions of the hard drive itself that make it so you are unable to access anything on the drive, including Windows. At the time of this writing, the ransom payments are at ~.9 bitcoins and there is no way to decrypt your drive for free.
An individual going by the Twitter handle leostone was able to create an algorithm that can generate the password used to decrypt a Petya-encrypted computer. In my test, this algorithm was able to generate my key in 7 seconds.
You can protect your computer by exploiting the fact that ransomware typically accesses files and directories in alphabetical order. This trick is not 100% foolproof, but it might help to detect the ransomware before it encrypts your most valuable files.
Create a honeypot directory that sorts first on the C: drive (for example A_centinel); chances are it will be visited by the ransomware first. Put a couple of Linux ISO images into it, compressed with a zip archiver. Then create a small Excel or MS Word document (those two file types are targeted by all ransomware) that will serve as a canary, with a name that alphabetically precedes those two or three "huge" files, which are there to slow the encryption down.
Also put the same "canary" file and a "huge" file in your Documents folder as well as in the directory where you store backups. You can do the same with other directories holding valuable data if you have them. You may change the name, but I doubt that such worms are engaged in the de-duplication business ;-)
After that write a small script, for example in Perl, which monitors the content of the "canary" files using the Cygwin diff utility or something similar. Run it every 10 minutes or so via the scheduler. If the content of a canary file in any of the "watched" directories has changed, send an email, flash an alert and shut down or halt the computer.
If you think you need a couple of minutes before the shutdown, to slow the worm down you can replace the "canary" files in all "other" directories with your huge file (do not create new files, as directories might be scanned only once).
Eliminating free memory, for example by launching multiple "dummy" processes (which, say, calculate prime numbers and store them in memory), or free space on the drive can also help. If you use a small SSD as the C: drive on your laptop you can generate a dummy file so that there is no free space left on the drive. That means new files can't be written to the disk. On desktops with their huge hard drives this is a more difficult undertaking and does not make much sense, but on a 120GB SSD drive this is a very quick operation.
Unmounting the volume with backups can also help; in this sense storing backups on USB3 drives is the preferable option (I use Unix terminology, but yes, Windows allows you to put a USB volume offline; Microsoft's own DevCon is the command-line version of Device Manager. See also windows - Remove USB device from command line - Super User).
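The monitoring script described above, as an added example that is not part of the original notes: Python rather than the Perl the text suggests, comparing a SHA-256 fingerprint of each canary instead of running Cygwin diff. The file names, the baseline-file name and the shutdown commands are assumptions; demo() runs the checks against a constructed canary in a temporary directory.

```python
"""Canary-file monitor for the honeypot directories described above.

Assumed usage, scheduled every 10 minutes from Task Scheduler:
    python canary_watch.py init  canary_baseline.json  C:\\A_centinel\\A_canary.docx ...
    python canary_watch.py check canary_baseline.json [--halt]
"""
import hashlib
import json
import os
import subprocess
import sys
import tempfile
from pathlib import Path


def fingerprint(path):
    """Size and SHA-256 of a file, or None if it is missing or unreadable."""
    try:
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
        return {"size": os.path.getsize(path), "sha256": digest.hexdigest()}
    except OSError:
        return None


def take_baseline(paths):
    """Record every canary's fingerprint once, right after the decoys are placed."""
    return {str(p): fingerprint(p) for p in paths}


def check_canaries(baseline):
    """Return a list of (path, reason) for every canary that no longer matches.

    A canary that vanished but left a similarly named file behind (for example
    A_canary.docx.locked) is reported as renamed: that is what in-place
    encryption with an appended extension looks like on disk.
    """
    alerts = []
    for path, expected in baseline.items():
        current = fingerprint(path)
        if current == expected:
            continue
        if current is not None:
            alerts.append((path, "modified"))
            continue
        p = Path(path)
        leftovers = []
        if p.parent.is_dir():
            leftovers = sorted(f.name for f in p.parent.glob(p.name + "*") if f.name != p.name)
        alerts.append((path, ("renamed to " + leftovers[0]) if leftovers else "missing"))
    return alerts


def respond(alerts, halt=False):
    """Raise the alarm; with halt=True also power the machine off at once.
    E-mail or a pop-up, as the text suggests, would be wired in here."""
    for path, reason in alerts:
        print(f"ALERT: canary {path}: {reason}", file=sys.stderr)
    if alerts and halt:  # standard Windows / Unix shutdown commands
        cmd = ["shutdown", "/s", "/t", "0"] if os.name == "nt" else ["shutdown", "-h", "now"]
        subprocess.run(cmd, check=False)
    return bool(alerts)


def demo():
    """Walk a constructed canary in a temp directory through the three failure modes."""
    workdir = tempfile.mkdtemp()
    canary = os.path.join(workdir, "A_canary.docx")
    with open(canary, "wb") as fh:
        fh.write(b"constructed canary document: no human ever edits this file")
    base = take_baseline([canary])
    results = {"untouched": check_canaries(base)}
    with open(canary, "wb") as fh:  # overwritten in place
        fh.write(b"\x00\x17 bytes standing in for ciphertext \xff")
    results["overwritten"] = check_canaries(base)
    os.replace(canary, canary + ".locked")  # renamed with an appended extension
    results["renamed"] = check_canaries(base)
    os.remove(canary + ".locked")  # deleted outright
    results["deleted"] = check_canaries(base)
    os.rmdir(workdir)
    return results


def main(argv):
    if len(argv) >= 3 and argv[1] == "init":
        with open(argv[2], "w") as fh:
            json.dump(take_baseline(argv[3:]), fh, indent=2)
        return 0
    if len(argv) >= 3 and argv[1] == "check":
        with open(argv[2]) as fh:
            alerts = check_canaries(json.load(fh))
        return 1 if respond(alerts, halt="--halt" in argv) else 0
    print(demo())
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to see the demo; the check mode exits non-zero whenever a canary has been touched, so the scheduler can act on the exit status as well.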
One of the most viable methods for preventing this type of malware from running is to tighten your Group Policy. Details may vary and depend on your level of understanding of Group Policies. Here is one reasonably simple but effective variant that does not require more than a superficial understanding of Group Policies and was created for CryptoLocker prevention.
You get the idea from the description of a tool developed for Cryptolocker:
CryptoPrevent (Foolish IT LLC):
CryptoPrevent is a tiny utility to lock down any Windows OS to prevent infection by the Cryptolocker malware or ‘ransomware’, which encrypts personal files and then offers decryption for a paid ransom.
- v2.2.1 – made changes to prevent duplicate rules from being created when protection is applied multiple times without undoing the protection first. No harm would come from the duplicate rules, but my OCD was bothering me.
- v2.2 – added additional restriction policies to better protect Windows XP against the latest strains – prior versions were not protecting %username%\local settings\application data and their first level subdirectories, but rather only %username%\application data and their first level subdirectories. Along with this comes additional whitelist scanning functionality. Other syntax changes in the rules for better compatibility with all OSes.
- v2.1.2 – added gpupdate /force to force a refresh of group policy after removing prevention via the Undo features. This may negate the need for a reboot after Undo, and resolve issues where a reboot doesn’t quite do the trick… Also added a re-test for active protection to determine if a reboot prompt should be displayed after Undo, on the chance that it is still required.
- v2.1 – fixed Temp Extracted EXEs blocks on some systems that refused to work with %temp% in the rules.
- v2.0.1 – fixed whitelisting capabilities not working on some systems since v2.0
There already exists a Cryptolocker Prevention Kit as found here, but it only works with domains and OSes that have access to the group policy editor (Professional versions of Windows), leaving Home versions without a method of protection. It also isn’t the most intuitive of installations for the average Joe, either. The methodology CryptoPrevent uses to lock down a system is presented by Lawrence Abrams of bleepingcomputer.com here, and without that guide CryptoPrevent would not exist. Unfortunately, like the other Cryptolocker Prevention Kit mentioned, Lawrence Abrams' guide involves usage of the Group Policy Editor available in Professional versions of Windows, and is a time consuming manual task. CryptoPrevent seeks to alleviate these issues in allowing protection on ALL Windows OSes, while being easy enough for the average Joe to do, and optionally providing silent automation options for system admins and those who need to immunize a lot of computers automatically.
CryptoPrevent is a single executable and is fully portable (of course unless you download the installer based version) and will run from anywhere, even a network share.
CryptoPrevent artificially implants group policy objects into the registry in order to block certain executables in certain locations from running. Note that because the group policy objects are artificially created, they will not display in the Group Policy Editor on a Professional version of Windows — but rest assured they are still there!
Executables are blocked in these paths, where * is a wildcard:
- %appdata% and any first-level subdirectories in %appdata% (e.g. %appdata%\directory1, %appdata%\directory2, etc.)
- %localappdata% (on Vista+) and any first-level subdirectories in there.
- %temp%\rar* directories
- %temp%\7z* directories
- %temp%\wz* directories
- %temp%\*.zip directories
The first two locations are used by the malware as launch points. The final four locations are temporary extract locations for executables when run from directly inside of a compressed archive (e.g. you open download.zip in Windows Explorer, WinRAR, WinZip, or 7zip, and execute an .EXE from directly inside the download, it is actually extracted to a temporary location and run from there – so this guards against that as well.)
NOTE: Protection does not need to be applied while logged into each user account, it may be applied only once from ANY user account and it will scan for and protect all user accounts on the system. This is accomplished despite an apparent bug in Microsoft’s software prevention policies that does not allow for the %temp% environment variable to be used in the rules (as it does allow %appdata%)… so protection for %temp% folders is now applied by expanding the full path to the user’s temp folder in each rule set, and replacing the username with an * in the rules so that a single rule can cover all users. In prior versions, CryptoPrevent attempted to use the %temp% environment variable to protect all user accounts, but it was later discovered that methodology wasn’t working on all systems. If you applied protection with prior versions and want temp extracted exes blocked, you may want to reapply protection with v2.2 to ensure it will work for you.
Here are similar ComputerWorld recommendations (computerworld.com):
Here's how to do it:
- Open up Local Security Policy or the Group Policy Object editor and create a new GPO. I'll show you how to create two here -- one for Windows XP machines (which use slightly different paths for the user space) and one for Windows Vista and later machines.
- Name the new GPO "SRP for XP to prevent Cryptolocker" or something similar for you to remember easily.
- Choose Computer Configuration and then navigate through Policies > Windows Settings > Security Settings > Software Restriction Policies.
- Right-click Software Restriction Policies and choose New Software Restriction Policy from the context menu.
- Now, create the actual rules that will catch the software on which you want to enforce a restriction. Right-click Additional Rules in the left-hand pane. Choose New Path Rule.
- Under Path, enter %AppData%\*.exe.
- Under Security level, choose Disallowed.
- Enter a friendly description, like "Prevent programs from running in AppData."
- Choose New Path Rule again, and make a new rule like the one just completed. Use the following table to fill out the remainder of this GPO.
| Path | Security Level | Suggested Description |
| --- | --- | --- |
| %AppData%\*.exe | Disallowed | Prevent Cryptolocker executable from running in AppData* |
| %AppData%\*\*.exe | Disallowed | Prevent virus payloads from executing in subfolders of AppData |
| %UserProfile%\Local Settings\Temp\Rar*\*.exe | Disallowed | Prevent un-WinRARed executables in email attachments from running in the user space |
| %UserProfile%\Local Settings\Temp\7z*\*.exe | Disallowed | Prevent un-7Ziped executables in email attachments from running in the user space |
| %UserProfile%\Local Settings\Temp\wz*\*.exe | Disallowed | Prevent un-WinZIPed executables in email attachments from running in the user space |
| %UserProfile%\Local Settings\Temp\*.zip\*.exe | Disallowed | Prevent unarchived executables in email attachments from running in the user space |
*Note this entry was covered in steps 5-8. It is included here for your easy reference later.
WinRAR and 7Zip are the names of compression programs commonly used in the Windows environment.
Close the policy.
To protect Windows Vista and newer machines, create another GPO and call this one "SRP for Windows Vista and up to prevent Cryptolocker." Repeat the steps above to create the SRP and create path rules based on the following table.
| Path | Security Level | Suggested Description |
| --- | --- | --- |
| %AppData%\*.exe | Disallowed | Prevent Cryptolocker executable from running in AppData* |
| %AppData%\*\*.exe | Disallowed | Prevent virus payloads from executing in subfolders of AppData |
| %LocalAppData%\Temp\Rar*\*.exe | Disallowed | Prevent un-WinRARed executables in email attachments from running in the user space |
| %LocalAppData%\Temp\7z*\*.exe | Disallowed | Prevent un-7Ziped executables in email attachments from running in the user space |
| %LocalAppData%\Temp\wz*\*.exe | Disallowed | Prevent un-WinZIPed executables in email attachments from running in the user space |
| %LocalAppData%\Temp\*.zip\*.exe | Disallowed | Prevent unarchived executables in email attachments from running in the user space |
Close the policy.
Once these GPOs get synchronized down to your machines -- this can take up to three reboots to happen, so allow some time -- when users attempt to open executables from email attachments, they'll get an error saying their administrator has blocked the program. This will stop the Cryptolocker attachment in its tracks.
Unfortunately, taking this "block it all in those spots" approach means that other programs your users may install from the web, like GoTo Meeting reminders and other small utilities that do have legitimate purposes, will also be blocked. There is a solution, however: You can create ad-hoc allow rules in the software restriction policy GPOs. Windows allows these "whitelisted" apps before it denies anything else, so by defining these exceptions in the SRP GPO, you will instruct Windows to let those apps run while blocking everything else. Simply set the security level to Unrestricted, instead of Disallowed as we did above.
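An added example, not from the ComputerWorld piece or the original notes: a Python check of what the path rules above actually cover, run against sample paths before the GPO is deployed. It assumes, as the separate %AppData%\*.exe and %AppData%\*\*.exe rows imply, that * stays within a single path component, and that an Unrestricted rule beats a Disallowed one as the text states; the Alice profile paths and the TrustedTool whitelist rule are constructed.

```python
"""Offline coverage check for the Software Restriction Policy path rules above."""
import re

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

# The Vista-and-later table from the text; the XP table differs only in the temp path.
VISTA_RULES = [
    (r"%AppData%\*.exe", DISALLOWED),
    (r"%AppData%\*\*.exe", DISALLOWED),
    (r"%LocalAppData%\Temp\Rar*\*.exe", DISALLOWED),
    (r"%LocalAppData%\Temp\7z*\*.exe", DISALLOWED),
    (r"%LocalAppData%\Temp\wz*\*.exe", DISALLOWED),
    (r"%LocalAppData%\Temp\*.zip\*.exe", DISALLOWED),
]
XP_RULES = [(rule.replace(r"%LocalAppData%\Temp", r"%UserProfile%\Local Settings\Temp"), level)
            for rule, level in VISTA_RULES]

# Constructed profile of one user; on a real host these come from the logged-on account.
ENV = {
    "USERPROFILE": r"C:\Users\alice",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
}

# Constructed sample paths: the kind of launch points the text describes, plus one
# two folders deep that neither AppData row reaches.
SAMPLES = [
    r"C:\Users\alice\AppData\Roaming\invoice.exe",
    r"C:\Users\alice\AppData\Roaming\Dropper\invoice.exe",
    r"C:\Users\alice\AppData\Roaming\a\b\deep.exe",
    r"C:\Users\alice\AppData\Local\Temp\Rar$EXa0.123\resume.exe",
    r"C:\Users\alice\AppData\Local\Temp\Archive.zip\setup.exe",
    r"C:\Program Files\Vendor\app.exe",
]


def expand_env(rule, env):
    """Replace %Name% tokens (case-insensitive) with values from env."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), rule)


def rule_to_regex(rule, env):
    r"""Compile one path rule into a regex over the full, expanded path.

    '*' is kept within a single path component, which is why the table needs
    both %AppData%\*.exe and %AppData%\*\*.exe. A rule that names a folder
    (no wildcard, no extension) covers everything below that folder.
    """
    expanded = expand_env(rule, env)
    body = r"[^\\]*".join(re.escape(part) for part in expanded.split("*"))
    if "*" not in expanded and not re.search(r"\.[A-Za-z0-9]+$", expanded):
        body += r"(\\.*)?"
    return re.compile("^" + body + "$", re.IGNORECASE)


def evaluate(path, rules, env):
    """Return (level, rule) for the rule that decides the path.

    As the text describes, an Unrestricted (whitelist) rule wins over any
    Disallowed rule; with no match the default level, Unrestricted, applies.
    """
    hits = [(level, rule) for rule, level in rules if rule_to_regex(rule, env).match(path)]
    for level, rule in hits:
        if level == UNRESTRICTED:
            return level, rule
    return hits[0] if hits else (UNRESTRICTED, None)


def coverage_report(samples, rules, env):
    """Map each sample path to its verdict so gaps show up before deployment."""
    return {path: evaluate(path, rules, env) for path in samples}


if __name__ == "__main__":
    for path, (level, rule) in coverage_report(SAMPLES, VISTA_RULES, ENV).items():
        print(f"{level:12} {path}  <- {rule}")
```

Running it shows deep.exe ending up Unrestricted: the two AppData rows stop at first-level subfolders, which matches the CryptoPrevent description above and is worth knowing before you rely on the rule set.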
AppLocker is the SRP feature on steroids. However, it only works on Windows 7 Ultimate or Windows 7 Enterprise editions, or Windows 8 Pro or Windows 8 Enterprise edition, so if you're still on Windows XP for the time being or you have a significant contingent of Windows Vista machines, AppLocker will not do anything for you.
But if you are a larger company with volume licenses that is deploying the enterprise editions of the OS, AppLocker is really helpful in preventing Cryptolocker infections because you can simply block programs from running -- except those from specific software publishers that have signed certificates.
Here's what to do:
- Create a new GPO.
- Right-click on it to edit, and then navigate through Computer Configuration, Windows Settings, Security Settings, Application Control Policies and AppLocker.
- Click Configure Rule Enforcement.
- Under Executable Rules, check the Configured box and then make sure Enforce Rules is selected from the drop-down box. Click OK.
- In the left pane, click Executable Rules.
- Right-click in the right pane and select Create New Rule.
- On the Before You Begin screen, click Next.
- On the Permissions screen, click Next.
- On the Conditions screen, select the Publisher condition and click Next.
- Click the Browse button and browse to any executable file on your system. It doesn't matter which.
- Drag the slider up to Any Publisher and then click Next.
- Click Next on the Exceptions screen.
- Name the policy something like "Only run executables that are signed" and click Create.
- If this is your first time creating an AppLocker policy, Windows will prompt you to create default rules -- go ahead and click Yes here.
NOTE: Also take this opportunity to review the permissions set on your file server share access control lists, or ACLs. Cryptolocker possesses no special capabilities to override deny permissions, so if the user who gets infected is logged into an account that has very limited permissions, the damage will be minimal. Conversely, if you allow the Everyone group Write access for the NTFS permissions on most of your file shares, and you use mapped drives, one Cryptolocker infection could put you into a world of hurt. Review your permissions now. Tighten where you can. Work with your line of business application vendors to further tighten loose permissions that are "required" for "supportability" -- often these specifications are needlessly broad.
Using either an SRP or an AppLocker policy, you can prevent Cryptolocker from ever executing and save yourself a lot of problems.
JohnDrake2000, on 27 Oct 2013 - 9:08 PM:
I've been asked what procedure I followed to classify .zip file attachments as "Level 2" files. This is what worked for me using Windows 7 and Outlook 2010. The Microsoft Knowledge Base article lists the correct procedure for other versions of Office.
I also edited the registry to classify .zip file attachments as "Level 2" files. When Outlook users click on a .zip file attachment they now get the message:
"Attachment Security Warning. This file may contain a virus that can be harmful to your computer. You must save this file to disk before it can be opened. It is important to be very certain that this file is safe before you open it."
Prevent users from opening .zip files in Outlook 2010:
/Start /Run /regedit.exe
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security
/Edit /New /String Value
type: Level1Remove, press Enter
/Edit /Modify, type: .zip;.rar
This Trojan explicitly targets backups in addition to files with MS Office extensions and the like (see above). Backups now need to be protected by keeping them offline and putting them online only when the need arises. Network drives should be unmapped. Rotating physical disks is also a good idea.
Jul 03, 2017 | politics.slashdot.org
tinkerton (199273), Monday July 03, 2017 @05:19PM (#54738011) Re:The Russians ate my homework... (Score: 4, Insightful)
bogaboga (793279), Monday July 03, 2017 @01:17PM (#54736005)
The article's central message is plausible: Russia running a cyberwar against Ukraine and at the same time trying to build up know-how. But at the same time the author knows that he can write anything about Russia and it will be believed. At the same time the story is part of a large anti-Russia and anti-Trump campaign.
I don't keep track so I don't have a lot of links ready but I know the news about a Russian cyberattack on a US power plant was bogus. Russian hacking of the DNC was bogus. Russian-Trump links are bogus. Russian hacking of the French elections was bogus. But these debunkings only come through very slowly. On the other side there is a barrage of claims that is so overwhelming nobody can begin to debunk them.
And I see good reasons why the Democrats and the military-industrial complex prefer to have high tensions with Russia and why they want to blame Russia for the failed elections. And I see why the press goes along with it.
And I think that whatever Russia is doing (a lot less than claimed, but certainly a lot of business-as-usual nasty stuff) it's a good idea to improve the ties with them rather than deteriorate them. That is my opinion about policy. That it's in the West's interest. I also think they're open to chances for improvement, at least as long as Putin is there.
But look at this thread. It's almost unanimous against Russia. Any outsider looking here without any knowledge of the situation would know this is bad. It means no good thinking will come out of it (there are more reasons for that though). It also means propaganda is still very effective here and now.
So the article of the topic here may have a good degree of truth, but it's all part of an anti-Russian frenzy which I think is a very bad idea.
Here's a new link about a lot of the hacking stories. It covers quite some ground. I'd have to dig for the rest. The ones I mentioned are some I'm pretty certain of, although one can debate how convincing the proof is. https://consortiumnews.com/201... [consortiumnews.com]
I didn't discuss Trump. I'd like to get rid of him but I'm convinced the current campaign to link him to Russia is extremely dishonest. He's right about that. Maybe he'll go down because in his efforts to stop them he'll do something very illegal. Or maybe he'll stay in power because he made the right friends. The Saudis and the weapons manufacturers for instance. Then all that the anti-Russia campaign will have achieved is to give us the worst of both worlds. Thanks for cooperating everyone.
Wow...wait a moment... (Score: 2)
atomlib (2618043) writes: on Monday July 03, 2017 @01:05PM (#54735925)
Russia Behind Cyber-attack, Says Ukraine's Security Service
I think it's premature to jump to such conclusions since we know that our very own CIA has also been implicated...
Vault 7 [wikileaks.org] and more. [wired.com]
Russian companies were hit by that Petya thing (Score: 1, Troll)
qaz123 (2841887) writes: on Monday July 03, 2017 @02:42PM (#54736649)
Whatever it was, that Petya thing hit a bunch of Russian companies as well. For example, it hit Russia's top oil providers Rosneft and Bashneft. Some of them suffered quite a bit. Invitro, a nationwide network of private medical laboratories, temporarily ceased sample collection due to the cyberattack.
Ukraine says... (Score: 1)
Of course Ukraine would say that. No matter whether it's true or not. Because that hurts Russia and that is what Ukraine wants now.
Re:The only true security is renewables (Score: 2) by tinkerton (199273) writes: on Monday July 03, 2017 @05:24PM (#54738061)
Because we don't fear the bear.
Exactly. When we're enthusiastically demonizing some party it means we're not scared of them. There have been exceptions, but that's long ago.
Jun 30, 2017 | marknesop.wordpress.com
marknesop, June 28, 2017 at 10:57 pm
The world's most reprehensible newspaper, The New York Times, is quick to blame the ransomware attack which crippled computers in Ukraine on Russia. Never mind the evidence; Ukrainians say Russia did it, and Ukrainians never lie. Moreover, they say it was Russia because just a couple of days ago a senior government official was blown up in a car bomb attack, and that was Russia, so they probably did this, too. QED.
Curiously enough, another Times story from just a little over a month ago reported a near-identical attack, which it said was executed using malicious software 'stolen' from the NSA's tickle trunk .
Uh huh. Sure it was. And Cisco Systems is right there in Kiev, 'helping' Ukraine pin down the origin of the attack.
For what it's worth, one of our favouritest authors, Molly McKew – at the Washington Post , the world's second-most-reprehensible newspaper – quickly makes the connection between Shapoval's murder and Russia , which she says is the wide assumption of experts.
Jun 30, 2017 | www.msn.com
While there are still plenty of unknowns regarding Petya, security researchers have pinpointed what they believe to be the first target of the attack: M.E.Doc, a Ukrainian company that develops tax accounting software.
The initial attack took aim at the software supply chain of the tax software MEDoc, which then spread through a system updater process that carried malicious code to thousands of machines, including those of companies that do business in Ukraine.
Jun 28, 2017 | www.msn.com
U.S. delivery firm FedEx Corp said its TNT Express division had been significantly affected by the virus, which also wormed its way into South America, affecting ports in Argentina operated by China's Cofco.
The malicious code locked machines and demanded victims post a ransom worth $300 in bitcoins or lose their data entirely, similar to the extortion tactic used in the global WannaCry ransomware attack in May.
More than 30 victims paid up but security experts are questioning whether extortion was the goal, given the relatively small sum demanded, or whether the hackers were driven by destructive motives rather than financial gain.
Hackers asked victims to notify them by email when ransoms had been paid but German email provider Posteo quickly shut down the address, a German government cyber security official said.
While the malware seemed to be a variant of past campaigns, derived from code known as Eternal Blue believed to have been developed by the U.S. National Security Agency (NSA), experts said it was not as virulent as May's WannaCry attack.
Security researchers said Tuesday's virus could leap from computer to computer once unleashed within an organisation but, unlike WannaCry, it could not randomly trawl the internet for its next victims, limiting its scope to infect.
Businesses that installed Microsoft's latest security patches from earlier this year and turned off Windows file-sharing features appeared to be largely unaffected. A number of the international firms hit have operations in Ukraine, and the virus is believed to have spread within global corporate networks after gaining traction within the country. ...
Shipping giant A.P. Moller-Maersk, which handles one in seven containers shipped worldwide, has a logistics unit in Ukraine.
Other large firms affected, such as French construction materials company Saint Gobain and Mondelez International Inc, which owns chocolate brand Cadbury, also have operations in the country.
Maersk was one of the first global firms to be taken down by the cyber attack and its operations at major ports such as Mumbai in India, Rotterdam in the Netherlands and Los Angeles on the U.S. west coast were disrupted.
Other companies to succumb included BNP Paribas Real Estate , a part of the French bank that provides property and investment management services.
"The international cyber attack hit our non-bank subsidiary, Real Estate. The necessary measures have been taken to rapidly contain the attack," the bank said on Wednesday.
Production at the Cadbury factory on the Australian island state of Tasmania ground to a halt late on Tuesday after computer systems went down.
Russia's Rosneft, one of the world's biggest crude producers by volume, said on Tuesday its systems had suffered "serious consequences" but oil production had not been affected because it switched to backup systems. (Additional reporting by Helen Reid in London, Teis Jensen in Copenhagen, Maya Nikolaeva in Paris, Shadia Naralla in Vienna, Marcin Goettig in Warsaw, Byron Kaye in Sydney, John O'Donnell in Frankfurt, Ari Rabinovitch in Tel Aviv and Noor Zainab Hussain in Bangalore; writing by Eric Auchard and David Clarke; editing by David Clarke)
Jun 28, 2017 | it.slashdot.org
Posted by msmash on Tuesday June 27, 2017
A massive cyber attack has disrupted businesses and services in Ukraine on Tuesday, bringing down the government's website and sparking officials to warn that airline flights to and from the country's capital city Kiev could face delays. Motherboard reports that the ransomware is quickly spreading across the world.
From a report:
A number of Ukrainian banks and companies, including the state power distributor, were hit by a cyber attack on Tuesday that disrupted some operations (a non-paywalled source), the Ukrainian central bank said. The latest disruptions follow a spate of hacking attempts on state websites in late-2016 and repeated attacks on Ukraine's power grid that prompted security chiefs to call for improved cyber defences. The central bank said an "unknown virus" was to blame for the latest attacks, but did not give further details or say which banks and firms had been affected. "As a result of these cyber attacks these banks are having difficulties with client services and carrying out banking operations," the central bank said in a statement.
BBC reports that Ukraine's aircraft manufacturer Antonov, two postal services, Russian oil producer Rosneft and Danish shipping company Maersk are also facing "disruption, including its offices in the UK and Ireland." According to local media reports, the "unknown virus" cited above is a ransomware strain known as Petya.A.
Here's how Petya encrypts files on a system (video).
News outlet Motherboard reports that Petya has hit targets in Spain, France, Ukraine, Russia, and other countries as well .
From the report:
"We are seeing several thousands of infection attempts at the moment, comparable in size to Wannacry's first hours," Costin Raiu, a security researcher at Kaspersky Lab, told Motherboard in an online chat. Judging by photos posted to Twitter and images provided by sources, many of the alleged attacks involved a piece of ransomware that displays red text on a black background, and demands $300 worth of bitcoin. "If you see this text, then your files are no longer accessible, because they are encrypted," the text reads, according to one of the photos. "Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."
Jun 28, 2017 | it.slashdot.org (cbslocal.com)
Posted by msmash on Tuesday June 27, 2017 @03:20PM
The Heritage Valley Health System says it has been hit with a cyber attack. From a report: A spokeswoman confirmed the attack Tuesday morning. "Heritage Valley Health System has been affected by a cyber security incident. The incident is widespread and is affecting the entire health system including satellite and community locations. We have implemented downtime procedures and made operational adjustments to ensure safe patient care continues un-impeded." Heritage Valley is a $480 million network that provides care for residents of Allegheny, Beaver, Butler and Lawrence counties, in Pennsylvania; parts of eastern Ohio; and the panhandle of West Virginia.
Jun 28, 2017 | it.slashdot.org (vice.com)
Posted by msmash on Tuesday June 27, 2017 @04:41PM
Joseph Cox, reporting for Motherboard: On Tuesday, a new, worldwide ransomware outbreak took off, infecting targets in Ukraine, France, Spain, and elsewhere. The hackers hit everything from international law firms to media companies. The ransom note demands victims send bitcoin to a predefined address and contact the hacker via email to allegedly have their files decrypted. But the email company the hacker happened to use, Posteo, says it has decided to block the attacker's account, leaving victims with no obvious way to unlock their files. [...] The hacker tells victims to send $300 worth of bitcoin. But to determine who exactly has paid, the hacker also instructs people to email their bitcoin wallet ID, and their "personal installation key." This is a 60 character code made up of letters and digits generated by the malware, which is presumably unique to each infection of the ransomware. That process is not possible now, though. "Midway through today (CEST) we became aware that ransomware blackmailers are currently using a Posteo address as a means of contact," Posteo, the German email provider the hacker had an account with, wrote in a blog post. "Our anti-abuse team checked this immediately -- and blocked the account straight away."
Jun 28, 2017 | tech.slashdot.org
An anonymous reader quotes a report from Bleeping Computer:
Today's massive ransomware outbreak was caused by a malicious software update for M.E.Doc, a popular accounting software used by Ukrainian companies. According to several researchers, such as Cisco Talos, ESET, MalwareHunter, Kaspersky Lab, and others, an unknown attacker was able to compromise the software update mechanism for M.E.Doc's servers, and deliver a malicious update to customers. When the update reached M.E.Doc's customers, the tainted software package delivered the Petya ransomware -- also referenced online as NotPetya, or Petna. The Ukrainian software vendor appears to have inadvertently confirmed that something was wrong when, this morning, it issued a security advisory. Hours later, as the ransomware outbreak spread all over Ukraine and other countries across the globe causing huge damages, M.E.Doc denied on Facebook that its servers ever served any malware. According to security researcher MalwareHunter, this is not the first time M.E.Doc has carried a malicious software update that delivered ransomware. Back in May, the company's software update mechanism also helped spread the XData ransomware.
Jun 28, 2017 | telegraph.co.uk
Ransomware is 2016 programme 'Petya'
Ransomware known as Petya seems to have re-emerged to affect computer systems across Europe, causing issues primarily in Ukraine, Russia, England and India, a Swiss government information technology agency has told Reuters.
"There have been indications of late that Petya is in circulation again, exploiting the SMB (Server Message Block) vulnerability," the Swiss Reporting and Analysis Centre for Information Assurance (MELANI) said in an e-mail.
It said it had no information that Swiss companies had been impacted, but said it was following the situation. The Petya virus was blamed for disrupting systems in 2016.
Russia's top oil producer Rosneft said a large-scale cyber attack hit its servers on Tuesday, with computer systems at some banks and the main airport in neighbouring Ukraine also disrupted.
3:48PM 'A multi-pronged attack'
"This appears to be a multi-pronged attack that started with a phishing campaign targeting infrastructure in the Ukraine," said Allan Liska, a security analyst at Recorded Future.
"There is some speculation that, like WannaCry, this attack is being spread using the EternalBlue exploit which would explain why it is spreading so quickly (having reached targets in Spain and France in addition to the Ukraine)."
Jun 28, 2017 | marknesop.wordpress.com
Moscow Exile, June 27, 2017 at 11:42 am
Petya cyber attack: Ransomware spreads across Europe with firms in Ukraine, Britain and Spain shut down
Moscow Exile, June 27, 2017 at 11:46 am
Huge cyber attack cripples firms, airports, banks and government departments in Ukraine
Hack may have spread to Britain, with the advertising firm WPP affected
Danish and Spanish multinationals also paralysed by attack
Michael Fallon warns UK could respond to cyber attacks with military force
The Defence Secretary has said the UK would be prepared to retaliate against future cyber attacks using military force such as missile strikes.
He warned cyber attacks against UK systems "could invite a response from any domain – air, land, sea or cyberspace".
Tough guy, huh?
What a tosser!
Blah, blah, fucking-blah.
And the firm where I was working this afternoon, MSD Pharmaceuticals, has been down all day.
That's in Moscow.
Anyone said "Putin done it!" yet?
Comment to same story in the Independent:
Moscow Exile, June 27, 2017 at 1:52 pm
This story was being reported as an attack on Ukraine alone by this a-wipe earlier today (and Russia were being put in the frame for it)
The attack was always a global one and indeed many Russian companies have been hit – but of course the 1% want the world to believe it is all down to the Russian government.
Add to that bit of knowledge – the extra bits of knowledge that the 1% are all buying up properties in New Zealand all of a sudden – and the US are suddenly pushing hard against the Syrian government, notwithstanding the fact that Russia are allied to Syria and Iran in their fight against terrorism (i.e. the US)
Can you all now see what is going on in the minds of those that would rule the world?
Kremlin says its computers not affected by hacker attack
marknesop, June 27, 2017 at 3:50 pm
Well there you are, then!
The Kremlin must have been behind the attacks.
Stands to reason, don't it?
Actually, they blame North Korea for it, although that seems pretty unlikely to me and is more likely just capitalizing on an event to do a little bashing.
kirill, June 27, 2017 at 6:58 pm
Why is Fallon only prepared to respond militarily to the next attack? Why not this one? Come on, Mikey, get your finger out! What're they paying you for?
Trash talking chihuahua.
tech.slashdot.org
Updated: A huge ransomware outbreak has hit major banks, utilities and telcos in Ukraine as well as victims in other countries.
Early analysis of the attack points towards a variant of the known Petya ransomware, a strain of malware that encrypts the filesystem tables and hijacks the Master Boot Record to ensure it starts before the operating system on infected Windows PCs. Early reports suggest the malware is spreading by network shares and email, but this remains unconfirmed. The outbreak is centred on but not confined to the Ukraine. Victims in Spain, France and Russia have also been reported.
Victims include Ukrainian power distribution outfit Ukrenergo, which said the problem is confined to its computer network and is not affecting its power supply operations, Reuters reports. Other victims include Oschadbank, one of Ukraine's largest state-owned lenders.
Global shipping outfit Maersk Group is also under the cosh.
Hackers behind the attack are demanding $300 (payable in Bitcoin) to unlock each computer. It's easy to ascribe any computing problem in Ukraine to Russia because of the ongoing conflict between the two countries, but the culprits behind the latest attack are just as likely to be cybercriminals as state-sponsored saboteurs, judging by the evidence that's emerged this far.
"While ransomware can be (and has been) used to cover other attacks, I think it's wise to consider the Ukraine attack cybercriminal for now," said Martijn Grooten, editor of Virus Bulletin and occasional security researcher.
Updated at 1500 UTC to add: Allan Liska, intelligence architect at Recorded Future, said the attack has multiple components including an attack to steal login credentials as well as trash compromised computers.
"This appears to be a multi-pronged attack that started with a phishing campaign targeting infrastructure in the Ukraine," Liska said. "The payload of the phishing attack is twofold: an updated version of the Petya ransomware (older versions of Petya are well-known for their viciousness; rather than encrypting select files, Petya overwrote the master boot record on the victim machine, making it completely inoperable)."
There is some speculation that, like WannaCrypt, this attack is being spread using the EternalBlue exploit, which would explain why it is spreading so quickly (having reached targets in Spain and France in addition to the Ukraine). "Our threat intelligence also indicated that we are now starting to see US victims of this attack," according to Liska.
There are also reports that the payload includes a variant of Loki Bot in addition to the ransomware. Loki Bot is a banking Trojan that extracts usernames and passwords from compromised computers. This means this attack not only could make the victim's machine inoperable, it could steal valuable information that an attacker can take advantage of during the confusion, according to Recorded Future.
Updated at 1509 UTC to add: Reg sources from inside London firms have been notifying us that they've been infected. We were sent this screenshot (cropped to protect the innocent) just minutes ago: