What was original about Petya, or more precisely about the June 2017 variant later called NotPetya, was its propagation vector: the update mechanism of M.E.Doc, an accounting package popular in Ukraine. Abusing a trusted software channel in this way is a path previously seen in state-produced malware such as Stuxnet.
This was not a new ransomware. The first version was detected in 2016 and called 'Petya', but it was not very successful. The new version was. It re-emerged to hit computer systems across Europe, causing problems primarily in Ukraine, Russia, England and India; cases were also reported in the USA.
"There have been indications of late that Petya is exploiting the SMB (Server Message Block) vulnerability,"
the Swiss Reporting and Analysis Centre for Information Assurance (MELANI) said in an e-mail.
The original 2016 Petya was distributed via emails targeting the human resources departments of German companies. These emails contained Dropbox links to supposed job applications that downloaded a file which, when executed, installed the Petya ransomware on the computer. An example filename for the installer is Bewerbungsmappe-gepackt.exe ("application folder, packed" in German).
It is important to note that there is a lot of bad information on the web about how to fix your computer once it has been encrypted by Petya. Many of these sites state that you can use the FixMBR command (bootrec /fixmbr) or otherwise repair your MBR to remove the infection. Though this will indeed remove the lock screen, it will not decrypt your MFT, and thus your files and Windows will still be inaccessible. Only repair the MBR if you do not care about the lost data and want to reinstall Windows; if you do care, take a sector-level image of the drive before attempting any repair.
The Petya Ransomware Encryption Process
When first installed, the Petya ransomware replaces the boot drive's existing Master Boot Record, or MBR, with a malicious loader. The MBR is the first sector of a hard drive; it holds the bootstrap code that tells the computer how to boot the operating system, plus the partition table. Petya then forces Windows to reboot in order to execute the new malicious loader, which displays a screen pretending to be CHKDSK. During this fake CHKDSK stage, Petya encrypts the Master File Table (MFT), the NTFS index that records where every file lives on the volume. Once the MFT is corrupted, or encrypted in this case, the computer no longer knows where files are located, or whether they even exist, and so they are not accessible. If you see this "CHKDSK" screen, power the machine off immediately rather than letting the check finish: the encryption is happening while it runs, and whatever has not been encrypted yet can still be recovered from the disk with another system.
Once the fake CHKDSK is completed, you are presented with a lock screen that displays instructions for connecting to a TOR site and a unique ID you must enter on the site to make the ransom payment. Once the payment has been made, you receive a password that you can enter into this screen to decrypt your computer. That is how the 2016 Petya worked; for the June 2017 NotPetya the only contact channel was a single e-mail address that the provider shut down within hours, and the "installation key" it shows is random data rather than something derived from the encryption key, so no decryption password could be obtained.
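As an added illustration (this is not code from the original article, nor Petya's own code), the following Python script shows the check a defender can run before the reboot that actually executes the malicious loader: read the first sector of the boot disk and compare its bootstrap code with a baseline recorded from the same machine when it was clean. Petya leaves the partition table and the 0x55AA boot signature in place, so a "valid MBR" check proves nothing; the hash of the 440-byte bootstrap area does change. The sample sectors below are constructed for the example; reading \\.\PhysicalDrive0 for real requires administrator rights. NotPetya also falls back to encrypting individual files when it cannot obtain the privileges needed to write the MBR, so this check covers only the boot-sector mode.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bootstrap code; bytes 440..445 hold the disk signature and padding
PART_TABLE_OFF = 446         # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap area only, which is what Petya overwrites."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> dict:
    """Compare a freshly read sector 0 against the clean-machine baseline."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    return {
        "valid_signature": mbr[510:512] == MBR_SIGNATURE,
        "boot_code_matches_baseline": boot_code_hash(mbr) == baseline_hash,
        "partitions": parse_partition_table(mbr),
    }


def read_physical_drive_mbr(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read the real sector 0 on Windows (administrator rights required)."""
    with open(device, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: the given bootstrap bytes, one bootable NTFS
    partition (type 0x07) starting at LBA 2048, and a valid 0x55AA signature."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(boot_code)] = boot_code
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


# Constructed samples: identical partition table, different bootstrap code.
# The clean one starts with the usual xor ax,ax / mov ss,ax / mov sp,0x7c00 prologue.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40)
TAMPERED_MBR = build_sample_mbr(b"\xfa\xe8\x00\x00" + b"\xcc" * 60)
BASELINE = boot_code_hash(CLEAN_MBR)   # in practice: recorded from a known-clean machine


if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sector, BASELINE))
```

Both sample sectors pass the signature check and carry the same partition table; only the baseline comparison tells them apart, which is the point. Record the baseline per machine, since bootstrap code differs between Windows versions and third-party boot managers.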
When the update reached M.E.Doc's customers, the tainted package delivered the Petya ransomware, also referenced online as NotPetya or Petna. The Ukrainian software vendor appears to have inadvertently confirmed that something was wrong when it issued a security advisory this morning. M.E.Doc later denied on Facebook that its servers ever served any malware. According to security researcher MalwareHunter, this is not the first time M.E.Doc has carried a malicious software update that delivered ransomware: back in May, the company's update mechanism also helped spread the XData ransomware.
Typically, when a user is infected by crypto-ransomware, the infection targets and encrypts the files on the victim's drives. This leaves the operating system working, but the user is unable to open the encrypted documents. Petya takes this a step further by encrypting part of the drive's own structure, so that nothing on the drive, including Windows, is accessible. At the time of this writing, the ransom demanded is ~0.9 bitcoin and there is no way to decrypt the drive for free.
An individual going by the Twitter handle leostone was able to create an algorithm that generates the password needed to decrypt a computer encrypted by the original (2016) Petya. In my test, this algorithm was able to generate my key in 7 seconds. That key-recovery attack depended on a flawed Salsa20 implementation in the 2016 Petya; the 2017 variant corrected it, so the tool does not help there.
You can also exploit the fact that ransomware typically accesses files and directories in alphabetical order (NTFS returns directory entries sorted by name, and most encryptors simply walk them in that order). This is not a 100% proof trick, but it can help to detect the ransomware before it reaches your most valuable files.
Create a honeypot directory whose name sorts first on the C: drive (for example A_centinel); chances are it will be visited by the ransomware first. Put a couple of Linux ISOs into it, compressed with a zip archiver. Then create a small Excel or MS Word document (those two file types are targeted by practically all ransomware) to serve as a canary, with a name that alphabetically precedes the two or three "huge" files, which are there to slow the work down.
Also put the same canary file and a huge file in your Documents folder as well as in the directory where you store backups. You can do the same with other directories holding valuable data, if you have them. You may change the names; such worms are unlikely to be in the de-duplication business ;-)
Then write a small script, for example in Perl, which monitors the content of the canary file using the Cygwin diff utility or something similar, and run it every 10 minutes or so via the scheduler. If the content of the canary file in any of the watched directories has changed, send an email, flash an alert, and shut down or halt the computer.
If you think you need a couple of minutes before the shutdown, you can slow the worm down by replacing the canary files in all the other directories with your huge file (do not create new files, as directories might be scanned only once).
Exhausting free memory (for example by launching multiple dummy processes that calculate prime numbers and keep them in memory) or free space on the drive can also help. If you use a small SSD as the C: drive of your laptop, you can generate a dummy file so that there is no free space left on the drive, which means that new files cannot be written to the disk. On desktops with their huge hard drives this is a more difficult undertaking and does not make much sense, but on a 120GB SSD it is a very quick operation. Note that this only hinders ransomware that writes a new encrypted copy and then deletes the original; one that encrypts files in place needs no free space.
Unmounting the volume holding the backups can also help; in this sense storing backups on USB3 drives is the preferable option. (I use Unix terminology, but yes, Windows allows you to take a USB volume offline; Microsoft's own DevCon is the command-line version of Device Manager. See also "windows - Remove USB device from command line" on Super User.)
One of the most viable methods for preventing this type of malware from running is to tighten your Group Policy. Details vary and depend on your level of understanding of Group Policy. Here is one reasonably simple but effective variant that requires only a superficial understanding of Group Policy; it was created for CryptoLocker prevention. You get the idea from the description of a tool developed for CryptoLocker:
CryptoPrevent is a tiny utility to lock down any Windows OS to prevent infection by the Cryptolocker
malware or ‘ransomware’, which encrypts personal files and then offers decryption for a paid ransom.
Recent Changes:
◦v2.2.1 – made changes to prevent duplicate rules from being created when protection is applied
multiple times without undoing the protection first. No harm would come from the duplicate rules,
but my OCD was bothering me.
◦v2.2 – added additional restriction policies to better protect Windows XP against the latest
strains – prior versions were not protecting %username%\local settings\application data and their
first level subdirectories, but rather only %username%\application data and their first level subdirectories.
Along with this comes additional whitelist scanning functionality. Other syntax changes in the rules
for better compatibility with all OSes.
◦v2.1.2 – added gpupdate /force to force a refresh of group policy after removing prevention via
the Undo features. This may negate the need for a reboot after Undo, and resolve issues where a reboot
doesn’t quite do the trick… Also added a re-test for active protection to determine if a reboot prompt
should be displayed after Undo, on the chance that it is still required.
◦v2.1 – fixed Temp Extracted EXEs blocks on some systems that refused to work with %temp% in the
rules.
◦v2.0.1 – fixed whitelisting capabilities not working on some systems since v2.0
There already exists a Cryptolocker Prevention Kit as found here, but it only works with domains
and OSes that have access to group policy editor (Professional versions of Windows) leaving Home
versions without a method of protection. It also isn’t the most intuitive of installations for the
average Joe, either. The methodology CryptoPrevent uses to lock down a system is presented by Lawrence
Abrams of bleepingcomputer.com here, and without that guide CryptoPrevent would not exist. Unfortunately,
like the other Cryptolocker Prevention Kit mentioned, Lawrence Abrams guide involves usage of the
Group Policy Editor available in Professional versions of Windows, and is a time consuming manual
task. CryptoPrevent seeks to alleviate these issues in allowing protection on ALL Windows OSes, while
being easy enough for the average Joe to do, and optionally providing silent automation options for
system admins and those who need to immunize a lot of computers automatically.
CryptoPrevent is a single executable and is fully portable (of course unless you download the
installer based version) and will run from anywhere, even a network share.
Prevention Methodology
CryptoPrevent artificially implants group policy objects into the registry in order to block
certain executables in certain locations from running. Note that because the group policy objects
are artificially created, they will not display in the Group Policy Editor on a Professional version
of Windows — but rest assured they are still there!
Executables are blocked in these paths where * is a wildcard:
◦%appdata% and any first-level subdirectories in %appdata% (e.g. %appdata%\directory1, %appdata%\directory2,
etc.)
◦%localappdata% (on Vista+) and any first-level subdirectories in there.
◦%temp%\rar* directories
◦%temp%\7z* directories
◦%temp%\wz* directories
◦%temp%\*.zip directories
The first two locations are used by the malware as launch points. The final four locations are
temporary extract locations for executables when run from directly inside of a compressed archive
(e.g. you open download.zip in Windows Explorer, WinRAR, WinZip, or 7zip, and execute an .EXE from
directly inside the download, it is actually extracted to a temporary location and run from there
– so this guards against that as well.)
NOTE: Protection does not need to be applied while logged into each user account, it may be applied
only once from ANY user account and it will scan for and protect all user accounts on the system.
This is accomplished despite an apparent bug in Microsoft’s software prevention policies that does
not allow for the %temp% environment variable to be used in the rules (as it does allow %appdata%)…
so protection for %temp% folders is now applied by expanding the full path to the user’s temp folder
in each rule set, and replacing the username with an * in the rules so that a single rule can cover
all users. In prior versions, CryptoPrevent attempted to use the %temp% environment variable to protect
all user accounts, but it was later discovered that methodology wasn’t working on all systems. If
you applied protection with prior versions and want temp extracted exes blocked, you may want to
reapply protection with v2.2 to ensure it will work for you.
Open up Local Security Policy or the Group Policy Object editor and create a new GPO. I'll show you how to create two here: one for Windows XP machines (which use slightly different paths for the user space) and one for Windows Vista and later machines.
Name the new GPO "SRP for XP to prevent Cryptolocker" or something similar that you will remember easily.
Choose Computer Configuration and then navigate through Policies -> Windows Settings -> Security Settings -> Software Restriction Policies.
Right-click Software Restriction Policies and choose New Software Restriction Policy from the context menu.
Now create the actual rules that will catch the software on which you want to enforce a restriction. Right-click Additional Rules in the left-hand pane and choose New Path Rule.
Under Path, enter %AppData%\*.exe.
Under Security level, choose Disallowed.
Enter a friendly description, like "Prevent programs from running in AppData."
Choose New Path Rule again and make a new rule like the one just completed. Use the following table to fill out the remainder of this GPO.
Path                                           Security Level  Suggested Description
%AppData%\*.exe                                Disallowed      Prevent Cryptolocker executable from running in AppData*
%AppData%\*\*.exe                              Disallowed      Prevent virus payloads from executing in subfolders of AppData
%UserProfile%\Local Settings\Temp\Rar*\*.exe   Disallowed      Prevent un-WinRARed executables in email attachments from running in the user space
%UserProfile%\Local Settings\Temp\7z*\*.exe    Disallowed      Prevent un-7Ziped executables in email attachments from running in the user space
%UserProfile%\Local Settings\Temp\wz*\*.exe    Disallowed      Prevent un-WinZIPed executables in email attachments from running in the user space
%UserProfile%\Local Settings\Temp\*.zip\*.exe  Disallowed      Prevent unarchived executables in email attachments from running in the user space
*Note: this entry was covered in the steps above. It is included here for easy reference later.
WinRAR and 7-Zip are the names of compression programs commonly used in the Windows environment.
Close the policy.
To protect Windows Vista and newer machines, create another GPO and call this one "SRP for Windows
Vista and up to prevent Cryptolocker." Repeat the steps above to create the SRP and create path rules
based on the following table.
Path                             Security Level  Suggested Description
%AppData%\*.exe                  Disallowed      Prevent Cryptolocker executable from running in AppData*
%AppData%\*\*.exe                Disallowed      Prevent virus payloads from executing in subfolders of AppData
%LocalAppData%\Temp\Rar*\*.exe   Disallowed      Prevent un-WinRARed executables in email attachments from running in the user space
%LocalAppData%\Temp\7z*\*.exe    Disallowed      Prevent un-7Ziped executables in email attachments from running in the user space
%LocalAppData%\Temp\wz*\*.exe    Disallowed      Prevent un-WinZIPed executables in email attachments from running in the user space
%LocalAppData%\Temp\*.zip\*.exe  Disallowed      Prevent unarchived executables in email attachments from running in the user space
Close the policy.
Once these GPOs are synchronised down to your machines (this can take up to three reboots, so allow some time), users who attempt to open executables from email attachments will get an error saying their administrator has blocked the program. This stops the Cryptolocker attachment in its tracks.
Unfortunately, this "block everything in those spots" approach means that other programs your users install from the web, like GoToMeeting reminders and other small utilities that do have legitimate purposes, will also be blocked. There is a solution, however: you can create ad-hoc allow rules in the software restriction policy GPOs. When several path rules match the same file, SRP applies the most specific one, so an Unrestricted rule for an application's exact path overrides the broad Disallowed rule covering its parent folder, and Windows lets that app run while blocking everything else. Simply set the security level of the exception rule to Unrestricted instead of Disallowed as we did above.
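To see what these rules actually catch before rolling them out, here is an added Python dry-run of the Vista-and-up table (example code, not part of the original guide and not CryptoPrevent's code). It models the two SRP behaviours the procedure depends on: environment variables in a path rule are expanded per user, and a wildcard matches within a single path component, which is why %AppData%\*.exe does not cover subfolders and %AppData%\*\*.exe is needed. Precedence is simplified to "longest expanded match wins", which is how an Unrestricted exception for a specific application overrides the broad Disallowed rule. The sample paths and the ExampleApp exception are constructed for the example.

```python
import re

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

# Rules from the "Vista and up" table, plus one whitelist exception of the
# kind the text recommends. ExampleApp is a hypothetical program living in a
# first-level AppData subfolder; the path is an assumption for the example.
VISTA_RULES = [
    (r"%AppData%\*.exe", DISALLOWED),
    (r"%AppData%\*\*.exe", DISALLOWED),
    (r"%LocalAppData%\Temp\Rar*\*.exe", DISALLOWED),
    (r"%LocalAppData%\Temp\7z*\*.exe", DISALLOWED),
    (r"%LocalAppData%\Temp\wz*\*.exe", DISALLOWED),
    (r"%LocalAppData%\Temp\*.zip\*.exe", DISALLOWED),
    (r"%AppData%\ExampleApp\updater.exe", UNRESTRICTED),
]


def user_env(username: str) -> dict:
    """Values of the variables used in the rules for one user (Vista+ layout)."""
    profile = rf"C:\Users\{username}"
    return {"userprofile": profile,
            "appdata": profile + r"\AppData\Roaming",
            "localappdata": profile + r"\AppData\Local"}


def expand(rule_path: str, env: dict) -> str:
    """Expand %Var% references; variable names are case-insensitive on Windows."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), rule_path)


def rule_regex(expanded: str):
    """SRP wildcard semantics: '*' and '?' never cross a backslash."""
    pieces = re.split(r"([*?])", expanded)
    body = "".join({"*": r"[^\\]*", "?": r"[^\\]"}.get(p, re.escape(p)) for p in pieces)
    return re.compile(rf"^{body}$", re.IGNORECASE)


def evaluate(path: str, rules, username: str, default_level=UNRESTRICTED):
    """Return (level, winning rule). Longest expanded match wins, a
    simplification of SRP's 'most specific path rule takes precedence'."""
    env = user_env(username)
    matches = []
    for rule_path, level in rules:
        expanded = expand(rule_path, env)
        if rule_regex(expanded).match(path):
            matches.append((len(expanded), rule_path, level))
    if not matches:
        return default_level, None
    _, rule_path, level = max(matches)
    return level, rule_path


SAMPLE_PATHS = [  # constructed for the example
    r"C:\Users\bob\AppData\Roaming\payload.exe",
    r"C:\Users\bob\AppData\Roaming\Microsoft\svchost.exe",
    r"C:\Users\bob\AppData\Local\Temp\Rar$EXa0.123\invoice.pdf.exe",
    r"C:\Users\bob\AppData\Local\Temp\download.zip\setup.exe",
    r"C:\Users\bob\AppData\Roaming\ExampleApp\updater.exe",
    r"C:\Program Files\Vendor\app.exe",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        level, rule = evaluate(p, VISTA_RULES, "bob")
        print(f"{level:12} {p}   <- {rule}")
```

The same evaluator shows why CryptoPrevent's trick works: a rule written as C:\Users\*\AppData\Local\Temp\Rar*\*.exe matches every profile, because the wildcard consumes exactly one path component. Keep in mind that path rules only restrict where code may run from; a user who copies the attachment to a folder no rule covers can still run it, which is why AppLocker publisher rules or a default-deny policy are the stronger option.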
AppLocker
AppLocker is SRP on steroids. However, it only works on Windows 7 Ultimate or Enterprise, or Windows 8 Pro or Enterprise, so if you're still on Windows XP for the time being or have a significant contingent of Windows Vista machines, AppLocker will not do anything for you.
But if you are a larger company with volume licences deploying the enterprise editions of the OS, AppLocker is really helpful in preventing Cryptolocker infections, because you can simply block programs from running except those from specific software publishers with signed certificates.
Here's what to do:
Create a new GPO.
Right-click on it to edit, and then navigate through Computer Configuration, Windows Settings,
Security Settings, Application Control Policies and AppLocker.
Click Configure Rule Enforcement.
Under Executable Rules, check the Configured box and then make sure Enforce Rules is selected
from the drop-down box. Click OK.
In the left pane, click Executable Rules.
Right-click in the right pane and select Create New Rule.
On the Before You Begin screen, click Next.
On the Permissions screen, click Next.
On the Conditions screen, select the Publisher condition and click Next.
Click the Browse button and browse to any executable file on your system. It doesn't matter
which.
Drag the slider up to Any Publisher and then click Next.
Click Next on the Exceptions screen.
Name the policy something like "Only run executables that are signed" and click Create.
If this is your first time creating an AppLocker policy, Windows will prompt you to create default rules; go ahead and click Yes here.
Note that an Any Publisher rule allows every executable carrying a valid Authenticode signature, so malware signed with a stolen or purchased certificate is not blocked by it; restrict the rule to the publishers you actually use where you can.
NOTE: Also take this opportunity to review the permissions set on your file server share access control lists, or ACLs. Cryptolocker has no special capability to override deny permissions, so if the user who gets infected is logged into an account with very limited permissions, the damage will be minimal. Conversely, if you grant the Everyone group Write access in the NTFS permissions on most of your file shares and use mapped drives, one Cryptolocker infection could put you in a world of hurt. Review your permissions now. Tighten where you can. Work with your line-of-business application vendors to further tighten loose permissions that are "required" for "supportability"; often these specifications are needlessly broad.
Using either an SRP or an AppLocker policy, you can prevent Cryptolocker from ever executing and save yourself a lot of problems.
Block port 445 (SMB) on your firewall. This is a WannaCry-specific defence, although NotPetya also used the same SMB exploit for lateral movement inside networks, and it is unclear why this port would be open to the world in the first place.
Use two sets of backup drives: one week use one set, the next week the other.
Put backup drives offline when they are not in use.
Use Linux and rsync for backup. Allow only one-way ssh login (from the Linux computer to the Cygwin ssh daemon on Windows).
Other generic measures which were not effective in the case of this worm but still make a lot of sense:
Use a separate old computer connected via remote desktop for browsing, or in the case of a laptop a virtual machine with a Linux instance and the Firefox browser. Use Thunderbird in the Linux VM for opening email attachments, since Windows remains the most targeted OS for malware.
Use a DNS service which can block resolution of domains less than a month old as well as "generated" names. In that case the Trojan can't communicate with the C&C server and obtain the private key. See for example OpenDNS. (NotPetya had no C&C channel at all, which is why this did not help against it.)
Learn about the Shadow Copy functionality and turn it on. Bear in mind that many ransomware families delete existing shadow copies as one of their first actions (typically with vssadmin delete shadows /all), so this helps only against strains that do not, and it is no substitute for offline backups.
Shadow copies are created automatically once per day, or manually when triggered by the backup utility or installer applications which create a restore point.[14][15] The "Previous Versions" feature is available in the Business, Enterprise, and Ultimate editions of Windows Vista[16] and in all Windows 7 editions. The Home editions of Vista lack the "Previous Versions" feature, even though the Volume Snapshot Service is included and running. Using third-party tools it is still possible to restore previous versions of files on the local volume.[17] Some of these tools also allow users to schedule snapshots at user-defined intervals, configure the storage used by volume shadow copies and compare files or directories from different points in time using snapshots.[18] Windows 7 also adds native support through a GUI to configure the storage used by volume shadow copies.
I also edited the registry to classify .zip file attachments as "Level 2" files. When
Outlook users click on a .zip file attachment they now get the message:
"Attachment Security Warning. This file may contain a virus that can be harmful to
your computer. You must save this file to disk before it can be opened. It is important
to be very certain that this file is safe before you open it."
I've been asked what procedure I followed to classify .zip file attachments as "Level 2" files.
This is what worked for me using Windows 7 and Outlook 2010. The Microsoft Knowledge Base article
lists the correct procedure for other versions of Office.
Prevent users from opening .zip
files in Outlook 2010:
Disable hiding of file extensions. This is not enough to protect you from the Trojan, but this feature of Windows adds to the confusion. It was a pretty idiotic idea from the very beginning, and Microsoft inflicted a lot of suffering on Windows users with this attempt to make Windows more user friendly.
A good spam filter can block infection via attachments. Detecting a mismatch between a file's extension and its header would also help: an executable is typically disguised as a PDF (for example invoice.pdf.exe with a PDF icon, shown as invoice.pdf when extensions are hidden), and Windows decides what to run by extension alone instead of checking the header and complaining about the discrepancy.
Use a network proxy and address translation, which make direct access to the Command and Control server more difficult (although not impossible, if they use HTTPS). Some posters claim that if you disconnect the computer from the network when the virus starts encrypting, it immediately stops the encryption process and shows the ransom screen.
Use stricter group policies. If the Trojan can't reach its Command and Control server it just stops; that can be different with "copycat" Trojans. This is a very effective method with relatively minor side effects, which protects against a class of Trojans, not just a single one. See below for some ideas.
Immunisation of the computer based on the fact that the virus accesses files and directories in alphabetical order. You can monitor the number of open files on the computer and create a honeypot directory that the virus will visit first (alphabetically). Throw in a few files that would tie it up encrypting for a while, and create a script that monitors the first file's content with grep or something similar. If grep fails, send an alert message and start generating large dummy files with sequential letters (which the virus will try to encrypt next), effectively trapping the process in a loop until the alert is noticed and dealt with (you would also need to delete the old encrypted files so the drive doesn't fill up and let it escape).
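The honeypot recipe given earlier (the A_centinel directory with a canary document and huge decoy archives, checked every 10 minutes from the scheduler) and the grep-based variant just above describe the same mechanism. The following Python script is an added example implementing it; it is not the page's own Perl/Cygwin script. It builds the honeypot directory, records SHA-256 digests of the canaries, reports any canary that is missing or changed, and on a trip plants dummy files whose names sort immediately after the canary so that the encryptor is kept busy on junk. The directory and file names, the decoy sizes and the simulated encryption in demo() are assumptions for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Names chosen so the canary sorts first and the decoys right after it
# (NTFS hands back directory entries in name order). Assumed layout.
CANARY_NAME = "AAA_canary.docx"
DECOY_NAMES = ("AAB_decoy_1.zip", "AAC_decoy_2.zip")


def sha256_file(path: Path) -> str:
    """Stream the file so multi-GB decoys could be hashed too if needed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_honeypot(root: Path, decoy_bytes: int) -> Path:
    """Create the honeypot directory; returns the path of its canary."""
    root.mkdir(parents=True, exist_ok=True)
    # Constructed stand-in for a small Word document (use any real .docx)
    (root / CANARY_NAME).write_bytes(b"PK\x03\x04 canary document, do not edit\n")
    for name in DECOY_NAMES:
        with open(root / name, "wb") as f:        # random bytes: big and incompressible
            remaining = decoy_bytes
            while remaining > 0:
                block = os.urandom(min(1 << 20, remaining))
                f.write(block)
                remaining -= len(block)
    return root / CANARY_NAME


def baseline(canaries) -> dict:
    """Digest of every canary at install time; keep a copy out of reach."""
    return {Path(c): sha256_file(Path(c)) for c in canaries}


def check(base: dict) -> list:
    """Canaries that are gone or whose content no longer matches the baseline."""
    return [p for p, digest in base.items()
            if not p.exists() or sha256_file(p) != digest]


def plant_traps(directory: Path, count: int, size: int) -> list:
    """Dummy files named to sort just after the canary, to keep the encryptor
    busy on junk while the alert is handled (delete them afterwards)."""
    created = []
    for n in range(count):
        p = directory / f"AAB_trap_{n:03d}.docx"
        p.write_bytes(os.urandom(size))
        created.append(p)
    return created


def default_response(tripped: list, shutdown: bool = False) -> None:
    """Alert, slow the process down, optionally halt the machine (Windows)."""
    for p in tripped:
        print(f"ALERT: canary {p} changed or removed; planting traps")
        plant_traps(p.parent, count=5, size=8 << 20)
    if shutdown and os.name == "nt":
        os.system("shutdown /s /t 0")   # hard stop; put the e-mail/flash alert before this


def demo(root=None) -> dict:
    """Self-contained run: build, verify clean, simulate the encryptor, detect."""
    root = Path(root) if root else Path(tempfile.mkdtemp(prefix="honeypot_"))
    canary = build_honeypot(root / "A_centinel", decoy_bytes=64 * 1024)
    base = baseline([canary])
    clean = check(base)
    canary.write_bytes(b"\x00" * 64)             # simulated in-place encryption
    tripped = check(base)
    traps = plant_traps(canary.parent, count=3, size=1024)
    order = sorted(p.name for p in canary.parent.iterdir())
    return {"clean": clean, "tripped": tripped, "traps": traps, "order": order}


if __name__ == "__main__":
    result = demo()
    print("clean run tripped:", result["clean"])
    print("after overwrite tripped:", [p.name for p in result["tripped"]])
    print("enumeration order:", result["order"])
```

In production, run check() from Task Scheduler rather than the demo, keep the baseline digests somewhere the malware is unlikely to rewrite (a read-only share or a printed list), and add the e-mail and shutdown actions in default_response(). The ordering assumption holds for NTFS directory enumeration; an encryptor that walks the volume in a different order, or starts in the user profile rather than at the drive root, will not reach the honeypot first.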
This Trojan explicitly targets backups in addition to files with MS Office extensions and the like (see above). Backups now need to be protected by keeping them offline and bringing them online only when the need arises. Network drives should be unmapped. Rotating physical disks is also a good idea.
The US and European press have both published stories accusing the Russian government,
and in particular, the Russian military, of the so-called "NotPetya" cyberattack which targeted
information technology infrastructure in Ukraine.
Britain and the United States blamed the Russian government on Thursday for a cyberattack that hit businesses across Europe last year, with London accusing Moscow of "weaponizing information" in a new kind of warfare. Foreign Minister Tariq Ahmad said "the U.K. government judges that the Russian government, specifically the Russian military, was responsible for the destructive NotPetya cyberattack of June 2017." The fast-spreading outbreak of data-scrambling software centered on Ukraine, which is embroiled in a conflict with Moscow-backed separatists in the country's east. It spread to companies that do business with Ukraine, including U.S. pharmaceutical company Merck, Danish shipping firm A.P. Moller-Maersk and FedEx subsidiary TNT.
The Russian military was directly behind a "malicious" cyber-attack on Ukraine that
spread globally last year, the US and Britain have said.
The BBC also added that:
On Thursday the UK government took the unusual step of publicly accusing the Russian military of being behind the attack. "The UK and its allies will not tolerate malicious cyber activity," the foreign office said in a statement. Later, the White House also pointed the finger at Russia.
Yet despite this "unusual step of publicly accusing the Russian military of being behind
the attack," neither the US nor the British media provided the public with any evidence, at
all, justifying the accusations. The
official statement released by the British government would claim:
The UK's National Cyber Security Centre assesses that the Russian military was almost
certainly responsible for the destructive NotPetya cyber-attack of June 2017. Given the high
confidence assessment and the broader context, the UK government has made the judgement that
the Russian government – the Kremlin – was responsible for this
cyber-attack.
Claiming that the Russian military was "almost certainly responsible," is not the
same as being certain the Russian military was responsible. And such phrases as "almost
certainly" have been used in the past by the United States and its allies to launch
baseless accusations ahead of what would otherwise be entirely unprovoked aggression against
targeted states, in this case, Russia. The White House would also
release a statement claiming:
In June 2017, the Russian military launched the most destructive and costly cyber-attack in history. The attack, dubbed "NotPetya," quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas. It was part of the Kremlin's ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia's involvement in the ongoing conflict. This was also a reckless and indiscriminate cyber-attack that will be met with international consequences.
Considering claims that this is the "most destructive and costly cyber-attack in history," it would seem imperative to establish evidence beyond doubt of who was responsible.
No Evidence From Governments Confirmed to Possess the Means to Fabricate Attribution
Yet, so far, this has not been done. Claims that Russia's military was behind the attacks seem to be built solely upon private analysts who have suggested the attacks appear to have originated in Russia.
A division of the Central Intelligence Agency stockpiled hacking techniques culled from
other hackers, giving the agency the ability to leave behind the "fingerprints" of the
outside hackers when it broke into electronic devices, the anti-secrecy group WikiLeaks
alleges as it released thousands of documents Tuesday.
The article continues by pointing out:
The documents also suggest that one of the agency's divisions – the Remote Development Branch's UMBRAGE Group – may have been cataloguing hacking methods from outside hackers, including in Russia, that would have allowed the agency to mask their identity by employing the method during espionage. "With UMBRAGE and related projects the CIA cannot only increase its total number of attack types, but also misdirect attribution by leaving behind the 'fingerprints' of the groups that the attack techniques were stolen from," Wikileaks said in a statement.
Not only does this ability allow the CIA to carry out espionage that if discovered would be
attributed to other parties, it also allows the CIA to conduct attacks the US government and
its allies can then blame on foreign states for the purpose of politically maligning them, and
even justifying otherwise indefensible acts of aggression, either militarily, or in the realm
of cyberspace.
Evidence provided by the UK and US governments would have to establish Russia's role in the
"NotPetya" cyberattack beyond mere attribution, since this is now confirmed to be possible to
forge. The UK and US governments have failed to provide any evidence at all, likely because all
it can offer is mere attribution which skeptics could easily point out might have been forged.
NATO Had Been Preparing "Offensive" Cyber Weapons
A group of NATO allies are considering a more muscular response to state-sponsored
computer hackers that could involve using cyber attacks to bring down enemy networks,
officials said.
Reuters would also report:
The doctrine could shift NATO's approach from being defensive to confronting hackers
that officials say Russia, China and North Korea use to try to undermine Western governments
and steal technology.
It has been repeatedly pointed
out how the US, UK and other NATO members have repeatedly used false pretexts to justify
military aggression carried out with conventional military power. Examples include fabricated
evidence of supposed "weapons of mass destruction (WMD)" preceding the 2003 US invasion of Iraq
and the so-called "humanitarian war" launched against Libya in 2011 built on fabricated
accounts from US and European rights advocates.
With UMBRAGE, the US and its allies now possess the ability to fabricate evidence in
cyberspace, enabling them to accuse targeted nations of cyber attacks they never carried out,
to justify the deployment of "offensive" cyber weapons NATO admits it has prepared ahead of
time. While the US and European media have warned the world of a "cyber-911″ it appears
instead we are faced with "cyber-WMD claims" rolled out to justify a likewise "cyber-Iraq War"
using cyber weapons the US and its NATO allies have been preparing and seeking to use for
years. Were Russia to really be behind the "NotPetya" cyberattack, the US and its allies have
only themselves to blame for decades spent undermining their own credibility with serial
instances of fabricating evidence to justify its serial military aggression. Establishing that
Russia was behind the "NotPetya" cyberattack, however, will require more evidence than mere
"attribution" the CIA can easily forge.
*
Ulson Gunnar is a New York-based geopolitical analyst and writer especially for the online magazine "New Eastern Outlook".
Poor Russia cant get a break, neither can Americans get a break from this USA 'get
Russia' monkey circus. The monkeys now reach back a year ago to get Russia on a cyber
attack.
White House blames Russia for 'reckless' NotPetya cyber attack
3 days ago -- WASHINGTON/LONDON (Reuters) -- The White House on Thursday blamed Russia for
the devastating 'NotPetya' cyber attack last year , joining the British government in
condemning Moscow for unleashing a virus that crippled parts of Ukraine's infrastructure and
damaged computers in countries across the
Best advice for Americans believe nothing, trust nothing that issues from a
government.
The experts:
John McAfee, founder of an anti-virus firm, said: "When the FBI or when any other agency
says the Russians did it or the Chinese did something or the Iranians did something -- that's
a fallacy," said McAfee.
"Any hacker capable of breaking into something is extraordinarily capable of hiding their
tracks. If I were the Chinese and I wanted to make it look like the Russians did it I would
use Russian language within the code. "I would use Russian techniques of breaking into
organisations so there is simply no way to assign a source for any attack -- this is a
fallacy."
I can promise you -- if it looks like the Russians did it, then I can guarantee you it was
not the Russians."
Wikileaks has released a number of CIA cyber tools it had obtained. These included
software specifically designed to create false attributions.
The article's central message is plausible: Russia running a cyberwar against Ukraine and at the same time trying to build up know-how. But at the same time the author knows that he can write anything about Russia and it will be believed. At the same time the story is part of a large anti-Russia and anti-Trump campaign.
I don't keep track so I don't have a lot of links ready but I know the news about a Russian cyberattack on a US power plant was bogus. Russian hacking of the DNC was bogus. Russian-Trump links are bogus. Russian hacking of the French elections was bogus. But these debunkings only come through very slowly. On the other side there is a barrage of claims that is so overwhelming nobody can begin to debunk them.
And I see good reasons why the Democrats and the military industrial complex prefer to have high tensions with Russia and why they want to blame Russia for the failed elections. And I see why the press goes along with it.
And I think that whatever Russia is doing (a lot less than claimed, but certainly a lot of business as usual nasty stuff) it's a good idea to improve the ties with them rather than deteriorate them. That is my opinion about policy. That it's in the West's interest. I also think they're open for chances for improvement, at least as long as Putin is there.
But look at this thread. It's almost unanimous against Russia. Any outsider looking here without any knowledge of the situation would know this is bad. It means no good thinking will come out of it (there are more reasons for that though). It also means propaganda is still very effective here and now.
So the article of the topic here may have a good degree of truth, but it's all part of an anti-Russian frenzy which I think is a very bad idea.
Here's a new link about a lot of the hacking stories. It covers quite some ground. I'd have
to dig for the rest. The ones I mentioned are some I'm pretty certain of although one can debate
how convincing the proof is.
https://consortiumnews.com/201... [consortiumnews.com]
I didn't discuss Trump. I'd like to get rid of him but I'm convinced the current campaign to link him to Russia is extremely dishonest. He's right about that. Maybe he'll go down because in his efforts to stop them he'll do something very illegal. Or maybe he'll stay in power because he made the right friends. The Saudis and the weapons manufacturers for instance. Then all that the anti-Russia campaign will have achieved is to give us the worst of both worlds. Thanks for cooperating everyone.
Whatever it was, that Petya thing hit a bunch of Russian companies as well. For example, it hit Russia's top oil providers Rosneft and Bashneft. Some of them suffered quite a bit. Invitro, a nationwide network of private medical laboratories, temporarily ceased sample collection due to the cyberattack.
The world's most reprehensible newspaper, The New York Times, is quick to blame the ransomware attack which crippled computers in Ukraine on Russia. Never mind the evidence; Ukrainians say Russia did it, and Ukrainians never lie. Moreover, they say it was Russia because just a couple of days ago a senior government official was blown up in a car bomb attack, and that was Russia, so they probably did this, too. QED.
Curiously enough, another Times story from just a little over a month ago reported a near-identical attack, which it said was executed using malicious software 'stolen' from the NSA's tickle trunk.
Uh huh. Sure it was. And Cisco Systems is right there in Kiev, 'helping' Ukraine pin down the
origin of the attack.
For what it's worth, one of our favouritest authors, Molly McKew – at the Washington Post, the world's second-most-reprehensible newspaper – quickly makes the connection between Shapoval's murder and Russia, which she says is the wide assumption of experts.
While there are still plenty of unknowns regarding Petya, security researchers have pinpointed
what they believe to be the first target of the attack: M.E.Doc, a Ukrainian company that develops
tax accounting software.
The initial attack took aim at the software supply chain of the tax software MEDoc, which then spread through a system updater process that carried malicious code to thousands of machines, including those who do business in Ukraine.
U.S. delivery firm FedEx Corp said its TNT Express division had been significantly affected by
the virus, which also wormed its way into South America, affecting ports in Argentina operated by
China's Cofco.
The malicious code locked machines and demanded victims post a ransom worth $300 in bitcoins or
lose their data entirely, similar to the extortion tactic used in the global WannaCry ransomware
attack in May.
More than 30 victims paid up but security experts are questioning whether extortion was the goal,
given the relatively small sum demanded, or whether the hackers were driven by destructive motives
rather than financial gain.
Hackers asked victims to notify them by email when ransoms had been paid but German email provider
Posteo quickly shut down the address, a German government cyber security official said.
While the malware seemed to be a variant of past campaigns, derived from code known as Eternal Blue
believed to have been developed by the U.S. National Security Agency (NSA), experts said it was not
as virulent as May's WannaCry attack.
Security researchers said Tuesday's virus could leap from computer to computer once unleashed
within an organisation but, unlike WannaCry, it could not randomly trawl the internet for its next
victims, limiting its scope to infect.
Businesses that installed Microsoft's latest security patches from earlier this year and turned off Windows file-sharing features appeared to be largely unaffected. A number of the international firms hit have operations in Ukraine, and the virus is believed to have spread within global corporate networks after gaining traction within the country. ...
Shipping giant A.P. Moller-Maersk, which handles one in seven containers shipped worldwide, has
a logistics unit in Ukraine.
Other large firms affected, such as French construction materials company Saint Gobain and Mondelez
International Inc, which owns chocolate brand Cadbury, also have operations in the country.
Maersk was one of the first global firms to be taken down by the cyber attack and its operations
at major ports such as Mumbai in India, Rotterdam in the Netherlands and Los Angeles on the U.S.
west coast were disrupted.
Other companies to succumb included BNP Paribas Real Estate, a part of the French bank that provides property and investment management services.
"The international cyber attack hit our non-bank subsidiary, Real Estate. The necessary measures
have been taken to rapidly contain the attack," the bank said on Wednesday.
Production at the Cadbury factory on the Australian island state of Tasmania ground to a halt
late on Tuesday after computer systems went down.
Russia's Rosneft, one of the world's biggest crude producers by volume, said on Tuesday its systems
had suffered "serious consequences" but oil production had not been affected because it switched
to backup systems. (Additional reporting by Helen Reid in London, Teis Jensen in Copenhagen, Maya
Nikolaeva in Paris, Shadia Naralla in Vienna, Marcin Goettig in Warsaw, Byron Kaye in Sydney, John
O'Donnell in Frankfurt, Ari Rabinovitch in Tel Aviv and Noor Zainab Hussain in Bangalore; writing
by Eric Auchard and David Clarke; editing by David Clarke)
A massive cyber attack has disrupted businesses and services in Ukraine on Tuesday, bringing down
the government's website and sparking officials to warn that airline flights to and from the country's
capital city Kiev could face delays. Motherboard reports that the ransomware is quickly spreading
across the world.
From a report:
A number of Ukrainian banks and companies, including the state power distributor, were hit by a cyber attack on Tuesday that disrupted some operations (a non-paywalled source), the Ukrainian central bank said. The latest disruptions follow
a spate of hacking attempts on state websites in late-2016 and repeated attacks on Ukraine's power
grid that prompted security chiefs to call for improved cyber defences. The central bank said
an "unknown virus" was to blame for the latest attacks, but did not give further details or say
which banks and firms had been affected. "As a result of these cyber attacks these banks are having
difficulties with client services and carrying out banking operations," the central bank said
in a statement.
BBC reports that Ukraine's aircraft manufacturer Antonov, two postal services, Russian oil producer Rosneft and Danish shipping company Maersk are also facing "disruption, including its offices in the UK and Ireland." According to local media reports, the "unknown virus" cited above is a ransomware strain known as Petya.A.
"We are seeing several thousands of infection attempts at the moment, comparable in size
to Wannacry's first hours," Costin Raiu, a security researcher at Kaspersky Lab, told Motherboard
in an online chat. Judging by photos posted to Twitter and images provided by sources, many of
the alleged attacks involved a piece of ransomware that displays red text on a black background,
and demands $300 worth of bitcoin. "If you see this text, then your files are no longer accessible,
because they are encrypted," the text reads, according to one of the photos. "Perhaps you are
busy looking for a way to recover your files, but don't waste your time. Nobody can recover your
files without our decryption service."
(cbslocal.com) Posted by msmash on Tuesday June 27, 2017 @03:20PM from the aggressive-expansion dept.
The Heritage Valley Health System says it has been hit with a cyber attack. From a report: A spokeswoman confirmed the attack Tuesday morning. "Heritage Valley Health System has been affected by a cyber security incident. The incident is widespread and is affecting the entire health system including satellite and community locations. We have implemented downtime procedures and made operational adjustments to ensure safe patient care continues un-impeded." Heritage Valley is a $480 million network that provides care for residents of Allegheny, Beaver, Butler and Lawrence counties, in Pennsylvania; parts of eastern Ohio; and the panhandle of West Virginia.
Also read: Ukrainian Banks, Electricity Firm Hit by Fresh Cyber Attack; Reports Claim the Ransomware Is Quickly Spreading Across the World.
(vice.com) Posted by msmash on Tuesday June 27, 2017 @04:41PM from the interesting-turns dept.
Joseph Cox, reporting for Motherboard: On Tuesday, a new, worldwide ransomware outbreak took off, infecting targets in Ukraine, France, Spain, and elsewhere. The hackers hit everything from international law firms to media companies. The ransom note demands victims send bitcoin to a predefined address and contact the hacker via email to allegedly have their files decrypted. But the email company the hacker happened to use, Posteo, says it has decided to block the attacker's account, leaving victims with no obvious way to unlock their files. [...] The hacker tells victims to send $300 worth of bitcoin. But to determine who exactly has paid, the hacker also instructs people to email their bitcoin wallet ID, and their "personal installation key." This is a 60 character code made up of letters and digits generated by the malware, which is presumably unique to each infection of the ransomware. That process is not possible now, though. "Midway through today (CEST) we became aware that ransomware blackmailers are currently using a Posteo address as a means of contact," Posteo, the German email provider the hacker had an account with, wrote in a blog post. "Our anti-abuse team checked this immediately -- and blocked the account straight away."
An anonymous reader quotes a report from Bleeping Computer:
Today's massive ransomware outbreak was caused by a malicious software update for M.E.Doc, a popular accounting software used by Ukrainian companies. According to several researchers, such as Cisco Talos, ESET, MalwareHunter, Kaspersky Lab, and others, an unknown attacker was able to compromise the software update mechanism for M.E.Doc's servers, and deliver a malicious update to customers. When the update reached M.E.Doc's customers, the tainted software package delivered the Petya ransomware -- also referenced online as NotPetya, or Petna. The Ukrainian software vendor appears to have inadvertently confirmed that something was wrong when, this morning, it issued a security advisory. Hours later, as the ransomware outbreak spread all over Ukraine and other countries across the globe causing huge damages, M.E.Doc denied on Facebook that its servers ever served any malware. According to security researcher MalwareHunter, this is not the first time M.E.Doc has carried a malicious software update that delivered ransomware. Back in May, the company's software update mechanism also helped spread the XData ransomware.
Ransomware known as Petya seems to have re-emerged to affect computer systems across Europe,
causing issues primarily in Ukraine, Russia, England and India, a Swiss government information technology
agency has told Reuters.
"There have been indications of late that Petya is in circulation again, exploiting the SMB (Server
Message Block) vulnerability," the Swiss Reporting and Analysis Centre for Information Assurance
(MELANI) said in an e-mail.
It said it had no information that Swiss companies had been impacted, but said it was following the situation. The Petya virus was blamed for disrupting systems in 2016.
Russia's top oil producer Rosneft said a large-scale cyber attack hit its servers on Tuesday,
with computer systems at some banks and the main airport in neighbouring Ukraine also disrupted.
3:48PM 'A multi-pronged attack' "This appears to be a multi-pronged attack that started
with a phishing campaign targeting infrastructure in the Ukraine," said Allan Liska, a security analyst
at Recorded Future.
"There is some speculation that, like WannaCry, this attack is being spread using the EternalBlue
exploit which would explain why it is spreading so quickly (having reached targets in Spain and France
in addition to the Ukraine).
This story was being reported as an attack on Ukraine alone by this a- wipe earlier today
(and Russia were being put in the frame for it)
The attack was always a global one and indeed many Russian companies have been hit – but of
course the 1% want the world to believe it is all down to the Russian government.
Add to that bit of knowledge – the extra bits of knowledge that the 1% are all buying up properties
in New Zealand all of a sudden – and the US are suddenly pushing hard against the Syrian government,
notwithstanding the fact that Russia are allied to Syria and Iran in their fight against terrorism
(i.e. the US)
Can you all now see what is going on in the minds of those that would rule the world?
Actually, they blame North Korea for it, although that seems pretty unlikely to me and is more
likely just capitalizing on an event to do a little bashing.
Why is Fallon only prepared to respond militarily to the next attack? Why not this one? Come
on, Mikey, get your finger out! What're they paying you for?
Early analysis of the attack points towards a variant of the known Petya ransomware, a strain of malware that encrypts the filesystem tables and hijacks the Master Boot Record to ensure it starts before the operating system on infected Windows PCs. Early reports suggest the malware is spreading by network shares and email but this remains unconfirmed. The outbreak is centred on but not confined to the Ukraine. Victims in Spain, France and Russia have also been reported.
Victims include Ukrainian power distribution outfit Ukrenergo, which said the problem is confined to its computer network and is not affecting its power supply operations, Reuters reports. Other victims include Oschadbank, one of Ukraine's largest state-owned lenders.
Global shipping outfit Maersk Group is also under the cosh.
Hackers behind the attack are demanding $300 (payable in Bitcoin) to unlock each computer. It's easy to ascribe any computing problem in Ukraine to Russia because of the ongoing conflict between the two countries, but the culprits behind the latest attack are just as likely to be cybercriminals as state-sponsored saboteurs, judging by the evidence that's emerged thus far.
"While ransomware can be (and has been) used to cover other attacks, I think it's wise to consider the Ukraine attack cybercriminal for now," said Martijn Grooten, editor of Virus Bulletin and occasional security researcher. ®
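The Register excerpt above describes Petya hijacking the Master Boot Record so its own loader runs before Windows. As an added illustration of how a defender can detect that kind of tampering (example code written for this page, not from the original article or any quoted source), the following Python parses a raw 512-byte MBR and compares its boot code and partition table against a baseline fingerprint recorded from a known-good disk; both sample sectors are constructed inside the script, and the tampered one uses placeholder bytes rather than any real loader.

```python
import hashlib
import struct

MBR_SIZE = 512          # one legacy boot sector
BOOT_CODE_SIZE = 446    # bytes 0..445 hold the boot loader code
ENTRY_SIZE = 16         # four partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of every valid MBR


def parse_mbr(sector):
    """Split a 512-byte MBR into its boot code, partition table and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly %d bytes" % MBR_SIZE)
    partitions = []
    for i in range(4):
        off = BOOT_CODE_SIZE + i * ENTRY_SIZE
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_SIZE],
            "partitions": partitions,
            "signature": sector[510:512]}


def fingerprint(sector):
    """Baseline to record while the disk is known good: hashes of code and table."""
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
            "table_sha256": hashlib.sha256(sector[BOOT_CODE_SIZE:510]).hexdigest()}


def audit_mbr(sector, baseline):
    """Compare a freshly read MBR with the baseline; return a list of findings."""
    findings = []
    mbr = parse_mbr(sector)
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    current = fingerprint(sector)
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline (possible bootloader replacement)")
    if current["table_sha256"] != baseline["table_sha256"]:
        findings.append("partition table differs from baseline")
    if not any(p["bootable"] for p in mbr["partitions"]):
        findings.append("no partition flagged bootable")
    return findings


def build_mbr(boot_code, partitions):
    """Assemble a constructed MBR for testing (not read from a real disk)."""
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions)
    table = table.ljust(4 * ENTRY_SIZE, b"\x00")
    return boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE] + table + BOOT_SIGNATURE


# Constructed samples: a benign boot stub with one bootable NTFS-type (0x07) partition,
# then the same disk after its boot code was overwritten (placeholder bytes, not malware).
KNOWN_GOOD_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40,
                           [(0x80, 0x07, 2048, 204800)])
BASELINE = fingerprint(KNOWN_GOOD_MBR)
TAMPERED_MBR = build_mbr(b"PLACEHOLDER-REPLACED-LOADER" * 4,
                         [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print("known good:", audit_mbr(KNOWN_GOOD_MBR, BASELINE))   # []
    print("tampered  :", audit_mbr(TAMPERED_MBR, BASELINE))
```

On a live system the sector would come from the first 512 bytes of the physical disk device and the baseline from a fingerprint stored off-host; an unchanged partition table alongside changed boot code is exactly the pattern a loader replacement leaves.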
Updated at 1500 UTC to add: Allan Liska, intelligence architect at Recorded Future, said the attack has multiple components including an attack to steal login credentials as well as trash compromised computers.
"This appears to be a multi-pronged attack that started with a phishing campaign targeting infrastructure in the Ukraine," Liska said. "The payload of the phishing attack is twofold: an updated version of the Petya ransomware (older versions of Petya are well-known for their viciousness; rather than encrypt select files, Petya overwrote the master boot record on the victim machine, making it completely inoperable)."
There is some speculation that, like WannaCrypt, this attack is being spread using
the EternalBlue exploit, which would explain why it is spreading so quickly (having
reached targets in Spain and France in addition to the Ukraine). "Our threat
intelligence also indicated that we are now starting to see US victims of this
attack," according to Liska.
There are also reports that the payload includes a variant of Loki Bot in addition
to the ransomware. Loki Bot is a banking Trojan that extracts usernames and passwords
from compromised computers. This means this attack not only could make the victim's
machine inoperable, it could steal valuable information that an attacker can take
advantage of during the confusion, according to Recorded Future.
Updated at 1509 UTC to add: Reg sources from inside London firms have been notifying us that they've been infected. We were sent this screenshot (cropped to protect the innocent) just minutes ago:
The Last but not Least: Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt.
FAIR USE NOTICE: This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contains some broken links as it develops like a living tree...
You can use PayPal to buy a cup of coffee for authors of this site
Disclaimer: The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google's privacy policy. If you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.