Powerful cyber-attack that started in Ukraine hit banks and IT systems around the world

HereWeGoAgain

Well-known member
Joined
Aug 2, 2012
Messages
14,578
BBC News

Global ransomware attack causes chaos
Companies across the globe are reporting that they have been struck by a major ransomware cyber-attack.
British advertising agency WPP is among those to say its IT systems have been disrupted as a consequence.
Ukrainian firms, including the state power company and Kiev's main airport were among the first to report issues.
The Chernobyl nuclear power plant has also had to monitor radiation levels manually after its Windows-based sensors were shut down.
Experts suggest the malware is taking advantage of the same weaknesses used by the Wannacry attack last month.
"It appears to be a variant of a piece of ransomware that emerged last year," said computer scientist Prof Alan Woodward.
Global ransomware attack causes chaos - BBC News


New York Times:

Petya for sale on 'dark-web' - hard to trace attackers:

Immediate reports that the computer virus was a variant of Petya suggest the attackers will be hard to trace. Petya was for sale on the so-called dark web, where its creators made the ransomware available as “ransomware as a service” — a play on the Silicon Valley term for delivering software over the internet, according to the security firm Avast Threat Labs.

That means anyone can launch the ransomware, with the click of a button, encrypt someone’s systems and demand a ransom to unlock it. If the victim pays, the authors of the Petya ransomware, who call themselves “Janus Cybercrime Solutions,” get a cut of the payment.

That distribution model means that pinning down the individuals responsible for Tuesday’s attack could be difficult, if near impossible.
https://www.nytimes.com/2017/06/27/technology/ransomware-hackers.html?smid=tw-nytimes&smtyp=cur


Sky News reporting:


- A "powerful" cyberattack that started in Ukraine hit banks and IT systems around the world
- Chernobyl has been affected
- The UK's National Cyber Security Centre is investigating
- Russian, US and German companies were also among those hit
- British advertising group WPP said its computer networks in several locations had been targeted

Link:
LIVE: Chernobyl affected in ransomware attack

Reuters:

One of the victims of Tuesday's cyber attack, a Ukrainian media company, said its computers were blocked and it had received a demand for $300 worth of the Bitcoin crypto-currency to restore access to its files.

"If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service," the message said, according to a screenshot posted by Ukraine's Channel 24.

The same message appeared on computers at Maersk offices in Rotterdam, according to screenshots posted on local media.
https://www.reuters.com/article/us-cyber-attack-idUSKBN19I1TD


Washington:



Jon Humbert (@jonhumbert), 10 minutes ago
- NEW: overseas #Petya cyberattack affecting systems here in Western Washington. Confirmed that terminal ops affected in Tacoma.

- Global law firm DLA Piper also slammed in #Petya ransomware attack. Local phones down at Seattle offices. h/t @ericgeller


https://twitter.com/jonhumbert


Dublin

Adrian Weckler, Tech Editor Irish & Sunday Indo

Adrian Weckler (@adrianweckler), 1 minute ago

Two people in WPP/Ogilvy offices in Dublin told me that parts of their IT system are now off as a response to the global cyber attack.
https://twitter.com/adrianweckler


Images

Ryan Clapham (@NewsReport365), 3 minutes ago, https://twitter.com/NewsReport365
#Breaking: Emergency landing after plane hit by the #Petya #Ransomeware #CyberAttack
Image: https://pbs.twimg.com/media/DDWAIE-XoAEt-Fm.jpg

Maxim Eristavi (@MaximEristavi), 3 hours ago
A supermarket in Ukraine.



https://twitter.com/MaximEristavi
 


Wascurito

Well-known member
Joined
Apr 18, 2017
Messages
7,298
I really have no sympathy for anyone who didn't take action to protect themselves after the Wannacry debacle last month.
 

robut

Well-known member
Joined
Apr 6, 2008
Messages
8,729
This one is called PETYA

It seems it might be a variant of the WANNACRY ransomware via how it is spread, using the NSA ETERNALBLUE exploit.

However this one is WAY NASTIER. Not only does it ENCRYPT files on the system, it also ENCRYPTS the MASTER BOOT RECORD. This stops the system from even booting into Windows.

Some reports also stating that it has Loki Bot components which steal banking logins and passwords etc.

According to early research by BitDefender, the variant has two layers of encryption: one that individually encrypts target files on the computer and another one that encrypts NTFS structures. This approach prevents the victim’s computers from being booted up in a live OS environment and retrieving stored information or samples. - INFO SECURITY
Read these two articles:

Huge ransomware outbreak spreads in Ukraine and beyond - The REGISTER

Ukraine Businesses Hit by Petya Ransomware - INFO SECURITY
 

HereWeGoAgain

Well-known member
Joined
Aug 2, 2012
Messages
14,578
Gardere Wynne Sewell (@garderelaw), 4 minutes ago

Honda plant halted operations because of #WannaCry #Ransomware! Read more from @PeterSVogel here: Honda plant halted operations because of WannaCry Ransomware! - Lexology
https://twitter.com/garderelaw


What to do:

CDW Corporation (@CDWCorp), 14 minutes ago

Similar to #wannacry, new #petya #ransomware attack spreads. 7 action steps to take NOW for protecting your org

Mitigating the Risks
Here are a few immediate steps you can take to minimize your organization’s risk:
1. Immediately Update All Windows Systems

This vulnerability has been fixed since March 14, 2017, and updated computers are not vulnerable to the worm-like attack functionality. This vulnerability affects both current and older operating systems including Windows XP, Windows 8 and Server 2003. In addition to applying currently available patches, be aware that Microsoft has taken the unusual step of creating updates for outdated operating systems as well as current systems.

2. Identify and Update Unmanaged Windows Systems

It is the experience of CDW’s penetration testers that most organizations do not regularly patch all their Windows systems. Of particular concern are systems that are “off the radar,” such as machines not joined to your domain or vendor-maintained systems, some of which you may not even know about. We recommend performing a full scan of your internal network using a tool such as Tenable’s Nessus, or arranging for a penetration test from an organization such as CDW that uses a mature assessment methodology. If you cannot patch your systems for some reason, you may be able to partially protect yourself by disabling SMBv1 on these systems, although this may not work for all future variants.

3. Disable or Thoroughly Clean Affected Machines

In addition to encrypting files, this malware may also leave behind a backdoor such as DOUBLEPULSAR or other malicious payloads. The safest approach is generally to wipe the computer thoroughly and restore data from before the incident.

4. Block Windows Ports on Your Firewall

Block both incoming and outgoing SMB ports on your internet border including TCP ports 139 and 445 as well as UDP ports 137 and 138 – these should be blocked to limit the spread of the malware’s worm component. If possible, also block these ports using internal network segmentation on connections to internal destinations such as other VLANs, remote WAN connections and IPsec tunnels. This will limit the scope of attack on your network.

5. Create and Monitor DNS Entries

Create a DNS entry on your local DNS server to activate the kill switch on the original version of the attack: point the FQDNs www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com and www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com at a known-working HTTP server, and monitor your DNS system for hits. Your systems must successfully resolve this DNS name in order for the kill switch to work. Also, take this step on any proxy servers or similar security devices on your network. Review the logs – if any of your internal machines are performing DNS lookups for this address they are quite likely vulnerable and will need to be investigated. This step will not protect you from current variants but may help you identify older ones.

6. Train Users on Phishing Awareness

Communicate with your users immediately to ensure that they are aware of the risk of this particular attack as well as being resistant to phishing attacks in general. Consider phishing exercises and training for a longer-term solution.

7. Keep Unmanaged Systems off Your Network

As this system takes advantage of an older attack, the primary risk is to systems that are not well maintained. In addition to untracked and vendor-managed systems, also be very careful about allowing guest devices to connect to your internal network, as these devices are likely not under your control and are less likely to be patched. It only takes one machine that is actively infected to be plugged into your network for this attack to spread to other machines that might otherwise not have been exposed.
https://twitter.com/CDWCorp
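The log review in steps 4 and 5 above is the part of that list that is easy to get wrong in a hurry, so here is an added example (not CDW's code, and not from the original post) of what that review looks like as a script. It assumes BIND-style DNS query-log lines and a simple space-separated firewall log format; both sample logs are constructed for the example, and the only page-supplied values are the two kill-switch FQDNs and the SMB/NetBIOS ports.

```python
"""Triage hosts from DNS and firewall logs for the two indicators CDW lists:
lookups of the kill-switch domains (step 5) and connection attempts on the
SMB/NetBIOS ports (step 4). Log formats below are assumptions for this example."""
import re
from collections import defaultdict

# The two kill-switch FQDNs named in step 5.
KILL_SWITCH_DOMAINS = {
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

# SMB/NetBIOS ports named in step 4.
SMB_TCP_PORTS = {139, 445}
SMB_UDP_PORTS = {137, 138}

# Constructed BIND-style query log (format assumed, not taken from the page).
DNS_LOG = """\
27-Jun-2017 09:12:01.101 client 10.0.5.23#51234: query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.2)
27-Jun-2017 09:12:03.554 client 10.0.5.40#50122: query: www.example.com IN A + (10.0.0.2)
27-Jun-2017 09:12:07.010 client 10.0.7.9#49876: query: www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.2)
27-Jun-2017 09:12:09.300 client 10.0.5.23#51240: query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.2)
"""

# Constructed firewall log: timestamp action src dst proto dport (format assumed).
FW_LOG = """\
2017-06-27T09:12:10Z DENY 10.0.5.23 10.0.9.15 TCP 445
2017-06-27T09:12:10Z DENY 10.0.5.23 10.0.9.16 TCP 445
2017-06-27T09:12:11Z ALLOW 10.0.5.40 10.0.0.5 TCP 443
2017-06-27T09:12:12Z DENY 10.0.8.3 203.0.113.8 TCP 139
2017-06-27T09:12:13Z DENY 10.0.8.3 10.0.9.20 UDP 137
2017-06-27T09:12:14Z ALLOW 10.0.8.3 10.0.0.2 UDP 53
"""

DNS_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<proto>TCP|UDP) (?P<dport>\d+)$"
)


def kill_switch_lookups(log_text):
    """Return {source IP: number of queries for a kill-switch domain}."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = DNS_RE.search(line)
        if m and m.group("qname").lower().rstrip(".") in KILL_SWITCH_DOMAINS:
            hits[m.group("src")] += 1
    return dict(hits)


def smb_connection_attempts(log_text):
    """Return {source IP: set of (dst, proto, port)} for SMB/NetBIOS port traffic.
    Both ALLOW and DENY lines count: the point is which hosts are reaching for SMB."""
    attempts = defaultdict(set)
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        port, proto = int(m.group("dport")), m.group("proto")
        if (proto == "TCP" and port in SMB_TCP_PORTS) or (proto == "UDP" and port in SMB_UDP_PORTS):
            attempts[m.group("src")].add((m.group("dst"), proto, port))
    return dict(attempts)


def triage(dns_log, fw_log):
    """Combine both signals per host. A host showing kill-switch lookups AND SMB
    fan-out is the one to pull off the network first (step 3); either alone still
    needs investigation, per step 5's note that lookups mean 'quite likely vulnerable'."""
    dns = kill_switch_lookups(dns_log)
    smb = smb_connection_attempts(fw_log)
    report = {}
    for host in sorted(set(dns) | set(smb)):
        lookups = dns.get(host, 0)
        targets = len(smb.get(host, ()))
        priority = "high" if (lookups and targets) else "medium"
        report[host] = {"killswitch_lookups": lookups, "smb_targets": targets, "priority": priority}
    return report


if __name__ == "__main__":
    for host, info in triage(DNS_LOG, FW_LOG).items():
        print(f"{host:12} {info['priority']:6} lookups={info['killswitch_lookups']} smb_targets={info['smb_targets']}")
```

Run against real logs, the DNS half only catches hosts that are still trying the original kill-switch domain, which, as CDW says, identifies older variants rather than protecting against current ones; the firewall half is the more durable signal, since the worm component needs SMB regardless of variant.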
 

robut

Well-known member
Joined
Apr 6, 2008
Messages
8,729
I really have no sympathy for anyone who didn't take action to protect themselves after the Wannacry debacle last month.
Problem is this is a new variant and much more vicious. The patch for last wannacry attack probably will not protect you from this attack.
 

robut

Well-known member
Joined
Apr 6, 2008
Messages
8,729
More info:

Global ransomware attack causes chaos - BBC News

Petya is a type of ransomware that appeared in early 2016 and returned to a trick first seen in the early 1990s, whereby criminals do not encrypt all the files on your computer but instead they attack a part of the operating system called the Master File Table (MFT).

The MFT is essential for the system to know where to find files on the computer, so it has the same effect as if each file had been locked separately.

The big difference is that it is very much faster to attack the MFT than to encrypt each file separately.
 

Civic_critic2

Well-known member
Joined
Nov 29, 2008
Messages
4,883
I have no faith that these attacks are not conducted by western governments. They have corrupted everything else related to computers. Their first piece of advice is 'update windows' - trust the corporates in a time of creeping fascism. Trust the government and their advice, FEAR connecting to others, keep your computer isolated, introduce DNS changes that perhaps allow us [the government] to fk with your computer. ABOVE ALL, in a time of increasingly restless political activity from the populations BE AFRAID and don't use the net to its fullest to organise, isolate your computer, trust the government...
 
Joined
Oct 8, 2011
Messages
39,552
This one is called PETYA

It seems it might be a variant of the WANNACRY ransomware via how it is spread, using the NSA ETERNALBLUE exploit.

However this one is WAY NASTIER. Not only does it ENCRYPT files on the system, it also ENCRYPTS the MASTER BOOT RECORD. This stops the system from even booting into Windows.

Some reports also stating that it has Loki Bot components which steal banking logins and passwords etc.



Read these two articles:

Huge ransomware outbreak spreads in Ukraine and beyond - The REGISTER

Ukraine Businesses Hit by Petya Ransomware - INFO SECURITY
I think that a level of NTFS thrashing would be easy which would allow the OS to retain boot capabilities. File systems are astonishingly easy to corrupt in a designed manner. FAT could be corrupted to hide files by inserting four zeroes as the header in a try and all subsequent entries were now invisible to the OS.
 

Telstar 62

Well-known member
Joined
May 28, 2013
Messages
26,604
'Chernobyl had to monitor radiation levels manually after Windows-based sensors shut down'. :shock:
 

Mick Mac

Well-known member
Joined
Jan 6, 2017
Messages
7,851
I have no faith that these attacks are not conducted by western governments. They have corrupted everything else related to computers. Their first piece of advice is 'update windows' - trust the corporates in a time of creeping fascism. Trust the government and their advice, FEAR connecting to others, keep your computer isolated, introduce DNS changes that perhaps allow us [the government] to fk with your computer. ABOVE ALL, in a time of increasingly restless political activity from the populations BE AFRAID and don't use the net to its fullest to organise, isolate your computer, trust the government...
Tactical A,

Track this one down and resolve the breach.
 

HenryHorace

Well-known member
Joined
Mar 22, 2017
Messages
2,984
I don't think it's unfair to say it's hugely worrying that they could get into a nuclear power station's systems. I mean WTF??
 

Mad as Fish

Well-known member
Joined
Dec 6, 2012
Messages
24,185
I have no faith that these attacks are not conducted by western governments. They have corrupted everything else related to computers. Their first piece of advice is 'update windows' - trust the corporates in a time of creeping fascism. Trust the government and their advice, FEAR connecting to others, keep your computer isolated, introduce DNS changes that perhaps allow us [the government] to fk with your computer. ABOVE ALL, in a time of increasingly restless political activity from the populations BE AFRAID and don't use the net to its fullest to organise, isolate your computer, trust the government...
Add to that -

- The cashless society
- ID cards
- Autonomous cars

All rely on the internet and all will be ultimately controlled by the government and yet some still think they are a good idea. Now why would they do that?
 

EUrJokingMeRight

Well-known member
Joined
Sep 28, 2009
Messages
11,664
Give it a week and the root cause will be determined by the NSA, CIA and RTE as.......

PutinisWorsethanObamaeverwas.exe file fromMoscow or something...

tune into fox news? RTE for your facts, there's a good lad/lady. :D
 

gleeful

Well-known member
Joined
Feb 7, 2016
Messages
7,520
This is based on a secret NSA-developed cyberweapon that the NSA failed to keep secret. I hope they get sued.
 
