Tuesday, June 27th 2017

Several Critical Ukrainian Targets Hit by "Petya" Ransomware, Fear of Outbreak

After last month's WannaCry outbreak (whose effects persisted as recently as last week), we now have a new variant of ransomware infecting PCs across Europe. The outbreak seems centered in Ukraine, where several government facilities and critical pieces of infrastructure have been shut down due to the attacks. The Ukrainian government seemed almost defiantly optimistic, posting this decidedly awesome response to Twitter during the attack.
As if to signify not all is well, the attack has been widespread enough to even affect the radiation monitoring systems at Chernobyl, which have reportedly been switched to "manual mode" following an infection.

There are concerns that the ransomware could spread further, and by the time this article was written, reports had already come in of infections beyond Ukraine's borders, including in Denmark (where shipping conglomerate Maersk was hit), and even isolated reports as far away as Russia and the USA.

The Director of Global Research for Kaspersky Labs, Costin Raiu, reports that the ransomware has made the most impact in Ukraine, with the Russian Federation coming in second. Poland takes third place, followed by Italy and then Germany. The infection is clearly still spreading, so this ranking may not hold for long. One hopes it will not morph into a global outbreak.

UPDATE 5:45PM PST: As of this time, the outbreak has hit the USA full force and is currently being covered on US news services. See the ABC News source for details.

The bitcoin wallet associated with this attack had already garnered more than 3.5 BTC at the time of this writing, meaning at least some of the ransoms are being paid. The infection vector appears to be a compromised auto-update of accounting software common to most of the infected companies. Sources: Ukraine Twitter Account, wired.co.uk, ABC News, Blockchain.info, Microsoft Technet

26 Comments on Several Critical Ukrainian Targets Hit by "Petya" Ransomware, Fear of Outbreak

#1
R-T-B
Yes, this is my third Ransomware article I think this week. That's horrible. Stop it evil malware writer-people, I like cryptocurrency and this is not helping me feel right about it!

And I know you are all curious about infection vector. I don't have info on that yet, but my advice is to be up to date and I'll update you when I know more.
#2
Basard
R-T-B
Yes, this is my third Ransomware article I think this week. That's horrible. Stop it evil malware writer-people, I like cryptocurrency and this is not helping me feel right about it!

And I know you are all curious about infection vector. I don't have info on that yet, but my advice is to be up to date and I'll update you when I know more.
Seems to me like the only reason those crypto currencies exist.
#3
R-T-B
Basard
Seems to me like the only reason those crypto currencies exist.
Considering the volume of business via ransomware vs. normal business is verifiably much, much smaller (probably under 0.1% if a ratio were generated), you'd be much better off not thinking like that. There's a lot of sensationalism around ransomware right now and honestly, it skews the real picture.

Bitcoin and such has become mainstream. The criminals that use this are no different than the criminals who use cash or any currency: A minority disease on a legitimate payment means.

That said, we definitely need to work on ways to make it harder for them to use, which is why I actually view Bitcoin as dying and am waiting for a more traceable tech to come out. Best I've seen yet is Ethereum, but it still doesn't really settle the lack of identity.

Plus, you can always trade to another coin to eliminate the paper trail, such as zcash, which is probably the most anonymous.

Like it or not the genie is out of the bottle and criminals will use crypto I'm afraid. But that's not even close to their primary use case, or the majority of use.
#4
Shihabyooo
I know that enterprise IT treads carefully when it comes to introducing change to their systems, but honestly, does no one read the news?

A traceable cryptocurrency kinda defeats the purpose of it, imo; adding such a feature is little different from hiding backdoors in encryption software and systems.
#5
R-T-B
Shihabyooo
I know that enterprise IT treads carefully when it comes to introducing change to their systems, but honestly, does no one read the news?

A traceable cryptocurrency kinda defeats the purpose of it, imo; adding such a feature is little different from hiding backdoors in encryption software and systems.
Depends on what you view the goal of cryptocurrency to be. We aren't talking an encryption backdoor, we're talking signing the transactions with your IP address or similar while still using flawless, vetted encryption. Not perfect (you know, TOR, proxies, VPNs and all that), but far better than what we have now.

That's what I was thinking, anyways. I am far from a developmental expert on the matter.

I do not want globally reversible transactions though. That does kind of go against what crypto is in my mind, as you must hand control over to a central authority then. Ethereum has the right idea there, with its "crowd fund" recipe of "party reversible transactions" where the configurable majority can successfully demand their funds be returned if they agree the contract was not fulfilled. There is no "back door" in this, just good ol' tech solutions.
#6
efikkan
This sort of stuff is why you should always do security in layers; zero days and other known exploits will exist from time to time. If a company's internal systems are breached because a secretary opened an email, then the internal network has bigger problems than this specific exploit.

Well established security practices would stop or limit the impact of such exploits, at least in >99% of all cases. Keeping systems up to date, having strict access control, isolation of systems, proper logging of unusual activity, etc. would be very efficient measures stopping these "infections". In fact, the lack of basic understanding of security and common sense is the real infection.
#7
xkm1948
So I guess it is fortunate some of the nuclear ICBM systems are still using physical floppy drives to perform. Imagine one of those got hit by a virus or ransomware.

Instead of going all out for cloud computing, I feel like system providers or tech companies in general should start investing in a type of impregnable system that is extremely resistant to all kinds of attempted hacking.
#8
Basard
I guess I'm just happy that people accept my plastic cards and paper money in exchange for shiny rocks.... I guess I should be glad that people are giving you guys shiny rocks for your 1's and 0's.
#9
R-T-B
Basard
I guess I'm just happy that people accept my plastic cards and paper money in exchange for shiny rocks.... I guess I should be glad that people are giving you guys shiny rocks for your 1's and 0's.
True. As I've pointed out before, it's not much worse (or in some ways, maybe even better) than how the stock market works.
#10
efikkan
xkm1948
So I guess it is fortunate some of the nuclear ICBM systems are still using physical floppy drives to perform. Imagine one of those got hit by a virus or ransomware.
Still, obscurity is not security. I wonder if the claim about the launch code being "1111" for a decade or so was true…

I don't personally know the American systems, but the military systems I've worked on generally lacked any real security features. More than a decade has passed since then, but I remember networks of "high-tech" technology worth billions could have been disabled or breached by a single technician. Still, I fear obscurity is still the norm in both public and private sector today.
#11
R-T-B
efikkan
Still, obscurity is not security.
Physical security (something networkless floppy disks and armed guards grant) is real though.
#12
PowerPC
Maybe these people should just, you know, start making backups....?
#13
Chloe Price
Basard
Seems to me like the only reason those crypto currencies exist.
Isn't buying illegal things from the deep web the most known reason?
#14
xkm1948
9700 Pro
Isn't buying illegal things from the deep web the most known reason?
That is small scale. Most of the crypto currencies are used for massive funds transfer between powerful ruling classes among different countries.
#15
R-T-B
9700 Pro
Isn't buying illegal things from the deep web the most known reason?
Hardly. I'd say crypto going mainstream has made that a decidedly small minority for some time.

xkm1948
That is small scale. Most of the crypto currencies are used for massive funds transfer between powerful ruling classes among different countries.
That sounds like a conspiracy theory honestly. Source?
#16
Prince Valiant
R-T-B
Physical security (something networkless floppy disks and armed guards grant) is real though.
Seems to be working pretty well so far :P.
#17
R-T-B
Prince Valiant
Seems to be working pretty well so far :p.
It has been yes.
#18
R0H1T
R-T-B
Yes, this is my third Ransomware article I think this week. That's horrible. Stop it evil malware writer-people, I like cryptocurrency and this is not helping me feel right about it!

And I know you are all curious about infection vector. I don't have info on that yet, but my advice is to be up to date and I'll update you when I know more.
Don't give them ideas, next thing you know they'll be stealing your ETH or BTC, alternatively they'll mine ETH using your PC ~ wait I think they did that already :rolleyes:
#19
silentbogo
Well, so far so good.
All attacked banks have resolved the problem within hours. Same with both govt. and private parcel services.
I don't really give a crap about whether our Cabinet of Ministers recovers or not, but so far almost every attacked entity has recovered.

Only the Boryspil airport is having problems with the electronic flight schedule, but they've figured out a creative workaround:

They've put a webcam in front of the lobby schedule board =)

R-T-B
And I know you are all curious about infection vector. I don't have info on that yet, but my advice is to be up to date and I'll update you when I know more.
In here there is only one vector: greed and lack of updates. I've been in several government offices (financial and architectural bureaus), and every single f#@ng one of them was still running WinXP.
Private sector is better, but not without sins. Some payment terminals are still based on outdated versions of Windows CE, some banks are still relying on outdated hardware and software...
Some go as far as connecting workstations, or non-password-protected routers to the internet, or adding a PC on the internal network to the DMZ (because they wanted to share a folder with another branch office)... :banghead:

Also, @R-T-B, you may want to add the ransom wallet. So far the guy made a whopping ~3.5 BTC (all payments above 0.1 BTC are a $300 ransom for decryption).
https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
#20
burebista
R-T-B
And I know you are all curious about infection vector. I don't have info on that yet, but my advice is to be up to date and I'll update you when I know more.
A great analysis from MS.
#21
R-T-B
R0H1T
Don't give them ideas, next thing you know they'll be stealing your ETH or BTC, alternatively they'll mine ETH using your PC ~ wait I think they did that already :rolleyes:
No, I mine ETH using my PC so I'm pretty sure they aren't. ;)
#22
Frick
Fishfaced Nincompoop
It seems it's actually a wiper posing as ransomware.
"The ransomware was a lure for the media," researcher Matt Suiche of Comae Technologies, wrote in a blog post published Wednesday. "This version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon." He went on to write: "We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents, to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon."
#23
Prima.Vera
Have those guys never heard of Proxies, Firewalls, IDPSes, and most importantly good AntiVirus/Malware solutions installed on your stations???
Seriously, they deserve all of this crap 100% and more.
#25
Caring1
okidna
It's not a ransomware, it's a wiper...
Almost 12 hours late to the party.