Many firms hit by global cyber-attacks

Discussion in 'malware problems & news' started by clubhouse1, Jun 27, 2017.

  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
  2. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
  4. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    "The Russian cybersecurity firm Kaspersky Lab reported that it believed the malware was a "new ransomware that has not been seen before" despite its resemblance to Petya.

    As a result, the firm has dubbed it NotPetya. Kaspersky added that it had detected suspected attacks in Poland, Italy, Germany, France and the US in addition to the UK, Russia and Ukraine.

    Andrei Barysevich, a spokesman for security firm Recorded Future told the BBC such attacks would not stop because cyber-thieves found them too lucrative.

    "A South Korean hosting firm just paid $1m to get their data back and that's a huge incentive," he said. "It's the biggest incentive you could offer to a cyber-criminal."

    A bitcoin wallet associated with the outbreak has received several payments since the outbreak began. The wallet currently holds 1.5 bitcoins - equivalent to $3,500.

    An email address associated with the blackmail attempt has been blocked by German independent email provider Posteo.

    It means that the blackmailers have not been able to access the mailbox"

    Above quoted from BBC News:

    http://www.bbc.co.uk/news/technology-40416611
     
  5. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "Email Provider Shuts Down Petya Inbox Preventing Victims From Recovering Files

    Posteo, the email provider where the Petya author is hosting an inbox to handle victims from today's massive ransomware outbreak, has announced that it shut down the crook's email account:

    The German email provider's decision is catastrophic news for Petya victims, as they won't be able to email the Petya author in the case they want to pay the ransom to recover sensitive files needed for urgent matters..."

    https://www.bleepingcomputer.com/ne...box-preventing-victims-from-recovering-files/
     
    Last edited: Jun 27, 2017
  6. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "Petya Or NotPetya: Why The Latest Ransomware Is Deadlier Than WannaCry

    ...The malware widely believed to be responsible is called Petya... or NotPetya. It's similar to Petya, but different enough that researchers are saying it's an entirely new form of ransomware, researchers say...

    But NotPetya has some extra powers that security experts say make it deadlier than WannaCry. ...the ransomware finds passwords on the infected computer itself to move to other systems. It does that by extracting passwords from memory or from the local filesystem itself,...

    ...another proliferation technique is NotPetya's abuse of PsExec, a tool usually used for carrying out limited actions on other systems, but in this case for simply spreading the infection by executing malicious code on other computers it can access...

    A similar method is used by NotPetya with the Windows Management Instrumentation (WMI) tool,...

    Perhaps most crucially, thanks to all these added features, the new strain will infect the latest and even patched Windows PCs, including version 10, as one IT professional noted in a blog, whereas WannaCry worked largely on older systems. A Microsoft spokesperson said the company was aware of the reports and was investigating..."

    https://www.forbes.com/sites/thomas...-is-more-powerful-than-wannacry/#54feaa4c532e
     
  7. plat1098

    plat1098 Guest

    What was Posteo thinking?--on the surface, it looks like a gleeful, knee-jerk reaction without fully taking in the ramifications. The victims get burned yet again, remaining stuck with unusable machines for who knows how long. Wonder if any victims of WannaCry were hit by this one?

    If the ransomware overrides Windows boot, I'm intrigued the ransom "request" wasn't higher. Then again, maybe it's not strictly about the money, just like WannaCry. Incredible.

    Add: Maybe it is, just not derived from direct ransom payoffs.
     
  8. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
  9. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
    Any detailed report yet? Thus far it seems that #notpetya uses PsExec.exe, so simply adding it to disallowed apps should do.

    https://twitter.com/hashtag/notpetya?src=hash

    https://www.joesecurity.org/reports/report-71b6a493388e7d0b40c83ce903bc6b04.html

    Code:
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "wscript.exe" /f
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "2" /t REG_SZ /d "cscript.exe" /f
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "3" /t REG_SZ /d "mshta.exe" /f
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "4" /t REG_SZ /d "PsExec.exe" /f
     

    Last edited: Jun 27, 2017
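    The Forbes excerpt above describes NotPetya spreading through PsExec and WMI, and the reg add commands in this post try to block PsExec.exe with Explorer's DisallowRun policy. The script below is an added example (not posted in this thread and not taken from any of the linked reports) showing what the detection side of that looks like: it scans a few constructed Windows event records for the footprint those two techniques leave on a target host, namely a PSEXESVC service being installed (System log event 7045), processes spawned by PSEXESVC.exe or by WmiPrvSE.exe (Security log event 4688), and wmic "process call create" command lines. The key=value line format, the field names, and the file name payload.dll are assumptions made for the example; real events come out of EVTX/XML and would need a different parser in front of the same rules.

```python
"""Flag PsExec- and WMI-style lateral movement in Windows event records.

Added example: the log lines below are CONSTRUCTED for illustration, the
key=value layout and field names are assumptions, and payload.dll is a
placeholder, not an indicator taken from the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_LOG = r'''
host=WS01 channel=System event_id=7045 service_name=PSEXESVC image_path="%SystemRoot%\PSEXESVC.exe"
host=WS01 channel=Security event_id=4688 parent="C:\Windows\PSEXESVC.exe" new_process="C:\Windows\System32\rundll32.exe" command_line="rundll32.exe C:\Windows\payload.dll,#1"
host=WS02 channel=Security event_id=4688 parent="C:\Windows\System32\wbem\WmiPrvSE.exe" new_process="C:\Windows\System32\rundll32.exe" command_line="rundll32.exe C:\Windows\payload.dll,#1"
host=WS02 channel=Security event_id=4688 parent="C:\Windows\System32\cmd.exe" new_process="C:\Windows\System32\wbem\WMIC.exe" command_line="wmic /node:WS04 process call create rundll32.exe"
host=WS03 channel=Security event_id=4688 parent="C:\Windows\explorer.exe" new_process="C:\Windows\System32\notepad.exe" command_line="notepad.exe"
host=WS03 channel=System event_id=7045 service_name=Spooler image_path="%SystemRoot%\System32\spoolsv.exe"
'''

# key=value pairs; values with spaces are double-quoted (assumed format)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# script hosts and loaders commonly launched remotely; WmiPrvSE spawning one
# of these is the WMI proliferation pattern the article describes
LOLBINS = {"rundll32.exe", "powershell.exe", "cmd.exe", "wscript.exe",
           "cscript.exe", "mshta.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    evidence: str


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict (quoted or bare values)."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, ignoring drive/dir/env prefixes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(rec: Dict[str, str]) -> List[Alert]:
    """Apply the lateral-movement rules to a single parsed record."""
    alerts: List[Alert] = []
    host = rec.get("host", "?")
    event_id = rec.get("event_id")

    if event_id == "7045" and rec.get("service_name", "").upper() == "PSEXESVC":
        # PsExec installs its helper service on the TARGET host before running anything
        alerts.append(Alert(host, "psexec_service_installed", rec.get("image_path", "")))

    elif event_id == "4688":
        parent = basename(rec.get("parent", ""))
        child = basename(rec.get("new_process", ""))
        cmdline = rec.get("command_line", "")
        if parent == "psexesvc.exe":
            alerts.append(Alert(host, "psexec_child_process", cmdline))
        if parent == "wmiprvse.exe" and child in LOLBINS:
            alerts.append(Alert(host, "wmi_remote_execution", cmdline))
        if child == "wmic.exe" and "process call create" in cmdline.lower():
            # the SOURCE side of a WMI remote launch
            alerts.append(Alert(host, "wmic_remote_process_create", cmdline))
    return alerts


def scan(log_text: str) -> List[Alert]:
    """Run every non-empty line through the rules and collect the alerts."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            alerts.extend(evaluate(parse_line(line)))
    return alerts


def affected_hosts(alerts: List[Alert]) -> List[str]:
    """Sorted list of hosts with at least one alert; several hosts means it is spreading."""
    return sorted({a.host for a in alerts})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(f"{alert.host}: {alert.rule}  <- {alert.evidence}")
    print("hosts affected:", affected_hosts(found))
```

    Note that the 7045 and PSEXESVC-parent rules fire on the machine being infected, not on the one running PsExec. DisallowRun is an Explorer shell policy under HKCU, so it only stops PsExec.exe being launched interactively in that user's session on the source host; the service-side footprint on the target is what a log-based check like this one picks up.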
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    Would blocking psexec prevent malware "installation" or only spreading to other computers in network?
     
  11. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,062
    Location:
    U.S.A.
  12. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
    You are right, that just stops spreading. Still waiting to see how the dropper works, but I expect it is the same old: vbscript runs powershell and then elevates.
     
  13. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,062
    Location:
    U.S.A.
    https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine/
     
  14. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    "The end is near!" Head for the fallout bunkers if you're downwind and live in Europe:eek:
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  17. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    You should be their security consultant, a few days of reading other experts' analysis and you'll have it in the bag:argh:
     
  18. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    This is going to be an interesting thread to follow;)
     
  19. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
  20. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,882
    New variant locks you out of Windows by rendering it unbootable as well as by encrypting data files - just like original Petya ransomware family did.
     
  21. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I'm pretty sure it is not clear yet. This new unknown variant is supposed to infect even fully patched Windows 10 machines.
     
  22. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,150
    Location:
    Texas
  23. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,882
    So Posteo told victims ****** in the name of protecting them.

    It's not like it's going to pay them for lost data and to get their PCs back online.
     
  24. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    I think they were a bit hasty with that decision.
     
  25. guest

    guest Guest

    Regarding Posteo:
    https://posteo.de/en/blog/info-on-t...ount-in-question-already-blocked-since-midday
     