Many firms hit by global cyber-attacks

Discussion in 'malware problems & news' started by clubhouse1, Jun 27, 2017.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,883
    Location:
    Texas
    https://krebsonsecurity.com/2017/06/petya-ransomware-outbreak-goes-global/
     
  2. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    "Weaver noted that Petya’s ransom note includes the same Bitcoin address for every victim, whereas most ransomware strains create a custom Bitcoin payment address for each victim"

    Quote from ronjor's link above ^^^^^^^

    Perhaps this is a kinda beta test given the comments about the email logic!
     
  3. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    Just received this email from Kaspersky...

    Dear Paul,


    Kaspersky Lab’s analysts are investigating the new wave of ransomware attacks targeting organisations across the world. Our preliminary findings suggest that it is not a variant of Petya ransomware as publicly reported, but a new ransomware that has not been seen before. While it has several strings similar to Petya, it possesses entirely different functionality. We have named it “ExPetr”.

    The company’s telemetry data indicates around 2,000 attacked users so far. Organisations in Russia and the Ukraine are the most affected, and we have also registered hits in Poland, Italy, the UK, Germany, France, the US and several other countries.

    This appears to be a complex attack, which involves several vectors of compromise. We can confirm that modified EternalBlue and EternalRomance exploits are used by the criminals for propagation within the corporate network.

    • Kaspersky Lab detects the threat as UDS:DangerousObject.Multi.Generic, Trojan-Ransom.Win32.ExPetr.a, HEUR:Trojan-Ransom.Win32.ExPetr.gen.
    • Our behavior detection engine System Watcher detects the threat as PDM:Trojan.Win32.Generic, PDM:Exploit.Win32.Generic.
    In most cases to date, Kaspersky Lab proactively detected the initial infection vector through its behavioral engine, System Watcher. We are also working on behavioral anti-ransomware detection improvement to proactively detect any possible future versions.

    Kaspersky Lab experts will continue to examine the issue to determine whether it is possible to decrypt data locked in the attack – with the intention of developing a decryption tool as soon as they can.
     
  4. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    Batch file for that "kill switch":

    So all the crooks would have to do is change the name of the file that this vaccinates against o_O

    "Vaccine, not Killswitch, Found for Petya (NotPetya) Ransomware Outbreak

    Cybereason security researcher Amit Serper has found a way to prevent the Petya (NotPetya/SortaPetya/Petna) ransomware from infecting computers...

    To vaccinate your computer so that you are unable to get infected with the current strain of NotPetya/Petya/Petna (yeah, this naming is annoying), simply create a file called perfc in the C:\Windows folder and make it read only. For those who want a quick and easy way to perform this task, Lawrence Abrams has created a batch file that performs this step for you.

    This batch file can be found at: https://download.bleepingcomputer.com/bats/nopetyavac.bat


    https://www.bleepingcomputer.com/ne...found-for-petya-notpetya-ransomware-outbreak/

    Wondering if Cybereason's RansomFree was able to block the ransomware from trashing the MBR and Master File Record.
     
    Last edited: Jun 27, 2017
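As an added illustration (my own PowerShell, not the nopetyavac.bat linked in the post above): an audit function that reports whether the C:\Windows\perfc vaccine file named in the article exists and is read-only, and whether SMBv1 is still enabled on the host, plus an install function that creates the file the way the article describes. The path, the property names and the need for an elevated prompt are assumptions on my part; only the file name and the read-only requirement come from the quoted article.

```powershell
# Added example, not the nopetyavac.bat batch file from the article.
# Assumes the vaccine path is %SystemRoot%\perfc as quoted above.
function Test-NotPetyaVaccine {
    param([string]$Path = (Join-Path $env:SystemRoot 'perfc'))

    $state = [ordered]@{
        Path        = $Path
        Present     = $false
        ReadOnly    = $false
        Smb1Enabled = $null   # stays $null where the SMB cmdlet is unavailable
    }

    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $state.Present  = $true
        $state.ReadOnly = (Get-Item -LiteralPath $Path).IsReadOnly
    }

    # SMBv1 server setting; Get-SmbServerConfiguration exists on
    # Windows 8 / Server 2012 and later, so tolerate its absence.
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($smb) { $state.Smb1Enabled = [bool]$smb.EnableSMB1Protocol }

    [pscustomobject]$state
}

function Install-NotPetyaVaccine {
    param([string]$Path = (Join-Path $env:SystemRoot 'perfc'))

    # Creating a file under %SystemRoot% needs an elevated prompt.
    # Note (as hawki points out above): this only helps against a strain
    # that checks for this exact file name; it is not a general defence.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true

    Test-NotPetyaVaccine -Path $Path
}

# Audit first; install only when the file is missing or writable.
$before = Test-NotPetyaVaccine
if (-not $before.Present -or -not $before.ReadOnly) {
    Install-NotPetyaVaccine | Format-List
} else {
    $before | Format-List
}
if ($before.Smb1Enabled) {
    Write-Warning 'SMBv1 is still enabled on this host.'
}
```

The SMBv1 check is a host-level indicator only; an enabled SMBv1 server is what the EternalBlue propagation discussed in this thread relies on, so the warning is worth acting on regardless of the vaccine file.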
  5. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    So, apparently someone claimed it would work on fully patched Windows 10

    https://arstechnica.com/security/20...to-wcry-is-shutting-down-computers-worldwide/
    There are also unconfirmed reports that infections worked against a fully patched computer running Windows 10, by far Microsoft's most secure OS, which was never vulnerable to EternalBlue. What's more, according to the unconfirmed report, the computer was using up-to-date AV protection and had disabled the SMBv1 file-sharing protocol that EternalBlue exploits.
     
  6. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    So is this "over" now or what?

    Have not seen anything new in hours -- just aftermath post-mortem analysis and stuff.
     
    Last edited: Jun 27, 2017
  7. plat1098

    plat1098 Guest

    Bleeping Computer is aces for great reporting without sensationalism, as always. :thumb:
     
  8. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    :thumb:


    Thanks, used the batch file.
     
  9. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "...Tuesday’s attack contained some puzzling elements to security experts, raising concerns that it may not have been about payment at all.

    Like WannaCry, which the U.S. government has reportedly linked to North Korea, the new attack does not have the usual characteristics associated with hackers who want to maintain control of the infected computers and facilitate payment and easy decryption of locked files. That the hardest hit country is Ukraine, whose power grid and other critical systems have been the target of repeated high-level hacking attacks ...[by state associated actors], raised suspicions among some researchers that another motive could be at play...

    ... an aide to the Interior Ministry in Ukraine, wrote on Facebook that the goal appeared to be 'the destabilization of the economic situation and in the civic consciousness of Ukraine' even though it was 'disguised as an extortion attempt.'

    'There’s something weird about this one,' added SentinelOne’s Grossman."


    https://www.bloomberg.com/news/arti...-go-to-hack-as-bitcoin-rallies-nsa-tools-leak
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  11. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    It's hit Australia as well: Cadbury (chocolate manufacturer).
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
  13. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    Maybe they're state sponsored.
     
  14. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    I don't get it. What killed this and why o_O

    Spreads like wildfire for several hours and then nada.

    There was no kill switch that we know of -- just a big flash in the pan.

    Makes the motive all the more suspicious IMHO.

    It's like a scene from a James Bond movie where Spectre sets off one of three stolen nukes to demonstrate what it can do.

    Was this just a message o_O

    During the day I read a speculative article proposing the theory that this was a message by one Country's leader to the leader of another Country who last night had threatened one of the messaging Country's allies.

    Or was it merely a test, a prelude of something bigger to come?

    Or was it indeed an attack to destabilize the Ukraine with some collateral damage that provided a cover? The attack coincides by one day with Ukraine's National Holiday -- Constitution Day -- 6/28.
     
    Last edited: Jun 28, 2017
  15. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,879
    The vaccine patch should keep it from executing. KAR already detects and blocks the new ransomware strain so you don't need to do anything more. Eventually AV definitions will be updated to deal with it.
     
  16. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,883
    Location:
    Texas
    Probably best to give this incident time to flush out.
     
  17. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,879
    I suspect many more attacks were thwarted with the rapid release of the vaccine patch.
     
  18. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    Yeah, needs a few days for the dust to settle and security nerds to get the nitty gritty of it all.
     
  19. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,879
    Ransomware remains lucrative because of the money... that cybercriminals can receive anonymously.

    We can expect ransomware to continue to evolve as a service for that reason.
     
  20. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    Could be, but how many of the thousands of potential targets were made aware of that "vaccine" early enough to deploy it in time? This thing was spreading like wildfire this AM from Ukraine to USA, though it had the most impact in the Ukraine and in multi-national companies that had offices there.

    I agree with the analyst quoted in The Bloomberg article I linked above -- "there's something weird about this one."
     
    Last edited: Jun 27, 2017
  21. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "...Because GoldenEye appears to take a more targeted approach to infection, rather than barreling around the internet, it has so far resulted in fewer infections: it has affected 2,000 targets versus the hundreds of thousands that WannaCry hit...."

    https://www.wired.com/story/petya-ransomware-wannacry-mistakes
     
  22. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
  23. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "Cyberattack Hits Ukraine Then Spreads Internationally...

    A Microsoft spokesman said the company’s latest antivirus software should protect against the attack...

    The ransomware spread for five days across Ukraine, and around the world, before activating Tuesday evening.
    “If I had to guess, I would think this was done to send a political message,” said Craig Williams, the senior technical researcher at Talos...

    Cybersecurity researchers questioned whether collecting ransom was the true objective of the attack.
    “It’s entirely possible that this attack could have been a smoke screen,” said Justin Harvey, the chief security officer for the Fidelis cybersecurity company. “If you are an evil doer and you wanted to cause mayhem, why wouldn’t you try to first mask it as something else?”"

    https://www.nytimes.com/2017/06/27/...column-region&region=top-news&WT.nav=top-news
     
  24. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Normally the way things go is that first the specific malware is to blame (worst thing ever!), and then the nastiness of the Blackhats spreading the malware is brought up.

    But the true villains in this sort of attack are the IT guys in charge of the Networks. Although an attack like this (and God forbid if anyone brings up the specific exploit used to initiate the malware) should have been met with contempt, it obviously was not. This is due to the blind adherence to the traditional type of Security software that has been shown time and again to fall before any even half-assed zero-day malware. But as it is much easier to dismiss such real-life proof of failure and instead go with the flow and maintain the same old inadequate protection methodology (and justify the choice by pointing to the 'Professional' AV testing sites), this arrogant shortsightedness will just lead to injury and despair for those that rely on whatever Industry was affected.
     
  25. plat1098

    plat1098 Guest

    Personally, I think the general complacence and negligence were exploited just like the software. Computer-related behaviors and habits were probably studied for years for just this purpose. Perpetrators of such diabolical global attacks could only have the protection of an entire government or ruling party, right? Nuclear Chernobyl? We used to know our attackers and their agendas and now we don't. That's pure evil.

    Edited to add: another ironic factor is the Windows update process and all the issues that can come with it, particularly in an enterprise setting. No doubt that was a consideration also--these attacks don't seem to be spur-of-the-moment opportunism to me. I got a cumulative kb just now (not security)--that reminded me of this big issue.
     
    Last edited by a moderator: Jun 28, 2017