Author Topic: ’Petya’ ransomware attack goes global

unix

’Petya’ ransomware attack goes global
« on: June 28, 2017, 03:27:26 AM »
https://www.rt.com/usa/394294-ransomware-attack-petya-merck/

How apropos. I have been dealing with a self-imposed encryption problem for weeks, a total nightmare, until finally resolved.



Brawndo. It's got what plants crave.

ilconsiglliere

Re: ’Petya’ ransomware attack goes global
« Reply #1 on: June 28, 2017, 11:33:41 AM »
Some people I know got hammered. Thousands of people around the globe have been locked out of their machines.

unix

Re: ’Petya’ ransomware attack goes global
« Reply #2 on: June 28, 2017, 12:43:19 PM »
How in the **** are they getting in?

On such a wide scale. I can understand an anomaly, but this is a disaster on Biblical scale almost.

Code Refugee

Re: ’Petya’ ransomware attack goes global
« Reply #3 on: June 28, 2017, 03:14:42 PM »
Details are scarce so far. There's a Ukrainian tax software program called MEDoc. Someone inserted malware into their updater. Then thousands of people in Ukraine got infected and became hosts when the software did its daily auto-update. Instantly there were massive infections across Ukraine. Initially it was thought this meant someone (Russia!) was attacking Ukraine. But it then spread out of Ukraine. The tax software was only an issue in quickly spreading the initial infection.

What OS does it affect? No articles say. But Microsoft says they've "issued a patch", so Windows. Which Windows? I've heard Windows 7 or 8 and not 10 but who knows.

To avoid infection, patch your Windows machine.

If your computer reboots itself and displays a text message that it is running CHKDSK to fix disk errors, you are infected and your files are being encrypted. Pull the plug on the computer, pull the drive, and clone it. Then get your files off remotely. Never boot off it again.

The Gorn

Re: ’Petya’ ransomware attack goes global
« Reply #4 on: June 28, 2017, 04:53:07 PM »
Somewhat related, saw on the evening (MSM) news that Kaspersky Antivirus (based in Russia) is suspected of monitoring users' computers for the use of the KGB and that a couple of officers of the company are ex-KGB agents.

It's kind of funny considering that the US has had wide open access of the world to its software products for decades. Russia has exactly one SW product that is not that widely used in the western world and people and legislators are freaking out. (Most people think Norton when they think of AV or if they're geek and cheap like me they think of Avast.)

I think a visionary like John McAfee should be the CEO of an antivirus vendor.  :laugh:
Gornix is protected by the GPL. *

* Gorn Public License. Duplication by inferior sentient species prohibited.

benali72

Re: ’Petya’ ransomware attack goes global
« Reply #5 on: June 28, 2017, 05:17:54 PM »
Has anybody found an article that explains specifically how Petya infects computers? I've only found unspecific or generic stuff. I'd be interested in knowing.
Thank you.

Code Refugee

Re: ’Petya’ ransomware attack goes global
« Reply #6 on: June 28, 2017, 05:44:10 PM »
This talks about how it propagates:

https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/

This guy says he's determined it's not really ransomware. He thinks it destroys your files, it doesn't really encrypt them and has no functions to restore them. He calls that a "wiper", basically "rm -rf /".

https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b

unix

Re: ’Petya’ ransomware attack goes global
« Reply #7 on: June 28, 2017, 06:22:20 PM »
Ha.

ilconsiglliere

Re: ’Petya’ ransomware attack goes global
« Reply #8 on: June 28, 2017, 06:29:50 PM »
It's hit a bunch of companies including American ones. The companies are being very quiet about it as they don't want Wall Street and others to know the extent of the damage. Make no mistake that this is not just in the Ukraine. In my friend's company THOUSANDS of Windows desktops and servers have been taken out. He said they were supposedly patched by the company and it got past the patch and security software.

He described what happened to me - he was sitting in front of his computer yesterday morning and he saw that a patch was being downloaded. A few minutes later the machine forced a reboot. When it booted up it was dead. It would not boot up at all. In his particular group 50% of the Windows desktops got hit. His company is not exactly sure how many were hit.

This is very nasty stuff.

The Gorn

Re: ’Petya’ ransomware attack goes global
« Reply #9 on: June 28, 2017, 07:38:24 PM »
You guys are scaring the crap out of me.

How's the ransomware being deployed, actually? By users clicking email links? Or is this something from visiting a website?

Maybe we should do like they did on rebooted Battlestar Galactica... no computer networks, because Cylons.

Code Refugee

Re: ’Petya’ ransomware attack goes global
« Reply #10 on: June 28, 2017, 08:19:47 PM »
The Microsoft article I posted the link to explains it.

Quote
Given this new ransomware’s added lateral movement capabilities it only takes a single infected machine to affect a network. The ransomware spreading functionality is composed of multiple methods responsible for:

  • stealing credentials or re-using existing active sessions
  • using file-shares to transfer the malicious file across machines on the same network
  • using existing legitimate functionalities to execute the payload or abusing SMB vulnerabilities for unpatched machines

To stay safe they recommend:

Quote
We recommend customers that have not yet installed security update MS17-010 to do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:

Disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547 and as recommended previously
Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445

benali72

Re: ’Petya’ ransomware attack goes global
« Reply #11 on: June 29, 2017, 07:50:56 AM »
Thanks a ton, Code Refugee. Very useful info!

unix

Re: ’Petya’ ransomware attack goes global
« Reply #12 on: June 29, 2017, 08:54:55 AM »
Cool. I hear the majority of attacks are against Windows XP, which hasn't been supported since 2014 but there is still a gazillion machines around the world - especially in impoverished countries like Ukraine.

ilconsiglliere

Re: ’Petya’ ransomware attack goes global
« Reply #13 on: June 29, 2017, 06:30:22 PM »
Here are the instructions I did at my family's computers a few weeks ago.

http://www.vinransomware.com/blog/how-to-disable-smb-on-windows-machines-to-prevent-wannacry-ransomware

From my reading it can come in via the SMB or an attached file. A Ukrainian accounting software company deployed a patch to their product and it was buried in the patch. Once it's inside your network it runs like fire scanning the subnets and using Windows management tools to override permissions and push more copies of itself.

Code Refugee's link:

https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/

I highly recommend everyone read it because it describes how it works. Very scary stuff.

It specifically mentions these Windows tools which pretty much every corporate environment has:

"It then tries to execute remotely the malware using either PSEXEC or WMIC tools."

I am not familiar with these tools so looked it up. They allow remote execution of software on other people's machines. And they bypass the security because the virus already has the administrative controls.
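
The two workarounds quoted from Microsoft in Reply #10 (disable SMBv1, block inbound port 445) and the PSEXEC remote-execution point raised just above can both be checked on a single Windows host from an elevated PowerShell prompt. The script below is an added example written for this thread; it is not code from the forum, from Microsoft's article, or from the vinransomware link. It assumes Windows 8 / Server 2012 or later for the `Get-SmbServerConfiguration` and `Get-NetFirewallRule` cmdlets, falls back to the `SMB1` registry value documented in KB2696547 on older systems, and assumes the default PsExec service name `PSEXESVC` when scanning System event 7045 (service installed) for traces of remote execution:

```powershell
# Added example, not code from the thread or from Microsoft's article.
# Audits one Windows host for the two Microsoft workarounds (SMBv1 disabled,
# inbound TCP 445 blocked) and looks for the service-install trace PsExec leaves.
# Run from an elevated PowerShell prompt. Assumes Windows 8 / Server 2012 or
# later for the Smb* and NetFirewall* cmdlets; on Windows 7 / Server 2008 R2 it
# falls back to the SMB1 registry value described in KB2696547.

function Get-Smb1State {
    # Returns $true when the SMBv1 server protocol is still enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # KB2696547 path: value SMB1 = 0 disables the protocol. A missing value means
    # the default, which is "enabled" on the older systems this branch covers.
    $params = Get-ItemProperty `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $params) -or ($params.SMB1 -ne 0)
}

function Get-Inbound445BlockRules {
    # Enabled inbound block rules whose port filter covers TCP 445 (or all ports).
    Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and (($pf.LocalPort -eq 'Any') -or ($pf.LocalPort -contains '445'))
        }
}

function Get-PsExecServiceInstalls {
    param([int]$Days = 7)
    # PsExec installs a temporary service (default name PSEXESVC, an assumption
    # here) on the target machine, which the Service Control Manager records as
    # System event 7045. Legitimate admin use produces the same event, so hits
    # are leads to correlate with other evidence, not proof of infection.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 7045
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'PSEXESVC' } |
        Select-Object TimeCreated, MachineName, Message
}

# --- report ---
if (Get-Smb1State) {
    Write-Warning 'SMBv1 server protocol is ENABLED. Disable it with:'
    Write-Warning '  Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    Write-Warning '  (or follow the registry steps in KB2696547 on older systems)'
} else {
    Write-Output 'SMBv1 server protocol is disabled.'
}

$rules = Get-Inbound445BlockRules
if ($rules) {
    Write-Output ('Inbound TCP 445 is blocked by rule(s): ' + ($rules.DisplayName -join ', '))
} else {
    Write-Warning 'No enabled inbound firewall rule blocks TCP 445 on this host.'
    Write-Warning '  Example: New-NetFirewallRule -DisplayName "Block inbound SMB 445" -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block'
}

$hits = Get-PsExecServiceInstalls -Days 7
if ($hits) {
    Write-Warning ('PSEXESVC service installs seen in the last 7 days: ' + @($hits).Count)
    $hits | Format-Table -AutoSize
} else {
    Write-Output 'No PSEXESVC service-install events in the last 7 days.'
}
```

Blocking 445 on a domain-joined machine also blocks file sharing and Group Policy processing from that host, which is why Microsoft phrases the firewall rule as a router or perimeter measure; on a stand-alone home PC the host rule is a reasonable stopgap until MS17-010 is installed. The event 7045 check is a detection, not a fix: the real control against PSEXEC and WMIC lateral movement is keeping administrative credentials off ordinary workstations, since, as the post says, the tools only work because the malware already holds admin rights.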

The Gorn

Re: ’Petya’ ransomware attack goes global
« Reply #14 on: June 29, 2017, 07:05:20 PM »
I found the stuff about the remote execution tools. So are home PCs and networks without a Windows server on-site not affected?

About 3 times total I messed around with the Group Policy crap in Windows 7 and gave up. Above my pay grade.