Welcome To Roj Bash Kurdistan 

Share information about Computer , Internet, Websites ,Programming and other new technologies

Petya is Not a Ransomware It’s a Destructive Wiper

PostAuthor: Anthea » Tue Jun 27, 2017 6:55 pm

Global ransomware attack causes turmoil

Companies across the globe are reporting that they have been struck by a major ransomware cyber-attack.

British advertising agency WPP is among those to say its IT systems have been disrupted as a consequence.

Ukrainian firms, including the state power company and Kiev's main airport, were among the first to report issues.

The Chernobyl nuclear power plant has also had to monitor radiation levels manually after its Windows-based sensors were shut down.

The international police organisation Interpol has said it is "closely monitoring" the situation and liaising with its member countries.

Experts suggest the malware is taking advantage of the same weaknesses used by the Wannacry attack last month.

"It initially appeared to be a variant of a piece of ransomware that emerged last year," said computer scientist Prof Alan Woodward.

"The ransomware was called Petya and the updated version Petrwrap.

"However, now that's not so clear."

The Russian cybersecurity firm Kaspersky Lab reported that it believed the malware was a "new ransomware that has not been seen before" despite its resemblance to Petya.

As a result, the firm has dubbed it NotPetya. Kaspersky added that it had detected suspected attacks in Poland, Italy, Germany, France and the US in addition to the UK, Russia and Ukraine.

Andrei Barysevich, a spokesman for security firm Recorded Future, told the BBC such attacks would not stop because cyber-thieves found them too lucrative.

"A South Korean hosting firm just paid $1m to get their data back and that's a huge incentive," he said. "It's the biggest incentive you could offer to a cyber-criminal."

A bitcoin wallet associated with the outbreak has received several payments since the outbreak began. The wallet currently holds 1.5 bitcoins - equivalent to $3,500.

An email address associated with the blackmail attempt has been blocked by German independent email provider Posteo.

It means that the blackmailers have not been able to access the mailbox.

Network down

Others reporting problems include the Ukrainian central bank, the aircraft manufacturer Antonov, and two postal services.

Russian oil producer Rosneft and Danish shipping company Maersk also say they face disruption, including its offices in the UK and Ireland.

"We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyber-attack," the Copenhagen-headquartered firm said via Twitter.

"We continue to assess the situation. The safety of our employees, our operations and customers' business is our top priority."

Spanish media reports that the offices of the food giant Mondelez - whose brands include Oreo and Toblerone - had suffered attacks.

Netherlands-based shipping company TNT said some of its systems needed "remediation".

And French construction materials company St Gobain has said that it had fallen victim.

In the US, the pharmaceuticals-maker Merck and local offices of the law firm DLA Piper have been affected.

"Please remove all laptops from docking stations and keep turned off - no exceptions," read a sign erected in the lobby of DLA Piper's Washington DC office.

A US hospital operator, Heritage Valley Health System, has also reported its computer network is down, causing operations to be delayed, but it is not yet clear if it was subject to the same type of attack.

The attacks come two months after another global ransomware assault, known as Wannacry, which caused major problems for the UK's National Health Service.

No defence

Veteran security expert Chris Wysopal from Veracode said the malware seemed to be spreading via some of the same Windows code loopholes exploited by Wannacry. Many firms did not patch those holes because Wannacry was tackled so quickly, he added.

Those being caught out were also industrial firms that often struggled to apply software patches quickly.

"These organisations typically have a challenge patching all of their machines because so many systems cannot have down time," he said. "Airports also have this challenge."

Copies of the virus have been submitted to online testing systems that check if security software, particularly anti-virus systems, were able to spot and stop it.

"Only two vendors were able to detect it so many systems are defenceless if they are unpatched and relying on anti-virus," he said.

Ukraine seems to have been particularly badly hit this time round.

Reports suggest that the Kiev metro system has stopped accepting payment cards while several chains of petrol stations have suspended operations.

Ukraine's deputy prime minister has tweeted a picture appearing to show government systems have been affected.

His caption reads: "Ta-daaa! Network is down at the Cabinet of Minister's secretariat."

http://www.bbc.co.uk/news/technology-40416611
Last edited by Anthea on Fri Jun 30, 2017 11:45 am, edited 2 times in total.
Good Thoughts Good Words Good Deeds
User avatar
Anthea
Shaswar
Shaswar
Donator
Donator
 
Posts: 28425
Images: 1155
Joined: Thu Oct 18, 2012 2:13 pm
Location: Sitting in front of computer
Highscores: 3
Arcade winning challenges: 6
Has thanked: 6019 times
Been thanked: 729 times
Nationality: Kurd by heart

Re: Global ransomware attack causes turmoil

PostAuthor: Anthea » Wed Jun 28, 2017 9:10 am

Vaccine, not Killswitch, Found for Petya (NotPetya) Ransomware Outbreak

Cybereason security researcher Amit Serper has found a way to prevent the Petya (NotPetya/SortaPetya/Petna) ransomware from infecting computers.

The ransomware has been wreaking havoc across the globe today, locking hard drive MFT and MBR sections and preventing computers from booting. Unless victims opted to pay a ransom (which is now pointless and not recommended), there was no way to recover their systems.

Initially, researchers believed this new ransomware was a new version of an older threat called Petya, but they later discovered that this was a new strain altogether, which borrowed some code from Petya, which is why they recently started calling it NotPetya, Petna, or as we like to call it SortaPetya =))

Researchers flocked to find killswitch mechanism

Because of the ransomware's global outreach, many researchers flocked to analyze it, hoping to find a loophole in its encryption or a killswitch domain that would stop it from spreading, similar to WannaCry.

While analyzing the ransomware's inner workings, Serper was the first to discover that NotPetya would search for a local file and would exit its encryption routine if that file already existed on disk.

The researcher's initial findings have been later confirmed by other security researchers, such as PT Security, TrustedSec, and Emsisoft.

This means victims can create that file on their PCs, set it to read-only, and block the NotPetya ransomware from executing.

While this does prevent the ransomware from running, this method is more of a vaccination than a kill switch. This is because each computer user must independently create this file, compared to a "switch" that the ransomware developer could turn on to globally prevent all ransomware infections.

How to Enable the NotPetya/Petna/Petya Vaccine

To vaccinate your computer so that you are unable to get infected with the current strain of NotPetya/Petya/Petna (yeah, this naming is annoying), simply create a file called perfc in the C:\Windows folder and make it read only. For those who want a quick and easy way to perform this task, Lawrence Abrams has created a batch file that performs this step for you.

This batch file can be found at: https://download.bleepingcomputer.com/b ... tyavac.bat

For those who wish to vaccinate their computer manually, you can do so using the following steps. Please note that these steps are being created to make it as easy as possible for those with little computer experience. For those who have greater experience, you can do it in quite a few, and probably better, ways.

First, configure Windows to show file extensions. For those who do not know how to do this, you can use this guide. Just make sure the Folder Options setting for Hide extensions for known file types is unchecked like below.

Follow Link For Details:

https://www.bleepingcomputer.com/news/s ... -outbreak/
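The vaccine described in the post above, written out as an added PowerShell example. This is not the batch file linked in the article and not Cybereason's or Lawrence Abrams' code; it assumes the single file name the post gives (perfc) under the Windows folder taken from $env:SystemRoot, and the function names are mine. It must be run from an elevated prompt, because C:\Windows is protected.

```powershell
# Added example: create the NotPetya "vaccine" file the post describes and mark it read-only.
# Not the article's batch file. Assumes the file name 'perfc' in %SystemRoot% (C:\Windows).
param(
    [string]$VaccinePath = (Join-Path $env:SystemRoot 'perfc')
)

function Set-PetyaVaccine {
    param([Parameter(Mandatory)][string]$Path)

    try {
        if (-not (Test-Path -LiteralPath $Path)) {
            # An empty file is enough: per the post, the malware only checks that the file exists.
            New-Item -ItemType File -Path $Path -Force | Out-Null
            Write-Host "Created $Path"
        } else {
            Write-Host "$Path already exists"
        }

        # Add the ReadOnly attribute without clearing attributes that are already set.
        $item = Get-Item -LiteralPath $Path -Force
        if ([int]($item.Attributes -band [IO.FileAttributes]::ReadOnly) -eq 0) {
            $item.Attributes = $item.Attributes -bor [IO.FileAttributes]::ReadOnly
        }
        return $true
    }
    catch {
        Write-Warning "Could not create or mark $Path : $($_.Exception.Message) (run as administrator?)"
        return $false
    }
}

function Test-PetyaVaccine {
    # Returns $true only if the file exists and carries the ReadOnly attribute.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $attr = (Get-Item -LiteralPath $Path -Force).Attributes
    return ([int]($attr -band [IO.FileAttributes]::ReadOnly)) -ne 0
}

$null = Set-PetyaVaccine -Path $VaccinePath
if (Test-PetyaVaccine -Path $VaccinePath) {
    Write-Host "Vaccine in place: $VaccinePath is present and read-only"
} else {
    Write-Warning "Vaccine check failed for $VaccinePath"
}
```

The script is idempotent, so it can be pushed to many machines repeatedly (for example through a logon script). As the post notes, this is a vaccine, not a kill switch: it protects only the machine the file is created on, and only against the strain that looks for this file name. It does nothing about the SMB hole that EternalBlue exploits, so patching remains the real fix.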

Re: Vaccine found for Global ransomware attack

PostAuthor: Anthea » Fri Jun 30, 2017 11:43 am

Turns Out New Petya is Not a Ransomware, It’s a Destructive Wiper Malware

What if I say the Tuesday's devastating global malware outbreak was not due to any ransomware infection?

Yes, the Petya ransomware attacks that began infecting computers in several countries, including Russia, Ukraine, France, India and the United States on Tuesday, and demanded a $300 ransom, were not designed with the intention of restoring the computers at all.

According to a new analysis, the virus was designed to look like ransomware but was wiper malware that wipes computers outright, destroying all records from the targeted systems.

Comae Technologies Founder Matt Suiche, who closely looked at the operation of the malware, said after analyzing the virus, known as Petya, his team found that it was a "Wiper malware," not ransomware.

Security experts even believe the real attack has been disguised to divert world's attention from a state-sponsored attack on Ukraine to a malware outbreak.

"We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state attacker," Suiche writes.

Is Petya Ransomware Faulty or Over-Smart?

Petya is a nasty piece of malware that, unlike other traditional ransomware, does not encrypt files on a targeted system one by one.

Instead, Petya reboots victims' computers and encrypts the hard drive's master file table (MFT) and renders the master boot record (MBR) inoperable, restricting access to the full system by seizing information about file names, sizes, and location on the physical disk.

Then Petya ransomware takes an encrypted copy of MBR and replaces it with its own malicious code that displays a ransom note, leaving computers unable to boot.

However, this new variant of Petya does not keep a copy of replaced MBR, mistakenly or purposely, leaving infected computers unbootable even if victims get the decryption keys.

Also, after infecting one machine, the Petya ransomware scans the local network and quickly infects all other machines (even fully-patched) on the same network, using EternalBlue SMB exploit, WMIC and PSEXEC tools.

Don't Pay Ransom; You Wouldn’t Get Your Files Back

So far, nearly 45 victims have already paid a total of $10,500 in Bitcoin in the hope of getting their locked files back, but unfortunately, they would not.

It's because the email address, which was being set-up by the attackers to communicate with victims and send decryption keys, was suspended by the German provider shortly after the outbreak.

Meaning, even if victims do pay the ransom, they will never recover their files. Kaspersky researchers also said the same.

"Our analysis indicates there is little hope for victims to recover their data. We have analyzed the high-level code of the encryption routine, and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks," the security firm said.

"To decrypt a victim’s disk threat actors need the installation ID. In previous versions of 'similar' ransomware like Petya/Mischa/GoldenEye this installation ID contained the information necessary for key recovery."

If the claims made by the researcher are correct that the new variant of Petya is a destructive malware designed to shut down and disrupt services around the world, the malware has successfully done its job.

However, it is still speculation, but the virus primarily and massively targeted multiple entities in Ukraine, including the country's local metro, Kiev's Boryspil airport, electricity supplier, the central bank, and the state telecom.

Other countries infected by the Petya virus included Russia, France, Spain, India, China, the United States, Brazil, Chile, Argentina, Turkey and South Korea.

How Did Petya get into the Computers in the First Place?

According to research conducted by Talos Intelligence, the little-known Ukrainian firm MeDoc is likely the primary source of yesterday's global ransomware outbreak.

Researchers said the virus has possibly been spread through a malicious software update to a Ukrainian tax accounting system called MeDoc, though MeDoc has denied the allegations in a lengthy Facebook post.

"At the time of updating the program, the system could not be infected with the virus directly from the update file," translated version of MeDoc post reads. "We can argue that users of the MEDoc system can not infect their PC with viruses at the time of updating the program."

However, several security researchers and even Microsoft agreed with Talos' finding, saying MeDoc was breached and the virus was spread via updates.
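The post above says the malware spreads across a network with the EternalBlue SMB exploit, WMIC and PsExec. The two administrative tools leave ordinary Windows event-log traces a defender can look for: PsExec installs a service named PSEXESVC on the target (System log, event 7045, "A service was installed in the system"), and a process started remotely through WMIC is created by the WMI provider host WmiPrvSE.exe (Security log, event 4688, which requires process-creation auditing and shows the parent as "Creator Process Name"). The following is an added PowerShell example, not code from The Hacker News, Comae or Kaspersky; the event records are constructed sample data with my own field names, and the function name is mine.

```powershell
# Added example (not from the article): flag event records that match the lateral-movement
# tooling the post names. $SampleEvents is constructed sample data, not real logs; the
# Log/Id/Host/Message fields are my own simplified shape of a Windows event record.
$SampleEvents = @(
    [pscustomobject]@{ Log='System';   Id=7045; Host='WS01'; Message='A service was installed in the system. Service Name: PSEXESVC Service File Name: %SystemRoot%\PSEXESVC.exe' },
    [pscustomobject]@{ Log='Security'; Id=4688; Host='WS02'; Message='A new process has been created. New Process Name: C:\Windows\System32\cmd.exe Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe' },
    [pscustomobject]@{ Log='Security'; Id=4688; Host='WS03'; Message='A new process has been created. New Process Name: C:\Windows\System32\notepad.exe Creator Process Name: C:\Windows\explorer.exe' },
    [pscustomobject]@{ Log='System';   Id=7045; Host='WS04'; Message='A service was installed in the system. Service Name: Spooler Service File Name: %SystemRoot%\System32\spoolsv.exe' }
)

function Find-LateralMovementIndicators {
    # Returns one object per matching event; benign events (WS03, WS04 above) produce nothing.
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        $reason = $null

        # PsExec: service install of PSEXESVC on the target host.
        if ($e.Log -eq 'System' -and $e.Id -eq 7045 -and $e.Message -match 'Service Name:\s*PSEXESVC\b') {
            $reason = 'PsExec service (PSEXESVC) installed'
        }
        # WMIC "process call create" against a remote node: child process whose parent is WmiPrvSE.exe.
        elseif ($e.Log -eq 'Security' -and $e.Id -eq 4688 -and $e.Message -match 'Creator Process Name:\s*\S*\\WmiPrvSE\.exe') {
            $reason = 'Process spawned by WMI provider host (remote WMI process creation)'
        }

        if ($reason) {
            [pscustomobject]@{ Host = $e.Host; EventId = $e.Id; Reason = $reason }
        }
    }
}

# Expected: two hits, WS01 (7045) and WS02 (4688).
Find-LateralMovementIndicators -Events $SampleEvents | Format-Table -AutoSize
```

To run this against real hosts, build the same objects from Get-WinEvent (for example with -FilterHashtable @{LogName='System'; Id=7045} and @{LogName='Security'; Id=4688}) and map the event's MachineName and Message into the Host and Message fields. Both signals are noisy where administrators legitimately use PsExec or remote WMI, so the useful question is how many hosts show them within minutes of each other, which is the pattern the post describes.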


Return to Computer & Technology

Who is online

Registered users: Bing [Bot], Google [Bot], Majestic-12 [Bot]

x

#{title}

#{text}