Widely referred to as Petya – though the attack is new and not a Petya variant – the virus uses the same Windows SMB flaw that allowed last month’s WannaCry outbreak to spread so quickly.
The malicious software, which has thus far been detected in countries such as Russia, Ukraine, Poland, Spain, Italy, Germany, France, the UK and US, encrypts and alters critical system files before demanding $300 worth of Bitcoin.
— Kevin Beaumont (@GossiTheDog) June 27, 2017

Initially, nearly all antivirus programs were unable to detect the ransomware – which disguised itself as an approved Microsoft file.
Prominent victims include Denmark-based shipping firm Maersk, multinational law firm DLA Piper, medical facilities in Pittsburgh as well as Ukraine’s central bank and the Chernobyl nuclear power plant.
The plant, which suffered a catastrophic nuclear accident in 1986, is still being decommissioned to this day.
According to a Ukrainian newspaper, Chernobyl staff have been forced to begin monitoring radiation levels manually as their computers remain crippled. Vladimir Ilchuk, the plant’s shift director, said “excess levels of control” helped avert any potential radiation leaks.
#Breaking: Supermarket in Kharkiv, east Ukraine – all payment terminals look to have been hit by the #Petya #ransomeware pic.twitter.com/e1nUHNkVwg — Ryan Clapham (@NewsReport365) June 27, 2017

We confirm some Maersk IT systems are down. The safety of our customers’ business and our people is our top priority. Updates to follow. — Maersk Line (@MaerskLine) June 27, 2017

A tipster sends along this photo taken outside DLA Piper’s D.C. office around 10am. #Petya pic.twitter.com/HWS4UFlvQR — Eric Geller (@ericgeller) June 27, 2017

Apparently Hospital system in the Pittsburgh PA area got hit by #Petya #ransomware. pic.twitter.com/cBEYyqhXrA — Anis (@0xUID) June 27, 2017

We confirm our company’s computer network was compromised today as part of global hack. Other organizations have also been affected (1 of 2) — Merck (@Merck) June 27, 2017

Petya on an ATM. Photo by REUTERS. https://t.co/fDQ0nGyQc6 pic.twitter.com/gT2xQP9wAo — Mikko Hypponen (@mikko) June 27, 2017
Victims are being told not to pay the ransom as the email accepting Bitcoin payments – wowsmith123456@posteo.net – has been shut down by the provider. Although Microsoft released a patch for the SMB vulnerability prior to the WannaCry outbreak, the exploit continues to be useful as countless computers have failed to apply the security update.

Targeted in Ukraine cyberattack:
– Metro network
– Electric grid
– Ministry sites
– Airport
– Banks
– Media outlets
– State owned companies
— The Spectator Index (@spectatorindex) June 27, 2017
While Microsoft’s update will stop the ransomware from remotely infecting vulnerable computers with SMBv1 enabled, patched machines can still be hit if the virus makes its way into their network.

Do not pay the #Petya ransom. You will not get your files back. The email address used is blocked! @SwiftOnSecurity @thegrugq pic.twitter.com/NOzxLz0vul — haveibeencompromised (@HIBC2017) June 27, 2017
According to cybersecurity expert Matthew Hickey, co-founder of UK-based Hacker House, affected users can avoid having their files encrypted by turning off their computer when presented with the message below:

If machine reboots and you see this message, power off immediately! This is the encryption process. If you do not power on, files are fine. pic.twitter.com/IqwzWdlrX6 — Hacker Fantastic (@hackerfantastic) June 27, 2017

Amit Serper, a security researcher with Cybereason, similarly discovered a method to stop the malware on a compromised computer.

If #Petya gets in, you are in for a ride. It is using WMIC and PSEXEC to laterally pivot and infect patched systems. Just like a pentester. — Carbon Dynamics (@CarbonDynamics) June 27, 2017
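The WMIC and PsExec lateral movement noted in the tweets above is the part of the outbreak that reaches machines the SMB patch already protects, so it is also what a defender should be looking for in host logs. The following is an added example, not code from the article or from any researcher it quotes: a PowerShell sweep of the local Security and System logs for remote process creation through `wmic.exe` and for PsExec-style service installation. It assumes process-creation auditing (event 4688) is enabled with "Include command line in process creation events" turned on, since without that setting 4688 carries no command line; the 24-hour lookback and the match patterns are illustrative choices, and reading the Security log requires an elevated session.

```powershell
# Added example: sweep local event logs for the WMIC / PsExec lateral-movement
# mechanisms described in the article. Not the article's or any researcher's code.
# Assumes 4688 auditing with command-line logging; run from an elevated prompt.

$LookbackHours = 24   # illustrative window

function Find-WmicRemoteExec {
    # Event 4688 (Security): a new process was created. "wmic process call create"
    # is the execution form; "/node:" marks the remote variant.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue

    $events | Where-Object { $_.Message -match '(?i)wmic(\.exe)?\b.*process\s+call\s+create' } |
        ForEach-Object {
            $kind = if ($_.Message -match '(?i)/node:') { 'wmic-remote' } else { 'wmic-local' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Kind    = $kind
                Message = ($_.Message -split "`n")[0]
            }
        }
}

function Find-PsExecServiceInstall {
    # Event 7045 (System): a service was installed. PsExec registers PSEXESVC;
    # as a looser heuristic, also flag services whose binary sits directly in
    # the Windows root, which is where PsExec-style tools drop their payload.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue

    $events | Where-Object {
        $_.Message -match '(?i)PSEXESVC' -or
        $_.Message -match '(?i)Service File Name:\s+%SystemRoot%\\[^\\\r\n]+\.exe'
    } | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Kind    = 'service-install'
            Message = ($_.Message -split "`n")[0]
        }
    }
}

function Find-LateralMovementIndicators {
    # Merge both sources into one timeline for triage.
    @(Find-WmicRemoteExec) + @(Find-PsExecServiceInstall) | Sort-Object Time
}

# Usage
Find-LateralMovementIndicators | Format-Table -AutoSize -Wrap
```

Both matches are heuristics rather than signatures: a legitimate administrator using WMIC or PsExec produces the same events, so the value is in correlating a burst of these across many hosts in a short window, which is what a worm spreading this way looks like from the log side.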
“While analyzing the ransomware’s inner workings, Serper was the first to discover that NotPetya would search for a local file and would exit its encryption routine if that file already existed on disk…” writes Bleeping Computer’s Catalin Cimpanu. “This means victims can create that file on their PCs, set it to read-only, and block the NotPetya ransomware from executing.”

Confirmed the local vaccine for #Petya / #NotPetya in LAB as described by @0xAmit & @hackerfantastic
copy NUL C:\Windows\perfc.dat pic.twitter.com/XxrBzkfRgG
— Florian Roth (@cyb3rops) June 27, 2017
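The two host-level mitigations the article describes are the SMBv1 exposure (the patched-but-SMBv1-enabled point made above) and the read-only `perfc.dat` marker file that Serper found makes the malware skip its encryption routine. The following is an added example, not the article's code or that of any of the researchers it quotes: a PowerShell script that reports SMBv1 status, checks whether the SMB patch is installed, and creates the vaccine file as read-only. It assumes Windows 8.1 / Server 2012 R2 or later for the `Get-SmbServerConfiguration` and `Get-WindowsOptionalFeature` cmdlets, and an elevated session. The Microsoft bulletin for that SMB patch is MS17-010 (not named on the page); its KB number differs per OS build, so the script leaves it as a placeholder to fill in. The article names `perfc.dat`; the extensionless `perfc` name was also recommended at the time, and the script creates both.

```powershell
# Added example: check SMBv1 exposure and install the local "perfc" vaccine file
# described in the article. Not the article's or any researcher's code.
# Assumes Windows 8.1 / Server 2012 R2+ and an elevated session.

# Placeholder: the MS17-010 KB id differs per OS build; fill in the one for your systems.
$Ms17010Kb = 'KB<MS17-010 KB for this OS build>'

function Test-Smb1Exposure {
    # SMBv1 is the protocol the worm's SMB exploit targets; report whether it is on.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        Smb1ServerEnabled = $cfg.EnableSMB1Protocol
        Smb1FeatureState  = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    }
}

function Disable-Smb1 {
    # Turn SMBv1 off on the server side and remove the optional feature (reboot later).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Test-Ms17010Installed {
    # Get-HotFix lists updates installed through Windows Update / WUSA only.
    return [bool](Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue)
}

function Install-PerfcVaccine {
    # Create the marker file(s) read-only so the encryption routine exits early.
    # perfc.dat is the name the article gives; perfc is the extensionless variant.
    $names = @('perfc.dat', 'perfc')
    foreach ($name in $names) {
        $path = Join-Path $env:SystemRoot $name
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -Path $path -ItemType File -Force | Out-Null
        }
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    }
    # Return what was created so the result can be verified.
    $names | ForEach-Object {
        $p = Join-Path $env:SystemRoot $_
        [pscustomobject]@{ Path = $p; ReadOnly = (Get-Item -LiteralPath $p).IsReadOnly }
    }
}

# Usage
Test-Smb1Exposure
"MS17-010 present: $(Test-Ms17010Installed)"
Install-PerfcVaccine | Format-Table -AutoSize
```

The vaccine only stops the encryption stage on the host where the file exists; it does nothing to block the SMB exploit or the WMIC/PsExec spread described above, so it complements the patch and the SMBv1 removal rather than replacing them.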
As of publication, those responsible for the outbreak have received 3.15303437 BTC or roughly $7422.05.
Some analysts believe, given the timing of the attack, that the ransomware was used not for monetary gain but for instilling chaos in Ukraine specifically.

#WannaCry was the warning shot. #Petya #NotPetya is the real deal by someone who knows what they’re doing. Probably worst worm ever seen. — zerosum0x0 (@zerosum0x0) June 27, 2017
“In Ukraine tomorrow is a holiday – June 28 – Constitution Day,” Nick Bilogorskiy, senior director of threat operations at Cyphort, told CyberScoop. “Hackers are known to seed malware outbreaks right before the holidays, to make the recovery take longer.”
Security researcher “The Grugq” also notes that the ransomware authors, while sophisticated, made decisions that clearly inhibited their ability to quickly collect payment.
“Although the worm is camouflaged to look like the infamous Petya ransomware, it has an extremely poor payment pipeline,” he writes. “There is a single hardcoded BTC wallet and the instructions require sending an email with a large amount of complex strings (something that a novice computer victim is unlikely to get right.)”
“Predictably, within hours the email address had been disabled by the service provider. If this well engineered and highly crafted worm was meant to generate revenue, this payment pipeline was possibly the worst of all options (short of ‘send a personal cheque to: Petya Payments, PO Box …’).”
“This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of ‘ransomware’.”