Well, looks like we’ve got another one. This Ransomware is named “Petya”. Origination of infection (first site) is in the Ukraine / Russia area. Russian oil company Rosneft has its computers down, but says it is still pumping oil as that is on different systems (hey, can you say “air gap” or “linux”?…)
It has spread to Europe where Maersk shipping is down. Plus many others. It looks to have made the jump to the USA. (One local news show from back east said folks needed to use their cell phones to call 911 as the regular landline system “was down”… I don’t know, but suspect, it is related.)
It looks to be Microsoft Windows specific, has been a known threat for about a year, and patches for it exist, so it looks like anyone with up-to-date security patches ought to be safe. (Me? I just use Linux and MacOS …)
h/t to A C Osborn for “tipping” it here: https://chiefio.wordpress.com/2017/06/01/tips-june-2017/#comment-84543 a good 7 hours before I “woke up and smelled the coffee” enough to pay attention to “computer stuff”.
CNET has an article on it here: https://www.cnet.com/news/unprecedented-cyberattack-hits-businesses-across-europe/
It looks like there is no way to recover an attacked computer. That is, it locks up the computer entirely, not just encrypting the data. I’m guessing a complete wipe and reload would recover the hardware, but that’s only a guess at this time. (That is, I don’t know if it exploits any firmware persistence tools).
Another widespread ransomware attack is threatening to wreak havoc across the world.
Businesses and government agencies have been hit with a variation of the Petya ransomware — that is, malware that holds crucial files hostage. The malware is demanding $300 in bitcoin before victims can regain access.
The new ransomware, identified by security firm Bitdefender as GoldenEye, has two layers of encryption, researchers said. It locks up both your files and your computer’s file system.
“Just like Petya, it is particularly dangerous because it doesn’t only encrypt files, it also encrypts the hard drive as well,” said Bogdan Botezatu, a senior threat analyst with Bitdefender.
The malware forces an infected PC to reboot as soon as it finishes encrypting files, so you’ll see the ransom demands as soon as possible. Researchers at Recorded Future said there’s also a hidden Trojan on Petya that steals victims’ usernames and passwords.
This is the second global ransomware attack in the last two months. It follows the WannaCry outbreak that ensnared more than 200,000 computers, locking up hospitals, banks and universities. Like WannaCry, the GoldenEye and Petya attacks affect only computers running the Windows operating system.
Microsoft released patches for all Windows operating systems after the global outbreak, but people who’ve updated their computers could still be affected, according to Anomali, a threat intelligence company. That’s because Petya can also spread through Office documents, taking advantage of yet another vulnerability and combining it with similar wormholes a la WannaCry.
The difference between Petya and WannaCry is that Petya apparently does not have a kill-switch that could be accidentally triggered.
Researchers from Symantec confirmed that the GoldenEye ransomware used EternalBlue, the NSA exploit that fueled WannaCry’s spread. So far, more than $4,600 has been paid to the attackers’ bitcoin wallet in 19 payments.
It’s still unclear who’s behind the Petya attacks. Researchers still have not found the hackers responsible for WannaCry, though the NSA has linked that attack to North Korea.
Originally published June 27 at 8:14 a.m. PT.
Updated at 10:11 a.m. PT: Incorporated more details on the ransomware and who has been affected and at 11:40 a.m. PT: to include that the email address behind the ransomware has been shut down.
What I’m Doing
Not much, really. I have 2 Windows boxes mostly just as an archive for any potential “need to run something ancient” use. They are left off and disconnected from the internet essentially all the time. My major systems are various Linux / BSD types, and they are not involved in this event. I have a minor use (browsing mostly) Android Tablet and MacOS Macbook, both also immune (and both off most of the time).
That just leaves my primary infrastructure systems as things to think about. I’ve shut down my main file server ( 41 days unattended uptime…) even though it ought to be immune. Not really using the files on it at present anyway. I’m running one Linux-based Raspberry Pi chip as my Daily Driver desktop ( 44 days uptime…) with most of the “few TB” of data that it uses left shut down and offline almost 100% of the time. The chip can be reflashed in about 4 minutes, if I’m slow, so even there not much an issue. The live disks on it are cloned into the shut-down archive, so they, too, can be recovered.
So at present I’ve got a TB USB hard disk, fully duplicated in a deep archive, and a 16 GB SD chip that are exposed, and the system is immune anyway. That’s a comfortable feeling ;-) I also have 3 more similar SBCs I can boot up if I need systems to recover from ( 2 x Pi and 1 x Odroid ) all with pristine chips (and with copies in a box and with another dozen “variety OS chips” in said box).
So basically, for me, it is largely a “non-event”. My major issue just being which of my many immune and recoverable systems to bother using today… and an excessively cautious shutdown of a file storage system that didn’t need to be shut down, but hey, I’m not really using it at the moment anyway so why put wear on the disks? Honestly, what with the SBC (Single Board Computer) device being silent, and the disks going to idle spin-down, I’d really just forgotten that I’d left it “running”. It’s got a few TB of climate data on it and not much else, so a PITA to lose it, but all just a clone of sites on the internet anyway. I could fire off the clone script and in a month be recovered with a newer version, worst case. (The oldest data is in an offline powered-off archive disk set.) But hey, may as well shut it off if not in use.
Were I at a company right now, I’d be ensuring my staff were similarly “ready to start recovery” and that any “at risk” data archives were properly shut down and safe. I’d also be asking for a patch level report on EVERY system in the place and anything not up to snuff would be shut down, cloned, and a planning session scheduled to determine what to do with it. (i.e. bring up the clone, leave it down, upgrade it, replace with Linux, whatever). Oh, and the Intrusion Detection / Prevention System checked to see if it has a profile for this to detect and block it. Scheduling folks for 24 x 7 double shifts “for the duration” and sending out company wide email about how to avoid this via behaviour changes, and updates on home systems…
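For the “patch level report on EVERY system” part, here is what that report looks like in practice for the EternalBlue / MS17-010 exposure the CNET piece above says fueled the spread. This is an added example, not code from the original post or from any vendor: it assumes WinRM is enabled and you have admin rights on the target hosts, the host names are placeholders, and the KB list is the MS17-010 set as published in March 2017 and must be re-checked against the bulletin, because later cumulative updates supersede those KBs (a host with a newer monthly rollup can be fully patched yet show none of them).

```powershell
# Added example, not from the original post. Assumes WinRM/admin access
# to the listed hosts; host names are placeholders.
$Hosts = @('ws-01', 'ws-02', 'srv-files')

# MS17-010 KB numbers (March 2017). Verify against the bulletin before use;
# newer cumulative updates supersede these and will not appear in this list.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012598',                           # XP, Vista, Server 2003/2008, Windows 8 (out-of-band)
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

$Report = Invoke-Command -ComputerName $Hosts -ErrorAction Continue -ScriptBlock {
    param($Kbs)
    $os        = Get-CimInstance Win32_OperatingSystem
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hit       = $installed | Where-Object { $Kbs -contains $_ }

    # SMBv1 server state; the cmdlet exists on Windows 8 / Server 2012 and later,
    # so $null here means "could not determine", not "disabled".
    $smb1 = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    [PSCustomObject]@{
        Host        = $env:COMPUTERNAME
        OS          = $os.Caption
        Build       = $os.Version
        LastBoot    = $os.LastBootUpTime
        Ms17010Kb   = ($hit -join ',')
        Smb1Enabled = $smb1
    }
} -ArgumentList (,$Ms17010Kbs)   # (,$x) keeps the array from being unrolled

$Report | Sort-Object Host | Format-Table -AutoSize

# "Not up to snuff": no MS17-010 KB seen and SMBv1 not confirmed off.
# These are the boxes to isolate first. A host with a newer cumulative
# update but SMBv1 still on needs a manual look, since the KB list misses it.
$Report |
    Where-Object { -not $_.Ms17010Kb -and $_.Smb1Enabled -ne $false } |
    Select-Object Host, OS, Build, Smb1Enabled
```

Two caveats a practitioner will want: hosts that do not answer WinRM are exactly the ones most likely to be unpatched, so treat “no row in the report” as “unknown, go look”; and the KB check answers only the EternalBlue question, not the credential-theft spreading the Recorded Future note above describes, so a fully patched box on a network with an infected neighbour is still at risk until those credentials are rotated.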
Lucky for me, I’m not at a company right now, so instead, I’m going to investigate the Rum and OJ status… It looks to me like about 24 to 48 hours of entertainment are in my future ;-)
(I know, it’s “wrong” to be smug in retirement… but I guess I’m just a Bad Boy at heart ;-0 )