Petya Ransomware Attack

Well, looks like we’ve got another one. This Ransomware is named “Petya”. Origination of infection (first site) is in the Ukraine / Russia area. Russian oil company Rosneft has their computers down, but says they are still pumping oil as that is on different systems (hey, can you say “air gap” or “linux”?…)

It has spread to Europe where Maersk shipping is down. Plus many others. It looks to have made the jump to the USA. (One local news show from back east said folks needed to use their cell phones to call 911 as the regular land line system “was down”… I don’t know, but suspect, it is related.)

It looks to be Microsoft Windows specific, has been a known threat for about a year, and patches for it exist, so it looks like anyone with up to date security patches ought to be safe. (Me? I just use Linux and MacOS …)

h/t to A C Osborn for “tipping” it here: https://chiefio.wordpress.com/2017/06/01/tips-june-2017/#comment-84543 a good 7 hours before I “woke up and smelled the coffee” enough to pay attention to “computer stuff”.

CNET has an article on it here: https://www.cnet.com/news/unprecedented-cyberattack-hits-businesses-across-europe/

It looks like there is no way to recover an attacked computer. That is, it locks up the computer entirely, not just encrypting the data. I’m guessing a complete wipe and reload would recover the hardware, but that’s only a guess at this time. (That is, I don’t know if it exploits any firmware persistence tools).

Another widespread ransomware attack is threatening to wreak havoc across the world.

Businesses and government agencies have been hit with a variation of the Petya ransomware — that is, malware that holds crucial files hostage. The malware is demanding $300 in bitcoin before victims can regain access.

The new ransomware, identified by security firm Bitdefender as GoldenEye, has two layers of encryption, researchers said. It locks up both your files and your computer’s file system.

“Just like Petya, it is particularly dangerous because it doesn’t only encrypt files, it also encrypts the hard drive as well,” said Bogdan Botezatu, a senior threat analyst with Bitdefender.

The malware forces an infected PC to reboot as soon as it finishes encrypting files, so you’ll see the ransom demands as soon as possible. Researchers at Recorded Future said there’s also a hidden Trojan on Petya that steals victims’ usernames and passwords.

This is the second global ransomware attack in the last two months. It follows the WannaCry outbreak that ensnared more than 200,000 computers, locking up hospitals, banks and universities. Like WannaCry, the GoldenEye and Petya attacks affect only computers running the Windows operating system.

Microsoft released patches for all Windows operating systems after the global outbreak, but people who’ve updated their computers could still be affected, according to Anomali, a threat intelligence company. That’s because Petya can also spread through Office documents, taking advantage of yet another vulnerability and combining it with similar wormholes a la WannaCry.

The difference between Petya and WannaCry is that Petya apparently does not have a kill-switch that could be accidentally triggered.
[…]
Researchers from Symantec confirmed that the GoldenEye ransomware used EternalBlue, the NSA exploit that fueled WannaCry’s spread.
So far, more than $4,600 has been paid to the attackers’ bitcoin wallet in 19 payments.
[…]
It’s still unclear who’s behind the Petya attacks. Researchers still have not found the hackers responsible for WannaCry, though the NSA has linked that attack to North Korea.

Originally published June 27 at 8:14 a.m. PT.
Updated at 10:11 a.m. PT: Incorporated more details on the ransomware and who has been affected and at 11:40 a.m. PT: to include that the email address behind the ransomware has been shut down.

What I’m Doing

Not much, really. I have 2 Windows boxes mostly just as an archive for any potential “need to run something ancient” use. They are left off and disconnected from the internet essentially all the time. My major systems are various Linux / BSD types, and they are not involved in this event. I have a minor use (browsing mostly) Android Tablet and MacOS Macbook, both also immune (and both off most of the time).

That just leaves my primary infrastructure systems as things to think about. I’ve shut down my main file server ( 41 days unattended uptime…) even though it ought to be immune. Not really using the files on it at present anyway. I’m running one Linux based Raspberry Pi chip as my Daily Driver desktop ( 44 days uptime…) with most of the “few TB” of data that it uses left shut down and offline almost 100% of the time. The chip can be reflashed in about 4 minutes, if I’m slow, so even there it is not much of an issue. The live disks on it are cloned into the shutdown archive, so they, too, can be recovered.

So at present I’ve got a TB USB hard disk, fully duplicated in a deep archive, and a 16 GB SD chip that are exposed, and the system is immune anyway. That’s a comfortable feeling ;-) I also have 3 more similar SBCs I can boot up if I need systems to recover from ( 2 x Pi and 1 x Odroid ) all with pristine chips (and with copies in a box and with another dozen “variety OS chips” in said box).

So basically, for me, it is largely a “non-event”. My major issue just being which of my many immune and recoverable systems to bother using today… and an excessively cautious shutdown of a file storage system that didn’t need to be shut down, but hey, I’m not really using it at the moment anyway so why put wear on the disks? Honestly, what with the SBC (Single Board Computer) device being silent, and the disks going to idle spin-down, I’d really just forgotten that I’d left it “running”. It’s got a few TB of climate data on it and not much else, so a PITA to lose it, but all just a clone of sites on the internet anyway. I could fire off the clone script and in a month be recovered with a newer version, worst case. (The oldest data is in an offline powered off archive disk set.) But hey, may as well shut it off if not in use.

Were I at a company right now, I’d be assuring my staff were similarly “ready to start recovery” and that any “at risk” data archives were properly shut down and safe. I’d also be asking for a patch level report on EVERY system in the place and anything not up to snuff would be shut down, cloned, and a planning session scheduled to determine what to do with it. (i.e. bring up the clone, leave it down, upgrade it, replace with Linux, whatever). Oh, and the Intrusion Detection / Prevention System checked to see if it has a profile for this to detect and block it. Scheduling folks for 24 x 7 double shifts “for the duration” and sending out company wide email about how to avoid this via behaviour changes, and updates on home systems…

Lucky for me, I’m not at a company right now, so instead, I’m going to investigate the Rum and OJ status… It looks to me like about 24 to 48 hours of entertainment are in my future ;-)

(I know, it’s “wrong” to be smug in retirement… but I guess I’m just a Bad Boy at heart ;-0 )

About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present “hot buttons” are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Tech Bits.

25 Responses to Petya Ransomware Attack

  1. tom0mason says:

    Yes, it looks to be another Windows attack.
    zdnet ( http://www.zdnet.com/article/a-massive-cyberattack-is-hitting-organisations-around-the-world/ ) has a little information —

    …cybersecurity researchers at firms including Recorded Future say this attack appears to take advantage of the Windows Management Instrumentation Command-line (WMIC), the command line used to execute system management commands for Windows.

    WMIC requires a username and password, suggesting that the payload could also contain a trojan information stealer, meaning attackers can scrape usernames and passwords from the infected machine and jump from one unit to the next- potentially even those patched against EternalBlue.

    Maybe the public and corporations will now start to take this seriously and move over to more secure OSs. IT folks will be earning their money again thanks to M$.
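As an added defender-side illustration (not code from the post, the commenter, or the ZDNet article), the check below flags remote WMIC use in process-creation telemetry: a `/node:` target, credentials passed on the command line, and a remote process-creation request. The log lines, host names and field names are constructed for the example; real records would come from Sysmon or the Security event log.

```python
"""Flag remote WMIC execution in process-creation records.

The sample telemetry below is constructed for this example (key=value
records in the shape of a Sysmon event 1); it is not real log data.
"""
import re
from dataclasses import dataclass, field

# Constructed sample records: routine local use on lines 1-2, remote use
# with explicit credentials on line 3, unrelated activity on line 4.
SAMPLE_LOGS = r"""
EventID=1 Host=WS-042 User=CORP\alice Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe report.txt"
EventID=1 Host=WS-042 User=CORP\alice Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic os get caption"
EventID=1 Host=WS-042 User=CORP\svc_backup Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic /node:WS-077 /user:CORP\admin /password:<redacted> process call create cmd.exe"
EventID=1 Host=WS-077 User="NT AUTHORITY\SYSTEM" Image=C:\Windows\System32\svchost.exe CommandLine="svchost.exe -k netsvcs"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value with spaces"
NODE_RE = re.compile(r'/node:"?([^\s"]+)', re.IGNORECASE)


@dataclass
class Finding:
    host: str                      # where wmic.exe ran
    user: str                      # account that launched it
    target: str                    # host named after /node:
    severity: str
    reasons: list = field(default_factory=list)


def parse_record(line):
    """Split one key=value record into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def assess_record(rec):
    """Return a Finding for remote WMIC execution, or None for anything else."""
    if rec.get("EventID") != "1":
        return None
    if not rec.get("Image", "").lower().endswith("\\wmic.exe"):
        return None
    cmd = rec.get("CommandLine", "")
    node = NODE_RE.search(cmd)
    if not node:
        return None                # local wmic queries are routine admin work
    finding = Finding(host=rec.get("Host", "?"), user=rec.get("User", "?"),
                      target=node.group(1), severity="high",
                      reasons=["wmic targets a remote host via /node:"])
    lowered = cmd.lower()
    if "/user:" in lowered or "/password:" in lowered:
        # credentials on the command line: the pattern a stolen-credential
        # hop leaves behind, and they also land in the process log itself
        finding.severity = "critical"
        finding.reasons.append("explicit credentials passed on the command line")
    if "process call create" in lowered:
        finding.reasons.append("remote process creation requested")
    return finding


def scan(log_text):
    """Run assess_record over every non-empty line and collect the findings."""
    records = (parse_record(line) for line in log_text.splitlines() if line.strip())
    return [f for f in map(assess_record, records) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.severity.upper()}: {f.user} on {f.host} -> {f.target}: " + "; ".join(f.reasons))
```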

  2. E.M.Smith says:

    “IT folks will be earning their money again thanks to M$.”

    Once had an I.T. guy ask me why he ought to promote Unix solutions since he got recognition as being important every time MS needed fix / recovery…

    And just who is doing that “recommend of Microsoft”? Oh, right, the I.T. guys now “earning THE money”…

  3. tom0mason says:

    And just another small thing —
    Debian Linux developers have discovered a flaw in the microcode of a large number of latest Intel chips that causes unpredictable system behavior. So Linux, Apple, and Windows are affected and Intel are so far keeping quiet about it.
    http://www.zdnet.com/article/debian-linux-reveals-intel-skylake-kaby-lake-processors-have-broken-hyper-threading/
    The final part of that review says it all — Not if but when.

    To date, no one has found a way to exploit this for a malware attack, but it seems likely that it’s only a matter of time before someone uses it for a denial of service attack. Before that happens, I have every hope that the microcode update gets to all users via their hardware vendors and/or their operating system distributors.

  4. E.M.Smith says:

    @Tom0Mason:

    I got skeptical of Intel with the Pentium math bug, then fell entirely off the wagon with their embedded “I can’t touch it” co-processor and UEFI. I now use non-Intel whenever possible. AMD chips if I must have something x86 instruction set, if at all possible.

    I’m patiently waiting for OpenSPARC based hardware and figure as soon as it exists, it will be my next muse. Until then, the NVidia boards with CUDA Cores massive parallel math have my attention. With that kind of stuff, I’m just not seeing anything to cause me interest in the Intel PRISM-compliant systems approved by Spooks World Wide…

    Frankly, I’m quite happy running on a quad-core ARM chip, so I’m just not seeing why I would need all that extra crap in my systems. Just avoid Microsoft and you really don’t need the added hardware suckage.

    I know it doesn’t work for everyone, but I’m happy with it. At the present rate of hardware improvement in the ARM world, it is already time for a generation even faster than the Odroid, which was faster than I really needed. So sometime in the next year I’m likely to be able to buy much more than I need for about $60 all up. I already have more than I can use at any one time in my present set of Pi and Odroid and Orange Pi boards. (I ought to get back to making the cluster run climate models again, but “stuff came up” so the stack is mostly idle).

    In the end, I’ve reached the point where both the Micro$oft Follies and the Intel Opsies are just side-show entertainment for me, now. To paraphrase PG (from other topics) “I don’t need them!”… So it’s fun to have the updates and watch the Aw Shit! news, but it just isn’t part of my worry bucket any more, and I like it that way ;-)

    Well, there’s a global Computing Catastrophe sweeping the world, IT Departments and computer guys everywhere are in a tizzy, Intel has a broken chip and Microsoft is sure they got it right this time, for the 10000+th time… And I’m looking at a nice warm, not too hot, day, “enough” rum, and some OJ. All my computers are fine, thanks. I think it’s time for a bit of relaxing in the lawn chair… Schadenfreude, what’s not to like? ;-)

  5. Larry Ledwick says:

    Some are also referring to this as Goldeneye
    From twitter:
    Reuters Top News‏Verified account @Reuters 24 minutes ago

    ‘GoldenEye’ cyber attack goes global: http://reut.rs/2tixTmx . More #ReutersCyber coverage: http://reut.rs/2rZoMmA #CyberRisk

    http://www.reuters.com/article/us-cyber-attack-idUSKBN19I1TD

  6. E.M.Smith says:

    @Larry:

    Yeah, names… such fun.

    I hate to say it (no I don’t… I’m lovin’ it ;-) but after 30 years of telling folks just what is going to “fill their back door with something hot and unpleasant” and being told “go away kid, you bother me”; I’m just absolutely entirely THRILLED to watch folks running around with their hair on fire from ignoring just those things I’ve shouted about.

    I guess with Social Security just a year away, and having decided to not bother looking for a ‘next gig’ (so really “retired”) I’m finally at ease to just “let it go”. It really is “Not MY Problem” and from this point on, it never will be. I’m not sure there’s enough money to wave under my nose to get me to put on the mantle of “Responsible” in the current milieu of crap systems and crap OS design. Maybe if given “free hand” to spec what is allowed hardware AND software and completely ban Microsoft… maybe… but sign up for another Mostly MS Shop and be told to STFU on valid advice, yet again? Sorry, not interested. Forget the zeros on the end of the salary… “Life is too short to drink bad wine”.

    Or maybe that’s the Rum talking ;-) Yes, I’ve had a wonderful couple of hours in the sun, tropical rum drink in hand, watching the sprinkler bring life and happiness to various flowers and even a tomato plant… MUCH better than dealing with some sucky malware / ransomware.

    I’m enjoying this “F-yours and your ugly dog too!” moment far too much. (No it isn’t too much… it’s just about right!) and finding it very liberating. No longer need I worry about what a potential future contract might say. I just don’t care any more.

    Folks can listen to those “with clue”; or they can have a BOHICA moment. (Bend Over, Here It Comes Again). This is the second in about as many months, based on the same issue, and using an NSA method ( Gee, THANKS! US Government, for having a group dedicated to assuring everything is broken every way possible!!! Next time, maybe you ought to have a group working to keep things secure instead? Oh, sorry, never mind, I think I have a Rum Sunrise calling my name…) and causing global disruption. Hope it was worth it… (NOT!)

    So FWIW, I’m ready, willing, and able to buy Snowden a “drink of his choice at the place of his choice”. That’s my standard offer. My only caveat is that they must get me to the venue. So a bar in Tahiti, or a club in Moscow, no problem. I’ll open the tab and pay it in full end of night. Just get me there. WHY? When he is a ‘traitor’? Because he showed that all the things I suspected were, in fact, real. He moved me from “Semi-Paranoid Ideation” to “Accurate Prognostication”. For that, the tab is on me. Any size. Any place. Just get me there. Same offer for anyone else doing similar work. Show that my intuition is illuminating fact, it’s a free ride at the bar (and the appetizers too!).

    Do I hate the USA? Nope. 180 degrees off. IMHO, the USA is the “last best hope” for liberty in the world. I love this place. More so the way it was in the 1960s than now, but it is still better than the rest. Texas and Florida look like the Last Bastions to me, but I don’t know enough about rural Arkansas, Mississippi, Wyoming, etc. etc. to say for sure. I’ve lived in Florida for a couple of years, and I’m good with that. I’m an honorary “Texan by marriage” and I’m good with that, too. So we’re preparing our Great Escape from California to somewhere like them. Sorry to see California join Venezuela in the “Socialist Workers Paradise” collapse, but unwilling to fund it in my “golden years”. So me, my money and my guns, are moving soon enough to somewhere more like California of the 1960s.

    For today: I’m happily basking in the knowledge that my systems and my pattern of operations have left me… totally secure in the face of a global pandemic of malware. What kind of validation could be more than that? Eh?

    Well, I have a (nice!) dinner to cook and another rum drink to concoct, so time to go…

    To all the I.T. folks working through the night to recover, having warned of this stuff in the past, my condolences, and take what pleasure you can in knowing that someday, this too, shall end for you. I’ll drink a rum drink in your honor. Shortly ;-)

  7. Larry Ledwick says:

    I am about your age but will be working for quite a long time yet. Luckily I work for a company with a top notch IT team that take things like patching seriously. Unfortunately we do run windows on our desk tops but mostly that is not my problem as we have 5 other folks who are strong in windows and they do most of that work.

    At home all my systems are powered down today, and I have 2 emergency backup lap tops stashed in a 20MM ammo can that only get plugged in about every 6 months to charge batteries and update patches.

    Almost all my data is on USB disk docking stations and they only get powered up if I need to access those files.

    I do need to make a backup image of my desk top USB drive, maybe I can do that tonight on an off line system.

  8. Larry Ledwick says:

    They got into an American Nuclear Power plant’s systems it looks like. The way the article is written does not look to be the current raging IT attack, but an intrusion into the business side of the operation although they did not explicitly say when the hack occurred or what type of breach it was.

    http://abcnews.go.com/Politics/us-nuclear-plants-computer-system-hacked/story?id=48314345

  9. jim2 says:

    @E.M.Smith says: 27 June 2017 at 11:48 pm
    And good on ya for all that !! :)

  10. cdquarles says:

    I hate to say it, EM, but Florida is being transformed into a Socialist Worker’s Paradise, too. I don’t know about Texas, as I’ve never been there. Florida, though, is a neighboring state and I have been there, a lot. Sadly, no state is immune to this infection. Though, I’d say the rural parts of any state is going to remain sane a lot longer than the urban parts. Away from the cities, you can make it on your own, using your own initiative. You can even ask your neighbor to help. Most will happily do so and will live and let live is the motto of the day.

  11. John Silver says:

    How does the malware get into the puters in the first place? The only method mentioned is by a MS Office document. Some code has to be executed some way.

  12. John Silver says:

    Here is an easy countermeasure:
    http://www.zdnet.com/article/create-a-single-file-to-protect-yourself-from-latest-ransomware-attack/
    If there is only one key, why can’t those that have already paid, share it with other victims?
    And don’t tell me the systems are infected by phishing emails, how amateurish can professionals be?

  13. John Silver says:

    I think they nailed it, don’t get your knickers in a twist:

  14. John Silver says:

    Get ransomware protection for your PC with RansomFree

    Protects against 99% of ransomware, including new strains such as Petya/NotPetya.

    https://ransomfree.cybereason.com/

  15. E.M.Smith says:

    @John Silver:

    Microsoft was all in favor of making active documents and linking everything together. Partly a strategy to get you to buy more of their software suite (i.e. someone sends you a Word document with embedded Excel, you need Excel too…) and didn’t give a damn that embedding random live code into documents might be a Bad Idea.

    Much like embedding live Java Script into web pages opens a giant security risk.

    Once you let document exchange become code exchange, it is now just a contest of wits. Can the software provider give 100% “sandbox” protection against all possible modes of attack vs Can the attacker find just ONE obscure weakness…

    For this particular attack, it looks to spread by documents, which I’d expect to include email, AND it harvests credentials; which implies it may have an active mode of attack via the Admin Credentials inside a site. One fool lets it in, then it rampages over all via internal authority. It might come in via an email, or via a click on a phish at some website. It might also harvest that identity information to mail itself to your address book… ( I don’t know that it does that, but that’s a common vector )

    And folks wonder why I don’t click the “close box” on popups at random web sites, but just shut the whole window and never return…

  16. tom0mason says:

    @John Silver
    1. You ask —
    “How does the malware get into the puters in the first place? The only method mentioned is by a MS Office document. Some code has to be executed some way.”

    Please be aware that with MS there is no simple ‘MS Office document’; MS has made their Office program and the documents/spreadsheets that run on the Office Suite both operating system and network aware. The Office program on opening a document does not necessarily show you anything as it probes your system. That is to say opening an ‘MS Office document’ can open your computer system and network to threats every time you use it. And yes you can mitigate against such activity but as some folk pointed out (many years ago) allowing such behaviors (from OLE to Active X to all the network and internet connectivity these programs have now) was opening systems up to the degree that they would be easily compromised and spied on. I have a link to the internals of MS Document format somewhere (I’ll post it if I ever find it again); it shows how compromised MS makes your system. However most businesses and governments like the MS ideas and products, despite all the warnings. Well the chickens are coming home to roost.
    Be aware that there are other office programs that are as capable as MS offering but do not compromise the computer/network system so much, most of them work in standard open document formats and not the ever-changing MS proprietary formats.

    2. You say —
    “Protects against 99% of ransomware, including new strains such as Petya/NotPetya.”

    Actually it can only protect against 99% of currently known ransomware. Tomorrow is a different day with different problems.

    Cybercriminals, and malicious hackers are every minute of everyday working on new ways to ‘break the system’. Cyber-security is a constantly moving target and no system is utterly secure. Some hackers are state sponsored, many are not. IMO given Microsoft’s vast customer base and their huge profits and revenues, they could/should do a lot better.

  17. Larry Ledwick says:

    On the ransom ware attack, this is the original vector apparently.

    The virus is believed to have first taken hold on Tuesday in Ukraine where it silently infected computers after users downloaded a popular tax accounting package or visited a local news site, national police and international cyber experts said.

    Sounds like they are still trying to pin down the exact attack vector and identify “patient zero”

  18. E.M.Smith says:

    I could easily see an attack vector of sending a doc to a news outlet saying something in the cover letter like “Inside dirt / scoop on Trump” (or Putin or whoever) and then having a decent mockup document display. While the person reads it, the launch happens as it compromises their system, then leverages out into others using the admin path.

    From that point forward, it just needs to get into the Web Site and then it is off to the world… Easy peasy… I doubt their “web news service” story writers are very careful about what they open and / or click on…

  19. jim2 says:

    “London Met Police’s 18,000 Windows XP PCs is a disaster waiting to happen”

    https://mspoweruser.com/london-metropolitan-polices-18000-windows-xp-pcs-is-a-disaster-waiting-to-happen/

  20. Another Ian says:

    “THE hacker behind Wednesday’s global ransomware attack can’t get emails from those who met his demands because his account has been closed by the German provider. ”

    More at

    http://www.couriermail.com.au/technology/hacker-behind-massive-ransomware-attack-has-no-access-to-emails-from-victims-who-paid/news-story/3ef6113116882b588c51f9402229136c

  21. tom0mason says:

    Jim2,
    You may be interested to know that Britain’s new £3 billion aircraft carrier is running on Windows XP….
    http://uk.businessinsider.com/queen-elizabeth-aircraft-carrier-is-running-on-windows-xp-2017-6?r=US&IR=T

  22. philjourdan says:

    Last month, I had a lot of sympathy for the victims of Wanna Cry. This time I do not. As you indicated, the patch has been out for over 3 months now. MS even released a patch for the unsupported OSes still in use. So anyone caught by this one is either stupid or lazy.

  23. Larry Ledwick says:

    Since it is kind of related to computer security in general, Windows takes security data leakage to new levels with a default behavior which leaks private intranet info to the public internet by broadcasting DNS requests on all available paths. As a result VPN users leak info to the public internet when DNS requests for internal systems get broadcast outside the VPN.

    https://www.us-cert.gov/ncas/alerts/TA15-240A

  24. tom0mason says:

    Problems of tomorrow …

    The main problem is that the west has passed peak imagination and within so called ‘Western civilization’ stocks are now fast running out. As the globe opened-up digitally, the ‘first world’s’ human capacity to imagine is fast closing down.
    If only these humans had the digital ingenuity to remedy the situation but sadly they don’t. They try digital remedial action but at each iteration of their near endless design cycle of programming a more capable, a more consensus aware imagination, they fail. Sadly for them at each instance of trying has the effect of reducing the net imaginative stocks across the Western population.
    Soon despondency sets in for the least imaginative human dullards, then as the slide to profound shortage ensues, all are engulfed in irrecoverable learning deficit, and finally doom with an orgy of chaotic tweeting, unfriending on facebook, and unfocused random behavior with pages of violent scripts occurring on blogs.
    Sales literally rocket for the new PentagonFightSoft™ games of Grand Theft Remote and Grand Theft Remote International, where players are literally in charge of the drone of their choice.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Or is it I have digital depression?
    Probably time for some GhostBSD or for more adventures in ReactOS
