
[Cyberattack] New Ransomware virus strikes globally

archivistkitsune Registered User regular
edited June 2017 in Debate and/or Discourse
So who all remembers the WannaCry ransomware that struck business computer systems last month? Guess what, a new one, using some of the same exploits, just went live today and it's pretty bad. Initially, it looked like it was being targeted solely at Ukraine, but this one has gotten pretty far.

http://www.reuters.com/article/us-cyber-attack-idUSKBN19I1TD

I figured I should get a thread going even though I'm far from being a cybersecurity guru, because this is major ongoing news in a week already full of major ongoing news.

Right now I may or may not have to go into work tomorrow because my employer's owner got hit and I already spent a sizable chunk of the day doing nothing (actually got sent home early with pay and didn't lose any PTO).

https://www.bloomberg.com/news/articles/2017-06-27/wpp-suffers-suspected-cyber-attack-as-ukraine-russia-also-hit

Rules
-Keep this related to the current ransomware virus, the WannaCry version, and anything that relates to the two.

Edit: Including this since giggles suggested it.

https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4
Although the worm is camouflaged to look like the infamous Petya ransomware, it has an extremely poor payment pipeline. There is a single hardcoded BTC wallet and the instructions require sending an email with a large amount of complex strings (something that a novice computer victim is unlikely to get right.)

Predictably, within hours the email address had been disabled by the service provider. If this well engineered and highly crafted worm was meant to generate revenue, this payment pipeline was possibly the worst of all options (short of “send a personal cheque to: Petya Payments, PO Box …”)

archivistkitsune on

Posts

  • Shadowfire Vermont, in the middle of nowhere Registered User regular
    If you want to follow some security folks researching this one, link:
    https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759

    This one looks bad, but it also might be starting to settle already. Merck was hit, just as one example of a big company.

  • mcp Registered User regular
    Looks like it was originally delivered via an update to accounting software M.E.Doc.

    Bleeping Computer has an article on it.

  • Rchanen Registered User regular
    Yeah it looks like Russia got hit hard by this. According to Kaspersky.

  • JoeUser Forum Santa Registered User regular
    There seems to be a kill switch, but you have to create a file in the Windows directory.

  • redx I(x)=2(x)+1 whole numbers Registered User regular
    edited June 2017
    So, basically, do I need to care at all about this (Petya) if my company has really quite thoroughly applied 17-010? Seems like its propagation after the initial finance software thing has been via EternalBlue and... the other vuln. Which have been patched.

    redx on
    They moistly come out at night, moistly.
  • redx I(x)=2(x)+1 whole numbers Registered User regular
    Fun:
    https://www.malwaretech.com/2017/06/petya-ransomware-attack-whats-known.html
    As well as the use of EternalBlue, Petya can also propagate over the network using WMIC (Windows Management Instrumentation Commandline) by trying credentials gathered from the local machine using Mimikatz (source); this allows it to infect network systems which are patched against EternalBlue or not running SMB.

    hrrumphf.... I get another arrow in the "our damned devs shouldn't be allowed admin accounts" and "basically no network login for admin accounts" quivers at least.

    They moistly come out at night, moistly.
  • Giggles_Funsworth Blight on Discourse Bay Area Sprawl Registered User regular
    edited June 2017
    It probably shouldn't be considered ransomware because the payment pipeline isn't really designed to facilitate making money.

    https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4
    Although the worm is camouflaged to look like the infamous Petya ransomware, it has an extremely poor payment pipeline. There is a single hardcoded BTC wallet and the instructions require sending an email with a large amount of complex strings (something that a novice computer victim is unlikely to get right.)

    Predictably, within hours the email address had been disabled by the service provider. If this well engineered and highly crafted worm was meant to generate revenue, this payment pipeline was possibly the worst of all options (short of “send a personal cheque to: Petya Payments, PO Box …”)

    It's ransomware but the value is in the disruption. This is a weapon not a scam.

    Fwiw this is the best write-up of it I've seen that isn't overly technical and probably belongs in the OP.

    Giggles_Funsworth on
  • redx I(x)=2(x)+1 whole numbers Registered User regular
    That seems like a pretty legitimate evaluation. The payment backends and victim support systems for modern ransomware are frequently highly sophisticated and robust.

    This lacks that, and the initial attack vector was one that would particularly impact Ukrainian industry. It didn't take too long for me to start thinking Russian actors with ties to the state.



    They moistly come out at night, moistly.
  • redx I(x)=2(x)+1 whole numbers Registered User regular
    https://www.binarydefense.com/petya-ransomware-without-fluff/

    has kind of an example of how to deploy the kill switch/vaccine (just a write-only file in C:\ that Petya needs to write to) via group policy. Also some vague, oft-repeated advice about updates and not letting people use admin accounts.

    They moistly come out at night, moistly.
  • Cauld Registered User regular
    I also don't currently have to go to work because of this. It's the modern version of the snow day (we do occasionally also get snow days)

  • jungleroomx It's never too many graves, it's always not enough shovels Registered User regular
    edited June 2017
    oops

    jungleroomx on
  • archivistkitsune Registered User regular
    Cauld wrote: »
    I also don't currently have to go to work because of this. It's the modern version of the snow day (we do occasionally also get snow days)

    This strangely sounds like my office's situation. The office is closed because of this and we do get the occasional snow day.

  • SniperGuy SniperGuyGaming Registered User regular
    I saw a picture and wondered about the payment thing looking so much more difficult. Anyone likely to want to try and pay it would be somewhat unlikely to know how to actually pay it. I believe there was some unrest in Ukraine yesterday as this was spreading too, so cyberweapon seems much more likely.

    Don't forget to do your updates everyone.

  • Fencingsax It is difficult to get a man to understand, when his salary depends upon his not understanding GNU Terry Pratchett Registered User regular
    SniperGuy wrote: »
    I saw a picture and wondered about the payment thing looking so much more difficult. Anyone likely to want to try and pay it would be somewhat unlikely to know how to actually pay it. I believe there was some unrest in Ukraine yesterday as this was spreading too, so cyberweapon seems much more likely.

    Don't forget to do your updates everyone.

    An intelligence officer was assassinated

  • [Expletive deleted] The mediocre doctor Norway Registered User regular
    Mill wrote: »
    Cauld wrote: »
    I also don't currently have to go to work because of this. It's the modern version of the snow day (we do occasionally also get snow days)

    This strangely sounds like my office's situation. The office is closed because of this and we do get the occasional snow day.

    I can only assume this is some kind of Tyler Durden situation. The only question is, which one of you is the figment of the other's imagination?

    Sic transit gloria mundi.
  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    edited June 2017
    Users that have Internet access and have local administrative rights is a complete pandemic in a number of organizations. This needs to change.

    ^^^^ shout it from the rooftops.

    This worm is the first time we've seen Mimikatz used for automated lateral movement across an organization.

    Mimikatz, and the pass-the-hash technique it uses, have been around for almost 10 years. Penetration testers, black hats, and spearphishing campaigns have used it extensively.

    Most organizations aren't worried about skilled dedicated attackers. They want to stop script kiddies and automated malware, which until three days ago didn't include Mimikatz/PTH. So most institutions haven't taken the basic steps to mitigate Mimikatz/PTH, which are, more or less in order of priority:

    1) Don't let anybody browse the Internet, check email, or do any other basic daily tasks with local admin accounts. This includes IT.
    2) If somebody positively, absolutely, needs local admin access, it should be with a separate username and password. Local admin should be used to launch specific programs only, never as a general login.
    3) Disable the built-in "Administrator" account (SID 500). Create a separate local admin account for workstation administration.
    4) Make sure all PCs have unique passwords for that local admin account. Microsoft's LAPS (Local Administrator Password Solution) is free and easy to implement in an Active Directory environment.

    Or to put it in Twitter terms,

    STOP USING LOCAL ADMIN ACCOUNTS FOR ROUTINE TASKS

    Feral on
    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
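An added audit script (not from the thread or any of the linked write-ups) that checks a Windows workstation against the four points in the checklist above: built-in Administrator (RID 500) disabled, no everyday accounts in the local Administrators group, and LAPS present and enabled. It assumes PowerShell 5.1+ with the LocalAccounts module, and the legacy LAPS (AdmPwd) policy key and CSE path named in the comments; the approved-account list is a constructed placeholder.

```powershell
# Added example: local admin hygiene audit for one workstation. Run elevated.
# Assumed: legacy LAPS is detected via its policy key and CSE DLL (the thread is
# from 2017; the newer Windows LAPS uses different locations and is not covered).
function Test-LocalAdminHygiene {
    [CmdletBinding()]
    param(
        # Constructed placeholder: the only accounts allowed to hold local admin
        # rights (checklist item 2: separate, admin-only accounts).
        [string[]]$ApprovedAdmins = @('WKS-LocalAdmin')
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Item 3: the built-in Administrator account (RID 500) should be disabled.
    $builtIn = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($builtIn -and $builtIn.Enabled) {
        $findings.Add("Built-in Administrator '$($builtIn.Name)' (RID 500) is still enabled")
    }

    # Items 1 and 2: nobody should do daily work as a local admin, so every member
    # of Administrators that is not an approved admin-only account is a finding.
    # Domain users and groups show up here too (PrincipalSource = ActiveDirectory).
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        if ($m.SID.Value -like 'S-1-5-21-*-500') { continue }   # reported above
        $short = ($m.Name -split '\\')[-1]
        if ($short -notin $ApprovedAdmins) {
            $findings.Add("Unexpected local admin: $($m.Name) [$($m.ObjectClass), $($m.PrincipalSource)]")
        }
    }

    # Item 4: unique local admin passwords via LAPS. Assumed legacy LAPS locations:
    # policy value AdmPwdEnabled under HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd
    # and the client-side extension DLL under %ProgramFiles%\LAPS\CSE.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' `
                               -ErrorAction SilentlyContinue
    $cse    = Test-Path (Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll')
    if (-not $cse -or -not $policy -or $policy.AdmPwdEnabled -ne 1) {
        $findings.Add('LAPS (legacy AdmPwd) not installed or not enabled; local admin password is probably shared across PCs')
    }

    # Return findings as objects so the caller can collect them across many hosts.
    foreach ($f in $findings) {
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Finding = $f }
    }
}

# Usage: print findings for this host (nothing printed means all four checks passed).
Test-LocalAdminHygiene | Format-Table -AutoSize
```

Run it through Invoke-Command against a list of hosts to get a fleet-wide view; an empty result is the goal state the checklist describes.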
  • Sleep Registered User regular
    Feral wrote: »
    Users that have Internet access and have local administrative rights is a complete pandemic in a number of organizations. This needs to change.

    ^^^^ shout it from the rooftops.

    This worm is the first time we've seen Mimikatz used for automated lateral movement across an organization.

    Mimikatz, and the pass-the-hash technique it uses, have been around for almost 10 years. Penetration testers, black hats, and spearphishing campaigns have used it extensively.

    Most organizations aren't worried about skilled dedicated attackers. They want to stop script kiddies and automated malware, which until three days ago didn't include Mimikatz/PTH. So most institutions haven't taken the basic steps to mitigate Mimikatz/PTH, which are, more or less in order of priority:

    1) Don't let anybody browse the Internet, check email, or do any other basic daily tasks with local admin accounts. This includes IT.
    2) If somebody positively, absolutely, needs local admin access, it should be with a separate username and password. Local admin should be used to launch specific programs only, never as a general login.
    3) Disable the built-in "Administrator" account (SID 500). Create a separate local admin account for workstation administration.
    4) Make sure all PCs have unique passwords for that local admin account. Microsoft's LAPS (Local Administrator Password Solution) is free and easy to implement in an Active Directory environment.

    Or to put it in Twitter terms,

    STOP USING LOCAL ADMIN ACCOUNTS FOR ROUTINE TASKS

    Yeah, but doing things the right way is hard

  • Shadowfire Vermont, in the middle of nowhere Registered User regular
    Sleep wrote: »
    Feral wrote: »
    Users that have Internet access and have local administrative rights is a complete pandemic in a number of organizations. This needs to change.

    ^^^^ shout it from the rooftops.

    This worm is the first time we've seen Mimikatz used for automated lateral movement across an organization.

    Mimikatz, and the pass-the-hash technique it uses, have been around for almost 10 years. Penetration testers, black hats, and spearphishing campaigns have used it extensively.

    Most organizations aren't worried about skilled dedicated attackers. They want to stop script kiddies and automated malware, which until three days ago didn't include Mimikatz/PTH. So most institutions haven't taken the basic steps to mitigate Mimikatz/PTH, which are, more or less in order of priority:

    1) Don't let anybody browse the Internet, check email, or do any other basic daily tasks with local admin accounts. This includes IT.
    2) If somebody positively, absolutely, needs local admin access, it should be with a separate username and password. Local admin should be used to launch specific programs only, never as a general login.
    3) Disable the built-in "Administrator" account (SID 500). Create a separate local admin account for workstation administration.
    4) Make sure all PCs have unique passwords for that local admin account. Microsoft's LAPS (Local Administrator Password Solution) is free and easy to implement in an Active Directory environment.

    Or to put it in Twitter terms,

    STOP USING LOCAL ADMIN ACCOUNTS FOR ROUTINE TASKS

    Yeah, but doing things the right way is hard

    I'm the CTO, you think I don't know what I'm doing? I need this to do my job, so get it done or else!

  • Echo ski-bap ba-dap Moderator, Administrator admin
    So the newest info on this is that it's not ransomware, it just disguises as one - not that you'd be able to pay anyway since the contact email it uses got disabled hella fast.

    It's not ransomware, it simply wipes your boot record by overwriting it with random data. It cannot be recovered. So yeah, more signs pointing to a targeted attack against Ukraine by an unknown (heh, funny) state actor. Disguising as ransomware was a nice smokescreen to keep the media looking in the wrong direction.

  • daveNYC Why universe hate Waspinator? Registered User regular
    Echo wrote: »
    So the newest info on this is that it's not ransomware, it just disguises as one - not that you'd be able to pay anyway since the contact email it uses got disabled hella fast.

    It's not ransomware, it simply wipes your boot record by overwriting it with random data. It cannot be recovered. So yeah, more signs pointing to a targeted attack against Ukraine by an unknown (heh, funny) state actor. Disguising as ransomware was a nice smokescreen to keep the media looking in the wrong direction.


    So it basically shoots the hostage, the mechanism for paying any ransom was crazy complicated, the delivery method specifically targeted Ukraine-specific software, and infections were limited to spreading over LANs and not out into the wider internet.

    The question is whether the half-assed disguise was incompetence or just not giving a damn.

    Shut up, Mr. Burton! You were not brought upon this world to get it!
  • CelestialBadger Registered User regular
    When Russia does espionage stuff, they always make it obvious who it was, but technically deniable. This is an intimidation tactic. If they covered their trails well, we might never figure out who did it (could be a crime syndicate, China, India, who knows?) which doesn't serve their purposes.

  • GoodKingJayIII They wanna get my gold on the ceiling Registered User regular
    DLA Piper, one of if not THE largest of the law firms in the world got hit with the attack.

    http://m.americanlawyer.com/#/article/1202791614770/Ransomware-Attack-on-DLA-Piper-Puts-Law-Firms-Clients-on-Red-Alert?_almReferrer=https://www.google.com/

    This image is particularly insane.

    [image: "Attention DLA Employees" notice]

    Law firms are some of the most vulnerable businesses to these types of attacks. In my experience, they're largely unprepared for them.

    Battletag: Threeve#1501; PSN: Threeve703; Steam: 3eeve
  • redx I(x)=2(x)+1 whole numbers Registered User regular
    ehh... pretty sure it overwrites the boot record with a malicious one, which boots a custom kernel, which overwrites the file allocation tables. If it just wrote garbage to the boot record, that would be fairly trivial to recover.

    So, it encrypts or writes garbage over the FAT? Isn't that recoverable, with a bunch of work? Like, it's the same thing you do when you do a forensic recovery of deleted files. Total pain in the ass, never going to be 100%, but the cluster contains a pointer to the next cluster that contains parts of the file? Can't you chase those around and get a significant portion of the data back?

    They moistly come out at night, moistly.
  • Echo ski-bap ba-dap Moderator, Administrator admin
    Yeah, you could identify files using the raw bits'n'bytes in some cases. Far from everything though.

    On that note, how would it work with full-disk encryption?

  • Giggles_Funsworth Blight on Discourse Bay Area Sprawl Registered User regular
    redx wrote: »
    ehh... pretty sure it overwrites the boot record with a malicious one, which boots a custom kernel, which overwrites the file allocation tables. If it just wrote garbage to the boot record, that would be fairly trivial to recover.

    So, it encrypts or writes garbage over the FAT? Isn't that recoverable, with a bunch of work? Like, it's the same thing you do when you do a forensic recovery of deleted files. Total pain in the ass, never going to be 100%, but the cluster contains a pointer to the next cluster that contains parts of the file? Can't you chase those around and get a significant portion of the data back?

    If you kill the endpoint it won't encrypt the files (it does this on boot) and rebuilding an MBR is a pain in the ass but not particularly hard (I've done this more than a few times). If you boot anything encrypted is gone.

  • Void Slayer Very Suspicious Registered User regular
    Echo wrote: »
    Yeah, you could identify files using the raw bits'n'bytes in some cases. Far from everything though.

    On that note, how would it work with full-disk encryption?

    My understanding is encryption would protect your files from being opened/read by a virus but they could just write over the data or make it hard to access by destroying the boot record, if that is what they were doing. Still recoverable possibly.

    My experience with viruses comes from basic home network work though, where I basically just prefer to remove the hard drive and replace it entirely if it has been compromised so I do not really know technical details. I have tried to recover data from a drive with a damaged boot sector though and managed to get a massive dump of files I had the original user go through.

    Part of the reason for asking everyone not to turn on their devices may be to protect existing data from being destroyed before it can be backed up.

    He's a shy overambitious dog-catcher on the wrong side of the law. She's an orphaned psychic mercenary with the power to bend men's minds. They fight crime!
  • redx I(x)=2(x)+1 whole numbers Registered User regular
    I think it would depend.

    Like... assuming they are running bitlocker, which is volume based, it could still probably trash the FAT because it is going to be found at a predictable location within a partition. It doesn't need to read it to write garbage to it.

    If you are using actual full disk encryption, like... where you can have hidden partitions and you can't even see how many partitions exist without decrypting, who fucking knows? If you can get around the MBR being fuckered and decrypt the data on the disks, there are going to be partitions it wouldn't have been able to find to screw with.

    They moistly come out at night, moistly.
  • redx I(x)=2(x)+1 whole numbers Registered User regular
    Echo wrote: »
    Yeah, you could identify files using the raw bits'n'bytes in some cases. Far from everything though.

    On that note, how would it work with full-disk encryption?

    My understanding is encryption would protect your files from being opened/read by a virus but they could just write over the data or make it hard to access by destroying the boot record, if that is what they were doing. Still recoverable possibly.

    My experience with viruses comes from basic home network work though, where I basically just prefer to remove the hard drive and replace it entirely if it has been compromised so I do not really know technical details. I have tried to recover data from a drive with a damaged boot sector though and managed to get a massive dump of files I had the original user go through.

    Part of the reason for asking everyone not to turn on their devices may be to protect existing data from being destroyed before it can be backed up.

    Right, so when the machines get infected,
    they create a scheduled task that reboots the machine in 1 hour
    rewrites the MBR so it will load a malicious kernel that will encrypt stuff and try to solicit money
    it spends an hour attempting to spread horizontally
    reboots
    loads the malicious kernel
    then it encrypts stuff

    if it never gets to the point where it reboots, all the data is still fine. You just mount it in a situation where it is not used to boot a computer, and all the files are still there.

    They moistly come out at night, moistly.
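An added detection script (not from the thread or the linked write-ups) for the window redx describes above: the infected host is still intact until the scheduled reboot fires. It assumes a Windows host with PowerShell 5.1+ and the ScheduledTasks module, and it lists any scheduled task whose action runs shutdown.exe with a /r (restart) switch so a responder can disable it before it runs.

```powershell
# Added example: find scheduled tasks that will restart the host via shutdown.exe /r.
# Assumed: PowerShell 5.1+ on Windows 8 / Server 2012 or later (Get-ScheduledTask).
# Legitimate admin tasks can reboot this way too, so review hits before disabling.
function Find-ScheduledRebootTask {
    [CmdletBinding()]
    param(
        # Disable matching tasks instead of only reporting them.
        [switch]$Disable
    )
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe     = [string]$action.Execute
            $argStr  = [string]$action.Arguments   # not $args: that is automatic
            # Match shutdown / shutdown.exe by any path, with a standalone /r switch.
            $isShutdown = $exe -match '(?i)(^|\\)shutdown(\.exe)?\s*$'
            $isRestart  = $argStr -match '(?i)(^|\s)[/-]r(\s|$)'
            if (-not ($isShutdown -and $isRestart)) { continue }

            $info = $task | Get-ScheduledTaskInfo
            $hit = [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                Author   = $task.Author
                State    = $task.State
                NextRun  = $info.NextRunTime
                Command  = ($exe + ' ' + $argStr).Trim()
                Disabled = $false
            }
            if ($Disable -and $task.State -ne 'Disabled') {
                # Disabling keeps the task definition on disk for later forensics.
                $task | Disable-ScheduledTask | Out-Null
                $hit.Disabled = $true
            }
            $hit
        }
    }
}

# Usage: report only. Add -Disable to stop the reboot from firing.
Find-ScheduledRebootTask | Format-Table -AutoSize
```

Disabling the task is what stops a reboot that has not yet been started; the built-in shutdown /a only aborts a shutdown that is already counting down. Once the reboot is prevented, the disk can be imaged or mounted read-only from another system as redx describes.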
  • Mayabird Pecking at the keyboard Registered User regular
    Russian hackers have been directly attacking American nuclear power plants and possibly other energy companies too. The American grid is already too fragile as it is, breaking down for any minor disruption, without direct attacks to try to take it down.

  • Mayabird Pecking at the keyboard Registered User regular
    edited July 2017
    Is this thread only for the really big cyberattacks or can any sort of cyber-security stuff go in here?

    Because Trump Hotels has been hacked, again, a third major incident in three years, this one taking place over months and targeting credit cards and info on high-value targets that come to curry favor at Trump's court. It's likely that as with prior hacking incidents, Trump Hotels has been covering it up. Whether it's standard incompetence as usual, or now with an added flavor of selling out America to Putin remains to be seen.

    Mayabird on
  • Desktop Hippie Registered User regular
    Haven't all foreign diplomats and dignitaries been sent to stay at Trump's Hotel in DC while they're in the US?
