Another WannaCry-based attack, "Petya": patch the Windows systems that were missed during last month's WannaCry attack.
Microsoft Windows Patches
New cyberattack freezes computers across the globe
http://abcnews.go.com/Politics/us-nuclear-plants-computer-system-hacked/story?id=48314345
Global cyberattack exploited U.S. government-made security backdoor
Nasty Petya ransomware spreading fast (CNET News)
New Cyberattack Spreads From Russia to the United States
https://www.nytimes.com/2017/06/27/technology/ransomware-hackers.html
Global Cyberattack: What We Know and Don’t Know
https://www.nytimes.com/2017/06/27/technology/global-ransomware-hack-what-we-know-and-dont-know.html
Cyberattack spreads across the globe
Heritage Valley Health System Hit In Worldwide Cyber Attack
Cyberattack disruptions reported in Ukraine, Europe and the U.S.
Massive cyberattack hits Ukraine, Europe
-
Microsoft Windows Patches
Their page has been updated to suggest three files should be created to stop Petya variants: perfc, perfc.dat and perfc.dll
How to Enable the NotPetya/Petna/Petya Vaccine
"To vaccinate your computer so that you are unable to get infected with the current strain of NotPetya/Petya/Petna (yeah, this naming is annoying), simply create a file called perfc in the C:\Windows folder and make it read only.
For those who wish to vaccinate their computer manually, you can do so using the following steps... (see article below)"
Vaccine, not Killswitch, Found for Petya (NotPetya) Ransomware Outbreak
https://www.bleepingcomputer.com/ne...found-for-petya-notpetya-ransomware-outbreak/
"Cybereason security researcher Amit Serper has found a way to prevent the Petya (NotPetya/SortaPetya/Petna) ransomware from infecting computers."
"100% certainty! Create a file called perfc with no extension in %windir%. And now I celebrate with friends!"
https://twitter.com/0xAmit/status/879789734469488642
https://twitter.com/0xAmit/status/879763711199760384
-
Starting the 2nd day of this Petya outbreak...
Microsoft Windows Patches
Collection of Petya information curated on github:
https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759
Global Cyber Attack Cripples LA Port Terminal
Massive cyberattack spreads ransomware virus globally
Last edited: Jun 30, 2017 -
Code:
rem Create empty placeholder files in the Windows directory (run from an elevated prompt)
type nul > %windir%\perfc
type nul > %windir%\perfc.dat
type nul > %windir%\perfc.dll
rem Mark them read-only so they are not easily overwritten or deleted
attrib +R %windir%\perfc
attrib +R %windir%\perfc.dat
attrib +R %windir%\perfc.dll
-
Although the killswitches are nice, it's best to patch your OS
Microsoft Windows Patches
Turning off external access to SMB ports is good too, but the attack vector has been through internal machines compromised by social engineering (clicking on attachments), so an SMB perimeter router lockdown won't help.
-
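A PowerShell version of the vaccine plus a quick posture check, as an added example that is not code from this thread or from BleepingComputer: it creates the three placeholders read-only in %windir%, verifies them, and reports whether SMBv1 is still enabled on the host. Function names are my own, and Get-SmbServerConfiguration is assumed to be available (Windows 8 / Server 2012 or later); run it from an elevated prompt.

```powershell
# Added example, not from the thread: vaccine placeholders + SMBv1 status check.
# The vaccine relies on the files existing, not on their content, so empty files suffice.

$VaccineNames = @('perfc', 'perfc.dat', 'perfc.dll')

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-PetyaVaccine {
    param([string[]]$Names = $VaccineNames)
    if (-not (Test-IsElevated)) { throw 'Writing to %windir% needs an elevated PowerShell prompt.' }
    foreach ($name in $Names) {
        $path = Join-Path $env:windir $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            # Create an empty placeholder; -Force so an existing directory entry does not abort
            New-Item -ItemType File -Path $path -Force | Out-Null
        }
        # Read-only keeps the placeholder from being casually overwritten or deleted
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    }
}

function Get-PetyaVaccineStatus {
    param([string[]]$Names = $VaccineNames)
    foreach ($name in $Names) {
        $path = Join-Path $env:windir $name
        $present = Test-Path -LiteralPath $path -PathType Leaf
        [pscustomobject]@{
            File     = $path
            Present  = $present
            ReadOnly = $present -and (Get-Item -LiteralPath $path).IsReadOnly
        }
    }
}

function Get-Smb1Status {
    # The vaccine is no substitute for the Windows patches and SMB hardening recommended
    # in the thread, so also report whether the SMBv1 server protocol is still enabled.
    try { (Get-SmbServerConfiguration).EnableSMB1Protocol }
    catch { 'unknown (Get-SmbServerConfiguration not available on this build)' }
}

Set-PetyaVaccine
Get-PetyaVaccineStatus | Format-Table -AutoSize
"SMBv1 server enabled: $(Get-Smb1Status)"
```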
"out to irrecoverably wipe information, not hold to it to ransom."
http://www.zdnet.com/article/ransomware-in-disguise-experts-say-petya-out-to-destroy-not-ransom/
-
Another media source gives information on how to vaccinate your computer against Petya:
Create a single file to protect yourself from the latest ransomware attack
You can vaccinate your system in seconds from the Petya/NotPetya ransomware -- at least, for now.
http://www.zdnet.com/article/create-a-single-file-to-protect-yourself-from-latest-ransomware-attack/
Again, there are three file names suggested to be created as read-only placeholders to stop the attack: perfc, perfc.dat and perfc.dll
-
Info on the PetrWrap/Petya ransomware: Email account in question already blocked since midday
Created at 27.June 2017, 18:15 | Category: BLOG
https://posteo.de/en/blog/info-on-t...ount-in-question-already-blocked-since-midday
"Midway through today (CEST) we became aware that ransomware blackmailers are currently using a Posteo address as a means of contact. Our anti-abuse team checked this immediately – and blocked the account straight away. There was no press coverage at that time. We do not tolerate the misuse of our platform: The immediate blocking of misused email accounts is the necessary approach by providers in such cases.
During the afternoon it emerged that the “PetrWrap/Petya” malware is currently spreading quickly in many places, including Ukraine.
Here are the facts that we can contribute to “PetrWrap/Petya”:
– Since midday it is no longer possible for the blackmailers to access the email account or send emails.
– Sending emails to the account is no longer possible either.
We are in contact with the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik).
What is ransomware?
“Ransomware” denotes malicious software, which becomes installed on a device, for example, by clicking a bad link or attachment. This primarily occurs when the device is poorly protected – when software installed there has not been updated for an extended time, for example. The malicious software prevents access to data and systems – and the user affected is requested to pay a ransom for the release of their data. Payment often does not lead to the data being released, however.
Best regards,
The Posteo Team"
-
Microsoft Windows Patches
Inside Story - How to stop cyber attacks? – Inside Story
(multiple reports)
-
Tuesday’s massive ransomware outbreak was, in fact, something much worse
Payload delivered in mass attack destroys data, with no hope of recovery.
https://arstechnica.com/security/20...s-sowing-wiper-not-profit-seeking-ransomware/
"Tuesday's massive outbreak of malware that shut down computers around the world has been almost universally blamed on ransomware, which by definition seeks to make money by unlocking data held hostage only if victims pay a hefty fee. Now, some researchers are drawing an even bleaker assessment—that the malware was a wiper with the objective of permanently destroying data."
Microsoft Windows Patches
-
Testing MBRFilter against Satana, Petya, and the Petya+Mischa Combo Ransomwares
MBRFilter - Protect Your PC From MBR Ransomware like Petya
Keep your Windows installation updated with Microsoft patches through Windows Update or direct installation.
Microsoft Windows Patches
-
Ukraine Blames Russian Security Services for Recent Cyber Attack
http://fortune.com/2017/07/01/ukraine-blames-russian-security-services-for-recent-cyber-attack/
"(KIEV) - Ukraine said on Saturday that Russian security services were involved in a recent cyber attack on the country, with the aim of destroying important data and spreading panic.
The SBU, Ukraine's state security service, said the attack, which started in Ukraine and spread around the world on Tuesday, was by the same hackers who attacked the Ukrainian power grid in December 2016. Ukrainian politicians were quick to blame Russia for Tuesday's attack, but a Kremlin spokesman dismissed "unfounded blanket accusations".
Cyber security firms are trying to piece together who was behind the computer worm, dubbed NotPetya by some experts, which conked out computers, hit banks, disrupted shipping and shut down a chocolate factory in Australia.
The attack also hit major Russian firms, leading some cyber security researchers to suggest that Moscow was not behind it."
Police Suggest Petya Ransomware Attack Was a Distraction
http://fortune.com/2017/06/29/police-suggest-petya-ransomware-attack-was-a-distraction/
"The primary target of a crippling computer virus that spread from Ukraine across the world this week is highly likely to have been that country's computer infrastructure, a top Ukrainian police official told Reuters on Thursday.
Cyber security firms are trying to piece together who was behind the computer worm, dubbed NotPetya by some experts, which has paralyzed thousands of machines worldwide, shutting down ports, factories and offices as it spread through internal organizational networks to an estimated 60 countries.
Ukrainian politicians were quick on Tuesday to blame Russia, but a Kremlin spokesman dismissed "unfounded blanket accusations." Kiev has accused Moscow of two previous cyber strikes on the Ukrainian power grid and other attacks since Russia annexed Crimea in 2014."
-
StormJumper
-
From what I've learned, the virus was planted in accounting software that was widely used in Ukraine. Those primarily affected outside Ukraine were companies that used the same software to trade with Ukrainian companies.
-
Although it was sourced through a specific business software package update, it quickly spread and affected thousands of servers all around the world.
Who knows if it was a chance hack of the servers at that business company, or a directed attack to gain ingress into Ukraine; it's all speculation.
The important thing is to do your Windows Updates for security patches as soon as they are available, to reduce your vulnerability window to as short a time as possible.
-
StormJumper
-
Author of Original Petya Ransomware Publishes Master Decryption Key
https://www.bleepingcomputer.com/ne...a-ransomware-publishes-master-decryption-key/
"The author of the original Petya ransomware — a person / group going by the name of Janus Cybercrime Solutions — has released the master decryption key of all past Petya versions.
This key can decrypt all ransomware families part of the Petya family except NotPetya, which isn't the work of Janus. This list includes:
- First Petya ransomware version (flashed white skull on red background during boot-up screens)
- Second Petya version that also included Mischa ransomware (flashed green skull on black background during boot-up screens)
- Third Petya version, also known as GoldenEye ransomware (flashed yellow skull on black background during boot-up screens)
Authenticity of Petya decryption key confirmed
Janus released the master key on Wednesday in a tweet that linked to an encrypted and password-protected file uploaded on Mega.nz.
JANUS @JanusSecretary
"They're right in front of you and can open very large doors" https://mega.nz/#!lmow0Z7D!InyOTGaodVLX2M9pMGQvHJaGpvon11FyGep10ki4LHc … @hasherezade @MalwareTechBlog
Malwarebytes security researcher Hasherezade cracked the file yesterday and shared its content:
Congratulations!
Here is our secp192k1 privkey:
38dd46801ce61883433048d6d8c6ab8be18654a2695b4723
We used ECIES (with AES-256-ECB) Scheme to encrypt the decryption password into the "Personal Code" which is BASE58 encoded.
Kaspersky Lab security researcher Anton Ivanov tested and confirmed the master key's validity.
Anton Ivanov @antonivanovm
The published #Petya master key works for all versions including #GoldenEye
This key is the private (server-side) key used during the encryption of past Petya versions. Decrypters can be built that incorporate this key. In the past, security researchers have cracked Petya encryption on at least two occasions [1, 2], but with the private key in the open, decrypters will recover files much faster than the previously known methods.
Unfortunately, this decryption key won't be as useful as many people think.
Most (original) Petya campaigns happened in 2016, and very few campaigns have been active this year. Users that had their files locked have wiped drives or paid the ransom many months before. The key will only help those victims who cloned their drives and saved a copy of the encrypted data.
Decryption key is useless for NotPetya victims
This key won't help NotPetya victims because the NotPetya ransomware was created by " pirating" the original Petya ransomware and modifying its behavior by a process called patching. NotPetya used a different encryption routine and was proven to have no connection to the original Petya.
In 2016, Janus had been very active on Twitter while promoting a Ransomware-as-a-Service (RaaS) portal where other crooks could rent access to the Petya+Mischa ransomware combo. Janus became active in 2017 after a long period of silence just to deny any involvement with the NotPetya outbreak.
Hasherezade believes that Janus released Petya's decryption key as a result of the recent NotPetya outbreak, and he might have decided to shut down his operation.
Janus is not the first ransomware author/group who released his master decryption key. The TeslaCrypt group did the same in the spring of 2016. Last year, Janus also hacked the servers of a rival ransomware author — Chimera ransomware — and dumped his decryption keys."
Level1 News July 11 2017: Timeshare Sex Robots Is A Really Good Band Name
4:21 - Author of Original Petya Ransomware Publishes Master Decryption Key
Articles and references used in show:
https://www.one-tab.com/page/L5dGPtxyQKO-rBXh9nhSVw
0:48 - AT&T: Forced arbitration isn't "forced" because no one has to buy service
4:21 - Author of Original Petya Ransomware Publishes Master Decryption Key
5:51 - Wikileaks Unveils CIA Implants that Steal SSH Credentials from Windows & Linux PCs
7:16 - New attack can now decrypt satellite phone calls in "real time"
8:25 - iTWire - Systemd flaw leaves many Linux distros open to attack
9:33 - Facebook investigated by Germany's Federal Cartel Office over claims it extorts personal data from users
13:07 - Amid Unprecedented Controversy, W3C Greenlights DRM for the Web
17:27 - State Dept. Enlists Hollywood And Its Friends To Start A Fake Twitter Fight Over Intellectual Property
19:45 - Verizon Wireless disconnects some heavy data users in rural areas
21:32 - Cox expands home Internet data caps, while CenturyLink abandons them
24:44 - NHMC Motion for Extension of Time 17-108 FINAL 07.07.2017 1130AM
26:32 - OneDrive has stopped working on non-NTFS drives
27:54 - Raspberry Pi's smaller, cheaper rival: NanoPi Neo Plus2 weighs in at $25
28:54 - Samsung is reportedly developing a voice-controlled speaker to compete with Amazon Echo
30:35 - Apple Tests 3-D Face Scanning to Unlock Next iPhone
34:03 - Waymo Drops Most Patent Claims in Car Tech Fight With Uber
37:15 - Microsoft is laying off "thousands" of staff in a major global sales reorganization
38:20 - Robots are coming to a farm near you
40:34 - Press Association wins Google grant to run news service written by computers
42:53 - Stream-ripping is 'fastest growing' music piracy
46:26 - Elon Musk promises world's biggest lithium ion battery to Australia
48:40 - NPA panel pitches limiting elderly drivers to cars with automatic braking tech
50:54 - TV networks said to hide bad ratings with typos
53:35 - Quantum Breakthrough: Researchers Successfully Simulated a 45-Qubit Quantum Circuit
55:03 - Tesla shares plunge 12 percent this week on disappointing deliveries
57:32 - Wildcard Certificates Coming January 2018
58:27 - In attempt to achieve YouTube stardom, woman accidentally kills her boyfriend
1:00:13 - The Best Keyboard Ever Is Back
1:03:45 - The robot sex doll revolution may have some big downsides, experts warn
-
New Cyberattack Spreads From Russia to the United States
Discussion in 'Windows OS and Software' started by hmscott, Jun 27, 2017.