Latest EternalBlue Attack: NotPetya is a wiper disguised as Ransomware

[You_are_a_cunt]

Why exactly are people paying the ransom?

 

 

Also, if someone manages to catch it, send me a copy to reverse enginerd it

[Delicieuxz]

8 hours ago, leadeater said:

It's an email account used for illegal activity, yes shut it down. It'll be a lot easier to track who's it is from the existing historical logs than having to wade through tons of logs from people emailing it for unlock codes.

The illegal part is hijacking people's PCs, installing malware on them, and extorting people for money to unlock it. The email part comes after all of that, and is only providing the means for people to retrieve their PC. It doesn't target the person responsible for the malware at all to prevent only the part where people get their data back, and only makes the email provider responsible for ensuring that people lose their money without getting their data back. The only way it harms the ransomware source is if they feel guilty for not unlocking people's PCs after they've paid.

 

And if the email's left accessible, it's still the same level of easy to read its access logs from the beginning to see who used it then. Closing access only ensures that later access isn't there to possibly show variations or slip-ups.

 

 

26 minutes ago, revsilverspine said:

Why exactly are people paying the ransom?

Because they have something important on their PC, obviously.

 

The notion that most PC users even know the concept of backup up their drives is surprising, coming from supposed IT or tech workers - who know that notion is BS. I think would be akin to someone thinking that people who don't know what an interference engine is, or how to change the timing belt on their vehicle are unbelievably stupid. Some of these same people have espoused on these forums, multiple times, the idea that the average PC user is extremely tech illiterate. So, why would they then take the diametrically-opposed stance of saying 'no empathy for people who didn't do what 1% or less of people know about doing'? I think it's just snobbery, or shilling for Windows 10 by suggesting that if a person isn't on it, and using forced-updates, then they deserve to be attacked - which obviously isn't truthful.

[leadeater]

24 minutes ago, Delicieuxz said:

The illegal part is hijacking people's PCs, installing malware on them, and extorting people for money to unlock it. The email part comes after all of that, and is only providing the means for people to retrieve their PC. It doesn't target the person responsible for the malware at all to prevent only the part where people get their data back, and only makes the email provider responsible for ensuring that people lose their money without getting their data back. The only way it harms the ransomware source is if they feel guilty for not unlocking people's PCs after they've paid.

 

And if the email's left accessible, it's still the same level of easy to read its access logs from the beginning to see who used it then. Closing access only ensures that later access isn't there to possibly show variations or slip-ups.

Receiving money from illegal activity is illegal, closing down the email account is the correct and legal thing to do. Aiding and abetting crime is illegal, there isn't any other response that should be done other than to close down any and all means to pay and process this.

 

If it's profitable then it will continue, doesn't really matter how critical the data is that got encrypted paying isn't an option. Only having one copy of that data isn't an option, there isn't any argument to be had to support allowing the continuation of email accounts associated with this activity they all fail basic scrutiny.

 

If the hardware that stores that 'critical data' failed or was destroyed you would have no recovery option.

[SCHISCHKA]

6 minutes ago, leadeater said:

Receiving money from illegal activity is illegal, closing down the email account is the correct and legal thing to do.

If it is illegal to close the email account under the applicable laws, enforcement of this would require a complaint by the email account holder because it is not something you call emergency services for. This would reveal their identity.

[leadeater]

Just now, SCHISCHKA said:

If it is illegal to close the email account under the applicable laws, enforcement of this would require a complaint by the email account holder because it is not something you call emergency services for. This would reveal their identity.

Very few countries don't have laws making aiding and abetting crime illegal, even less email provides don't have in their terms of service the right to terminate your account immediately if you are committing a crime.

[SCHISCHKA]

2 minutes ago, leadeater said:

Very few countries don't have laws making aiding and abetting crime illegal, even less email provides don't have in their terms of service the right to terminate your account immediately if you are committing a crime.

Interesting. Every web host I have paid for has had a clause about hosting sites for crime and pornography, not necessarily mentioning the email service that is attached to the whole web hosting package

[leadeater]

7 minutes ago, SCHISCHKA said:

Interesting. Every web host I have paid for has had a clause about hosting sites for crime and pornography, not necessarily mentioning the email service that is attached to the whole web hosting package

It seems the email service in question holds some strong moral opinions just basing what it's saying on the front of their website. Also

 

Quote

5.2 Customers are also responsible for third parties who use the services within their account (whether authorised or unauthorised). This does not apply when the unauthorised access had nothing to do with the customer. The obligation is on the customers to prove they had nothing to do with the usage.

Quote

10. Applicable law

The complete legal relationship between Posteo and its customers is exclusively governed by the law of the Federal Republic of Germany. Appealing to the United Nations Convention on Contracts for the International Sale of Goods (UN CISG) is barred.

https://posteo.de/en/site/terms (this is posteo.net)

 

It simply comes down to if people want "Crime doesn't pay" to mean anything then you have to show it with real action and be stead fast with it.

[Delicieuxz]

36 minutes ago, leadeater said:

Receiving money from illegal activity is illegal, closing down the email account is the correct and legal thing to do. Aiding and abetting crime is illegal, there isn't any other response that should be done other than to close down any and all means to pay and process this.

I can see that a company might be concerned that the email account is assisting criminal activity, but the email account has no involvement in receiving money. Money is being sent to a BTC address, and will have been sent before a victim sends an email asking for an unlock. Once the ransomware source gets an email saying payment has been made, they look at their BTC account transaction history, and if they see the emailer's BTC address as having sent money, then they inform them of an unlock for their PC through email.

 

Closing the email doesn't stop the crime of extorting money, and doesn't stop money from being sent. In effect, it does nothing to impact the crime. It only impacts resolution of the crime.

 

Quote

If it's profitable then it will continue, doesn't really matter how critical the data is that got encrypted paying isn't an option.

The profitability of this attack won't likely be much affected by the closing of the email account, and there are plenty of other ways to communicate encrypted messages that could be used in other attacks. In short, I don't think this does anything to discourage these types of attacks.

 

Also, I think that's putting ideology before the purpose of the ideology. The thing that makes ransomware bad is that it attacks people's data. So, the ultimate goal is to prevent people's data from being lost. That goal isn't served by preventing the recovery of people's data. And for all you know, an invention that changes the world, or some discovery that saves peoples lives could be lost.

 

To say the email should not be available for data recovery is like saying anti-virus programs shouldn't be available because they're aiding and abetting crime by enabling a solution to malware.

[leadeater]

6 minutes ago, Delicieuxz said:

-snip-

You're stilling missing the point, the email address is aiding and abetting crime.

 

I 100% support peoples data been lost. It would have been if the hardware that held the data failed, got destroyed, got stolen, burnt down in a fire, damaged by a flood, got deleted by mistake, need I got on? It's gone.

 

Again I do not support anyone's ability to get their data back in a crypto attack.

 

Please don't come back to me with examples of critical data needs to be gotten back or conflated life threatening examples, particularly the last one because that almost doesn't exist. It'll just turn in to a debate over how that could come about back and forward, just see my above statement.

[Mihle]

Some of the affected compaines:
Danish company Maesk
Pharmaceutical company Merck (US)
UK advertizing firm WPP
A major shipping firm in the Netherlands
Russian oil company Rosneft
Multiple state owned companies and telecommunication companies in Ukraine
Chocolate factory in Australia

Also reported affected in these countries, but I dont know what companies:
Spain
Israel
Germany
France
India
Poland
Italy

[Princess Luna]

11 hours ago, Huuskari said:

It doesn't spread trough email. It uses different Internet protocols, mainly protocols that are used by companies like SAMBA.

these viruses still initially get installed by conventional means (like downloading virus exe files from emails) and only SPREAD within a network via the smb exploit.

[leadeater]

1 hour ago, Delicieuxz said:

To say the email should not be available for data recovery is like saying anti-virus programs shouldn't be available because they're aiding and abetting crime by enabling a solution to malware.

No that isn't the same, anti-virus is removing or preventing the virus/malware without transferring funds to the person committing the crime, that is solving the problem without committing a crime or supporting the criminal activity.

 

Anything that involves transferring money, assets or anything of value to the criminal party to get the data back I do not support. Any other means of data recovery I do support, like security firms cracking the encryption and releasing an unlock program.

[LAwLz]

Periodic reminder that we should all thank the NSA for making this possible. Without their obsession with creating backdoors and keeping very big vulnerabilities a secret, this would never have happened.

Please keep this in mind whenever someone says that we should make government backdoors mandatory in software.

[suicidalfranco]

9 minutes ago, LAwLz said:

Periodic reminder that we should all thank the NSA for making this possible. Without their obsession with creating backdoors and keeping very big vulnerabilities a secret, this would never have happened.

Please keep this in mind whenever someone says that we should make government backdoors mandatory in software.

B-b-but "we have nothing to hide"

[NumLock21]

2 hours ago, Mihle said:

Some of the affected compaines:
Danish company Maesk
Pharmaceutical company Merck (US)
UK advertizing firm WPP
A mayor shipping firm in the Netherlands
Russian oil company Rosneft
Multiple state owned companies and telecommunication companies in Ukraine
Chocolate factory in Australia

Also reported affected in these countries, but I dont know what companies:
Spain
Israel
Germany
France
India
Poland
Italy

Let's hope they already infected those fake ms and irs scammers.

[WMGroomAK]

Well this is interesting.  According to an update from Ars Technica, antivirus researchers are determining that this malware attack was not a ransomware attack but a wiper attack with the ransomware note as more of a red herring to try and throw people off.  Welcome to the digital nuclear arms race where pretty soon all countries will have digital WMDs and be threatening all the other countries with digital Mutually Assured Destruction of critical systems.

 

https://arstechnica.com/security/2017/06/petya-outbreak-was-a-chaos-sowing-wiper-not-profit-seeking-ransomware/

 

Quote

Tuesday's massive outbreak of malware that shut down computers around the world has been almost universally blamed on ransomware, which by definition seeks to make money by unlocking data held hostage only if victims pay a hefty fee. Now, some researchers are drawing an even bleaker assessment—that the malware was a wiper with the objective of permanently destroying data.

...

In other words, the researchers said, the payload delivered in Tuesday's outbreak wasn't ransomware at all. Instead, its true objective was to permanently wipe as many hard drives as possible on infected networks, in much the way the Shamoon disk wiper left a wake of destruction in Saudi Arabia. Some researchers have said Shamoon is likely the work of developers sponsored by an as-yet unidentified country. Researchers analyzing Tuesday's malware—alternatively dubbed PetyaWrap, NotPetya, and ExPetr—are speculating the ransom note left behind in Tuesday's attack was, in fact, a hoax intended to capitalize on media interest sparked by last month's massive WCry outbreak.

 

"The ransomware was a lure for the media," researcher Matt Suiche of Comae Technologies, wrote in a blog post published Wednesday. "This version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon." He went on to write: "We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents, to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon."

 

Suiche provided the above side-by-side code comparison contrasting Tuesday's payload with a Petya version from last year. Both pieces of code take aim at two small files—the master boot record and master file table—that are so crucial that a disk won't function if they are missing or corrupted. But while the earlier Petya encrypts the master boot record and saves the value for later decryption, Tuesday's payload, by contrast, was rewritten to overwrite the master boot record. This means that, even if victims obtain the decryption key, restoring their infected disks is impossible.

I'll try to update the original post and title with this information as soon as possible...

[dfsdfgfkjsefoiqzemnd]

A local hacker had also expressed his concerns regarding that.  He said that the virus/worm part was well designed but the ransomware demand part seemed like an afterthought to him.

The whole Petya (or NotPetya) thing could be a test for something far bigger. 

[Not_Sean]

What people don't seem to get is most of the times its out of IT dept. hands on recovery. When i did internal IT for Audi SA. we had 19 dealerships and around 1800 Computers. 

 

The few heads had data drives for backups on their laptops but no way would we get budget approved to do backup's on sales and service peoples computers, now here is where the problem comes in, Yes if they got hit its not really a big deal, our data bases are on secure servers and all we would have to do is just reload the system and point the software to the database all good right, well not when you need to do that on 1800 Computers spread out through 300km 

 

The other issue people are forgetting is large companies are always lazy AF with software and development. the amount of times i've gone out on calls because the Parts system isn't working because windows or java or .net updated is to damn high, we basically for a long time had to disable all updates as we didn't have the bandwidth or staff to handle all the little BS issues that came with it. Its the same for many companies, even look at that aircraft carrier running XP, they doing it as their software works perfectly on there so why re-invent the wheel for millions in costs. 

 

I'm not agreeing with any of the above but we are run by profit margins and IT is always hated as we are already just a cost center. 

[Delicieuxz]

2 hours ago, WMGroomAK said:

Well this is interesting.  According to an update from Ars Technica, antivirus researchers are determining that this malware attack was not a ransomware attack but a wiper attack with the ransomware note as more of a red herring to try and throw people off.  Welcome to the digital nuclear arms race where pretty soon all countries will have digital WMDs and be threatening all the other countries with digital Mutually Assured Destruction of critical systems.

 

https://arstechnica.com/security/2017/06/petya-outbreak-was-a-chaos-sowing-wiper-not-profit-seeking-ransomware/

 

I'll try to update the original post and title with this information as soon as possible...

 

2 hours ago, Captain Chaos said:

A local hacker had also expressed his concerns regarding that.  He said that the virus/worm part was well designed but the ransomware demand part seemed like an afterthought to him.

The whole Petya (or NotPetya) thing could be a test for something far bigger. 

 

So then, disabling the email people can use to unlock their data truly would be doing absolutely nothing to discourage the attacker, and would only be unnecessarily compounding victimization upon innocent people who were attacked and paid to get their data unlocked.

[dfsdfgfkjsefoiqzemnd]

Indeed, it doesn't matter. 

 

As for the people who paid to get their data unlocked, there's little to unlock if the first sectors of the disk are wiped.  They were never going to get their data back anyway. 

[Delicieuxz]

14 hours ago, LAwLz said:

Periodic reminder that we should all thank the NSA for making this possible. Without their obsession with creating backdoors and keeping very big vulnerabilities a secret, this would never have happened.

Please keep this in mind whenever someone says that we should make government backdoors mandatory in software.

The software companies who choose to put backdoors into their software are just as responsible as the NSA, as are companies that give the NSA information about exploits before fixing them, as Microsoft does.

[mach]

I hate to see someone blaming the victims for not having backups like they deserve being attacked.

Backups are expensive. If you only have few hundred gigs of data then it's easy to grab a cheap external drive, copy everything and call it a day. 

But for the people having many TBs of data, doing the simplest copy&paste backup would cost hundreds or even thousands of dollars in hard drives. Not to mention the effort and time needed to sync the data periodically to make the backup effective. 

If I have the money I'd love to have all the safety measures in the world but the reality is I don't.

[Prysin]

On 2017-6-27 at 7:15 PM, Mornincupofhate said:

The only thing this does is leads to more "I use a mac because it can't get viruses"

until more people gets macs..... and we all know who buys mac, right? yeah, thats right! Hipsters.

And who else is often hipsters? Anti vaxers!

 

So will they download this digital vaccine? probably not, it may after all cause digital autism!

[Prysin]

On 2017-6-28 at 11:48 AM, leadeater said:

If the hardware that stores that 'critical data' failed or was destroyed you would have no recovery option.

That's what the government wants you to believe!!

 

WARNING: The quoted username may contain lead, a chemical known to the State of California to cause cancer, birth defects and other reproductive harm. Please wash hands after typing up a response, and avoid infuriation from being proven wrong if the debate is heating up the quoted user. For more information, go to www.P65Warnings.ca.gov.

[You_are_a_cunt]

Well that's an interesting turn of events.

Realistically, the data can be recovered if all it does is mess up only specific sectors