Latest EternalBlue Attack: NotPetya is a wiper disguised as Ransomware

[Delicieuxz]

Wouldn't it have been smarter to not block the email, but to log all the IPs that access it? Blocking the email doesn't sound to me like it's going to help anyone, as it doesn't stop the BTC address from being able to receive money. I think in fairness to people who need their data, the email should stay accessible - but monitored. Also, blocking the email and making an announcement lets the person doing this know that the email provider is working with law enforcement, giving the person a chance to hide and take extra precautions.

[GoodBytes]

3 minutes ago, Delicieuxz said:

Wouldn't it have been smarter to not block the email, but to log all the IPs that access it? Blocking the email doesn't sound to me like it's going to help anyone, as it doesn't stop the BTC address from being able to receive money. I think in fairness to people who need their data, the email should stay accessible - but monitored. Also, blocking the email and making an announcement lets the person doing this know that the email provider is working with law enforcement, giving the person a chance to hide and take extra precautions.

Why should the mail provider provide service at each ransomware?

It is not their fault if companies/people don't update their systems. For those infected, shit happens, have backups next time, and keep your system updated.

[Delicieuxz]

8 minutes ago, GoodBytes said:

Why should the mail provider provide service at each ransomware?

It is not their fault if companies/people don't update their systems. For those infected, shit happens, have backups next time, and keep your system updated.

Doesn't make sense. Email providers don't have to provide service to anyone - should they shut down all email accounts?

 

In the case of an email used to unlock ransomwared systems, it doesn't cost the provider to leave the account alone, and it also isn't benefiting the source of the ransomware to leave the email accessible, since all they use it for is providing unlocks for people after receiving payment. They will continue to receive payments even with the email account disabled, and the only losers are the people whose machines were affected. Also, leaving it accessible is an opportunity to monitor the activity on the account to get clues as to who / where the person responsible for the ransomware is.

 

Also, your lack of empathy for people losing their data is noted, and a bit surprising. You have no idea what kind of stuff people could be losing. And if they're willing to pay a large sum to get it back, then it has to have some important value that puts it above an attitude of "who cares"?

[verytiny]

10 minutes ago, Delicieuxz said:

Wouldn't it have been smarter to not block the email, but to log all the IPs that access it? Blocking the email doesn't sound to me like it's going to help anyone, as it doesn't stop the BTC address from being able to receive money. I think in fairness to people who need their data, the email should stay accessible - but monitored. Also, blocking the email and making an announcement lets the person doing this know that the email provider is working with law enforcement, giving the person a chance to hide and take extra precautions.

i thought so too. i'm pretty sure the email provider got too excited at the thought of stopping a ransomware outbreak and was all like *teleports behind you* NOTHING PERSONNEL KID without first considering the ramifications

[GoodBytes]

11 minutes ago, Delicieuxz said:

In the case of an email used to unlock ransomwared systems, it doesn't cost the provider to leave the account alone, and it also isn't benefiting the source of the ransomware to leave the email accessible, since all they use it for is providing unlocks for people after receiving payment. They will continue to receive payments even with the email account disabled, and the only losers are the people whose machines were affected. Also, leaving it accessible is an opportunity to monitor the activity on the account to get clues as to who / where the person responsible for the ransomware is.

Yes it does. Image. If you are a mail provider, you would not like that your service is being used for bad. Do you want all ransomware to use your mail service (you don't get money from ads, not to mention that ad agency might not want to do business with you anymore)

 

Quote

Also, your lack of empathy for people losing their data is noted, and a bit surprising. You have no idea what kind of stuff people could be losing.

The only empathy I have in this story, is for the IT personnel working at these companies where they punish downtime of system that may occur by updating systems. As for individuals affected, shit happens. I don't have W.D (or whatever) offering me free professional data recovery if my HDD fails and I have no backups.

[NumLock21]

Man what's with these ransomwares and who came up with the stupid name. PetyaWrap.

Sound like some new burrito you would get at McDonalds.

 

They should ring up NSA to help them come up with better names, like NSA's QuantumHand. Now this name sound serious and a lot more scary than PetyaWrap.

[ttam]

1 hour ago, mynameisjuan said:

 

Thats not true at all. Well known sites are getting compromised primarily by ads, or the lack of monitoring them. "Common sense browsing" is no longer a thing.

It's a physical item that has been downloaded and run.

I've been part of a panel that is researching this problem at Cray (a super-computer company) with companies like Microsoft, Google, Amazon and Dell.

[TAHIRMIA]

If this is using Eternal Blue then most people who updated to avoid WannaCry should be fine now? Or is there another update?

 

[Doobeedoo]

Oh wow more ransomware and parts of W10 source code leaked, not good times.

[WMGroomAK]

Just as an update:

 

According to Bleeping Computers, security researchers has found a 'vaccine' to prevent system infection, but have not found a killswitch for the attack yet.  

 

https://www.bleepingcomputer.com/news/security/vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak/

Quote

To vaccinate your computer so that you are unable to get infected with the current strain of NotPetya/Petya/Petna (yeah, this naming is annoying), simply create a file called perfc in the C:\Windows folder and make it read only.  For those who want a quick and easy way to perform this task, Lawrence Abrams has created a batch file that performs this step for you. 

 

There is a step-by-step on the article on how to do this, however, it is important to note that this is only for the current version of the ransomware.

 

At the same time, it is being strongly speculated that the initial infection may have originated from a tainted software package from Ukranian based M.E.Doc compromised by an unknown attacker.

 

https://www.bleepingcomputer.com/news/security/petya-ransomware-outbreak-originated-in-ukraine-via-tainted-accounting-software/

 

43 minutes ago, TAHIRMIA said:

If this is using Eternal Blue then most people who updated to avoid WannaCry should be fine now? Or is there another update?

If you've updated your computer, you should be safe from being infected via the SMBv1 route that EternalBlue exploits, however, this also appears to be spreading via some basic email phishing techniques, so I would just try to be extra cautious on my web browsing & email habits until it resolves itself.

[ZackBarletto]

2 hours ago, mynameisjuan said:

Id be fine with it. If the IT staff had half a brain they would have backups and images ready to deploy. Could have all systems back up and running within 30 mins

Unfortunately its not always up to the IT department ;/

 

But of course I agree. Any company that understands the risks and how to solve them shouldn't have any problem with this.

 

[TAHIRMIA]

29 minutes ago, WMGroomAK said:

-Snip-

This is probably why it isn't so big. Most people are already patched...And if they're not it's pretty much their fault. We shouldn't really be giving them any sympathy 

[captain_to_fire]

6 hours ago, WMGroomAK said:

I guess this is a good welcome to the wild world of the future of exploits and not having your systems up to date with patches...  Of course, this may cause bitcoin prices to jump again.

People who disabled Windows Updates probably deserves it. 

 

It's also a lesson to everyone not to trust built in Windows Defender. 

[captain_to_fire]

2 hours ago, NumLock21 said:

Man what's with these ransomwares and who came up with the stupid name. PetyaWrap.

Sound like some new burrito you would get at McDonalds.

 

They should ring up NSA to help them come up with better names, like NSA's QuantumHand. Now this name sound serious and a lot more scary than PetyaWrap.

The malware creators are probably at Taco Bell or Chipotle when they came up with a malware name. 

Edited June 27, 2017 by hey_yo_
added a gif

[NumLock21]

The media is calling it "Goldeneye". Can't tell if that is related to this or something else. 

 

Just like when they call Apple's iphone coil whine, "hissing". 

[BuckGup]

So when will companies actually put security on SCADA? Dell has tracked over 70X the number of attacks on SCADA systems since 2010.

[Princess Luna]

It's funny how people still open dubious links from dubious emails these days.

[WMGroomAK]

31 minutes ago, NumLock21 said:

The media is calling it "Goldeneye". Can't tell if that is related to this or something else. 

 

Just like when they call Apple's iphone coil whine, "hissing". 

Best guess is that the media picked up some information from a Malwarebytes Researcher and misinterpreted it...  On one of the Bleeping Computers articles it mentions that:

https://www.bleepingcomputer.com/news/security/petya-ransomware-outbreak-originated-in-ukraine-via-tainted-accounting-software/

Quote

This is one of the reasons why so many researchers have started a trend on social media, calling the ransomware NotPetya, after so many reports have referenced it as Petya.

 

Nevertheless, Malwarebytes researcher Hasherezade, an expert in all things Petya, attributes the NotPetya strain to the same author who created the original Petya, Mischa, and GoldenEye ransomware strands.

So while originally researchers were thinking that this was a strain of the Petya ransomware, they have since said it is using some of the code from Petya and is more of it's own little bug...

[Huuskari]

7 minutes ago, Princess Cadence said:

It's funny how people still open dubious links from dubious emails these days.

It doesn't spread trough email. It uses different Internet protocols, mainly protocols that are used by companies like SAMBA.

[leadeater]

4 hours ago, Delicieuxz said:

Doesn't make sense. Email providers don't have to provide service to anyone - should they shut down all email accounts?

 

In the case of an email used to unlock ransomwared systems, it doesn't cost the provider to leave the account alone, and it also isn't benefiting the source of the ransomware to leave the email accessible, since all they use it for is providing unlocks for people after receiving payment. They will continue to receive payments even with the email account disabled, and the only losers are the people whose machines were affected. Also, leaving it accessible is an opportunity to monitor the activity on the account to get clues as to who / where the person responsible for the ransomware is.

 

Also, your lack of empathy for people losing their data is noted, and a bit surprising. You have no idea what kind of stuff people could be losing. And if they're willing to pay a large sum to get it back, then it has to have some important value that puts it above an attitude of "who cares"?

It's an email account used for illegal activity, yes shut it down. It'll be a lot easier to track who's it is from the existing historical logs than having to wade through tons of logs from people emailing it for unlock codes.

[captain_to_fire]

1 hour ago, WMGroomAK said:

Best guess is that the media picked up some information from a Malwarebytes Researcher and misinterpreted it...  On one of the Bleeping Computers articles it mentions that:

https://www.bleepingcomputer.com/news/security/petya-ransomware-outbreak-originated-in-ukraine-via-tainted-accounting-software/

While reading that article and saw the words "tainted software", my first reaction was that it's an infection caused by pirated software but it was a botched software update of an accounting software. Now how and why did a ransomware was able to get bundled with an over the air update is beyond me. 

[SCHISCHKA]

i said something like this at the time of wannacry. exploits were well published. Patches were released and what appears to be a trend with MS patches, one month later a worm or malware appears on the internet. There was plenty of media coverage so what is the excuse to be infected? #victimblaming

[SCHISCHKA]

6 hours ago, Princess Cadence said:

It's funny how people still open dubious links from dubious emails these days.

Someone I talked to recently was convinced that the poor english and stupidity of scam emails are intentional so they only get contacted by dumb people. Its hard to disagree because I dont see how an educated person could believe there is a humanitarian crises in the nigerian royal family.

[Master Disaster]

15 hours ago, WMGroomAK said:

So in the latest use of the EternalBlue exploit kit that has been released to the wild, there is a new Ransomware that follows in the footsteps of the WannaCry ransomware being dubbed PetyaWrap.  So far this ransomware has hit several large companies across the globe, including Merck Pharmaceuticals, Maersk Shipping, DLA Piper and more...  The main differences between this ransomware attack and WannaCry is that this one is encrypting at the file system level as opposed to the individual files, it is stealing usernames and passwords from the systems and so far, there appears to be no kill switch.

 

https://arstechnica.com/security/2017/06/a-new-ransomware-outbreak-similar-to-wcry-is-shutting-down-computers-worldwide/

https://www.bleepingcomputer.com/news/security/wannacry-d-j-vu-petya-ransomware-outbreak-wreaking-havoc-across-the-globe/

 

I guess this is a good welcome to the wild world of the future of exploits and not having your systems up to date with patches...  Of course, this may cause bitcoin prices to jump again.

 

EDIT Adding BitCoin Address:

 

Thanks to @The Benjamins for providing the below link to the BitCoin Blockchain address:

https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

 

As of this edit, it appears to have collected about 2.14 Bitcoins worth of transactions...

 

EDIT 2: Thanks to @verytiny for bringing up an announcement from Posteo that they have blocked the email address that was being used and are working with local Federal Authorities.

https://posteo.de/en/blog/info-on-the-petrwrappetya-ransomware-email-account-in-question-already-blocked-since-midday

 

In addition, one of the bits of information concerning how this bug is spreading listed on ArsTechnica consists of it using boobytrapped phishing emails and PSExec command line tools so that if it is able to penetrate a computer by any one vector, it can then spread throughout the network.

 

EDIT 3:  According to Bleeping Computers, security researchers has found a 'vaccine' to prevent system infection, but have not found a killswitch for the attack yet.  

 

https://www.bleepingcomputer.com/news/security/vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak/

 

There is a step-by-step on the article on how to do this, however, it is important to note that this is only for the current version of the ransomware.

 

At the same time, it is being strongly speculated that the initial infection may have originated from a tainted software package from Ukranian based M.E.Doc compromised by an unknown attacker.

 

https://www.bleepingcomputer.com/news/security/petya-ransomware-outbreak-originated-in-ukraine-via-tainted-accounting-software/

 

 

 

 

[WereCat]

Looks like it did hit a chocolate factory in my country too (Slovakia).

http://www.dsl.sk/article.php?article=19920

 

No time for translation, sorry.