
Latest EternalBlue Attack: NotPetya is a wiper disguised as Ransomware

22 minutes ago, revsilverspine said:

Well that's an interesting turn of events.

I have to agree. Is this what future war looks like?


35 minutes ago, Prysin said:

That's what the government wants you to believe!!

 

WARNING: The quoted username may contain lead, a chemical known to the State of California to cause cancer, birth defects and other reproductive harm. Please wash hands after typing up a response, and avoid infuriation from being proven wrong if the debate is heating up the quoted user. For more information, go to www.P65Warnings.ca.gov.

Well that was mostly in reference to home users and the "we should give people a way to pay for unlocks". Pretty sure if your house burnt down or someone stole your computer with the only copy of the data there ain't no rain dances and ritual sacrifices that is going to get the data back :P.

 

Personal responsibility and liability is a thing, and that is also what insurance is for if you can't cover yourself due to the value of the item(s) being too high. Life can suck, shit happens, but don't go around paying criminals for dubious odds of getting something back. Don't be suckered twice.


3 hours ago, mach said:

Backups are expensive. If you only have few hundred gigs of data then it's easy to grab a cheap external drive, copy everything and call it a day. 

But for the people having many TBs of data, doing the simplest copy&paste backup would cost hundreds or even thousands of dollars in hard drives. Not to mention the effort and time needed to sync the data periodically to make the backup effective. 

True, but then again one should know that full well when one starts hoarding data. 

 

Backing up my 12TB of videos (it's easy to get that much if you make full-quality rips of your blu-ray collection) costs me around €540 (3x 5TB external drive, which was €179 when I bought them).  I don't really need that backup as I still have the original DVDs and blu-rays, but it takes less time in the office to earn that kind of money than it does to re-rip everything.  So this is just for convenience. 

The rest of my data is regularly backed up 3 times on 1TB 2.5" HDDs (one for off-site storage), for which I paid another €300

Then there's even more redundant backups of the most important data on a couple of 64GB USB sticks (one for off-site storage on a different location than the HDD) and annual backups on blu-ray discs. 

 

That puts me at around €900 in backups indeed.  I don't think I ever did the math before though, and TBH I don't even care.  If I need to send one dead HDD to a specialized firm for data recovery, it could cost me more than what I now paid for all those backups. 

If something goes wrong, I just format the entire NAS or replace the dead HDDs/SSDs and let the PC copy the files back overnight.  Sounds a lot nicer than losing everything. 


These articles from the verge and cnet cover it well:

 

Verge article:

https://www.theverge.com/2017/6/28/15888632/petya-goldeneye-ransomware-cyberattack-ukraine-russia

 

(The ransomware is also known as Petya)

 

Quote

It leads to an uncomfortable question: what if money wasn’t the point? What if the attackers just wanted to cause damage to Ukraine? It’s not the first time the country has come under cyberattack. (These attacks have typically been attributed to Russia.) But it would be the first time such an attack has come in the guise of ransomware, and has spilled over so heavily onto other countries and corporations.

 

CNet article:

 

https://www.cnet.com/news/petya-goldeneye-wannacry-ransomware-global-epidemic-just-started/

 

Quote

Thousands of computers around the world are getting locked up by a fast-spreading ransomware. Big businesses are getting hit. An entire hospital is shut out of its system. Suddenly, it's everywhere: the next big ransomware attack.

 

 

@LinusTech, a potential WAN show topic?

 

 

Follow up topic:

 

 

 

 

Since I am too lazy to put something interesting here, I will put everything, but slightly abbreviated. Here is everything:

 

42

 

also, some questions to make you wonder about life:

 

What is I and who is me? Who is you? Which armrest in the movie theatre is yours?

 

also,

 

Welcome to the internet, I will be your guide. Or something.

 

 

My build:

CPU: Intel Core i5-7400 3.0GHz Quad-Core Processor,

 Motherboard: ASRock B250M Pro4 Micro ATX LGA1151 Motherboard, 

Memory: Corsair 8GB (1 x 8GB) DDR4-2133 Memory,

Storage: Seagate Barracuda 1TB 3.5" 7200RPM Internal Hard Drive, 

Video Card: MSI Radeon RX 480 4GB ARMOR OC Video Card, 

Case: Corsair 100R ATX Mid Tower Case , 

Power Supply: Corsair CXM 450W 80+ Bronze Certified Semi-Modular ATX Power Supply, 

Operating System: Microsoft Windows 10 Home Full, 

Wireless Network Adapter: TP-Link TL-WN725N USB 2.0 802.11b/g/n Wi-Fi Adapter, Case Fan: Corsair Air Series White 2 pack 52.2 CFM  120mm Fan

 

You do not ask why, you ask why not. -me

 

Remember kids, the only difference between screwing around and science is writing it down. -Adam Savage.

 

Only two things are infinite: the universe and human stupidity, and I'm not even sure of the former. - Albert Einstein.


Our office in Ukraine got hit by that. Seems like it sniffed through M.E.doc software (absolute standard there for bookkeeping reports to government). M.E.doc said that they were hacked, so their update contained virus. Ukraine, in general, was hit the hardest (due to additional and VERY strong vector of attack).

 

No severe damage was done, but that was fcking scary - Ukraine's biggest airport, Boryspil (KBP), was hit, Chernobyl Nuclear Power Plant was somewhat hit (automatic radiation level control was down for a while), some banks (including the National Bank of Ukraine), etc. Everything is getting online now, but it was really scary for them for a moment.


Shipping companies have been hit, stalling logistics. Another delay, on top of cryptocurrency sucking up GPU stocks.

             ☼

ψ ︿_____︿_ψ_   


1 hour ago, leadeater said:

Life can suck, shit happens but don't go around paying criminals for dubious odds of getting something back, don't be suckered twice.

Too bad the FBI even recommended paying the ransom

_____________________________

 

For the rest, there are a few ransomware families with a decryptor available for free, which doesn't require paying a ransom. Check out the No More Ransom Project.

There is more that meets the eye
I see the soul that is inside

 

 


On 6/27/2017 at 8:23 PM, suicidalfranco said:

Why is Russia hacking Russia?


 

It's called an illusion Michael.

DAEDALUS (2018 Refit) - Processor: AMD Ryzen 5 - 1600 @ 3.7Ghz // Cooler: Cooler Master Hyper 212 LED Turbo Black Edition // Motherboard: Asus RoG Strix B350-F Gaming // Graphics Card: Gigabyte GTX 1060 Windforce 6GB GDDR5 // Memory: 2 x 8GB DDR4 Corsair LPX Vengeance 3000Mhz // Storage: WD Green - 250GB M.2 SATA SSD (Boot Drive and Programs), SanDisk Ultra II 120GB (GTA V), WD Elements 1TB External Drive (Steam Library) // Power Supply: Cooler Master Silent Pro 700W // Case: BeQuiet Silentbase 600 with SilentWings Mk.2 Internal Fans // Peripherals: VicTop Mechanical Gaming Keyboard & VicTsing 7200 DPI Wired Gaming Mouse

 

PROMETHEUS (2018 Refit) - Processor: Intel Core i5-3470 @ 3.2Ghz // Cooler: Cooler Master 212 EVO // Motherboard: Foxconn 2ABF // Graphics Card: ATI Radeon HD 5450 (For Diagnostic Testing Only) // Memory: 2 x 4GB DDR3 Mushkin Memory // Storage: 10TB of Various Storage Drives // Power Supply: Corsair 600W // Case: Bitfenix Nova Midi Tower - Black

 

SpeedTest Results - Having Trouble Finding a Decent PSU? - Check the PSU Tier List!


3 minutes ago, hey_yo_ said:

Too bad the FBI even recommended paying the ransom

_____________________________

 

For the rest, there are few ransomware with a decryptor available for free which doesn't require paying a ransom. Check out No More Ransom Project.

That is from 2015. It would be better to reference the FBI directly:

https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise

Quote

The FBI doesn’t support paying a ransom in response to a ransomware attack. Said Trainor, “Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

What's funny is your article that recommends paying ransom is from 2015 and the FBI article I linked says they saw a spike in ransomware the same year they were telling people to pay the ransom. 

What has changed is they went from shitting out anything to actually measuring the problem; one report they did, from memory, found that less than a quarter of people who pay get their data back.

 

 


1 minute ago, SCHISCHKA said:

That is from 2015. It would be better to reference the FBI directly:

https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise

What's funny is your article that recommends paying ransom is from 2015 and the FBI article I linked says they saw a spike in ransomware the same year they were telling people to pay the ransom. 

What has changed is they went from shitting out anything to actually measuring the problem; one report they did, from memory, found that less than a quarter of people who pay get their data back.

 

 

Linus actually referenced that old FBI notion in his video "Ransomware as fast as possible".

 

I wasn't aware of the FBI's updated stance regarding ransomware payments. But then, I'm glad they've changed opinions on that matter. Just imagine the cash trickling up to the top when everyone decides to pay a ransom. "You want the photos and videos of the grandkids back? Just pay 2 bitcoins, nana."


On 6/28/2017 at 2:46 AM, lots of unexplainable lag said:

So exactly why are port control computers and nuclear station monitoring computers connected to any network that has an internet connection in the first place? That shit should be locked behind 4 doors with separate keys, all with armed checkpoints. Same goes for hospital computers. The only way to access files on any of these systems should be on-site, and the computers connected to that shouldn't have an internet connection.

I was thinking about something like those mission impossible things where the network is local and in a vault or something.

 

The only way anyone is getting into it, is if their name is 'Tom Cruise' and supported by significantly lesser paid individuals.

You can bark like a dog, but that won't make you a dog.

You can act like someone you're not, but that won't change who you are.

 

Finished Crysis without a discrete GPU,15 FPS average, and a lot of heart

 

How I plan my builds -

Spoiler

For me I start with the "There's no way I'm not gonna spend $1,000 on a system."

Followed by the "Wow I need to buy the OS for a $100!?"

Then "Let's start with the 'best budget GPU' and 'best budget CPU' that actually fits what I think is my budget."

Realizing my budget is a lot less, I work my way to "I think these new games will run on a cheap ass CPU."

Then end with "The new parts launching next year is probably gonna be better and faster for the same price so I'll just buy next year."

 


5 hours ago, revsilverspine said:

Realistically, the data can be recovered if all it does is mess up only specific sectors

While the data still remains on the disks and the actual files are not encrypted, what appears to be the problem is that this wiper destroys the original Master File Table and makes that unrecoverable so the drive and OS may have the information still, but doesn't know where that information is stored.  If you have a backup of the MFT, then it should be possible to recover the data on the disk up to that MFT backup, however at that point you might as well have a full redundant backup.

 

4 hours ago, SCHISCHKA said:

Shipping companies have been hit stalling logistics. Another delay from cryptocurrency sucking stocks of gpu

 

4 hours ago, SomeSin said:

Our office in Ukraine got hit by that. Seems like it sniffed through M.E.doc software (absolute standard there for bookkeeping reports to government). M.E.doc said that they were hacked, so their update contained virus. Ukraine, in general, was hit the hardest (due to additional and VERY strong vector of attack).

 

No severe damage was done, but that was fcking scary - Ukraine's biggest airport, Boryspil (KBP), was hit, Chernobyl Nuclear Power Plant was somewhat hit (automatic radiation level control was down for a while), some banks (including the National Bank of Ukraine), etc. Everything is getting online now, but it was really scary for them for a moment.

This to me seems to be one of the bigger issues with these kinds of attacks, in that they end up disrupting the logistic chains, which can take days to months to recover from being offline, and that can throw systems into disarray. It's a funny thing that we rely on our logistic chains to run smoothly; however, we take it for granted that they'll run well until such a time as something goes wrong and we wonder why the store is out of produce or our Amazon package hasn't left the last destination for several days.


Just an update on this one: according to DanOCT it was supposed to be ransomware, but there's a bug in the encryption code that causes the encryption process to corrupt the data. Apparently it's not a deliberate "killer", but as it encrypts the FAT & MFT (and corrupts them) there is almost zero chance of recovering anything after it's finished.

It's actually based on another ransomware that was released in 2016, and in the original version the encryption works and file recovery is possible. Of course the creators might have deliberately added the encryption bug, who knows on that one.

I wonder how it would cope with a GUID & UEFI system though: no FAT, no MFT, just a 100 MB FAT32 partition with the bootloader stored on it. Of course it still corrupts your files anyway, but I'm betting it wouldn't destroy the bootloader.

Oh, and the coders made it so it encrypts the FAT & MFT last, so if you restart during the fake chkdsk (that's actually encrypting everything) it's possible to recover. You might lose some stuff, but the quicker you restart the more you save.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)
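The posts above describe the file data staying on disk while the MFT is encrypted or destroyed, and the window before the MFT is touched. The following is an added example, not code from the thread or from any analysis of the malware itself: a small triage script that takes a raw NTFS volume image, locates $MFT and $MFTMirr from the boot sector, and reports whether the first file records still carry the FILE signature and a consistent update-sequence (fixup) array. The sample images are constructed in-line; the "wiped" one simply leaves $MFTMirr intact so the comparison is visible, which says nothing about what the real malware does to the mirror.

```python
"""Added example (not from the thread): triage an NTFS volume image to see
whether $MFT still looks intact, and whether $MFTMirr could stand in for it.
Sample images are constructed below; the 'wiped' one has junk where $MFT was."""
import struct

SECTOR = 512
NTFS_OEM = b"NTFS    "


def parse_boot_sector(bs: bytes) -> dict:
    """Extract cluster size, record size and the $MFT/$MFTMirr byte offsets."""
    if len(bs) < SECTOR or bs[3:11] != NTFS_OEM or bs[510:512] != b"\x55\xaa":
        raise ValueError("not an NTFS boot sector: OEM id or 0x55AA marker missing")
    bytes_per_sector, = struct.unpack_from("<H", bs, 0x0B)
    sectors_per_cluster = bs[0x0D]
    mft_cluster, mirr_cluster = struct.unpack_from("<QQ", bs, 0x30)
    clusters_per_record, = struct.unpack_from("<b", bs, 0x40)
    cluster_size = bytes_per_sector * sectors_per_cluster
    # A negative value encodes the record size as 2**(-n) bytes (usually -10 -> 1024).
    record_size = 2 ** (-clusters_per_record) if clusters_per_record < 0 \
        else clusters_per_record * cluster_size
    return {"cluster_size": cluster_size, "record_size": record_size,
            "mft_offset": mft_cluster * cluster_size,
            "mftmirr_offset": mirr_cluster * cluster_size}


def record_status(rec: bytes) -> str:
    """Classify one file record: in-use / free / no-signature / bad-fixup-array / torn-write."""
    if rec[:4] != b"FILE":
        return "no-signature"            # header gone: overwritten or encrypted
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    if usa_cnt < 2 or usa_off + 2 * usa_cnt > len(rec):
        return "bad-fixup-array"
    usn = rec[usa_off:usa_off + 2]
    # NTFS stores the update sequence number in the last two bytes of every
    # sector of the record; a mismatch means the record was only partly written.
    for i in range(1, usa_cnt):
        if rec[i * SECTOR - 2:i * SECTOR] != usn:
            return "torn-write"
    flags, = struct.unpack_from("<H", rec, 0x16)
    return "in-use" if flags & 0x0001 else "free"


def triage(image: bytes, records: int = 4) -> dict:
    """Check the first `records` entries of $MFT and $MFTMirr in a raw volume image."""
    geo = parse_boot_sector(image[:SECTOR])
    size = geo["record_size"]

    def scan(base: int) -> list:
        return [record_status(image[base + n * size:base + (n + 1) * size])
                for n in range(records)]

    mft, mirr = scan(geo["mft_offset"]), scan(geo["mftmirr_offset"])
    good = ("in-use", "free")
    return {"mft": mft, "mftmirr": mirr,
            "mft_intact": all(s in good for s in mft),
            "mirror_usable": all(s in good for s in mirr)}


# ---- constructed sample data (not real disk contents) -----------------------

def make_record(in_use: bool = True, usn: bytes = b"\x01\x00", size: int = 1024) -> bytes:
    rec = bytearray(size)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 1 + size // SECTOR)   # fixup array at 0x30
    struct.pack_into("<H", rec, 0x16, 1 if in_use else 0)
    rec[0x30:0x32] = usn
    for i in range(1, size // SECTOR + 1):
        rec[i * SECTOR - 2:i * SECTOR] = usn
    return bytes(rec)


def build_image(mft: bytes, mirr: bytes) -> bytes:
    """512-byte sectors, 8 per cluster, $MFT at cluster 4, $MFTMirr at cluster 2."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x52\x90"
    bs[3:11] = NTFS_OEM
    struct.pack_into("<H", bs, 0x0B, SECTOR)
    bs[0x0D] = 8
    struct.pack_into("<QQ", bs, 0x30, 4, 2)
    struct.pack_into("<b", bs, 0x40, -10)        # 1024-byte file records
    bs[510:512] = b"\x55\xaa"
    image = bytearray(SECTOR * 40)
    image[:SECTOR] = bs
    image[2 * 4096:2 * 4096 + len(mirr)] = mirr
    image[4 * 4096:4 * 4096 + len(mft)] = mft
    return bytes(image)


GOOD_RECORDS = b"".join(make_record() for _ in range(4))
# Deterministic junk standing in for ciphertext; no 'FILE' header anywhere.
JUNK_RECORDS = bytes((i * 131 + 7) & 0xFF for i in range(4 * 1024))

HEALTHY_IMAGE = build_image(GOOD_RECORDS, GOOD_RECORDS)
# Constructed: $MFT overwritten, $MFTMirr left alone, purely to show the comparison.
WIPED_IMAGE = build_image(JUNK_RECORDS, GOOD_RECORDS)

if __name__ == "__main__":
    print("healthy:", triage(HEALTHY_IMAGE))
    print("wiped:  ", triage(WIPED_IMAGE))
```

Against a real image you would call `triage()` on the first few megabytes of the raw volume rather than the whole file. "no-signature" on every $MFT record with a usable mirror is the narrow case where $MFTMirr's four records ($MFT, $MFTMirr, $LogFile, $Volume) at least confirm what the volume was; it does not give back the rest of the table, which is why the posts above end up at "restore from backup".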


10 minutes ago, Master Disaster said:

Just an update on this one: according to DanOCT it was supposed to be ransomware, but there's a bug in the encryption code that causes the encryption process to corrupt the data. Apparently it's not a deliberate "killer", but as it encrypts the FAT & MFT (and corrupts them) there is almost zero chance of recovering anything after it's finished.

It's actually based on another ransomware that was released in 2016, and in the original version the encryption works and file recovery is possible. Of course the creators might have deliberately added the encryption bug, who knows on that one.

I wonder how it would cope with a GUID & UEFI system though: no FAT, no MFT, just a 100 MB FAT32 partition with the bootloader stored on it. Of course it still corrupts your files anyway, but I'm betting it wouldn't destroy the bootloader.

Oh, and the coders made it so it encrypts the FAT & MFT last, so if you restart during the fake chkdsk (that's actually encrypting everything) it's possible to recover. You might lose some stuff, but the quicker you restart the more you save.

How the hell does he know it's not intentional is my question. The exploits were implemented meticulously while the "ransom" part was very sloppy. https://arstechnica.com/security/2017/06/notpetya-developers-obtained-nsa-exploits-weeks-before-their-public-leak/

[Out-of-date] Want to learn how to make your own custom Windows 10 image?

 

Desktop: AMD R9 3900X | ASUS ROG Strix X570-F | Radeon RX 5700 XT | EVGA GTX 1080 SC | 32GB Trident Z Neo 3600MHz | 1TB 970 EVO | 256GB 840 EVO | 960GB Corsair Force LE | EVGA G2 850W | Phanteks P400S

Laptop: Intel M-5Y10c | Intel HD Graphics | 8GB RAM | 250GB Micron SSD | Asus UX305FA

Server 01: Intel Xeon D 1541 | ASRock Rack D1541D4I-2L2T | 32GB Hynix ECC DDR4 | 4x8TB Western Digital HDDs | 32TB Raw 16TB Usable

Server 02: Intel i7 7700K | Gigabye Z170N Gaming5 | 16GB Trident Z 3200MHz


3 minutes ago, DeadEyePsycho said:

How the hell does he know it's not intentional is my question. The exploits were implemented meticulously while the "ransom" part was very sloppy. https://arstechnica.com/security/2017/06/notpetya-developers-obtained-nsa-exploits-weeks-before-their-public-leak/

Well, I'm guessing he's reverse engineered it and is making an informed guess. I do say in my post that it's possible they added the bug deliberately.


Just now, Master Disaster said:

Well I'm guessing he's reversed engineered it and is making an informed guess. I do say in my post that its possible they added the bug deliberately.

That's a pretty big fucking bug to miss when testing...


31 minutes ago, Master Disaster said:

Just an update on this one: according to DanOCT it was supposed to be ransomware, but there's a bug in the encryption code that causes the encryption process to corrupt the data. Apparently it's not a deliberate "killer", but as it encrypts the FAT & MFT (and corrupts them) there is almost zero chance of recovering anything after it's finished.

Thanks for the update... At this time, it is a little bit nebulous as to whether the fact that this served as a wiper was truly an accident on the part of the programmer(s) or whether this was a deliberate issue written in and the ransom note was a red herring to garner media attention... From most of the articles that I've read, I think that the majority of security researchers are thinking that this was a deliberate attack from a foreign entity with backing. The other question/issue is that whoever wrote this appears to have close ties to the 'ShadowBrokers', as they apparently were able to integrate the NSA exploits really well into their code, and the deployment vector code appears to have been the best developed part of the attack.


On 6/27/2017 at 1:15 PM, Mornincupofhate said:

The only thing this does is leads to more "I use a mac because it can't get viruses"

Any computer, regardless of OS, can get a virus. But the only reason Macs "don't" get viruses is because of their market share compared to Windows. If I were to create a virus I would likely focus on Windows, but that doesn't mean Macs are safe.


53 minutes ago, Ltexprs said:

Any computer, regardless of OS, can get a virus. But the only reason Macs "don't" get viruses is because of their market share compared to Windows. If I were to create a virus I would likely focus on Windows, but that doesn't mean Macs are safe.

You totally didn't get what I was saying. 


stop making me scared of switching back to windows 10.

Ryzen 5 3600 stock | 2x16GB C13 3200MHz (AFR) | GTX 760 (Sold the VII)| ASUS Prime X570-P | 6TB WD Gold (128MB Cache, 2017)

Samsung 850 EVO 240 GB 

138 is a good number.

 


For normal users that do backups and keep said backups separate from their day-to-day PC, this should not be much of an issue. The problem is if a big company or government institution gets infected. The amount of work needed to restore said computers costs quite a bit of money. Basically, for us end users: make sure your system is up to date and keep a backup of your important files away from any network. I personally, besides my NAS, have a 128 GB USB flash drive for backing up things I can't lose. I always carry said drive with me in case my house gets broken into or something else happens. I also make sure to encrypt said flash drive, of course.
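An added example (not from the thread) backing the last point: a backup kept off the network only helps if, before restoring, you can tell the copy is still what you wrote, because an encryptor that reaches a mounted backup drive damages it as thoroughly as the live data. It records a SHA-256 manifest of a backup tree and later reports anything changed, missing or new; `demo()` runs it over a constructed temporary directory and tampers with it the way an encryptor would. Paths and file names are made up.

```python
"""Added example (not from the thread): a hash manifest for an offline backup.
build_manifest() records a SHA-256 per file at backup time; verify_manifest()
later reports anything changed, missing or new. demo() uses constructed data."""
import hashlib
import json
import os
import tempfile


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each relative file path under root to its SHA-256 (symlinks skipped)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = _sha256(full)
    return manifest


def verify_manifest(root: str, manifest: dict) -> dict:
    """Compare the tree under root with a saved manifest; empty lists mean intact."""
    current = build_manifest(root)
    return {
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "new": sorted(p for p in current if p not in manifest),
    }


def save_manifest(manifest: dict, path: str) -> None:
    # Keep one copy with the backup and one somewhere the backup drive cannot
    # be written from; a printed hash of this file is enough to anchor it.
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def demo() -> dict:
    """Build a small constructed backup, then tamper with it like an encryptor would."""
    sample = {"photos/a.jpg": b"jpeg-ish bytes", "notes.txt": b"hello", "tax.pdf": b"%PDF-1.4"}
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as keep:
        os.makedirs(os.path.join(root, "photos"))
        for rel, data in sample.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest_path = os.path.join(keep, "manifest.json")
        save_manifest(build_manifest(root), manifest_path)

        # Tamper: overwrite one file in place, delete another, drop a ransom note.
        with open(os.path.join(root, "photos", "a.jpg"), "wb") as f:
            f.write(b"\x00\x13\x37 not a jpeg any more")
        os.remove(os.path.join(root, "tax.pdf"))
        with open(os.path.join(root, "README.txt"), "wb") as f:
            f.write(b"pay up")

        return verify_manifest(root, load_manifest(manifest_path))


if __name__ == "__main__":
    print(demo())
```

In practice you run `build_manifest()` on the backup volume right after each sync, store the manifest (or its hash) somewhere the backup drive cannot be written from, and refuse to restore from a copy whose `verify_manifest()` result is not three empty lists.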


Block the email address, what a great idea! Disable the victims' only way to get their files back.

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´


Just now, vorticalbox said:

Block the email address, what a great idea! Disable the victims' only way to get their files back.

They were never going to get their data back anyway. 
