
The Petya ransomware is starting to look like a cyberattack in disguise


tao

The haze of yesterday’s massive ransomware attack is clearing, and Ukraine has already emerged as the epicenter of the damage. Kaspersky Labs reports that as many as 60 percent of the systems infected by the Petya ransomware were located within Ukraine, far more than anywhere else. The hack’s reach touched some of the country’s most crucial infrastructure including its central bank, airport, metro transport, and even the Chernobyl power plant, which was forced to move radiation-sensing systems to manual.

The ostensible purpose of all that damage was to make money — and yet there’s very little money to be found. Most ransomware flies under the radar, quietly collecting payouts from companies eager to get their data back and decrypting systems as payments come in. But Petya seems to have been incapable of decrypting infected machines, and its payout method was bizarrely complex, hinging on a single email address that was shut down almost as soon as the malware made headlines. As of this morning, the Bitcoin wallet associated with the attack had received just $10,000, a relatively meager payout by ransomware standards.

It leads to an uncomfortable question: what if money wasn’t the point? What if the attackers just wanted to cause damage to Ukraine? It’s not the first time the country has come under cyberattack. (These attacks have typically been attributed to Russia.) But it would be the first time such an attack has come in the guise of ransomware, and has spilled over so heavily onto other countries and corporations.

Because the virus has proven unusually destructive in Ukraine, a number of researchers have come to suspect more sinister motives at work. Peeling apart the program’s decryption failure in a post today, Comae’s Matthieu Suiche concluded a nation state attack was the only plausible explanation. “Pretending to be a ransomware while being in fact a nation state attack,” Suiche wrote, “is in our opinion a very subtle way from the attacker to control the narrative of the attack.”

Another prominent infosec figure put it more bluntly: “There’s no fucking way this was criminals.”

There’s already mounting evidence that Petya’s focus on Ukraine was deliberate. The Petya virus is very good at moving within networks, but initial attacks were limited to just a few specific infections, all of which seem to have been targeted at Ukraine. The highest-profile one was a Ukrainian accounting program called MeDoc, which sent out a suspicious software update Tuesday morning that many researchers blame for the initial Petya infections. Attackers also planted malware on the homepage of a prominent Ukraine-based news outlet, according to one researcher at Kaspersky.

In each case, the infections seem to specifically target Ukraine’s most vital institutions, rather than making a broader attempt to find lucrative ransomware targets. These initial infections are particularly telling because they were directly chosen by whoever set the malware in motion. Computer viruses often spread farther than their creators intended, but once Petya was on the loose, the attackers would have had no control over how far it reached. But the attackers had complete control over where they planted Petya initially, and they chose to plant it by some of the most central institutions in Ukraine.

The broader political context makes Russia a viable suspect. Russia has been engaged in active military interventions in Ukraine since former president Viktor Yanukovych was removed from power in 2014. That has included the annexation of Crimea and the active movement of troops and equipment in the eastern region of the country, but also a number of more subtle activities. Ukraine’s power grid came under cyberattack in December 2015, an attack many interpreted as part of a hybrid attack by Russia against the country’s infrastructure. That hybrid-warfare theory extends to more conventional guerrilla attacks: the same day that Petya ripped through online infrastructure, Ukrainian colonel Maksim Shapoval was killed by a car bomb attack in Kiev.

All that evidence is still circumstantial, and there’s no hard link between yesterday’s attacks and any nation state. It could be Ukraine simply presented a soft target, and the attackers screwed up their payment and decryption systems out of simple carelessness. Functional or not, the software involved still has strong ties to traditional ransomware systems, and even if the attackers didn’t make much money off ransom payments, Petya was still collecting credentials and other data from infected machines, which could be valuable fodder for future attacks. That has led researchers like F-Secure’s Sean Sullivan to hold off on nation-state suspicions. “Maybe there’s multiple ways they’re working the money angle, but I think ultimately it’s about money,” Sullivan told me. “Tigers don’t change their stripes.”

Still, the line between common criminals and state agents can be difficult to parse. A recent indictment in the Yahoo hacking case charged Russian officials alongside freelance hackers, and the division of labor was often unclear. Criminals can be enlisted as privateers, or agents can adopt criminal tactics as a way of disguising themselves. If the suspicions around Petya are correct, that line may be growing even thinner, as globe-spanning attacks get lost in the fog of war. With no clear path to a firm attribution, we may never be able to prove who was responsible for this week’s attacks, or what they hoped to achieve. For anyone digging out a Petya-bricked computer system, that clean getaway is adding insult to injury.


Just update your OS and, more important, back up on a regular basis and you won't get hurt............. :D !

4 hours ago, adi said:

As of this morning, the Bitcoin wallet associated with the attack had received just $10,000, a relatively meager payout by ransomware standards.

But the people who paid aren't very happy. Call it an expensive lesson in extortion and blackmail. You never pay because you never get what you paid for, and a daily backup is cheap. Even a 40TB NAS unit can be had for under $3000 and you never have to pay anyone who might encrypt your files. And if you don't need that much storage it gets even cheaper. There is no reason not to have a backup of some kind, if nothing else, then just your data instead of a full image backup.

9 hours ago, Pete 12 said:

Just update your OS and, more important, back up on a regular basis and you won't get hurt............. :D !

This outbreak was nowhere near as bad as WannaCry, and the OP is more political than anything else, trying to place the blame on Russia rather than helping anyone... And it was already exposed that the media is just a money racket and they make up lies about countries and people because fake news sells and gets lots of hits. They should stop writing this crap unless they have real proof. This could simply have been avoided by

Quote

Don't open emails or attachments without confirming they are safe and you know the sender. This should be common practice.

They need to make employees of businesses take cybersecurity hygiene classes. It's stupid; don't they ever read the news about ransomware and how you can be infected? It looks like the media failed at blaming Russia for the elections, so now they focus on something else to sell the news without any proof! Every time this happens they place the blame on this country or that country before the researchers have confirmed who was responsible, which makes me sick! It's like watching a biography movie where it's based on true events but it has been changed to fiction to protect the truth..

Today with VPNs, Tor and other things the researchers don't even really know who did it; they can only guess, so in this regard they're SOL. They can only figure out whose exploit was used, which is for sale on the darknet.... :P

Now here is an example of a helpful post

Quote

What is the Petya ransomware spreading across Europe? WIRED explains

The Petya ransomware has been spotted predominantly in Ukraine but security researchers have also seen it in other European countries

In May, the WannaCry ransomware virus quickly spread around the world infecting hundreds of thousands of computers and locking their owners out of files. Now, another piece of malware is infecting machines at scale.

A new strain of malicious code dubbed Petya (often referred to as Petrwrap, and Notpetya) was first spotted encrypting computers in Ukraine before reportedly infecting systems in Spain, Germany, Israel, the UK, Netherlands and the US.

It has impacted a number of industries, with governments, shipping firms, a petroleum giant and even the Chernobyl nuclear reactor all reporting instances of Petya. "It's massive," Christiaan Beek, a lead scientist and principal engineer at McAfee, told WIRED about the situation in Ukraine. "Complete energy companies, the power grid, bus stations, gas stations, the airport, and banks are being targeted."

The security researcher continued that he believes Petya has been designed for "speed, and is spreading around like crazy". Kaspersky Lab's global research director Costin Raiu tweeted to say the majority of infections seen by his firm had taken place in Ukraine, the Russian Federation, and Poland.

Meanwhile, other experts have confirmed the ransomware has been seen in multiple locations and (like with WannaCry) when a computer is locked, a $300 bitcoin fee must be paid to decrypt the locked systems. The bitcoin wallet listed in the demands has received multiple payments, with a relatively paltry sum of £5,800 being collected at the time of writing. However, email client Posteo, which hosts the account where bitcoin payments are being sent, has closed the address listed in the ransom note. This effectively means those who want to pay the ransom, can't. In a statement, the German firm says it "does not tolerate any misuse of our platform".

What is the Petya ransomware?

Malware under the name of Petya has existed since 2016, with Symantec saying the version used in this cyberattack has been modified and can spread via a worm.

Researchers have said that although some of the code is shared from the previous versions of Petya, this version is different. It has also been dubbed NotPetya, as a result. Kaspersky says the malware is different to Petya and has been altered for the current attack. Researchers from the firm added it has been designed to have "plausibly deniable cover of ransomware".

So far, reports of the Petya ransomware are still emerging and a full picture is not known. This increases the potential of early analysis being wrong, and more detailed inspection of the code will reveal greater details of the developing picture. As a result, WIRED will update this story as more information is confirmed.

Despite the many uncertainties about the ransomware, reports have continued about its spread. UK marketing firm WPP tweeted to say it had been hit "by a suspected cyberattack". The UK's National Crime Agency said it is monitoring the situation and working with other companies around the world. The National Cyber Security Centre similarly said it is "monitoring the situation closely", while the NHS, which was hit hard by WannaCry, said it wasn't suffering from any "significant" incidents following the spread.

Which companies have been hit by Petya?

In one of the most high-profile occurrences of Petya ransomware, Ukrainian vice prime minister Rozenko Pavlo tweeted an image of a computer that had been infected and said the "whole network 'fell down'". Press agency AFP then reported that Chernobyl's radiation monitoring system has been switched to manual following an attack.

Shipping firm Maersk said it suffered a cyberattack and that its IT systems are offline "across multiple sites and business units" due to the incident. Russian petroleum company Rosneft also tweeted it had been hit by a cyberattack and has contacted law enforcement authorities.

As the day has progressed, the malware has spread to the US. Pharmaceutical company Merck said it had been hit as part of the global cyberattack.

How does Petya ransomware spread?

The ransomware, like the majority of strains of the malware, is said to be locking computers that are infected and encrypting files on them. "If you see this text, then your files are no longer accessible, because they have been encrypted," screenshots of the ransomware say. They also demand bitcoin to be decrypted.

Security companies are confident the Petya ransomware uses the same software exploit in Microsoft products that WannaCry was able to exploit. Symantec says it has confirmed the ransomware is using the EternalBlue vulnerability that is believed to have been developed by the NSA. As well as this the Petya strain uses the EternalRomance exploit and has been traced back to Ukrainian software called MeDoc.

Both Symantec and F-Secure say that although Petya does encrypt systems, it is slightly different to other types of ransomware. "Petya is a new ransomware with an evil twist: instead of encrypting files on disk, it will lock the entire disk, rendering it pretty much useless," F-Secure explains. "Specifically, it will encrypt the filesystem’s master file table (MFT), which means the operating system is not able to locate files."

Beek adds that Petya has not been disguised with a lot of sophistication. "It is using a fake certificate that is derived from Microsoft's Sysinternal tools," he says. "It's not heavily obfuscated I would say, so it is easy to read through the functionality of the ransomware."

How to avoid the Petya ransomware?

The advice for protecting yourself against Petya applies to many types of malware – make sure your system and apps are updated. The EternalBlue tools exploit flaws in out-of-date software, so maintaining your systems will limit these attacks.

It's also worth investing in at least two anti-virus programs – one free, and one paid for. This is optional but will give you added protection. Set these programs to run regular scans of your system and emails.

Don't open emails or attachments without confirming they are safe and you know the sender. This should be common practice.

http://www.wired.co.uk/article/petya-malware-ransomware-attack-outbreak-june-2017

No BS, just facts :P:P of what they know so far.


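The WIRED piece quoted in the post above says Petya spread with the EternalBlue and EternalRomance exploits and that the practical defence is keeping systems updated. Both of those exploits target the SMBv1 file-sharing protocol on Windows, so the concrete form of that advice is to confirm SMBv1 is switched off on every machine that does not still need it and that Windows updates are current. The PowerShell script below is an added example written for this thread; it is not from the forum post, from WIRED, or from any vendor mentioned. The function names Get-Smb1Status, Disable-Smb1 and Get-RecentUpdates are my own; the cmdlets they call (Get-SmbServerConfiguration, Set-SmbServerConfiguration, Get-WindowsOptionalFeature, Disable-WindowsOptionalFeature, Get-HotFix) are standard on Windows 8.1 / Server 2012 R2 and later, and the script assumes an elevated prompt.

```powershell
# Added example (not from the forum post or the WIRED article it quotes).
# Checks whether SMBv1, the protocol EternalBlue/EternalRomance exploit,
# is still enabled on this host, lists recent updates, and can disable
# SMBv1. Run from an elevated PowerShell prompt.

function Get-Smb1Status {
    # Server-side SMBv1 switch from the SmbShare module
    $server = Get-SmbServerConfiguration

    # Optional-feature view of SMBv1 on client builds (Windows 8.1 / 10);
    # returns $null where the feature name is not present, so the result
    # is reported as 'unknown' rather than as an error.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ServerSmb1Enabled = $server.EnableSMB1Protocol
        FeatureState      = if ($feature) { [string]$feature.State } else { 'unknown' }
    }
}

function Disable-Smb1 {
    # Supports -WhatIf / -Confirm so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Remove the optional feature as well where it exists; a reboot
        # completes the removal, so -NoRestart leaves that to the admin.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
}

function Get-RecentUpdates {
    # Most recent installed updates; a stale list is the first sign that
    # the "keep your system updated" advice is not being followed.
    param([int]$Count = 10)
    Get-HotFix |
        Sort-Object InstalledOn -Descending |
        Select-Object -First $Count HotFixID, Description, InstalledOn
}

# Report first; apply the change only after reviewing the output.
Get-Smb1Status | Format-List
Get-RecentUpdates | Format-Table -AutoSize
Disable-Smb1 -WhatIf    # dry run; remove -WhatIf to actually disable SMBv1
```

The script reports before it changes anything: the -WhatIf call at the end only prints what Disable-Smb1 would do. Before removing SMBv1 on a fleet, check the reported status on any host that still serves old printers, scanners or legacy appliances, since those are the devices that typically still depend on the protocol.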