Tuesdays massive ransomware outbreak was, in fact, something much worse
https://arstechnica.com/security/2017/06/petya-outbreak-was-a-chaos-sowing-wiper-not-profit-seeking-ransomware/Code in Tuesday's attack, shown on the left, was altered to permanently destroy hard drives.
QUOTE
Initially, researchers said the malware was a new version of the Petya ransomware that first struck in early 2016. Later, researchers said it was a new, never-before-seen ransomware package that mimicked some of Petya's behaviors. With more time to analyze the malware, researchers on Wednesday are highlighting some curious behavior for a piece of malware that was nearly perfect in almost all other respects: its code is so aggressive that it's impossible for victims to recover their data.
In other words, the researchers said, the payload delivered in Tuesday's outbreak wasn't ransomware at all. Instead, its true objective was to permanently wipe as many hard drives as possible on infected networks, in much the way the Shamoon disk wiper left a wake of destruction in Saudi Arabia. Some researchers have said Shamoon is likely the work of developers sponsored by an as-yet unidentified country. Researchers analyzing Tuesday's malwarealternatively dubbed PetyaWrap, NotPetya, and ExPetrare speculating the ransom note left behind in Tuesday's attack was, in fact, a hoax intended to capitalize on media interest sparked by last month's massive WCry outbreak.
"The ransomware was a lure for the media," researcher Matt Suiche of Comae Technologies, wrote in a blog post published Wednesday. "This version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon." He went on to write: "We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents, to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon."
Suiche provided the above side-by-side code comparison contrasting Tuesday's payload with a Petya version from last year. Both pieces of code take aim at two small filesthe master boot record and master file tablethat are so crucial that a disk won't function if they are missing or corrupted. But while the earlier Petya encrypts the master boot record and saves the value for later decryption, Tuesday's payload, by contrast, was rewritten to overwrite the master boot record. This means that, even if victims obtain the decryption key, restoring their infected disks is impossible.
UNQUOTE
Not Ruth
(3,613 posts)Thank me later
ret5hd
(21,320 posts)canetoad
(18,102 posts)Of malware outbreaks. Since very few* of us are using the Ukranian accounting software, the last line of the paragraph below reinforces the old rules of online safety. Beware of strange emails and attachments.
https://www.theguardian.com/technology/2017/jun/27/petya-ransomware-cyber-attack-who-what-why-how
snip/
Where did it start?
The attack appears to have been seeded through a software update mechanism built into an accounting program that companies working with the Ukrainian government need to use, according to the Ukrainian cyber police. This explains why so many Ukrainian organizations were affected, including government, banks, state power utilities and Kievs airport and metro system. The radiation monitoring system at Chernobyl was also taken offline, forcing employees to use hand-held counters to measure levels at the former nuclear plants exclusion zone. A second wave of infections was spawned by a phishing campaign featuring malware-laden attachments.
Earth Bound Misfit
(3,556 posts)Lawrence Abrams (aka Grinler) owner/admin @Bleepingcomputer.com posted a "vaccination" for this Petya/not Petya whatever it is:
https://www.bleepingcomputer.com/news/security/vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak/
Because of the ransomware's global outreach, many researchers flocked to analyze it, hoping to find a loophole in its encryption or a killswitch domain that would stop it from spreading, similar to WannaCry.
While analyzing the ransomware's inner workings, Serper was the first to discover that NotPetya would search for a local file and would exit its encryption routine if that file already existed on disk.
The researcher's initial findings have been later confirmed by other security researchers, such as PT Security, TrustedSec, and Emsisoft.
This means victims can create that file on their PCs, set it to read-only, and block the NotPetya ransomware from executing.
Eliot Rosewater
(32,530 posts)War is coming, for real.
Beware.
2naSalit
(92,480 posts)that reminds me I need to download all my stuff to a thumb drive and CD today.
I keep getting massive updates from Microsoft, allegedly, that won't load or run... fortunately. When the error comes up, Microsoft doesn't recognize the error # which tells me there's something wrong with those updates.