Huge ransomware outbreak spreads in Ukraine and beyond

A huge ransomware outbreak has hit major banks, utilities and telcos in Ukraine as well as victims in other countries. Check out our full analysis of the software nasty, here. Early analysis of the attack points towards a variant of the known Petya ransomware, a strain of malware that encrypts the filesystem tables and …

  1. Doctor Syntax Silver badge

    If it's just the MBR being encrypted then presumably something like Photorec should recover files. However according to https://www.infosecurity-magazine.com/news/ukraine-businesses-petya-ransomware/ it encrypts files as well as the MBR.

    1. Robert Carnegie Silver badge

      http://www.bbc.co.uk/news/technology-40416611 has someone talking about it attacking the MFT of NTFS - that's a more severe attack than the MBR. So maybe a misunderstanding. Whatever it is, you don't want it. To Ukraine: I feel your pain, but, why not use Linux?

      1. Doctor Syntax Silver badge

        "someone talking about it attacking the MFT of NTFS - that's a more severe attack than the MBR."

        Providing the files themselves aren't corrupted something like photorec reads the sectors, tries to work out what they are and copies the results out to fresh media. Obviously it depends on the extent to which the files are fragmented. If the files are encrypted then it depends on whether they're overwritten. The only experience I had with this was with ransomware that wrote out the encrypts as new files and deleted the old ones which, of course, just marked the files' sectors as free but didn't do anything to the contents. The only problem was sorting out real images from junk heap of odds & sods from the browser cache.

      2. Anonymous Coward
        Anonymous Coward

        >why not use Linux?<

        Because they DON'T live in their mom's basement, and needs to get work done?

        1. Doctor Syntax Silver badge

          "and needs to get work done?"

          Yes, they certainly need to get work done now to recover from this.

          I take it you've no personal knowledge of Linux or other Unix-like systems. I've got a little secret for you. Most of those of us who use Linux have also had experience of Windows, including sorting out the problems it's caused for friends and family. We can actually reach an informed opinion of what actually works.

          In my case I was using Unix systems to do real work years before Windows was thought of. Lab management, logistics management, industrial control systems, all grist to the mill.

          1. notowenwilson

            Excuse my ignorance, but how do I run all my windows only software that is central to my job description on Linux? Or do I need to get a new job?

            1. herman Silver badge

              In many cases you will find that there are perfectly good alternatives that do the same thing on Linux/BSD/Apple Mac. For the rest, you can use Windows in a virtual machine with the virtual network cable unplugged, or very strongly packet filtered by the host.

              Note that there are millions of Apple Mac users out there that do not use any Windows software and get things done much more easily, securely and professionally.

              1. notowenwilson

                "Note that there are millions of Apple Mac users out there that do not use any Windows software and get things done much more easily, securely and professionally."

                Sure, but very few of them work in engineering companies that require access to top of the range CAD packages.

        2. Anonymous Coward
          Trollface

          >Because they DON'T live in their mom's basement, and needs to get work done?

          See icon, you forgot to add it.

        3. herman Silver badge

          Well, Linux, BSD and Macintosh are very similar and share tens of thousands of software packages. So you allude that millions of Mac users, for example, cannot get any work done?

          It is time to wake up and smell the coffee. There is a whole world of computing out there that you are not aware of.

      3. patrickstar

        Funny with the mandatory "stupid Windows is so insecure, use Linux!!!111" comment considering that the article clearly states that this was not relying on any Windows specific vulnerability, but rather compromising the auto-update servers of some company and then being able to move across the network due to bad admin practices. Both things would work equally well against Linux if the attackers wanted to target it instead.

  2. i1ya
    FAIL

    "Never attribute to malice that which is adequately explained by stupidity"

    My beloved country, which is Ukraine, is famous for pirated Windows and nihilist admins who often deliberately don't install patches. The horse was stolen two months ago when "Wanna Cry" was all over the news; but to some people, it's never enough to finally lock the barn door.

    1. iromko
      Thumb Down

      Re: "Never attribute to malice that which is adequately explained by stupidity"

      For a country which is the target of Russian aggression, it's only natural to assume that any widespread attack on its infrastructure was initiated by the aggressor. And only after that was disproved, other possibilities may be considered. Of course, if some administrators failed to protect their systems (big 'if', we don't really know), they should be held accountable.

      But still the blame should be placed where it belongs, on the perpetrator, not the victims.

      1. Tom Paine Silver badge

        Re: "Never attribute to malice that which is adequately explained by stupidity"

        But still the blame should be placed where it belongs, on the perpetrator, not the victims.

        Criminal negligence, negligent culpability, duty of care... these are things in UK law. Blame the attackers existing if you like, but really they've got more in common with a lightning strike or washing machine catching fire: these are things that, sooner or later, are going to happen, and you'd better design and build (or procure and operate) accordingly.

        Put another way: it's not my /fault/ that nature and nurture made me enjoy beer, but it's my /responsibility/ not to drink drive, or destroy my liver, or glass someone for looking at my pint all night.

        1. Bob Hoskins

          Re: "Never attribute to malice that which is adequately explained by stupidity"

          That was an extremely stupid response. Thank you.

      2. Anonymous Coward
        Anonymous Coward

        Re: "Never attribute to malice that which is adequately explained by stupidity"

        And your evidence is, what? Something bad happened in Ukraine, so the Russians must be orchestrating it?

        At some stage, Ukrainians will wake up to the fact that most of the damage done to Ukraine was not done by the wicked Russians, but by the utterly corrupt "leaders" of the country whose sole intent is to pillage the country for their own benefit. Yes, the Russians are an easy scapegoat, but when EVERY Ukrainian president has been more corrupt than Ismailov and more inept than Yeltsin, this might be a more plausible explanation.

        Ukrainians really need to find the spirit of Khemelnitskiy and rise up to free themselves from the political class, then perhaps they could work to being the most prosperous nation in Europe.

        1. iromko
          Flame

          Re: "Never attribute to malice that which is adequately explained by stupidity"

          "And your evidence is, what" - typical Russian troll response :)

          For others, here's The Register take on this: https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware/?page=3

    2. find users who cut cat tail

      Re: "Never attribute to malice that which is adequately explained by stupidity"

      Pirated Windows and lazy admins may be factors. Still, Ukraine is not exactly a wealthy country and $300 is lots of money there. If your goal is to make money from the ransomware, wouldn't you rather target a country where $1000/month is considered the poverty threshold? This looks more like the ransom part is a nice benefit but not the goal.

  3. Anonymous Coward
    Anonymous Coward

    UK companies as well - know of at least two

    1. Anonymous Coward
      Anonymous Coward

      I know a very large multinational company has been hit.

      1. Anonymous Coward
        Anonymous Coward

        >I know a very large multinational company has been hit.<

        Yes, MAERSK..

        1. Anonymous Coward
          Anonymous Coward

          Nope, another. Ironically also in the logistics business.

          Can't say which, major customer of ours and we are clearing their shit up.

          1. Anonymous Coward
            Anonymous Coward

            I think I know the one. They're my company's main courier, which has meant vast parts of our shipping/logistics teams grinding to a halt as a result. Not great when you've got lots of companies expecting urgent kit from you which is now stuck in various courier warehouses...

            Edit, sod it, it's TNT. Seeing as the BBC have already ousted them...

            1. Anonymous Coward
              Anonymous Coward

              companies expecting urgent kit from you

              Yes, my past experience with TNT was that anything shipped by them would usually arrive in kit form, even if it didn't start out that way...

  4. Shane McCarrick

    Irish companies hit too

    Couple of Irish companies ringing up in a panic.........

  5. Sir Runcible Spoon Silver badge

    That's it

    I've disconnected all my work shared drives

    1. Ryan 7

      Re: That's it

      Not going to work, since by default you still have \\hostname shares both on your machine, and available to you.

      1. Sir Runcible Spoon Silver badge
        Pint

        Re: That's it

        In that case I'm logging out entirely :)

        On a side note, I can design secure networks for banks and such, but I'm just like any other clueless dingbat when it comes to securing the company laptop that I have no rights over :)

        1. Anonymous Coward
          FAIL

          Re: That's it

          "I'm just like any other clueless dingbat when it comes to securing the company laptop that I have no rights over :)"

          As it spreads via admin credentials, sounds like your IT department know EXACTLY what they are doing and are following best practice.

          1. Sir Runcible Spoon Silver badge

            Re: That's it

            "As it spreads via admin credentials, sounds like your IT department know EXACTLY what they are doing and are following best practice."

            Totally agree, but it does mean there isn't much *I* can do about it.

      2. Anonymous Coward
        Anonymous Coward

        Re: That's it

        Why don't you just invest in a firewall device that you can configure to block access from the Internet to all those ports Micro$oft love to keep open by default ?

        1. Tom Paine Silver badge
          Facepalm

          Re: That's it

          Why don't you just invest in a firewall device that you can configure to block access from the Internet to all those ports Micro$oft love to keep open by default ?

          Altogether, now: "OF COURSE IT'S SECURE, IT'S INSIDE THE FIREWALL!

          This is why infosec people have a job for life, and a frequent flier card at their local boozer.

        2. Sir Runcible Spoon Silver badge

          Re: That's it

          "Why don't you just invest in a firewall device that you can configure to block access from the Internet to all those ports Micro$oft love to keep open by default ?"

          Well, when my work laptop is connected, it's using split-tunnel so no naughty connections to my local network at all once I've VPN'd to the corporate network.

          Once connected, my machine is effectively on a DMZ within the perimeter of the corporate security estate, and I know how leaky that is because I used to work for the company that manages it. If I can connect to a network share at the office via an SSL VPN then I can sure as hell get hit by malware using those ports to host-hop.

          So, tell me Mr AC - where exactly does the firewall fit into this? I'm more likely to be protected by the IPS solution than the firewall, since the firewall is set to allow those connections that are at risk.

          1. hmv

            Re: That's it

            If you were VPNing in through _my_ firewall (well it belongs to $work, but I'm the Evil Firewall Admin), you could SMB to the storage networks but not to and from the workstation networks. So yes the firewall would limit the chances of getting infected.

            BTW: It's not clear, but what you're describing doesn't sound like split-tunnel to me.

          2. Anonymous Coward
            Anonymous Coward

            "So, tell me Mr AC - where exactly does the firewall fit into this?"

            Well: I have an ancient external Firewall device. I block the ports used for SMB server connections which are open on my intranet from being connected to from the Internet which is then on the other side of the Firewall.

            So you just interpose the firewall between your node and the rest of the Internet.

            Of course if you need to share a drive across a network then that network needs to be similarly protected, as does its transitive closure.

            Otherwise you're buggered.

        3. hmv

          Re: That's it

          Hard and crunchy on the outside, soft and chewy on the inside. I'm probably paraphrasing, but that phrase was in one of the first firewall books I read back in the mid-1990s.

          Sure blocking SMB at the edge helps protect, but I would not be very surprised to learn those hardest hit by this one were those who did have protection at the edge and so were complacent about their "soft and chewy" inside.

          1. Vic

            Re: That's it

            Hard and crunchy on the outside, soft and chewy on the inside

            Armadillos!

            Vic.

  6. Anonymous Coward
    Anonymous Coward

    NHS managers shitting bricks yet?

    1. TRT Silver badge

      NHS managers NEVER shit bricks.

      They know how over stretched the service is that will be needed to repair their damaged sphincters.

    2. bitmap animal

      Re: Alternatives?

      Perhaps like the last outbreak they are comparatively safe if they're still running XP.

      1. herman Silver badge

        Re: Alternatives?

        Ayup, fortunately the new Aunt Lizzy Aircraft Carrier is running XP.

  7. reddiesel

    dailymail..

    http://www.dailymail.co.uk/news/article-4643752/Europe-hit-new-WannaCry-virus.html

    The Daily Mail reporting same... with some dubious error messages on screens, which don't look necessarily related.

    1. Anonymous Coward
      WTF?

      Re: dailymail..

      You're using the Daily Wail as a reference? really?

      No doubt it was due to immigrants wearing above the knee skirts to school, while suffering the hell that are bi-weekly bin collections.

  8. Julian 8

    Besides patching

    Windows Server: PowerShell method (Remove-WindowsFeature FS-SMB1)

    Windows Client: PowerShell method (Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol)

    Not surprised about WPP - who are being named on R5 live a lot

    IBM and no idea who or what they are doing about patching these days. Used to be good
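    An added example, not code from Julian 8's post or from The Register: a PowerShell script that audits SMBv1 on the local host and removes it with the client or server method quoted above, choosing by OS role. It assumes an elevated PowerShell 5.1 session on Windows 8.1 / Server 2012 R2 or later; the function names Get-Smb1Status and Disable-Smb1 are my own.

```powershell
# Added example, not code from the thread. Audits and removes SMBv1 on the local
# host using the two methods Julian 8 lists, picking one by OS role.
# Assumes an elevated PowerShell 5.1 session on Windows 8.1 / Server 2012 R2 or
# later, where the SmbShare and DISM modules are present.
#Requires -RunAsAdministrator

function Get-Smb1Status {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    $isServerOs = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1

    # Server-side protocol switch: what remote hosts can actually negotiate.
    $srv = Get-SmbServerConfiguration -ErrorAction SilentlyContinue

    # The OS feature that ships the SMBv1 server and client binaries.
    if ($isServerOs) {
        $f = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
        $featureOn = [bool]($f -and $f.Installed)
    } else {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        $featureOn = [bool]($f -and $f.State -eq 'Enabled')
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        IsServerOs        = $isServerOs
        Smb1ServerEnabled = [bool]($srv -and $srv.EnableSMB1Protocol)
        Smb1FeatureOn     = $featureOn
    }
}

function Disable-Smb1 {
    param(
        # With -ReportOnly, list the actions instead of performing them.
        [switch]$ReportOnly
    )
    $before  = Get-Smb1Status
    $actions = @()

    if ($before.Smb1ServerEnabled) {
        $actions += 'Set-SmbServerConfiguration -EnableSMB1Protocol $false'
        if (-not $ReportOnly) {
            # Takes effect on the server service immediately; no reboot needed.
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        }
    }

    if ($before.Smb1FeatureOn) {
        if ($before.IsServerOs) {
            $actions += 'Remove-WindowsFeature FS-SMB1'
            if (-not $ReportOnly) { Remove-WindowsFeature -Name FS-SMB1 | Out-Null }
        } else {
            $actions += 'Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol'
            if (-not $ReportOnly) {
                Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
            }
        }
    }

    if ($actions.Count -eq 0) { $actions += 'nothing: SMBv1 already off' }
    [pscustomobject]@{
        Before  = $before
        Actions = $actions
        After   = if ($ReportOnly) { $before } else { Get-Smb1Status }
    }
}

# Usage: review first, then apply. Feature removal needs a reboot to complete.
Disable-Smb1 -ReportOnly | Format-List
# Disable-Smb1 | Format-List
```

    Turning off the server-side switch stops remote hosts negotiating SMBv1 at once, while removing the feature also drops the client driver and only completes after the reboot the script deliberately does not force.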

  9. DagD

    FYI...

    an OTX share has flagged the email addy:

    wowsmith123456@posteo.net

    https://otx.alienvault.com

  10. This post has been deleted by its author

  11. frank ly Silver badge

    The next stage

    The next stage in the 'war on terror' will be mandatory government oversight and access to Bitcoin etc. so that the miscreants can be tracked down. Does anyone know if they can already do this?

    1. Ryan 7

      Re: The next stage

      Mathematically impossible.

      1. frank ly Silver badge

        Re: The next stage

        Give me a Bitcoin administrator and a baseball bat?

        1. Destroy All Monsters Silver badge

          Re: The next stage

          It's all the work of Emmanuel Bitcoin.

          May Brother says so.

        2. zb

          Re: The next stage

          Mathematically impossible, baseball bats pshaw! The politicians think that they can solve any problem with a new law.

      2. Doctor Syntax Silver badge

        Re: The next stage

        Try telling that to HMG. OTOH the comment about a Bitcoin exchange manager and bat sounds possible.

      3. TheSkunkyMonk

        Re: The next stage

        Nah, they just can't control coins already in circulation until they find the current owner and he who has the biggest miner owns all new bitcoins.

    2. Mike Richards Silver badge

      Re: The next stage

      There have been some research papers where traffic analysis has been used to deanonymise some Bitcoin users. The researchers are usually kind enough to explain how their attack can be defeated:

      E.g. http://fc14.ifca.ai/papers/fc14_submission_71.pdf

  12. Stork Bronze badge

    Mærsk

    - should not have dropped their 32x70 for pretty Windows.

  13. mark l 2 Silver badge

    If it is just file tables / MBR then it maybe possible to recover with something that can rewrite them. I think testdisk can do this under linux and I seem to remember some utility on the UBCD Windows PE boot disk could do it also.

  14. Will Godfrey Silver badge
    Unhappy

    Place your bets

    How long before May claims this is another reason to ban encryption?

    1. Anonymous Coward
      Anonymous Coward

      Re: Place your bets

      Who Gains ?

      Probably some Government "Civil Servants" trying to justify the existence of their budget (being bored with blackmailing MPs with dodgy e-mails), or else they've been ordered to take the populace's minds off of burning tower blocks or politicians discovering their new friends in the DUP have a common shared interest in small boys.

    2. sanmigueelbeer Silver badge
      Happy

      Re: Place your bets

      How long before May claims this is another reason to ban encryption?

      I bet she's going to announce a ban on the use of internet.

    3. GrumpyOldBloke

      Re: Place your bets

      From the Australian ABC ransomware-virus-hits-computer-servers-across-the-globe...

      The Federal Minister responsible for cyber security, Dan Tehan, said the Government was doing all it could to prevent further outbreaks.

      "We have been in contact with our Five Eyes partners and the national cyber security centres in those countries to get a good sense as to what is occurring," he told the ABC.

      "We are monitoring the situation, we are in touch with other countries to see what impact is happening there.

      "That is the best we can do at this stage."

      ... That is it, the best we can do at this stage. The emperor has no clothes. I guess we wait for another programmer sitting in his bedroom to work this one out.

  15. Anonymous Coward
    Anonymous Coward

    Companies in the USA have been hit

    Just ran into a friend from a big company that was sent home because of a ransomware virus. They had them turn off their systems and remove their batteries. Turned off wifi. It infected their Cisco phone system too and it is randomly calling out to people in their contacts.

    1. Tom Paine Silver badge

      Re: Companies in the USA have been hit

      Cisco UTM? Haven't heard that reported anywhere else...

      1. Anonymous Coward
        Anonymous Coward

        Re: Companies in the USA have been hit

        Our multinational client phones have been hit. Not sure of make.

        It may turn out to be soft phones on the PC's rather than the phone system itself.

  16. andre_dutra

    Add cancer-specialised hospitals in Brazil to the list. Just made an official statement that all PCs were powered off because of the attack.

  17. Anonymous Coward
    Anonymous Coward

    Possible Password Generator to recover files etc

    See this on Bleeping Computer ----> https://www.bleepingcomputer.com/news/security/petya-ransomwares-encryption-defeated-and-password-generator-released/

    May help people to generate password if hit by this ransomware.

    1. Doctor Syntax Silver badge

      Re: Possible Password Generator to recover files etc

      Useful if it works but AIUI that was for the original Petya. If that's the payload then fine but current reports say it isn't.

  18. dmacleo

    ug

    lucky nothing I deal with been affected yet but this seems to be spreading really fast.

  19. Mikel

    Please disconnect your Windows PC from the network

    and leave it disconnected forever.

    Sincerely,

    The Internet

    1. Gordon Fecyk
      Stop

      Make me.

      Extra-sincerely, me.

      Seriously, this attitude doesn't help any.

    2. Anonymous Coward
      Anonymous Coward

      Re: Please disconnect your Windows PC from the network

      And the rest of the world can carry on visiting Linux servers running insecure PHP and WordPress plugins.

  20. Anonymous Coward
    Anonymous Coward

    Notification

    Whoever wrote the notification on the screen in the screenshot comes across as a fluent English speaker. I'm curious: are the notifications tailored to suit the country?

    1. vir Silver badge

      Re: Notification

      A fluent English speaker, right down to the superfluous commas.

      1. Anonymous Coward
        Anonymous Coward

        Re: Notification

        I was referring to the language rather than the punctuation.

        On the whole, much better than some of the emails I receive at work from native speakers.

      2. Sandtitz Silver badge
        Joke

        Re: Superfluous commas

        That, or the author was pedantic in making sure the line lengths are matching.

        It is very important when dealing with monospace fonts!

      3. This post has been deleted by its author

  21. Doctor Syntax Silver badge

    Would it be too much to hope that Munich's Windows boxes get hit?

    1. Destroy All Monsters Silver badge

      No, Murricans might think this has something to do with CHAMBERLAIN and FOREVER HITLER and kick off an all-encompassing nuclear war against Russia, China, Syria, Iran, Qatar, Koni and The Nork.

  22. Zebo-the-Fat

    Pay the ransom?

    No, reformat and restore from off site backup :)

    1. Eltonga
      Facepalm

      reformat and restore from off site backup :)

      Yeah... let's check for first time in history whether the offsite backups were successful.

      And let's hope we didn't back up the infection vector too... and oh... that the DR are not infected as soon as we turn them on...

  23. Anonymous South African Coward Silver badge

    Shut down two backup servers as a precaution.

    Bastards.

  24. TrevorH

    So let's get this straight, this exploits the same vulnerabilities as the last one that made headlines all over the world and crippled various organisations and yet, some people still didn't patch against it?

    sympathy-o-meter firmly pegged on 0 here.

  25. wyatt

    @OxAmit on twitter: 98% sure that the name is perfc.dll. Create a file in c:\windows called perfc with no extension and #petya #Nopetya won't run! SHARE!! https://t.co/0l14uwb0p9

    1. John Brown (no body) Silver badge

      Evidence? Corroboration?

    2. This post has been deleted by its author

    3. Anonymous Coward
      Anonymous Coward

      cmd.exe (administrative elevation)

      cd\windows

      md perfc

      md perfc.dll

      exit

      sounds too good to be true... have cockblocked several nasties in the past by creating a directory (when it wants to create a file) and a readonly file (when it wants to create a directory) on ickdoze PCs...

      now that the cat is out of the bag, malware writers will most probably add code to check for a file/directory and take appropriate steps.

      1. dmacleo

        looks similar to this

        https://www.bleepingcomputer.com/news/security/vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak/

  26. Mike Dolan

    Except...

    It's *not* just the EternalBlue exploit. This ab(uses) psexec and other components. I've seen fully patched machines with SMBv1 disabled get infected.

    But by all means, continue in your little bubble as you obviously know all about this.

    1. wyatt

      Re: Except...

      The tear down will be interesting. Looks to be a mixture of software/exploits here.

  27. adnim Silver badge
    Joke

    The older I get

    the more I think that those who are trained to run computers aren't. And I can never see more than seven layers (or is it veils) in my mystical dream world of Unicorns, no matter how hard I try, or try to get hard.

    Joke icon...cos some don't understand satire.

    The only real downside to this is that the tax payer and consumer will foot the cost as prices or quantity/quality of product are adjusted so as not to upset share holders and the stock price.

    1. Captain Badmouth

      Re: The older I get

      "And I can never see more than seven layers (or is it veils) in my mystical dream"

      Seven pillars?

  28. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Re: Ukraine ?

      Well, it's affecting Chernobyl radiation monitoring and a Russian bank is unable to conduct business - so he's covering his tracks well. Me, I suspect the Californians. They're evil bastards.

      1. Ramazan

        Re: Ukraine ?

        Well, if the virus is really named Petya, then it might be named so after Pyotr Poroshenko, the current president of Ukraine (Petya is a diminutive form of Pyotr, FYI). So, Putin or not, this one was probably targeted at Ukraine.

        1. Anonymous Coward
          Anonymous Coward

          if the virus is really named Petya

          And there is a nice hammer and sickle on the ransom page. I don't know if that calls the attribution in to doubt or if it just means they're patriotic.

          1. Destroy All Monsters Silver badge

            Re: if the virus is really named Petya

            > hammer and sickle

            Yeah but sovietism has been dead since, like, Gorbachev.

            Anyway, Putlet cannot hold a candle to Real Russian Nationalism.

  29. MarkSitkowski

    How to stop ransomware

    Since only criminals use bitcoin, just make it illegal to trade bitcoin for real money. Then they can be traced through any banking system. Too easy, man...

    1. Eltonga
      WTF?

      Re: How to stop ransomware

      Since only criminals use bitcoin, just make it illegal to trade bitcoin for real money. Then they can be traced through any banking system. Too easy, man...

      If this is meant to be irony, it's great. Otherwise it leaves me speechless.

  30. Anonymous Coward
    Anonymous Coward

    Right !!!111

    I'm going back to: Rock 1.0

    - Ogg

    1. YetAnotherLocksmith

      Re: Right !!!111

      I wouldn't. Patch/update to Rock 2, otherwise you don't get Slate & Chalk. Either way, it's still stable, even if it is 350 million years old.

  31. Lord_Beavis
    Linux

    HA HA HA HA HA HA

    Where's your UEFI god now?

  32. Anonymous South African Coward Silver badge

    So, update.

    Seems once you get the bitcoin message (apparently it shows the same message for all computers, and not individual bitcoin addresses) it seems to be more than a smokescreen, and you can save your skin by switching off your computer as it will start to encrypt your preciouses files once it reboots. Not 100% guaranteed as newer iterations may encrypt on the fly.

    We've got a few incidents of this malware here in Sunny South Africa, and I'm trying to find out who's been hit.

    Ne'er-do-wells *sigh*
