[AusNOG] Petya 'ransomware' attack
Kate Lance
kate at 6now.net
Wed Jun 28 11:12:56 EST 2017
Haven't seen anything on ausnog so far, so here's a summary of the latest
big attack, Petya - it's not apparently real ransomware but something a
bit weirder.
1) The address to send bitcoins to was a single mailbox, immediately shut down
by the ISP, so no other payment method and no decryptions possible. That
breaks the entire ransomware model.
2) It started via automatic updates of a Ukrainian accounting package called
Me-doc, one of 2 packages obligatory for tax purposes in Ukraine. Russian
companies in Ukraine mysteriously evaded it.
https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4
3) It's hit Ukraine badly - see
https://twitter.com/TetySt/status/879755007540723712/photo/1
4) Ukraine has been used as a cyberattack testbed several times, see brilliant
and very readable Wired article:
https://www.wired.com/story/russian-hackers-attack-ukraine/
5) Petya spreads laterally inside /24s then stops, i.e. it's very limited. It's
also disabled ridiculously easily, with the creation of a read-only file called
perfc on Windows boxes:
https://www.wordfence.com/blog/2017/06/petya-ransomware/?utm_source=list&utm_medium=email&utm_campaign=062717-2
6) MalwareTechBlog is a great source too (he found the Wannacry kill switch):
https://www.malwaretech.com/2017/06/petya-ransomware-attack-whats-known.html
All very odd. Patch those Windows boxes. (Unix users sit back and smirk -
for now at least.)
Kate
_________________________________________________________________
Dr Kate Lance, CEO IPv6 Now Pty Ltd
Ph 0416 070 230
kate at 6now.net
www.6now.net
Dedicated to IPv6
Head Office 1800 222 085
Suite 1, 89 Jones St Ultimo NSW 2007
_________________________________________________________________
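Item 5 above mentions the read-only "perfc" file that stops this variant running. The following is an added PowerShell example for applying that mitigation on a Windows host; it is not from Kate's post or from any of the linked write-ups. The post names only the file name, so the directory used here ($env:WINDIR, the location published by researchers at the time) is an assumption, and the script must be run from an elevated prompt.

```powershell
# Added example, not part of the original post.
# Creates the "perfc" vaccine file from item 5 and marks it read-only.
# Assumption: the file lives in %WINDIR% (e.g. C:\Windows); the post itself
# only gives the file name. Run as Administrator.

$VaccinePath = Join-Path -Path $env:WINDIR -ChildPath 'perfc'

if (-not (Test-Path -LiteralPath $VaccinePath)) {
    # Create an empty file; -Force lets New-Item write into a protected directory
    # when the session is elevated.
    New-Item -ItemType File -Path $VaccinePath -Force | Out-Null
    Write-Host "Created $VaccinePath"
} else {
    Write-Host "$VaccinePath already present"
}

# Set the read-only attribute so a later attempt to open the file for writing
# fails instead of silently replacing it. Idempotent: safe to re-run.
Set-ItemProperty -LiteralPath $VaccinePath -Name IsReadOnly -Value $true

# Verify the end state and report it so the step can be checked from a
# management tool or a scheduled task log.
$Item = Get-Item -LiteralPath $VaccinePath
if ($Item.IsReadOnly) {
    Write-Host "OK: $VaccinePath exists and is read-only"
} else {
    throw "FAILED: $VaccinePath exists but is not read-only"
}
```

Note that this only neutralises the variant that checks for that file; it is a stop-gap alongside patching, not a replacement for it.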