[AusNOG] Petya 'ransomware' attack

Barry Raveendran Greene bgreene at senki.org
Wed Jun 28 12:27:14 EST 2017


Thanks for the walkthrough, Kate. Saves me reading through the flurry of messages this morning. :-)

> On Jun 28, 2017, at 9:12 AM, Kate Lance <kate at 6now.net> wrote:
> 
> Haven't seen anything on ausnog so far, so here's a summary of the latest
> big attack, Petya - it's not apparently real ransomware but something a
> bit weirder.
> 
> 1) The address to send bitcoins to was a single mailbox, immediately shut down
> by the ISP, so no other payment method and no decryptions possible. That
> breaks the entire ransomware model.
> 
> 2) It started via automatic updates of a Ukrainian accounting package called
> Me-doc, one of 2 packages obligatory for tax purposes in Ukraine. Russian
> companies in Ukraine mysteriously evaded it.
> https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4
> 
> 3) It's hit Ukraine badly - see
> https://twitter.com/TetySt/status/879755007540723712/photo/1
> 
> 4) Ukraine has been used as a cyberattack testbed several times, see brilliant
> and very readable Wired article:
> https://www.wired.com/story/russian-hackers-attack-ukraine/
> 
> 5) Petya spreads laterally inside /24s then stops, i.e. it's very limited. It's
> also disabled ridiculously easily, with the creation of a read-only file called
> perfc on Windows boxes:
> https://www.wordfence.com/blog/2017/06/petya-ransomware/?utm_source=list&utm_medium=email&utm_campaign=062717-2
> 
> 6) MalwareTechBlog is a great source too (he found the Wannacry kill switch):
> https://www.malwaretech.com/2017/06/petya-ransomware-attack-whats-known.html
> 
> All very odd. Patch those Windows boxes. (Unix users sit back and smirk -
> for now at least.)
> 
> Kate
> _________________________________________________________________
> 
> Dr Kate Lance, CEO                               IPv6 Now Pty Ltd
> Ph 0416 070 230                                 Dedicated to IPv6
> kate at 6now.net 	                         Head Office 1800 222 085
> www.6now.net                 Suite 1, 89 Jones St Ultimo NSW 2007
> _________________________________________________________________
> 