Ukrainian Banks, Electricity Firm Hit by Fresh Cyber Attack; Reports Claim the Ransomware Is Quickly Spreading Across the World (vice.com) 109
A massive cyber attack has disrupted businesses and services in Ukraine on Tuesday, bringing down the government's website and sparking officials to warn that airline flights to and from the country's capital city Kiev could face delays. Motherboard reports that the ransomware is quickly spreading across the world. From a report: A number of Ukrainian banks and companies, including the state power distributor, were hit by a cyber attack on Tuesday that disrupted some operations (a non-paywalled source), the Ukrainian central bank said. The latest disruptions follow a spate of hacking attempts on state websites in late-2016 and repeated attacks on Ukraine's power grid that prompted security chiefs to call for improved cyber defences. The central bank said an "unknown virus" was to blame for the latest attacks, but did not give further details or say which banks and firms had been affected. "As a result of these cyber attacks these banks are having difficulties with client services and carrying out banking operations," the central bank said in a statement. BBC reports that Ukraine's aircraft manufacturer Antonov, two postal services, Russian oil producer Rosneft and Danish shipping company Maersk are also facing "disruption, including its offices in the UK and Ireland."
According to local media reports, the "unknown virus" cited above is a ransomware strain known as Petya.A. Here's how Petya encrypts files on a system (video). News outlet Motherboard reports that Petya has hit targets in Spain, France, Ukraine, Russia, and other countries as well. From the report: "We are seeing several thousands of infection attempts at the moment, comparable in size to Wannacry's first hours," Costin Raiu, a security researcher at Kaspersky Lab, told Motherboard in an online chat. Judging by photos posted to Twitter and images provided by sources, many of the alleged attacks involved a piece of ransomware that displays red text on a black background, and demands $300 worth of bitcoin. "If you see this text, then your files are no longer accessible, because they are encrypted," the text reads, according to one of the photos. "Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."
According to local media reports, the "unknown virus" cited above is a ransomware strain known as Petya.A. Here's how Petya encrypts files on a system (video). News outlet Motherboard reports that Petya has hit targets in Spain, France, Ukraine, Russia, and other countries as well. From the report: "We are seeing several thousands of infection attempts at the moment, comparable in size to Wannacry's first hours," Costin Raiu, a security researcher at Kaspersky Lab, told Motherboard in an online chat. Judging by photos posted to Twitter and images provided by sources, many of the alleged attacks involved a piece of ransomware that displays red text on a black background, and demands $300 worth of bitcoin. "If you see this text, then your files are no longer accessible, because they are encrypted," the text reads, according to one of the photos. "Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."
Backup/Restore (Score:3)
Re:Backup/Restore (Score:5, Insightful)
Disconnected backup/restore.
These sorts of malware are perfectly capable of encrypting a connected external or network drive.
Re:Backup/Restore (Score:5, Interesting)
Something I was just thinking about the other day, when considering btrfs for a new install rather than ext4... wouldn't a filesystem that allows for periodic snapshotting offer some defense against ransomware, so long as the ransomware doesn't run with the privilege to delete snapshots? So it starts encrypting your files... then runs out of disk space due to all of the changes it's made since the last snapshot, becomes stuck, and all the user has to do is restore from the last snapshot.
Seems like some relatively low hanging fruit to help combat a relatively major problem. Or am I missing something?
Re: (Score:1)
Yep. You can also use ZFS for this to combat exactly the same issue.
With disk being so cheap anymore, if you know Linux you should have at least a RAID1 (ZFS RAID10 is better, and easier to grow) storage system going, and doing full bare-metal backups of everything you care about at least once a week. As well as doing test bare-metal restores to a VM once a month or so to make sure.
Re:Backup/Restore (Score:5, Informative)
Re:Backup/Restore (Score:5, Informative)
That's why you don't just rotate the snapshots, you organize them into tiers.
For example, the setup I use is: I keep yearlies, monthlies, 1-11-21th day of month, dailies, and (for two machines) 3-hourlies. Yearlies and monthlies don't expire other than manually, others keep 10 of their kind.
If you use btrfs on the backup machine -- with dedupe and compression -- all of this takes surprisingly little space compared to other forms of backup, yet any individual snapshot is available straight as a mounted filesystem, without any extra steps.
Obviously most machines have pull backups: since root privs are needed, it's the backup machine that can control the backupees.
I also have disconnected backups, although I haven't automated that yet.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Re: Backup/Restore (Score:2, Insightful)
Would have been nice if some government agency had found vulnerabilities, they would have tipped off the vendors to patch them. Only sociopaths would have failed to improve the world by trying to use them for their own benefit.
Re: (Score:2)
I've had a lot of interactions with bureaucrats and the like, and generally, no, I don't see much sign of sociopathy. There's certainly a kind of antipathy that creeps into a public service, and of course momentum means that things will tend to go in the same direction regardless of what the people at the top want.
Re: Backup/Restore (Score:5, Insightful)
Well, I'm up in Canada, so maybe it's different south of the border, but up here I've had meetings with Assistant Deputy Ministers, which are about two steps down from the political office-holder (the Cabinet Minister). I've had my disagreements with them, and certainly have felt they've made some decisions that I thought were, shall we say, less than optimal, but I've never seen evidence of them being bad or selfish people.
I can't say the same for some cabinet ministers (what Americans would call Secretaries), mind you. I've never directly interacted with anyone at the political level, but there have been or two whose actions I've seen that have lead to believe that if they're not outright sociopaths, then at least they're quite callous and bullying. There's an old joke in the Westminster tradition that the best cabinet minister is the cabinet minister who understands that it's not his job to micromanage his department. I have seen cabinet ministers who very much believed they had the knowledge and capability to do just that, and like a crappy CEO in a private setting, they can leave ruin and poor morale in their wake. Many years ago I saw one Ministry see an exodus of everyone from frontline public sector workers up to higher level civil servants start getting out, and that always suggests a department with very poor leadership.
That being said, I don't think even most politicians are sociopaths. I think they can get woefully out of touch with their constituents, and the problem here in Canada, as I'm sure it is in the US, is that voters will tend to vote based on team jersey in many cases rather than on anyone's record, so the same bad actors seem to be able to hang on to their jobs for a rather long time.
Re: (Score:1)
I see no evidence of your claim at all. I'm no fan of Trudeau, but the accusation seems as utterly absurd as claims by Liberals and the left that Harper was some sort of evangelical tyrant. Grow up. You can be against a politician's policies without resorting to infantile hyperbole.
Re: (Score:2)
Write a letter to Putin@thekremlin.ru thanking his hackers for their thoughtful repackaging of the zero days the NSA released to Microsoft etc when they learned that the tools/0days were going to be released publicly. It was a few months before the "patriotic" hackers released the NSA tools.
Re: (Score:2)
Several failings in that post. TLA finds vulnerabilities because they search for them, they search for them to be able to do their job. Their job is to protect their country and by extension the people. Not doing their job would mean the agency is useless.
You also don't understand what sociopaths are about. It is a mental disease/condition. It isn't a placeholder for "something I do not agree with" any more than nazi/fascist/left/right etc. It is also something a person can have - not an organization.
You do
Re: (Score:2)
Re: (Score:2)
Big Hairy Ian: Is, uh,...Is your computer a goer, eh? Know whatahmean, know whatahmean, nudge nudge, know whatahmean, say no more?
Us: I, uh, I beg your pardon?
BBC Report (Score:4, Informative)
Credit where it's due (Score:5, Insightful)
Re: (Score:2)
Holy sheep, /. editors doing their job? Has Hell frozen over? Is Linux on more devices then Windows?
Re: (Score:2)
Slashdot editors receive a lot of flak when they run dupes, or miss out on good stories. But this story about the ongoing cyber attack is literally the only one that makes sense - and I have read FT, NYT, and WSJ copies. Insightful summary, and perfectly stitched together. Kudos.
Too bad the summary leaves out a very key piece of info, which doesn't quite fit with the hype-line;
Ukrainian state power distributor Ukrenergo said its IT system had been hit by a cyber attack, but the disruption had no impact on power supplies or its broader operations.
In other words, the attack was on their administrative network, not power or grid control.
Thank you.
is it Windows, mac, linux, ios, android? (Score:4, Insightful)
Seems like the story is missing a key piece of information
Re: (Score:2)
Nah. If it were anything other than Windows the summary would have gleefully declared it.
Re: (Score:2)
I had the same question. Everything I can find shows it being Windows XP, or maybe 2k.
Still running a 15 year old insecure by design, unpatched, unsupported OS? Good luck with that.
Re: (Score:2)
For all your cynical IT news needs : https://www.theregister.co.uk/... [theregister.co.uk]
"Fresh Cyber Attack" (Score:1)
Freshness is important. I like my strawberries fresh.
Re: (Score:2)
Re: (Score:2)
Not until you showed up and showed us how sexy a truly obese man can be!
Ten years ago I posted a link to a Fat Porn FAQ on my website that got 3000+ hits per day from Slashdot. These days I have to settle for less than 300 hits per day from Slashdot. Sad.
Re: (Score:2)
Why are you posting links to fat porn FAQs?
The asshats ten years ago were meaner and less pussy-whipped than today's asshats. Then as now, they thought my weight was relevant to the discussion. The asshats kept writing the same thing over and over again, mostly variations of "You're a fat POS!!!" So I collected what was written into a "Fat Porn FAQ," where I responded to each one, and posted it on my website. I routinely posted the FAQ link as a response every time an asshat repeated something out of the FAQ. If I had monetization set up back then,
oh dear (Score:1)
Re:oh dear (Score:4, Insightful)
Petya = already defeated last year (Score:4, Interesting)
This ransomware has actually previously been defeated (April 2016), and a key generator tool was released:
https://www.bleepingcomputer.c... [bleepingcomputer.com]
fyi
Re:Petya = already defeated last year (Score:5, Informative)
This appears to be a new variant. No confirmation yet as to whether or not the previous decrypter still works.
https://isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/ [sans.edu]
"According to the Verge article, today's ransomware appears to be a new Petya variant called Petyawrap."
https://twitter.com/craiu/status/879692523102511104 [twitter.com]
The fast-spreading Petrwrap/Petya ransomware sample we have was compiled on June 18, 2017 according to its PE timestamp.
Re: (Score:1)
Re: (Score:2)
That's actually what Kaspersky is now saying. They're saying it's something new and have actually taken to calling it "NotPetya".
Re: (Score:2)
This ransomware has actually previously been defeated (April 2016), and a key generator tool was released:
https://www.bleepingcomputer.c... [bleepingcomputer.com]
fyi
That means it is based on or related to that malware, that does not mean all the same tools and counter measures will apply. From my experience you're probably fine if you're running a next gen AV product and if you're running traditional AV software, you may or may not have sigs yet.
Remember kids... (Score:2)
Re: (Score:2)
That's right kids, only by starving creimer of his ad revenues will that digital fungus finally leave!
Uh, no. My ad revenues have nothing to do with those image links. I'm quite serious about some of those image websites hosting viruses.
Re: (Score:2)
Link to a picture that will install a virus on my PC.
That would be extremely irresponsible.
You can't, because there's no such thing.
Probably because the link got deleted after I requested the page be taken down.
Re: (Score:2)
And no, "WannaCry" isn't it, you digital janitor.
There is a new version of WannaCry on the Internet. MalwareBytes on my Dell laptop blocked the automatic download of an executable file from a couple of Russian websites.
http://112.international/society/cyber-security-expert-part-of-virus-attacking-ukraine-could-be-used-in-wannacry-malware-18282.html [112.international]
Re: (Score:2)
Don't click on any dick pic links that appear on Slashdot. Most of those goes back to virus-infected websites.
Hell, I remember when the dick pics on Slashdot were 100% ASCII-based. And the dicks had wings, for some reason.
windows - eternal blue - SMB (Score:3)
they used windows... they did not turn off SMB 1... their own fault if they are a large company
John
Re: (Score:2)
Yeah. This is a good thing. If you're some kind of large company, or especially essential infrastructure, and some Internet thugs can hold you for ransom then it's good you find out now and fix the problem before somebody more serious comes along.
How stupid can some people be? (Score:2)
They're asking a ransom of $300 in cryptocurrency, according to Bloomberg.
AND they've hit Europe from Denmark... to Ukraine... to Russia's Rosneft. I expect them in court really soon... assuming that they're not killed resisting arrest.
Re: (Score:3)
Re: (Score:2)
I do not think it is run-off-the-mill individuals who are behind an attack of this magnitude.
The magnitude of the attack is not necessarily any more related to the qualifications and sponsorship of the originator than the magnitude of an Influenza epidemic is related to the size of the virus.
It's a self-reproducing, self-propagating system. The magnitude of its spread is an artifact of its own behavior, the distribution of the vulnerabilities it exploits, and the connectivity of the susceptable machines.
Re: (Score:2)
Close all TCP ports. Except maybe 22, if you need remote access. And if you leave it open, disable password access.
Re: (Score:2)
Re: (Score:2)
Changing the port number isn't going to protect you from much. Maybe from a little traffic from casual connection attempts.
Re: (Score:2)
but for me changing the port has reduced the root:root and similar attempts to like 1%; IMO with reduced noise you can see the credible threats if there are any.
Re: (Score:2)
Sure, it would do that. Telling ssh not to accept passwords at all lets you filter all those out as irrelevant and protects you against users (including yourself) who use or reuse easy passwords.
Plus you can consider all those login attempts as volunteering IP addresses for the blocklist.
Re: (Score:2)
Lemme guess! M$ windoze? /roflmao
How did you know? You must be some Zen Master computer hacker or something.... (Or just a script kiddy running the IIS attack from 10 years ago)
Re: (Score:3)
Because Ukraine is getting hit by far the hardest [twitter.com]? Because they've been the subject of a long string of crippling cyberattacks since the Donbas conflict broke out, including highly sophisticated attacks that took down public utilities - so naturally people assume that this is more along those lines?
That doesn't mean that this is targeted at Ukraine; it could just be coincidence. But those numbers certainly are skewed. That said, if it was from Russia, they didn't do a good job at preventing it from hitting
Re: (Score:3)
Interesting... ESET [twitter.com] has a very different distribution analysis than Kaspersky, and they show almost exclusively Ukrainian targets, with Russia moved way down the list.
i read (Score:1)
Companies running critical infrastructure on windows boxes learned they better not
Optimal ransom demand? (Score:2)
I think the hackers need to hire some ... I don't know ... would it be "actuaries" that could make a good estimate for the ransom amount that would yield the highest total payout? Perhaps they do and I don't know what I'm talking about, but I think $300 per machine must be way above optimal.
Remember supply & demand curves from econ 101? The lower the price, the greater the demand for your "decryption service". And in this case, the supplier's cost is negligible so the demand curve is all that matters
Re: (Score:3)
Demand goes infinite as the price approaches $0, and disappears as the price goes too high.
Demand will never exceed the number of machines infected - Not infinite. Lower, in fact, because a lot of victims don't have and will not create a bitcoin wallet even for a $1 ransom.
Easy solution (Score:2)
Re: (Score:2)
agreed however in a corporate environment people demand them for legacy apps... if thsts the case the system administrators should have turned off SMB version 1 a LONG time ago
either way there is no way that the companies should have a problem and this is a money spinning exercise for the AV companies who should be given very little money having not solved spam problems...
Human employment or Human Backup? (Score:1)