Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Businesses Privacy The Almighty Buck

Ukrainian Banks, Electricity Firm Hit by Fresh Cyber Attack; Reports Claim the Ransomware Is Quickly Spreading Across the World (vice.com) 109

A massive cyber attack has disrupted businesses and services in Ukraine on Tuesday, bringing down the government's website and sparking officials to warn that airline flights to and from the country's capital city Kiev could face delays. Motherboard reports that the ransomware is quickly spreading across the world. From a report: A number of Ukrainian banks and companies, including the state power distributor, were hit by a cyber attack on Tuesday that disrupted some operations (a non-paywalled source), the Ukrainian central bank said. The latest disruptions follow a spate of hacking attempts on state websites in late-2016 and repeated attacks on Ukraine's power grid that prompted security chiefs to call for improved cyber defences. The central bank said an "unknown virus" was to blame for the latest attacks, but did not give further details or say which banks and firms had been affected. "As a result of these cyber attacks these banks are having difficulties with client services and carrying out banking operations," the central bank said in a statement. BBC reports that Ukraine's aircraft manufacturer Antonov, two postal services, Russian oil producer Rosneft and Danish shipping company Maersk are also facing "disruption, including its offices in the UK and Ireland."

According to local media reports, the "unknown virus" cited above is a ransomware strain known as Petya.A. Here's how Petya encrypts files on a system (video). News outlet Motherboard reports that Petya has hit targets in Spain, France, Ukraine, Russia, and other countries as well. From the report: "We are seeing several thousands of infection attempts at the moment, comparable in size to Wannacry's first hours," Costin Raiu, a security researcher at Kaspersky Lab, told Motherboard in an online chat. Judging by photos posted to Twitter and images provided by sources, many of the alleged attacks involved a piece of ransomware that displays red text on a black background, and demands $300 worth of bitcoin. "If you see this text, then your files are no longer accessible, because they are encrypted," the text reads, according to one of the photos. "Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."
This discussion has been archived. No new comments can be posted.

Ukrainian Banks, Electricity Firm Hit by Fresh Cyber Attack; Reports Claim the Ransomware Is Quickly Spreading Across the World

Comments Filter:
  • by Big Hairy Ian ( 1155547 ) on Tuesday June 27, 2017 @09:37AM (#54698271)
    Say no more
    • Re:Backup/Restore (Score:5, Insightful)

      by 93 Escort Wagon ( 326346 ) on Tuesday June 27, 2017 @09:52AM (#54698337)

      Disconnected backup/restore.

      These sorts of malware are perfectly capable of encrypting a connected external or network drive.

      • Re:Backup/Restore (Score:5, Interesting)

        by Rei ( 128717 ) on Tuesday June 27, 2017 @10:02AM (#54698385) Homepage

        Something I was just thinking about the other day, when considering btrfs for a new install rather than ext4... wouldn't a filesystem that allows for periodic snapshotting offer some defense against ransomware, so long as the ransomware doesn't run with the privilege to delete snapshots? So it starts encrypting your files... then runs out of disk space due to all of the changes it's made since the last snapshot, becomes stuck, and all the user has to do is restore from the last snapshot.

        Seems like some relatively low hanging fruit to help combat a relatively major problem. Or am I missing something?

        • by Anonymous Coward

          Yep. You can also use ZFS for this to combat exactly the same issue.

          With disk being so cheap anymore, if you know Linux you should have at least a RAID1 (ZFS RAID10 is better, and easier to grow) storage system going, and doing full bare-metal backups of everything you care about at least once a week. As well as doing test bare-metal restores to a VM once a month or so to make sure.

          • Re:Backup/Restore (Score:5, Informative)

            by JaredOfEuropa ( 526365 ) on Tuesday June 27, 2017 @11:46AM (#54699133) Journal
            Careful with just doing mirrors and/or rotating snapshots / tapes: by the time the ransomware reveals itself, your backup process may already have cheerfully overwritten your files in backup with encrypted versions.
            • Re:Backup/Restore (Score:5, Informative)

              by KiloByte ( 825081 ) on Tuesday June 27, 2017 @04:28PM (#54701021)

              That's why you don't just rotate the snapshots, you organize them into tiers.

              For example, the setup I use is: I keep yearlies, monthlies, 1-11-21th day of month, dailies, and (for two machines) 3-hourlies. Yearlies and monthlies don't expire other than manually, others keep 10 of their kind.

              If you use btrfs on the backup machine -- with dedupe and compression -- all of this takes surprisingly little space compared to other forms of backup, yet any individual snapshot is available straight as a mounted filesystem, without any extra steps.

              Obviously most machines have pull backups: since root privs are needed, it's the backup machine that can control the backupees.

              I also have disconnected backups, although I haven't automated that yet.

              • Yeah, the beginning of time, yearly, monthly, weekly, daily, hourly, helps immensely. Never used dedupe though. Also, you NEED some kind of alerting. Otherwise, you're at the mercy of human detection, which is insurmountably ignorant of old data.
          • This right here. Saved my bacon so many times.Clients don't like missing emails, so they like getting spam and actually OPEN the files. Good thing we had configured a regex alert whenever one of those files were created. Saved a lot of hours of recovery.
    • Re: Backup/Restore (Score:2, Insightful)

      by Anonymous Coward

      Would have been nice if some government agency had found vulnerabilities, they would have tipped off the vendors to patch them. Only sociopaths would have failed to improve the world by trying to use them for their own benefit.

      • by phayes ( 202222 )

        Write a letter to Putin@thekremlin.ru thanking his hackers for their thoughtful repackaging of the zero days the NSA released to Microsoft etc when they learned that the tools/0days were going to be released publicly. It was a few months before the "patriotic" hackers released the NSA tools.

      • by Megol ( 3135005 )

        Several failings in that post. TLA finds vulnerabilities because they search for them, they search for them to be able to do their job. Their job is to protect their country and by extension the people. Not doing their job would mean the agency is useless.
        You also don't understand what sociopaths are about. It is a mental disease/condition. It isn't a placeholder for "something I do not agree with" any more than nazi/fascist/left/right etc. It is also something a person can have - not an organization.

        You do

    • Also, detection? According to the news, none of the regular virus scanners are detecting this new variant, and of course once they are able to detect this one (WannaCry is now reliably detected) the next variant is released into the wild. But any process that scans for known vulnerable services should be suspect, as should any process that reads and then modifies a large number of files, especially in locations like the user folder.
    • Big Hairy Ian: Is, uh,...Is your computer a goer, eh? Know whatahmean, know whatahmean, nudge nudge, know whatahmean, say no more?

      Us: I, uh, I beg your pardon?

  • BBC Report (Score:4, Informative)

    by Big Hairy Ian ( 1155547 ) on Tuesday June 27, 2017 @09:40AM (#54698279)
  • by Anonymous Coward on Tuesday June 27, 2017 @09:40AM (#54698281)
    Slashdot editors receive a lot of flak when they run dupes, or miss out on good stories. But this story about the ongoing cyber attack is literally the only one that makes sense - and I have read FT, NYT, and WSJ copies. Insightful summary, and perfectly stitched together. Kudos.
    • Holy sheep, /. editors doing their job? Has Hell frozen over? Is Linux on more devices then Windows?

    • by goombah99 ( 560566 ) on Tuesday June 27, 2017 @10:32AM (#54698589)

      Seems like the story is missing a key piece of information

      • by ceoyoyo ( 59147 )

        Nah. If it were anything other than Windows the summary would have gleefully declared it.

      • I had the same question. Everything I can find shows it being Windows XP, or maybe 2k.

        Still running a 15 year old insecure by design, unpatched, unsupported OS? Good luck with that.

    • by Cederic ( 9623 )

      For all your cynical IT news needs : https://www.theregister.co.uk/... [theregister.co.uk]

  • Freshness is important. I like my strawberries fresh.

  • it's not a fucking cyber attack if the secretary opens an attachement called picture.exe
  • by AdamD1 ( 221690 ) <adam&brainrub,com> on Tuesday June 27, 2017 @10:06AM (#54698405) Homepage

    This ransomware has actually previously been defeated (April 2016), and a key generator tool was released:

    https://www.bleepingcomputer.c... [bleepingcomputer.com]

    fyi

  • Don't click on any dick pic links that appear on Slashdot. Most of those goes back to virus-infected websites.
  • by johnjones ( 14274 ) on Tuesday June 27, 2017 @10:14AM (#54698469) Homepage Journal

    they used windows... they did not turn off SMB 1... their own fault if they are a large company

    John

    • by ceoyoyo ( 59147 )

      Yeah. This is a good thing. If you're some kind of large company, or especially essential infrastructure, and some Internet thugs can hold you for ransom then it's good you find out now and fix the problem before somebody more serious comes along.

  • They're asking a ransom of $300 in cryptocurrency, according to Bloomberg.

    AND they've hit Europe from Denmark... to Ukraine... to Russia's Rosneft. I expect them in court really soon... assuming that they're not killed resisting arrest.

    • by Max_W ( 812974 )
      I do not think it is run-off-the-mill individuals who are behind an attack of this magnitude.
      • I do not think it is run-off-the-mill individuals who are behind an attack of this magnitude.

        The magnitude of the attack is not necessarily any more related to the qualifications and sponsorship of the originator than the magnitude of an Influenza epidemic is related to the size of the virus.

        It's a self-reproducing, self-propagating system. The magnitude of its spread is an artifact of its own behavior, the distribution of the vulnerabilities it exploits, and the connectivity of the susceptable machines.

  • by Anonymous Coward

    Companies running critical infrastructure on windows boxes learned they better not

  • I think the hackers need to hire some ... I don't know ... would it be "actuaries" that could make a good estimate for the ransom amount that would yield the highest total payout? Perhaps they do and I don't know what I'm talking about, but I think $300 per machine must be way above optimal.

    Remember supply & demand curves from econ 101? The lower the price, the greater the demand for your "decryption service". And in this case, the supplier's cost is negligible so the demand curve is all that matters

    • by gnick ( 1211984 )

      Demand goes infinite as the price approaches $0, and disappears as the price goes too high.

      Demand will never exceed the number of machines infected - Not infinite. Lower, in fact, because a lot of victims don't have and will not create a bitcoin wallet even for a $1 ransom.

  • Don't run Windows!!! Christ, how many critical pieces of infrastructure are built around the most insecure OS in history? Wake up, people!!
    • agreed however in a corporate environment people demand them for legacy apps... if thsts the case the system administrators should have turned off SMB version 1 a LONG time ago

      either way there is no way that the companies should have a problem and this is a money spinning exercise for the AV companies who should be given very little money having not solved spam problems...

           

  • Maybe I'm wrong, but a lot of problems could be stopped by humans, or human intervention. As far as I know they aren't cyborgs yet, and are still immune to digital viruses. Sure you might spend a few bucks more on a human, but I see advantages to doing this.

No spitting on the Bus! Thank you, The Mgt.

Working...