Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Government Privacy The Almighty Buck The Internet

The Petya Ransomware Is Starting To Look Like a Cyberattack in Disguise (theverge.com) 182

Further research and investigation into Petya ransomware -- which has affected computers in over 60 countries -- suggest three interesting things: 1. Ukraine was the epicentre of the attack. According to Kaspersky, 60 percent of all machines infected were located within Ukraine. 2. The attackers behind the attack have made little money -- around $10,000. Which leads to speculation that perhaps money wasn't a motive at all. 3. Petya was either "incredibly buggy, or irreversibly destructive on purpose." An anonymous reader shares a report: Because the virus has proven unusually destructive in Ukraine, a number of researchers have come to suspect more sinister motives at work. Peeling apart the program's decryption failure in a post today, Comae's Matthieu Suiche concluded a nation state attack was the only plausible explanation. "Pretending to be a ransomware while being in fact a nation state attack," Suiche wrote, "is in our opinion a very subtle way from the attacker to control the narrative of the attack." Another prominent infosec figure put it more bluntly: "There's no fucking way this was criminals." There's already mounting evidence that Petya's focus on Ukraine was deliberate. The Petya virus is very good at moving within networks, but initial attacks were limited to just a few specific infections, all of which seem to have been targeted at Ukraine. The highest-profile one was a Ukrainian accounting program called MeDoc, which sent out a suspicious software update Tuesday morning that many researchers blame for the initial Petya infections. Attackers also planted malware on the homepage of a prominent Ukraine-based news outlet, according to one researcher at Kaspersky. Ars Technica has more.
This discussion has been archived. No new comments can be posted.

The Petya Ransomware Is Starting To Look Like a Cyberattack in Disguise

Comments Filter:
  • Russians (Score:5, Interesting)

    by 110010001000 ( 697113 ) on Wednesday June 28, 2017 @03:50PM (#54707523) Homepage Journal
    So the Russians did it?
    • Re:Russians (Score:4, Insightful)

      by Oswald McWeany ( 2428506 ) on Wednesday June 28, 2017 @03:58PM (#54707597)

      So the Russians did it?

      They would be the logical assumption. No one gains more by destabalising Ukraine.

      • Re:Russians (Score:5, Informative)

        by skids ( 119237 ) on Wednesday June 28, 2017 @05:05PM (#54708251) Homepage

        Moreover, Russia has been engaging in a sustained cyber-warfare campaign in Ukraine, up to and including taking down the power grid and hacking cells of military personnel to gain information on troop positions. Making it look like ransomware was probably more an afterthought in hopes that paranoid firewall admins worldwide would block Ukrainian IP addresses... they really don't care that it eventually gets attributed to them.

        I rolled my eyes this morning when I heard the company of origin was in the Ukraine and was not very surprised to see this article today.

      • by Anonymous Coward

        There's a damn good chance it was perpetrated by the UK / US:

        1. Further de-stabilise Ukraine (oh well, collateral damage)
        2. MAIN GOAL: blame gets put onto Russia, placing a greater wedge between two neighbors
        3. BONUS POINTS: internationally entrenching Russia further into a pariah state

        After all: subterfuge is the name of the game.

        Heck, we'd also do it to the Chinese if we could, except they might decide to respond by dum

      • by rtb61 ( 674572 )

        What the fuck, fuckity, fuck, fuck insane bullshit are you claiming. Fucking prisons across the globe with millions of inhabitants and many of them would not only destabilise their own country to get rich, they would also rape, kill and eat you, if it would make them more powerful.

        Like all attacks it is worse in the country of origin where career criminals, who would not only destabilise their own country but kill everyone who tried to stop them, launched it. The Ukraine could not be more corrupt run by fa

    • So the Russians did it?

      Who has most to gain from russia being blamed for something petty with no gains in it for them whatsoever? I mean, what is the motive? All that is gonna cause is systems being hardened and exploitable resource being exhausted.

      Besides, if it was the russians they'd have setup a decryption system that won't get disconnected in 5 minutes after it becoming public to milk all possible cash out of it.

      • Re:Russians (Score:4, Insightful)

        by Oswald McWeany ( 2428506 ) on Wednesday June 28, 2017 @04:06PM (#54707681)

        Who has most to gain from russia being blamed for something petty with no gains in it for them whatsoever?

        No one really. No one really gains from Russia being blamed if it wasn't Russia. There is no reason to frame Russia.

        I mean, what is the motive?

        Oh, you mean, like, besides destabalising the country they are trying to stealthily reclaim, that they've already illegally stolen territory from.

        • by johanw ( 1001493 )

          To frame someone is the core buisiness of the CIA.

          • The CIA are more than capable of getting their hands dirty, wouldn't make any sense for them to attack a country they're hoping to stay independent just to make someone else randomly look bad.

            • Re: (Score:2, Informative)

              You understand the concept of Occam's RAzor, right?

              Which explanation is more parsimonious?

              1. Russia waged a damaging cyberattack on Ukraine, a country it is already effectively at war with and which it has already annexed territory from.
              2. The CIA waged a cyberattack on Ukraine, a country the United States is friendly, even allied with, causing Ukraine businesses considerable damage, to make the Russians look bad.

              I want you to tell me which explanation is the more parsimonious.

              • Russia certainly needs no help looking bad
        • > No one really gains from Russia being blamed if it wasn't Russia.

          This is incorrect. The US is attempting to pick a fight with Russia, and this is another pinprick. Why we are trying to pick this fight I do not know.

      • Re:Russians (Score:5, Insightful)

        by MightyMartian ( 840721 ) on Wednesday June 28, 2017 @04:13PM (#54707739) Journal

        You are aware, I trust, that Ukraine and Russia are effectively at war, right? Why this need for convoluted conspiracy theories when the most parsimonious explanation is that Russia waged a cyberattack on Ukraine? Maybe Russia didn't give a flying fuck whether anyone could eventually decrypt the data or not, if hte point is just to cause damage. It's like asking "Why didn't they send in the Army Corp of Engineers to rebuild the bridge they just bombed to oblivion?" answer being, they just wanted to bomb the bridge to oblivion.

        • Re: (Score:2, Troll)

          by NettiWelho ( 1147351 )

          You are aware, I trust, that Ukraine and Russia are effectively at war, right?

          So why expend your limited resource on forcing a couple of ukrainian grocery shops to re-image their cash register computers?

          Why this need for convoluted conspiracy theories when the most parsimonious explanation is that Russia waged a cyberattack on Ukraine?

          Because I know from first hand experience government lies all the fucking time.

          • by Anonymous Coward

            As anyone with a brain knows, 60% of all Ukrainian businesses includes a lot more than a few "grocery shops" having trouble with their "cash register computers", you Russian troll.

          • by Anonymous Coward

            So why expend your limited resource on forcing a couple of ukrainian grocery shops to re-image their cash register computers?

            Why hurt the Ukrainian economy when one of your primary goals for the past several years has been to hurt the Ukrainian economy?

            You're right, I can't figure that one out.

            I also can't figure out why a country that has waged one cyberattack after the next against Ukraine, basically using it as a cyberwarfare testing ground, would... launch yet another cyberattack against Ukraine.

            Also, I

          • Cyberwarfare isn't conventional warfare. It's not like you can run out of electrons. Russia has a group of hackers, and writing malware is a part of their job. When you think about how much it costs to keep the rebels armed and maintain an ununiformed Russia force in rebel areas of Ukraine, a cyberattack is so much bloody cheaper.

            As to your explanation for your bizarre conspiracy theory, that really doesn't answer the question at all. You've come up with a very convoluted conspiracy whose only defense seems

            • Meant to say:

              "Well, I don't trust them either, but I trust conspiracy theories that fail Occam's Razor *EVEN LESS*."

            • Cyberwarfare isn't conventional warfare. It's not like you can run out of electrons. Russia has a group of hackers, and writing malware is a part of their job. When you think about how much it costs to keep the rebels armed and maintain an ununiformed Russia force in rebel areas of Ukraine, a cyberattack is so much bloody cheaper.

              As to your explanation for your bizarre conspiracy theory, that really doesn't answer the question at all. You've come up with a very convoluted conspiracy whose only defense seems to be "I don't trust the three letter agencies." Well, I don't trust them either, but I trust conspiracy theories that fail Occam's Razor.

              Russia has everything to gain by destabilizing Ukraine, whether that be militarily, or via fucking up their computers. Welcome to the face of modern warfare.

              "my bizarre conspiracy theory"

              Just look at whos weapons are being used in these attacks

              "NotPetya ransomware also uses two NSA exploits leaked by the Shadow Brokers in April 2017. These are ETERNALBLUE (also used by WannaCry) and ETERNALROMANCE.""

          • You are aware, I trust, that Ukraine and Russia are effectively at war, right?

            So why expend your limited resource on forcing a couple of ukrainian grocery shops to re-image their cash register computers?

            Why this need for convoluted conspiracy theories when the most parsimonious explanation is that Russia waged a cyberattack on Ukraine?

            Because I know from first hand experience government lies all the fucking time.

            The only government lying about Russia's stance toward the Ukraine is Russia. Many independent commentators yesterday were suggesting that it appears to be a disruption campaign disguised as ransomware.

        • Re: (Score:2, Interesting)

          by edis ( 266347 )

          point is just to cause damage

          Not the only point. Days before this outbreak, I happened to read articles, plain stating, that Ukraine is a country turned by Russia into test battlefield of cyberwar (and other kinds of modern war, as per their definition, BTW). Which was proved once again. Russia flexes its muscles both in operation, in damage, and in getting away with it. The same pattern of pushing the limits where they did their dirty act, yet remain difficult to name and be punished - it repeats all over. This pattern is by now well

      • Dude, the russians messed with the election because PUTIN DISLIKES HILARY.
        They're the epitome of petty...

    • We need a new Southpark with "Blame Russia"
    • by gweihir ( 88907 )

      Likely, but the question is _which_ Russians. Do not forget that this may well be counted as "terrorism" by some metrics and states are understandably reluctant to be labelled as supporting that. My guess would be some misguided Russian "patriots" did this and the only support from Putin they have is that the Russian government will not try very hard to find them.

      • by edis ( 266347 )

        Yep, as we know by now, there are enough of "misguided Russian patriots", spending their vacations by participating in very reasonably coordinated warfare against Ukraine, that itself chose distancing.

        • by gweihir ( 88907 )

          If you count this one as "coordinated warfare", then you are out of your mind.

          • by edis ( 266347 )

            What do you say? :-) Having primary channel of distribution being chosen with quite a sophistication, effective and country-targeted, please show some respect to the buddies over there. Didn't it work well, after all? Dirty deeds, but done well.

    • As a child I read story. There was young a boy tending sheep. He loved to watch the people drop everything and scurry out to protect him and the sheep he yelled "Wolf!". It was great fun until one day he saw the wolf, cried "WOLF!", and no one came so the wolf ate him.

      Shouting "RUSSIA ATTACKS!" is a valid strategy to undermine the current US republican-dominated government and Trump specifically. The people doing this need to understand that there can be expensive and painful consequences if it turns o

  • How did the NSA go from "No Such Agency" to one that can't keep control over tools like this? What in the hell happened?
  • by Frosty Piss ( 770223 ) * on Wednesday June 28, 2017 @03:59PM (#54707605)

    I suspect that Russia's growing use of "cyber war" tactics against its enemies will eventually backfire in the political arena. They really can't expect that governments, both friend and foe, will not start to lean on them in a more forceful way. I think and all-out âoecyber warâ between a growing number of countries would be very very very bad for everyone.

    • When then president Obama was informed Russia was doing whatever it could to damage or help defeat Hillary Clinton and get Trump elected, he approved covert measures to plant cyber bombs into Russia's infrastructure [washingtonpost.com]. They would be used if the U.S. and Russia escalated the attacks on one another.

      They were still in the planning stages when Obama left office, but enough was done that the incoming president could follow up and use them, if necessary. Which was never done. After the changing of administrations

      • . After the changing of administrations, the new president promptly shelved these plans. As a goodwill gesture towards Russia, or possibly a way of saying thanks for the help.

        why not both?

      • by Mal-2 ( 675116 )

        After the changing of administrations, the new president promptly shelved these plans. As a goodwill gesture towards Russia, or possibly a way of saying thanks for the help.

        Or he said he did, with the same intentions but not the cost. I think it's more likely those plans are perhaps de-emphasized, but not completely abandoned. I don't think his Not Invented Here syndrome runs that deep.

    • by gweihir ( 88907 )

      That is why I do not think this actually is anything done officially or with official sanctioning. Putin (very much unlike Trump) is not stupid at all and does understand this game very well, because he is a long-time high-level player. His morals may be questionable, but not his smarts.

      My take is that this is some Russian "patriots" and that the only thing they will get from Putin is that the Russian authorities will not try very hard to find these criminals. That is as long as they make very sure to not t

  • The attackers behind the attack have made little money -- around $10,000. Which leads to speculation that perhaps money wasn't a motive at all.

    Slashdot yesterday [slashdot.org]

    The ransom note demands victims send bitcoin to a predefined address and contact the hacker via email to allegedly have their files decrypted. But the email company the hacker happened to use, Posteo, says it has decided to block the attacker's account, leaving victims with no obvious way to unlock their files.

    So that would take care of both point 2 and point 3

    Or are you guys just interested in perpetuating propaganda now? (Yeah I know.. silly rhetorical question...)

    • That's one way of looking at it; this is another:

      Nicholas Weaver, a security researcher at the International Computer Science Institute and a lecturer at UC Berkeley, said Petya appears to have been well engineered to be destructive while masquerading as a ransomware strain.

      Weaver noted that Petyaâ(TM)s ransom note includes the same Bitcoin address for every victim, whereas most ransomware strains create a custom Bitcoin payment address for each victim.

      Also, he said, Petya urges victims to communicate

  • Now everything is "nation-sponsored", so-called expert now throw this at everything without handing a single proof of it's claims, and sometimes not even making sense.
    • by gweihir ( 88907 )

      There are historically a lot of loud-mouths and incompetents in the IT security space. This has unfortunately not changed.

    • and sometimes not even making sense

      As a matter of interest, what part of this doesn't make sense?

  • 1. Considering (as far as I know) one of the main propagation method for Petya was through a compromise accounting software mostly used in Ukraine, it's not surprising that Ukraine was the most affected.
    2. The fact that very few people paid the ransom is completely irrelevant.
    3. I'm pretty sure most of these ransomware are made by teenagers and amateurs. Buggy malware is very common.

    So the question is, who are those "researchers" and what evidence do they have? More importantly, are those "researchers" poli

    • Re: (Score:3, Insightful)

      Because Russia would never try to screw around with the computers of a country that it has a) effectively invaded and b) already annexed a piece of its territory. Oh no, to suggest that is somehow to betray "political motivation."

      • by qaz123 ( 2841887 )
        One being able of having a motive to do something doesn't mean he did that. Not to mention there are several possible motives.
  • This sounds more like a skiddie modifying the source without understanding it and screwing up than a targeted attack. The code only damages the MFT, which is annoying but most of the time reversible. A nation state level attacker would've been much more thorough.

  • vaccine (Score:5, Insightful)

    by Rudisaurus ( 675580 ) on Wednesday June 28, 2017 @04:28PM (#54707919)
    According to BleepingComputer.com [bleepingcomputer.com], you can vaccinate against NotPetya by creating and adding 3 write-protected files to your C:\Windows folder: perfc, perfc.dat, and perfc.dll.

    Content doesn't matter but "Read-only" status does.
    • Be warned that the NotPetya read-only perfc file vaccination method only skips encryption on local system, it does not stop NotPetya from searching and infecting other systems over the network using psexec/WMIC/LSAdump. Sophos claims the psexec/WMIC/LSAdump network infection method will infect fully patched Windows 10 systems.
      • Via Sophos [sophos.com]:

        In cases where the SMB exploit fails, Petya tries to spread using PsExec under local user accounts. (PsExec is a command-line tool that allows users to run processes on remote systems.) It also runs a modified mimikatz LSAdump tool that finds all available user credentials in memory.

        It attempts to run the Windows Management Instrumentation Command-line (WMIC) to deploy and execute the payload on each known host with relevant credentials. (WMIC is a scripting interface that simplifies the us
    • Re:vaccine (Score:5, Funny)

      by 93 Escort Wagon ( 326346 ) on Wednesday June 28, 2017 @06:12PM (#54708663)

      you can vaccinate against NotPetya by creating and adding 3 write-protected files to your C:\Windows folder: perfc, perfc.dat, and perfc.dll.

      I'm royally screwed, then. Not only does my Mac not have that folder - it won't even let me create a C: drive!

      • by Anonymous Coward

        you can vaccinate against NotPetya by creating and adding 3 write-protected files to your C:\Windows folder: perfc, perfc.dat, and perfc.dll.

        I'm royally screwed, then. Not only does my Mac not have that folder - it won't even let me create a C: drive!

        You need to install Linux first.

      • That's a poor excuse. Don't let the fact that you have to run software that isn't available on other platforms stop you from using this malware. You can always run Petya in a Windows VM and share the folders back to your mac machine. You too could have the full experience.

      • you can vaccinate against NotPetya by creating and adding 3 write-protected files to your C:\Windows folder: perfc, perfc.dat, and perfc.dll.

        I'm royally screwed, then. Not only does my Mac not have that folder - it won't even let me create a C: drive!

        Typical Mac user. Sheesh. Any semi-competent Linux user would tell you to install Wine (or buy Cider) first. At least us Linux users do not expect our hands to be held all the time. ;)

        • Typical Mac user. Sheesh. Any semi-competent Linux user would tell you to install Wine (or buy Cider) first. At least us Linux users do not expect our hands to be held all the time. ;)

          Hey, good point. But I couldn't get it to run in a Crossover Wine bottle either, though. However I have filed a bug report with Codeweavers, and I've up-voted Petya as well... so hopefully soon I can join the fun!

  • The reason the individuals behind the attack didn't make money and all those customers are hosed is because the email address was blocked by the email provider. That was confirmed yesterday. The rest is speculation and hyperbole by idiots without a clue.

    Basically this is what happened: some idiot got their hands on some code, thought he was going to get rich and got immediately blocked by taking out his communication. The "attack" was poor because the criminals are idiots.

    • by MightyMartian ( 840721 ) on Wednesday June 28, 2017 @05:19PM (#54708365) Journal

      How was the attack poor? Sure, they didn't make any money, but they fucked up a lot of Ukraine businesses. Mission accomplished, I'd say.

      • by guruevi ( 827432 )

        They didn't get paid, the entire premise of the ransomware failed because they chose an e-mail provider that decided they wouldn't support them. The goal wasn't to fuck anything up, it was to ransom the data and hope a portion of their "victims" didn't have a good backup plan and paid up.

        The businesses technically fucked themselves by a series of bad decisions, first of all, not having backups, not having a competent IT person, running (unpatched) Windows on public systems and/or blindly installing some sof

  • Cyberattack? Not really. People have already forgotten that the ISP responsible for receiving emails of people desiring to pay the ransom was BLOCKED by the ISP so nobody could pay. This accounts in large part for why the hackers (wherever and whoever they are) didn't collect much money. Anyway, what with all the cyber attacks and ransomware going around I'm still amazed that after all this time, those machines infected STILL HAVE NOT upgraded their OS. It sure pays to do so. But what do I know---I'm n
    • Blocking the email would not have blocked payments. Victims were supposed to notify them of the transaction numbers after via email. Also it rekt the MFT table.
      • by shubus ( 1382007 )
        Agreed! If the victims couldn't email those guys then they'd never get the keys to unlock their files. I do wonder if anyone ever got their unlock keys.
  • Malware that flows around the internet and infects random nations?
    No security service or nation would allow their own side, nation, interests to be at any risk from random malware.
    Malware thats in the wild doing stuff to a lot of nations is not a national cyber event.
    Its just malware and a slow news day.
    Read up on how nations really consider and use their cyber assets. Nations take care to ensure the system, user or server is the only thing thats accessed.

    Lets do some reading
    The Inside Story of How
  • It was Ukrainian cybercriminals who wanted to make money but failed to do that because their email was blocked: http://www.news.com.au/technol... [news.com.au] The reason Ukraine was the epicenter of the attack was because the criminals was from Ukraine and therefore had better access to Ukrainian targets or knew them better
  • http://www.bbc.com/news/techno... [bbc.com]

    The tax software's update mechanism got compromised.

    Mikko Hypponen, a security expert at F-Secure, is saying - "If you do business in Ukraine, the software (MEDoc) appears to be de facto,"

    Microsoft is saying : "Active infections of the ransomware initially started from the legitimate MEDoc update process,"

  • I thought there were lots of reports of infections in Russia? Seems like a dangerous move.

    But in general I think Russia's flagrant hacking is really going to come back to bite them. I believe the US is much better at this than Russia. And even if you disagree with that, I don't think any reasonable person would disagree that the US plus its major allies (ie Canada, UK, Germany, etc) are vastly better at this.

    I think the only argument you could make is, well they're already attacking Russia and now
  • If this was an attack on the Ukraine, it was almost certainly launched by Russia, who would not want Kaspersky to reveal that it was an attack. Yet they have. So I'm guessing that the DoJ investigation isn't going to find that Kaspersky is working for Russia. Except for selling them software.
  • As I read on Krebs' site, the stupid malware, unlike other malware that generates a unique email to arrange payment, used one, and only one email address. On finding this, the German ISP that the email was on blocked the email.

    The result was that if you *wanted* to pay, you couldn't contact the scum to do so.

    No, it was some wannabee idiot(s) who put it out there. And I'm still expecting them in court really soon... or "killed resisting arrest", since it sure seemed like Rosneft (that's the Russian mostly st

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...