Global ransomware attack [Petya, er, NotPetya] causes turmoil

Started by rmstock, June 28, 2017, 12:57:09 PM


rmstock


The Ukrainian government appears to be among the worst hit by a new ransomware virus that struck across Europe on Tuesday (pictured, a supermarket in Kharkov)
Cyber attack hits CHERNOBYL radiation system: 'Goldeneye' ransomware strikes across the globe, with US drug firm Merck, advertising giants WPP and Ukrainian power grid among victims
* New ransomware attack hit computers around the globe on Tuesday
* Ukraine is worst hit so far, with Chernobyl radiation monitoring system affected
* Country's deputy leader said all computers are down in 'unprecedented' attack
* Companies in UK, US, France, Norway, Denmark have also confirmed issues 
* IT experts dubbed new virus GoldenEye and say it is similar to 'WannaCry'

By CHRIS PLEASANCE and SCOTT CAMPBELL FOR MAILONLINE
PUBLISHED: 15:02 BST, 27 June 2017 | UPDATED: 11:36 BST, 28 June 2017
http://www.dailymail.co.uk/news/article-4643752/Europe-hit-new-WannaCry-virus.html

  "Hackers have unleashed a major cyber attack causing huge disruption to
   companies and governments across the globe including in the UK, US and
   Russia.
   
   The Petya ransomware hijacks victims' computers before encrypting their
   files and holding them hostage until a fee is paid.
   
   Chernobyl's radiation monitoring system has been hit by the attack with
   its sensors shut down while UK advertising giant WPP, the largest
   agency in the world, among dozens of firms affected.
   
   The ransomware appears to have been spread through popular accounting
   software and specifically targeted at bringing down business IT systems.
   
   The outage began in Ukraine as the country's power grid, airport,
   national bank and communications firms were first to report problems,
   before it spread rapidly throughout Europe.
   
   Companies in the US, Germany, Norway, Russia, Denmark and France are
   among those to have confirmed issues so far.
   
   
    Users are being shown a message saying their data has been encrypted,
   with some asking for £300 in anonymous currency Bitcoin to retrieve it
   (pictured, an ATM in Ukraine)


   It comes just weeks after the WannaCry attack which paralysed the NHS
   and left hundreds of thousands of users around the world unable to
   access their data.
   
   More than 200,000 victims in 150 countries were infected by that
   software, which originated in the UK and Spain last month, before
   spreading globally.
   
   But cyber security experts have warned that this time the virus is much
   more dangerous because it has no 'kill switch' and is designed to
   spread rapidly through networks.
   
   Marcus Hutchins, who foiled the previous WannaCry attack by discovering
   a way to stop it from infecting new computers, told MailOnline that
   even if users pay the fee their files could now be lost forever.
   
   Rozenko Pavlo, the Ukrainian deputy Prime Minister, tweeted this image
   of his computer screen - saying 'all computers of the government' had
   been affected

   
   He said: 'The company that hosts the email account which the ransomware
   asks you to contact has closed the account. There's no way to get files
   back.
   
   'It's early days - we don't know if we can find a fix yet. But if it's
   decryptable we will find a way.'
   
   Hutchins, 22, continued: 'Everyone's looking at this right now and I'm
   working with other researchers.
   
   'I was just praying it wasn't the Wannacry exploit again. Ideally we'll
   have to find a way to decrypt the files or else people are not going to
   get them back.'
   
   The ransomware targets computers using the Windows XP operating system
   which have not installed the latest security updates released by
   Microsoft.
   
   
   Marcus Hutchins, pictured, foiled the previous WannaCry attack by
   discovering a way to stop it from infecting new computers

   
   Experts fear that could mean major infrastructure such as healthcare
   systems and power networks using archaic technology will be the worst
   affected.
   
   One security researcher going by the name BleepingComputer told
   MailOnline that x-ray machines and other critical medical devices could
   be deactivated in hospitals, adding: 'We're going to see wide-scale
   damage.'
   
   He continued: 'The biggest computers that may have an issue are those
   running old legacy hardware or software systems such as healthcare and
   control systems for industrial services.
   
   'Things like that that are running on archaic operating systems simply
   because they don't have the ability to upgrade.
   
   'There was a power plant infected by this which is really scary because
   those are the most vulnerable types of systems.'
   
   Russia's Rosneft oil company and steel firm Evraz, Danish shipping
   giant A.P. Moller-Maersk, and global law firm DLA Piper confirmed
   issues, along with French industrial group Saint-Gobain.
   
      What is GoldenEye?
     
      IT experts have dubbed the new virus GoldenEye, and say it appears to
      be a more-potent version of ransomware that started circulating
      recently.
     
      GoldenEye is in turn a variant of even older code called Petya, which
      scrambles files on computer's hard drive, requiring a code to unlock it.
     
      Petya is particularly effective because, rather than scrambling files
      one by one, it blocks access to a whole hard drive in one go, analyst
      hasherezade wrote previously.
     
      Another analyst, Bogdan Botezatu, told ABC that GoldenEye is a
      'worm'-type virus, spreading from machine to machine automatically,
      with no need for human interaction.
     
       'It's like somebody sneezing into a train full of people,' said
      Botezatu. 'You just have to exist there and you're vulnerable.'
     
      Others said GoldenEye appears to be exploiting the same Windows
      weakness used by WannaCry in order to spread itself rapidly.
   
   
   Radiation checks at the Chernobyl nuclear disaster site in Ukraine were
   being carried out manually after the wave of cyber attacks.
   
   A spokesman said: 'Due to the temporary disconnection of Windows
   systems, radiation monitoring of the industrial site is being carried
   out manually.'
   
   Rozenko Pavlo, Ukraine's deputy Prime Minister, posted an image of his
   locked computer, saying 'all computers of the government' had fallen
   victim to the virus.
   
   An image he uploaded shows a black screen covered in white text which
   warns that 'one of your disks contains errors and needs to be repaired'.
   
   The screen also warns not to turn the computer off otherwise all data
   will be lost.
   
   He called the attack 'unprecedented', though said vital services would
   not be affected.
   
   Another screen with red text warns that files on the computer have been
   encrypted and will only be released if a payment of £300 in anonymous
   online currency Bitcoin is made.
   
   Oleksandr Turchynov, head of Ukraine's national security council,
   immediately pointed the finger at Moscow, saying: 'Already on first
   analysis it is possible to talk of Russian fingerprints.'
   
   Anders Rosendahl, a spokesman for Copenhagen-based AP Moller-Maersk,
   said: 'We are talking about a cyberattack.'
   
   'It has affected all branches of our business, at home and abroad.' 
   
   
   WPP, the world's largest advertising firm based in London, confirmed
   that it had also fallen victim to the new virus

   
   There's very little information about who might be behind the
   disruption, but technology experts who examined screenshots circulating
   on social media said it bears the hallmarks of ransomware.
   
   Cyber security expert Daniel Gallagher told MailOnline: 'We are still
   in the early stages of determining the scope of impact, though there
   are indications that it is rapidly spreading.
   
   'I think we will see a different kind of impact, since Wannacry had the
   side effect of forcing a lot of locations to patch their computers.
   
   'The areas we will likely see impacted could be some of the worst
   though.
   
   'They will be the locations that for some reason or another could not
   afford to patch in a timely manner.
   
   
   The virus is similar in nature to the 'WannaCry' bug that hit computers
   around the world last month, and is thought to have originated in North
   Korea

   
   'Places that may have industrial controls or other critical
   infrastructure that can't easily be taken offline to upgrade.'
   
   Such viruses hold data to ransom, scrambling it until a payment is
   made, usually requesting virtual currency Bitcoin because it cannot be
   traced to a user.
   
   The world is still recovering from a previous outbreak of ransomware,
   called WannaCry or WannaCrypt, which spread rapidly using digital
   break-in tools originally created by the U.S. National Security Agency
   and recently leaked to the web.
   
   While experts cannot definitively say where that attack originated,
   information hidden in the code used to run it pointed to the
   involvement of North Korea.
   
      WannaCry: The previous cyber attack that crippled the world
     
      What is ransomware?
     
      Ransomware is a type of malicious software that criminals use to attack
      computer systems.
     
      Hackers often demand the victim to pay ransom money to access their
      files or remove harmful programs.
     
      The aggressive attacks dupe users into clicking on a fake link –
      whether it's in an email or on a fake website, causing an infection to
      corrupt the computer.
     
      In some instances, adverts for pornographic websites will repeatedly
      appear on your screen, while in others, a pop-up will state that a
      piece of your data will be destroyed if you don't pay.
     
      In the case of the NHS attack, the ransomware used was called Wanna
      Decryptor or 'WannaCry' Virus.
     
     
   
      What was the WannaCry virus?
     
      The WannaCry virus targets Microsoft's widely used Windows operating
      system.
     
      The virus encrypts certain files on the computer and then blackmails
      the user for money in exchange for the access to the files.
     
      It leaves the user with only two files: Instructions on what to do next
      and the Wanna Decryptor program itself.
     
      When opened the software tells users that their files have been
      encrypted and gives them a few days to pay up or their files will be
      deleted.
     
      It can quickly spread through an entire network of computers in a
      business or hospital, encrypting files on every PC.
     
      How to protect yourself from ransomware
     
      Thankfully, there are ways to avoid ransomware attacks, and Norton
      Antivirus has compiled a list of prevention methods:
     
      1. Use reputable antivirus software and a firewall
     
      2. Back up your computer often
     
      3. Set up a popup blocker
     
      4. Be cautious about clicking links inside emails or on suspicious
      websites
     
      5. If you do receive a ransom note, disconnect from the Internet
     
      6. Alert authorities
   
   Britain's National Cyber Security Centre blamed the attack on the
   Lazarus Group, a gang of hackers in the employ of Kim Jong-un's regime.
   
   Pieces of code used in the WannaCry virus were identical to those used
   in previous attacks by the Lazarus Group, such as the Sony Pictures
   hack, analysts said.
   
   Time stamps contained within the code also seemed to suggest it
   originated in North Korea's timezone.
   
   However, it is possible that another, as-yet unidentified group was
   able to get hold of the code behind previous North Korea hacks, copied
   it, and is now using it for its own nefarious purposes.
   
      How attackers are holding the world to ransom
     
      Rosneft
     
      Russia's top oil producer said its servers had been hit by a
      large-scale cyber attack but its oil production was unaffected.
     
      Maersk
     
      The Danish shipping giant, which handles one out of seven containers
      shipped globally, said a cyber attack had caused outages at its
      computer systems across the world.
     
      Maersk's port operator APM Terminals was also hit. 17 shipping
      container terminals run by APM Terminals had been hacked, including two
      in Rotterdam and 15 in other parts of the world. Staff at the firm's
      Maidenhead office were sent home this afternoon.
     
      WPP
     
      The world's biggest advertising company - which is based in Britain -
      said computer systems within several of its agencies had been hit by a
      suspected cyber attack.
     
      Merck
     
      The pharmaceutical company said in a tweet its computer network was
      compromised as part of a global hack.
     
      Russian banks
     
      Russia's central bank said there had been 'computer attacks' on Russian
      banks and that in isolated cases their IT systems had been infected.
     
      All Russian branches of the Home Credit consumer lender are closed
      because of a cyber attack, an employee of a Home Credit call centre in
      Russia said.
     
      Ukrainian banks and power grid
     
      A number of Ukrainian banks and companies, including the state power
      distributor, were hit by a cyber attack that disrupted some operations,
      a spokesman said.
     
      Ukraine's international airport
     
      Yevhen Dykhne, director of the capital's Boryspil Airport, said it had
      been hit. 'In connection with the irregular situation, some flight
      delays are possible,' Dykhne said in a post on Facebook.
     
      Saint Gobain
     
      The French construction materials company said it had been a victim of
      a cyber attack and it had isolated its computer systems to protect data.
     
      Deutsche Post
     
      The German postal and logistics company said systems of its Express
      division in the Ukraine have in part been affected by a cyber attack.
     
      Metro
     
      The German firm said its wholesale stores in the Ukraine had been hit
      by a cyber attack and the retailer was assessing the impact.
     
      Mondelez International
     
      The food company said employees in different regions were experiencing
      technical problems but it was unclear whether this was due to a cyber
      attack.
     
      Evraz
     
      The Russian steelmaker said its information systems had been hit by a
      cyber attack but its output was not affected.
     
      Norway
     
      A ransomware cyber attack is taking place in Norway and is affecting an
      unnamed international company, the Nordic country's national security
      authority said.
   
   Read more:
   hasherezade (@hasherezade) on Twitter
   New cyberattack causes mass disruption in Europe - ABC News
   


   
https://twitter.com/Spy_Stations/status/879684814676295681

Security
Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide
This isn't ransomware – it's merry chaos
By Iain Thomson in San Francisco 28 Jun 2017 at 03:19
https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware/

Security
Huge ransomware outbreak spreads in Ukraine and beyond
Petya or cattle?
By John Leyden 27 Jun 2017 at 14:48
https://www.theregister.co.uk/2017/06/27/ransomware_outbreak_hits_ukraine/

27 JUN 2017 NEWS
Ukraine Businesses Hit by Petya Ransomware
Dan Raywood Contributing Editor, Infosecurity Magazine
https://www.infosecurity-magazine.com/news/ukraine-businesses-petya-ransomware/

Technology
Global ransomware attack causes turmoil
28 June 2017
From the section Technology
http://www.bbc.com/news/technology-40416611

Schroedinger's Pet(ya)
By GReAT on June 27, 2017. 6:57 pm
https://securelist.com/schroedingers-petya/78870/

``I hope that the fair, and, I may say certain prospects of success will not induce us to relax.''
-- Lieutenant General George Washington, commander-in-chief to
   Major General Israel Putnam,
   Head-Quarters, Valley Forge, 5 May, 1778

rmstock


What is Petya Ransomware and how does it spread?
by Lawrence Systems / PC Pickup , Published on Jun 28, 2017
https://www.youtube.com/watch?v=YJgY2RhHwLg
  "What is Petya Ransomware and how does it spread?
   GitHub Link
   https://gist.github.com/vulnersCom/65...
   Fireeye Link
   https://www.fireeye.com/blog/threat-r... "


rmstock

Some claim it's a hoax, but it's not:

08:49:
  "What some super smart guys at Microsoft already have determined is
   that there is the EternalBlue and DoublePulsar backdoor built into this
   particular binary [petya.dll] already. Albeit the data is actually
   encoded, it's actually XOR-ed, using a particular key, it's a single
   byte key of cc in hex and that is to evade anti-virus detection for
   this signature of DoublePulsar and the presence of EternalBlue. So
   again super smart guys have written a script in either pro which can
   decode the code and un-XOR it, for giving a better word, in order to
   actually prove that point, which take for granted what we know within
   the security community that it's the same propagation method that's being
   employed to distribute this malware, the same as WannaCry was indeed."



Quick Behavioural Analysis of Petya / Petrwrap Ransomware
by Colin Hardy , Published on Jun 27, 2017
https://www.youtube.com/watch?v=vtDgA_aasfc
  "Here I show you some very quick analysis of Petya / Petrwrap Ransomware
   in my malware lab. This is being distributed and propagating using
   EternalBlue / DoublePulsar which is very similar to the WannaCry
   ransomware recently observed.

   Sample information:
   MD5: 71b6a493388e7d0b40c83ce903bc6b04
   SHA1: 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

   Follow me on twitter:
   https://twitter.com/cybercdh

   Protect yourself:
   Patch your Windows Systems!
   Make sure you have offsite backups!
   Get an Incident Response plan :)

   Useful further technical information:
   https://t.co/YeDNDlOzR5 "

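As an added defender's illustration of the check the transcript above describes (this is not the video's script nor the one written at Microsoft; the PE DOS-stub string used as the plaintext marker and the constructed sample buffer are my own choices), the Python below brute-forces every single-byte XOR key against a buffer, reports where the marker appears encoded, and carves the decoded image back from its 'MZ' header:

```python
# Present in the DOS stub of practically every PE file, so it is a handy
# plaintext marker for spotting a hidden, XOR-encoded executable.
PE_DOS_STUB = b"This program cannot be run in DOS mode"
MZ = b"MZ"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def find_xor_encoded_marker(blob: bytes, marker: bytes = PE_DOS_STUB):
    """Return (key, offset) pairs where marker appears XOR-encoded with a
    single-byte key. Key 0 means the marker is present in clear text.
    Rather than decoding the whole blob 256 times, encode the short marker
    with each candidate key and search the raw blob for that needle."""
    hits = []
    for key in range(256):
        needle = xor_bytes(marker, key)
        start = 0
        while (pos := blob.find(needle, start)) != -1:
            hits.append((key, pos))
            start = pos + 1
    return hits


def carve_pe(blob: bytes, key: int, marker_offset: int):
    """Walk back from the encoded marker to the nearest XOR-encoded 'MZ'
    header and return the decoded bytes from there to the end of the blob
    (the true image length would come from parsing the PE headers)."""
    start = blob.rfind(xor_bytes(MZ, key), 0, marker_offset)
    if start == -1:
        return None
    return xor_bytes(blob[start:], key)


def build_constructed_sample() -> bytes:
    """Constructed test input, not a real sample: 72 bytes of innocuous
    carrier data, then a fake PE stub XOR-ed with 0xCC (the key named in
    the transcript), then a little trailing padding."""
    carrier = b"\x00" * 32 + b"harmless host bytes " * 2
    fake_pe = MZ + b"\x90" * 62 + PE_DOS_STUB + b"\x00" * 16
    return carrier + xor_bytes(fake_pe, 0xCC) + b"\xff" * 8


def triage(blob: bytes):
    """Locate hidden PE images in blob and return [(key, carved_bytes)]."""
    found = []
    for key, off in find_xor_encoded_marker(blob):
        if key == 0:
            continue  # clear-text PE: nothing hidden, nothing to decode
        carved = carve_pe(blob, key, off)
        if carved is not None:
            found.append((key, carved))
    return found


if __name__ == "__main__":
    for key, image in triage(build_constructed_sample()):
        print(f"key=0x{key:02x} header={image[:2]!r} size={len(image)}")
```

A carved image can then be hashed and compared against published indicators, or scanned with the same signatures that the XOR layer was meant to hide from.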

rmstock

DAHBOO77 has some very interesting geo political information
for who is behind this attack. The Dutch Prime Minister Mark Rutte
in a criminal fashion ignored the outcome of a Dutch referendum
to reconsider the Association Agreement with the Ukraine, and still signed
off on free visas for the Ukraine into the Netherlands, even strong arming
the upper chamber (Eerste Kamer) where Dutch senators were forced to have it ratified recently.


MAJOR 'PETYA' RANSOMWARE CYBER ATTACK GOES GLOBAL
by DAHBOO77 , Published on Jun 27, 2017
https://www.youtube.com/watch?v=OqZo-3Mh4PA
  "The US-based division of the global pharmaceutical giant Merck has been
   hit by the 'Petya' ransomware attack that has crippled computer systems
   across the world on Tuesday.
   "We confirm our company's computer network was compromised today as
   part of global hack," Merck said in a statement on Tuesday. "Other
   organizations have also been affected. We are investigating the matter
   and will provide additional information as we learn more."

   Learn More:
   https://www.rt.com/usa/394294-ransomw...

   http://www.zerohedge.com/news/2017-06...

   http://www.zerohedge.com/news/2017-06...  "


rmstock

The following is super duper cooked up stuff to me, but to some `initiated'
crock killers, the finga prints of masonry are all over the place :


Petya Global Ransomware Hoax Coded 7 33 Freemasonry
by Johnny SuperTramp 2 , Published on Jun 27, 2017
https://www.youtube.com/watch?v=LCSul6OUyg8
  "WannaCry and Petya are the same hand and it has freemasonry all over
   it, as a coded hoax."

