Windows 10: New global ransomware attack hits East Europe and spreading

Discussion in 'AntiVirus, Firewalls and System Security' started by AndreTen, Jun 26, 2017.

  1. Smiley1 Win User

    Forgive me if this is a silly question, but how does the malware get into one's computer? Infected executable attachment, drive-by download, download via malicious link in an email...?
     
    Smiley1, Jun 27, 2017
    #31
  2. dencal Win User

    In this particular case it appears to have infiltrated a software update.
     
    dencal, Jun 27, 2017
    #32
  3. AndreTen Win User
    Think it was a document file (rtf) pretending that it came from a government office. Dencal is right... file pretending to be a software update...

    After the first computer in your local network is infected, there is no need to open anything: if computers are not updated, malicious code will infect any vulnerable system without the user interfering. This code is more advanced - it would detect any saved passwords and propagate through network shares, etc.
     
    AndreTen, Jun 27, 2017
    #33
  4. Tony K Win User

    Thanks for that, dencal. I was wondering the same. In researching, I see somewhat as to how it’s spreading. Via the Malwarebytes article cited above:

    Petya-esque ransomware is spreading across the world - Malwarebytes Labs | Malwarebytes Labs

    Also linked in that article:

    https://www.forbes.com/sites/thomasb.../#5b40a4b73c8b

    Hmm. George Soros area/territory. *Think

    Of course EternalBlue is donated by our lovely NSA via getting hacked. Shouldn’t be creating such software in the first place. *sarc

    EternalBlue - Wikipedia

    It’s good to see you seek the motive. That’s the key.

    Yes, it is scary. War Games flick coming to pass perhaps?

    Perhaps the ultra-rich globalists crippling economies and/or creating scare tactics to ultimately gain control over the free Internet. And no, I don’t wear a tinfoil hat. Globalization is a real movement and has been for quite some time. In fact since towards the end of the Industrial Age.

    Here's the start of it in the US. Then onto the World Bank. Control your money via debt = Control all.

    Federal Reserve System, Jekyll island, History, Aldrich Plan, J. Pierpont Morgan, Historical, Dr. A. Piatt Andrew, Henry P. Davison, National City Bank, Frank A. Vanderlip, Kuhn, Loeb, Co., Paul M. Warburg, Nelson W. Aldrich

    It’s suspicious Malwarebytes caught this “in the zero hour”? Then be the first to report it to promote their product? IMO rather coincidental.

    Then I see some of the fanboyz come on to promote the product. *really
     
    Tony K, Jun 27, 2017
    #34
  5. essenbe Win User
    Tony, I guess you should add me to your 'Fanboyz' list. Your insinuation about Malwarebytes is nothing more than speculation. I am not sure why you would suspect a company that is well thought of on this forum and in the industry without any evidence, other than that they found it first. For them to use it as a selling point is nothing new. I am sure if Norton or Kaspersky had found it first they would have used it as well. That's what businesses do, isn't it? Give you a reason to buy their product rather than a competitor's product. I can't sit here and tell you Malwarebytes was not involved in some way, because there is no evidence. Just as there is no evidence at all that they were.

    This thread is about an attack, most likely by some foreign actor, for some reason we don't know for sure. Maybe just flexing their muscles, or maybe targeted at some specific business/country and done in a way to hide who the target actually was. I'm sure it doesn't surprise anyone that it started in Russia.
     
    essenbe, Jun 27, 2017
    #35
  6. Hydrate Win User
    Have you run a scan after creating those files to ensure Kaspersky does not remove them if created manually?

    The reason behind the batch files being detected by Kaspersky may have something to do with the fact the batch file comes from a foreign source. Try creating your own batch file and testing it.

    Personally I believe the target includes nations' computers that use outdated software and misconfigured machines running the SMB v1 protocol, mostly civilians and poorly operated IT in businesses.... and this is clearly a wake-up call to all IT organizations among those affected. The attack has by far been more successful than anticipated, I am certain, and there are various more boxes to infect that are still vulnerable. Us computer-savvy individuals are in a tight-knit community that remains aware of the cyber world and its news.

    Industrial espionage? Perhaps. It's hard to draw any conclusions as of yet other than the fact it originated in a Ukrainian accounting firm accountable for XData ransomware distribution. The malware seems ambiguous without naming any companies to infect, but originated here.

    It has affected supermarkets, to government and country infrastructure.
     
    Hydrate, Jun 27, 2017
    #36
  7. AndreTen Win User
    Petya analysis shows that it wasn't designed as ransomware, but as a wiper. Posted on blog by Anton Ivanov
     
    AndreTen, Jun 27, 2017
    #37
  8. bro67 Win User

    The exploits were pushed out on the dark web by who, who knows. Now they have a github that people can pull and look at the products they have created. Norse corp. tracks active attacks. It is on their website about what they do and the map gives you insight into what is going on in real time. The majority of attacks I am seeing today are smtp. Port 23, 25, 4444 and 8080 are the main ports. 4444 is how they are getting into Port 135.
     
    bro67, Jun 28, 2017
    #38
  9. Hydrate Win User
    Fascinating interactive disassembly analysis, I appreciate you sharing that.

    This is horrible, simply the key for each person is randomly generated using Base and then never to be found and used for decryption. Normally the article explains the installation ID will be sent to the command and control center for decryption by the threat actor (attackers and creators of the malware). However, it uses Base algorithms using the Windows CryptGenRandom function.

    This function uses a seed, the numbers to use to formulate a random number and add to the seed by finding random bits generated by hardware from process IDs to keyboard hooks and other statistics. This result is used to seed the pseudorandom number generator and find a truly random number, never to be used to decrypt the files attacked by the wiper.

    Amazing find!
     
    Hydrate, Jun 28, 2017
    #39
  10. bro67 Win User
    No NAS should be using SMBv1, since Samba no longer allows you to set anything lower than SMBv2. You can only choose SMBv2, SMBv2 Large MTU, SMBv3. SMBv4 still has issues, so you do not see it widely used on commercial NASes.
     
    bro67, Jun 28, 2017
    #40
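The post above is about NAS devices, but the same check applies to Windows hosts on the network: the SMBv1 dialect can be audited and switched off without touching SMB2/SMB3 clients. The script below is an added example (not from the thread or any poster) using the built-in SmbShare and DISM cmdlets on Windows 8.1/10 and Server 2012 R2 or later; it assumes an elevated PowerShell session. It first lists any current sessions still negotiating a dialect below 2.0, so an administrator can see which clients would break before SMBv1 is removed.

```powershell
# Added example (not from the thread): audit and disable the SMBv1 server dialect
# on a Windows host. Assumes an elevated PowerShell session on Windows 8.1/10 or
# Server 2012 R2+ where the SmbShare and DISM cmdlets are available.

function Get-Smb1Status {
    # Server-side dialect switches (EnableSMB1Protocol / EnableSMB2Protocol)
    $server = Get-SmbServerConfiguration
    # Is the SMB1 optional feature installed at all? (Enabled / Disabled)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb2ServerEnabled = $server.EnableSMB2Protocol
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'Unknown' }
    }
}

function Get-LegacySmbSessions {
    # Active inbound sessions whose negotiated dialect is below 2.0, i.e. SMBv1.
    # These are the clients that will lose access once SMBv1 is disabled.
    Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
        Select-Object ClientComputerName, ClientUserName, Dialect
}

function Disable-Smb1 {
    # Turn off the SMBv1 dialect on the server side; SMB2/SMB3 clients are unaffected.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the feature itself so the dialect cannot quietly come back.
    # A reboot completes the removal; -NoRestart leaves that to the administrator.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

$before = Get-Smb1Status
Write-Host 'SMB configuration before:'
$before | Format-List

$legacy = @(Get-LegacySmbSessions)
if ($legacy.Count -gt 0) {
    Write-Warning ("{0} client session(s) still negotiating SMBv1:" -f $legacy.Count)
    $legacy | Format-Table -AutoSize
}

if ($before.Smb1ServerEnabled -or $before.Smb1FeatureState -eq 'Enabled') {
    Write-Warning 'SMBv1 is enabled on this host; disabling it.'
    Disable-Smb1
    Write-Host 'SMB configuration after:'
    Get-Smb1Status | Format-List
} else {
    Write-Host 'SMBv1 is already disabled on this host.'
}
```

Run it once in audit mode by commenting out the `Disable-Smb1` call if the legacy-session list is non-empty: old printers, scanners and embedded devices are the usual SMBv1 holdouts, and they need a firmware update or a replacement before the dialect is removed on the file server they talk to.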
  11. bro67 Win User
    This should be enough for people to start making system backups. Drives are cheap these days. I find that the two questions we see on here are a system screwed up because of a messed-up system upgrade, or someone needing to recover a drive image when their hard drive goes bad. If something using embedded or Windows 10 IoT got infected, that is in part Microsoft's fault for not implementing a basic protection engine, along with a way to back up files to a protected storage medium.

    This whole mess will teach organizations to now use standard across-the-board backups for all workstations, start locking down port rules and not allowing programs to be downloaded through emails. Pretty bad that we manage our home systems better than employers, banks and hospitals do. Worst part is that they now allow all users across-the-board administrator access, because the IT/LAN coordinators do not know or understand basic security logic and only do what the person on the Helpdesk is reading from a script for the most part.
     
    bro67, Jun 28, 2017
    #41
  12. Stephanie Win User
    Stephanie, Jun 28, 2017
    #42
  13. Wynona Win User

    Wynona, Jun 28, 2017
    #43
  14. lx07 Win User
    I've read all these now. It seems to me to get this you need to do all of these:

    1. Don't install an upgrade for an accounting software popular in the Ukraine (yeah right)
    2. Try to upgrade your Windows through Windows Update (although the SMB error fixed since March)
    3. Don't run as an administrator account even though everyone since 2000BC knew this was idiotic. (You have to run as admin for this to work)
    4. Look again. If you are still running as local Admin then you deserve it.

    If I'm right though then anyone impacted deserves it as they are idiots.

    Upgrade your system and don't run as Admin. That is all.
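Two of the points in the post above (patch level and running as a local administrator) can be checked from a normal PowerShell prompt. The script below is an added example, not lx07's or any poster's code: it reports whether the current session is elevated, whether the logged-on account is a member of the local Administrators group even when UAC has filtered the token, and when the most recent hotfix was installed. The number of days after which a machine counts as stale (`$MaxPatchAgeDays`) is an assumed threshold, not a value from the thread, and the script does not reference any specific KB number.

```powershell
# Added example (not from the thread): report elevation, local-admin membership
# and patch recency for the current Windows host. Runs unelevated.
# $MaxPatchAgeDays is an assumed threshold chosen for this example.
$MaxPatchAgeDays = 45

function Test-IsElevated {
    # True only when the current process token is an elevated (UAC-approved) one.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-IsLocalAdminMember {
    # BUILTIN\Administrators has the well-known SID S-1-5-32-544 on every install,
    # so this works regardless of the UI language. The group SID stays in the
    # token (as deny-only) even when UAC has filtered it, which is exactly the
    # "logged on as admin but not elevated" case the post warns about.
    $adminSid = [Security.Principal.SecurityIdentifier]'S-1-5-32-544'
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    [bool]($identity.Groups | Where-Object { $_ -eq $adminSid })
}

function Get-PatchRecency {
    # Most recently installed hotfix according to Win32_QuickFixEngineering.
    # InstalledOn can be empty for some entries, so those are filtered out.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $latest) { return $null }
    [pscustomobject]@{
        HotFixID    = $latest.HotFixID
        InstalledOn = $latest.InstalledOn
        AgeDays     = [int]((Get-Date) - $latest.InstalledOn).TotalDays
    }
}

$report = [pscustomobject]@{
    User             = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    SessionElevated  = Test-IsElevated
    LocalAdminMember = Test-IsLocalAdminMember
    LatestPatch      = Get-PatchRecency
}
$report | Format-List

if ($report.LocalAdminMember) {
    Write-Warning 'Daily-use account is a member of local Administrators; use a standard account and elevate only when needed.'
}
if ($null -eq $report.LatestPatch) {
    Write-Warning 'No hotfix install dates found; check Windows Update history manually.'
} elseif ($report.LatestPatch.AgeDays -gt $MaxPatchAgeDays) {
    Write-Warning ("Last hotfix was installed {0} days ago; run Windows Update." -f $report.LatestPatch.AgeDays)
}
```

`Get-HotFix` only sees updates recorded in Win32_QuickFixEngineering, so a recent cumulative update normally shows up there but store or driver updates do not; treat the age figure as a quick triage number rather than a substitute for the Windows Update history page.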
     
  15. AndreTen Win User
    and back up your data and save copies in a safe place. Don't forget that bad guys could hack any company in the world... and an update (for software that needs admin rights) could come from a legit software company..
     
    AndreTen, Jun 28, 2017
    #45