Thread: Russian Info, Cyber and Disinformation (Jan-June 2017).

  1. #1
    Council Member
    Join Date
    Nov 2013
    Posts
    35,749


    Agree with this...

    The Estonia cyber attack of 2007 was child's play compared to this. The latest attack was probing for deep penetration.

    Why major companies like MS or FireEye are pointing to this is interesting...

    The deep probing refers to the coupling of LSADump with the malware...

  2. #2

    Again...Kaspersky knew of multiple attack vectors...how and why???

    There was speculation, however, among some experts that once the new virus had infected one computer it could spread to other machines on the same network, even if those devices had received a security update.
    "Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process," it said in a technical blog post.
    Russian security firm Kaspersky said a Ukrainian news site for the city of Bakhmut was also hacked and used to distribute the ransomware to visitors, encrypting data on their machines.

    Over the next days we will see more attack avenues come out...

  3. #3

    Petya/NotPetya is apparently a sabotage program that wipes stuff.
    https://blog.comae.io/petya-2017-is-...-9ea1d8961d3b#

    Petya.2017 is a wiper not a ransomware

    Ransomware-as-a-service soon to be renamed Lure-as-a-Service
    TL;DR: The ransomware was a lure for the media; this version of Petya actually wipes the first sectors of the disk, like we have seen with malware such as Shamoon.
    What's the difference between a wiper and a ransomware?
    The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative. A ransomware has the ability to restore its modifications (restoring the MBR like in the 2016 Petya, or decrypting files if the victim pays); a wiper would simply destroy and exclude any possibility of restoration.
    Yesterday, we provided a preliminary analysis where we demonstrated that the 27th June 2017 version of Petya leveraged the SMB exploits ETERNALBLUE and ETERNALROMANCE.
    Today, we spent more time to understand how the files could be retrieved and how the actual MBR and MFT were being encoded.
    Fortunately, there are multiple excellent existing analyses of 2016 Petya that were published last year in multiple languages such as French or English [1, 2]. Today, Microsoft published a very descriptive analysis of the 2017 Petya but for some reason missed the part below.
    542a38bf52afa6a4a008089a6fbf22c9d68ef5d6c634dd2c0773d859a8ae2bbf (2016)
    027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 (27th June 2017)
    After comparing both implementations, we noticed that the current implementation that massively infected multiple entities in Ukraine was in fact a wiper which just trashed the first 25 sector blocks of the disk.
    The first sector block is reversibly encoded by XORing it with the 0x7 key and saved later in the 34th block. But since it is replaced with a new bootloader (41f75e5f527a3307b246cadf344d2e07f50508cf75c9c2ef8dc3bae763d18ccf) of 0x22B1 bytes, it basically sets v19 to 0x19 (25).
    16.0: kd:x86> ? 0x22B1 - (0x22B1 & 0x1FF) + 0x1024
    Evaluate expression: 12836 = 00003224
    16.0: kd:x86> ? 0x00003224 >> 9
    Evaluate expression: 25 = 00000019
    That would mean that the 24 sector blocks following the first sector block are purposely overwritten; they are not read or saved anywhere. Whereas the original 2016 Petya version correctly reads each sector block and reversibly encodes them.
    2016 Petya modifies the disk in a way where it can actually revert its changes. Whereas 2017 Petya does permanent and irreversible damage to the disk.
    On the left, we can see the current version of Petya clearly got rewritten to be a wiper and not an actual ransomware.
    THIS is the important part of the article....

    We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents, to attract the attention on some mysterious hacker group rather than a nation state attacker like we have seen in the past in cases that involved wipers such as Shamoon.

    Lately, the number of attacks against Ukraine increased, from power grids being shut down to the car of a top military intelligence officer exploding yesterday — the day Petya.2017 infected Ukraine.

    The fact of pretending to be a ransomware while being in fact a nation state attack — especially since WannaCry proved that widely spread ransomware isn't financially profitable — is in our opinion a very subtle way for the attacker to control the narrative of the attack.
    Last edited by OUTLAW 09; 06-28-2017 at 07:05 PM.
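The sector arithmetic in the quoted Comae write-up, worked through as an added example that is not code from the blog post or from the malware: a toy disk image on which a "reversible" model backs up sector 0 XOR 0x7 at sector 34 and XOR-encodes the following sectors in place after reading them, against a "wiper" model that backs up only sector 0 and then writes the 0x22B1-byte bootloader straight over the sectors the page's WinDbg expression yields. The 512-byte sector size, the placeholder bootloader bytes, the zero-padding of the bootloader buffer to 25 sectors, the XOR-in-place model of the 2016 behaviour and the sample disk contents are my assumptions; the 25-sector count reproduces the page's expression unchanged.

```python
"""Toy model of the sector arithmetic from the Comae write-up quoted above.

Constructed example: not code from the blog post or from the malware. The
sector size, the placeholder bootloader bytes, the zero-padding of the
bootloader buffer and the in-place XOR model of the 2016 behaviour are
assumptions; the sector count reproduces the page's WinDbg expression.
"""
SECTOR = 512              # assumed sector size (the 0x1FF mask in the page's expression implies 512)
XOR_KEY = 0x7             # key the page says sector 0 is XORed with
BACKUP_SECTOR = 34        # where the page says the encoded sector 0 is saved
BOOTLOADER_SIZE = 0x22B1  # size of the new bootloader, from the page


def sectors_overwritten(bootloader_size: int) -> int:
    """Reproduce the page's WinDbg expression: round the size down to a
    sector boundary, add 0x1024, divide by 512 (shift right by 9)."""
    return (bootloader_size - (bootloader_size & 0x1FF) + 0x1024) >> 9


def make_disk(n_sectors: int = 64) -> bytearray:
    """Constructed disk image: byte j of sector s is (s + j) % 256, so every
    sector is distinct and non-uniform."""
    disk = bytearray()
    for s in range(n_sectors):
        disk += bytes((s + j) % 256 for j in range(SECTOR))
    return disk


def sector(disk: bytearray, idx: int) -> bytes:
    return bytes(disk[idx * SECTOR:(idx + 1) * SECTOR])


def write_sector(disk: bytearray, idx: int, data: bytes) -> None:
    disk[idx * SECTOR:(idx + 1) * SECTOR] = data


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    return bytes(b ^ key for b in data)


def fake_bootloader(size: int = BOOTLOADER_SIZE) -> bytes:
    """Placeholder bootloader bytes (assumption): any non-uniform pattern."""
    return bytes((j * 31 + 0xE9) % 256 for j in range(size))


def encode_2016_style(disk: bytearray, n: int) -> None:
    """Reversible model: save sector 0 XOR-encoded at sector 34, read and
    XOR-encode sectors 1..n-1 in place, then put the bootloader's first
    sector into the MBR slot. Everything can be undone."""
    write_sector(disk, BACKUP_SECTOR, xor_bytes(sector(disk, 0)))
    for s in range(1, n):
        write_sector(disk, s, xor_bytes(sector(disk, s)))
    write_sector(disk, 0, fake_bootloader()[:SECTOR])


def wipe_2017_style(disk: bytearray, n: int) -> None:
    """Wiper model: same backup of sector 0, then the bootloader buffer
    (zero-padded to n sectors, an assumption) is written straight over
    sectors 0..n-1. Sectors 1..n-1 are never read or saved anywhere."""
    write_sector(disk, BACKUP_SECTOR, xor_bytes(sector(disk, 0)))
    disk[0:n * SECTOR] = fake_bootloader().ljust(n * SECTOR, b"\x00")


def attempt_restore(disk: bytearray, n: int) -> bytearray:
    """The best a decryptor could do: sector 0 from the backup, sectors
    1..n-1 by undoing the XOR."""
    restored = bytearray(disk)
    write_sector(restored, 0, xor_bytes(sector(disk, BACKUP_SECTOR)))
    for s in range(1, n):
        write_sector(restored, s, xor_bytes(sector(disk, s)))
    return restored


def lost_sectors(restored: bytearray, original: bytearray, n: int) -> list:
    """Indices in 0..n-1 that still differ from the original after restore."""
    return [s for s in range(n) if sector(restored, s) != sector(original, s)]


def compare() -> tuple:
    """Run both models on the same image; return (n, lost_2016, lost_2017)."""
    n = sectors_overwritten(BOOTLOADER_SIZE)
    original = make_disk()
    d16 = bytearray(original)
    encode_2016_style(d16, n)
    d17 = bytearray(original)
    wipe_2017_style(d17, n)
    return (n,
            lost_sectors(attempt_restore(d16, n), original, n),
            lost_sectors(attempt_restore(d17, n), original, n))


if __name__ == "__main__":
    count, lost16, lost17 = compare()
    print(f"bootloader write covers {count} sectors")
    print(f"2016-style model, unrecoverable sectors: {lost16}")
    print(f"2017-style model, unrecoverable sectors: {lost17}")
```

Running it gives 25 for the sector count, an empty list for the reversible model, and sectors 1 through 24 for the wiper model: sector 0 comes back from the backup in both cases, which is why a "decryptor" can restore the MBR and still leave the disk unbootable and the following sectors gone.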

  4. #4

    Quote Originally Posted by OUTLAW 09
    Petya/NotPetya is apparently a sabotage program that wipes stuff.
    https://blog.comae.io/petya-2017-is-...-9ea1d8961d3b#

    Petya.2017 is a wiper not a ransomware

    THIS is the important part of the article....

    Actually this has now been confirmed by the CEO of Kaspersky...

    Eugene Kaspersky‏
    @e_kaspersky

    Update on #NotPetya #ExPetr: threat actors CAN'T decrypt files. Don't pay ransom. It won't help ->


    Interesting use of the two words..."threat actors"......

  5. #5

    Airport in Oslo is completely grounded due to #NotPetya attacks. No check in, no bag drop. Thousands of people stranded.

    NOTE...if my assumptions are correct, this malware is a totally new class of malware attack, thus the name Petya in any form simply does not fit...MAYBE the following suggestion...

    MassiveCoordinatedCyberInvasion works well even as a hashtag...

    What happened in Ukraine is long past the concept of "a cyber attack"...
    Last edited by OUTLAW 09; 06-29-2017 at 07:18 AM.

  6. #6

    WHY are the "big boys" in IT anti-viral security still lagging after this attack on Ukraine...

    Right now individual IT analysts and small IT security companies are providing far more insight into this attack than "the big boys", who will at some point release massive reports and take all the credit...

    It was the "small guys" who immediately called this attack a true cyber attack by a state sponsored group, i.e. Russia...based on the first single target...Ukraine...

  7. #7

    From yesterday...

    Email of the attacker is down. And the code itself looks more like a wiper than an encoder. cf. below: #Petya
