Thread: Russian Info, Cyber and Disinformation (Jan-June 2017).

  1. #1
    Council Member
    Join Date
    Nov 2013
    Posts
    35,749

    This paragraph from a security organization points to what I am saying....

    Do not open unsolicited emails or messages from unknown senders – Many ransomware variants are distributed through phishing attacks or email attachments. Increased mindfulness when handling ‘suspect’ emails can be effective in combating ransomware
    So if this version is one designed to attack the Windows SMBv1 vulnerability and phishing was not the delivery system ..what was it then???

    AND if many MS users conducted their MS March 2017 patching session then they should not have been affected.....WHICH after the Wannacry attack actually did occur especially in Ukraine and other countries that got hit by Wannacry.....

    So how did this ransomware sidestep phishing and sidestep the MS patch??

    AND why did it not trigger a large number of anti-viral software packages.....
    Last edited by davidbfpo; 06-28-2017 at 10:24 AM. Reason: brevity

  2. #2

    But this from a rather good security blogsite tends to confirm what I am saying as well....

    Security firm Symantec confirmed that Petya uses the “Eternal Blue” exploit, a digital weapon that was believed to have been developed by the U.S. National Security Agency and in April 2017 leaked online by a hacker group calling itself the Shadow Brokers.

    Microsoft released a patch for the Eternal Blue exploit in March (MS17-010), but many businesses put off installing the fix. Many of those that procrastinated were hit with the WannaCry ransomware attacks in May. U.S. intelligence agencies assess with medium confidence that WannaCry was the work of North Korean hackers.
    Russian security firm Group-IB reports that Petya bundles a tool called “LSADump,” which can gather passwords and credential data from Windows computers and domain controllers on the network.

    Nicholas Weaver, a security researcher at the International Computer Science Institute and a lecturer at UC Berkeley, said Petya appears to have been well engineered to be destructive while masquerading as a ransomware strain.
    Weaver noted that Petya’s ransom note includes the same Bitcoin address for every victim, whereas most ransomware strains create a custom Bitcoin payment address for each victim.
    Also, he said, Petya urges victims to communicate with the extortionists via an email address, while the majority of ransomware strains require victims who wish to pay or communicate with the attackers to use Tor, a global anonymity network that can be used to host Web sites which can be very difficult to take down.
    “I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware,” Weaver said. “The best way to put it is that Petya’s payment infrastructure is a fecal theater.”
    Here is the problem....Wannacry was declared by US IC probably NSA with a degree of confidence that it was released by NK.....

    Our active ongoing research in assistance to two Ukrainian IT companies indicated control servers sitting deep inside Russia which we took offline to their surprise....but wait NSA stated the previous attack was by NK....

    What is the connection now between NK state sponsored military hacking and individuals sitting deep inside Russia....??? Criminals working for RIS and or on their own OR outright RIS......

    This my assumption as well....so any of the above combination of who was using it in Russia....
    “I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware”

    If we accept that Ukraine has been the test bed by Russian state sponsored hacking of critical infrastructure since 2015 with three attacks and if we accept there have been other such attacks by Russian hackers in Baltic power grids and if we accept that Ukraine is in fact the Russian cyber attack testbed.....then this comment cements the concept of a deliberate cyber attack using ransomware as a disguise...

    The attack, if one looks at the Ukrainian networks hit....reads like a military air strike target list except just on an economics level.....banks, telcos, major fuel companies causing a shortage of fuel, food markets, airports, government agencies, news media, power grids and power generation, etc...ALL designed to create a certain level of civilian panic
    The connection between a COL in the Ukrainian SOF Military Intelligence who had just returned from the Minsk front line and who was responsible for the collection of evidence of Russian military involvement for The Hague ICC is killed by a car bomb in Kyiv in the early morning timeframe and the "so called phishing attack" started almost immediately after that attack is not just a single lonely coincidence....

    This was a deliberate and well thought out cyber attack using a new strain of previously NK-released ransomware being used by Russians in Russia to send a Russian warning to the West.....

    REMEMBER NK military is also in the business of making money for the government and if the price is right software always changes hands in the middle of the night these days....either to criminal gangs or to state sponsored groups...

    BTW...this is exactly what we saw yesterday...this type of data being exfiltrated out of attacked networks...thus making it not so easy but doable..tracking it to their control and command servers....which in this case ended in Russia.....

    Russian security firm Group-IB reports that Petya bundles a tool called “LSADump,” which can gather passwords and credential data from Windows computers and domain controllers on the network.

    This type of gathered data is important for future attacks on the compromised networks...
    Last edited by davidbfpo; 06-28-2017 at 10:25 AM. Reason: brevity
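    The post above turns on two host conditions: SMBv1 still enabled (the protocol EternalBlue targets) and the MS17-010 update not installed. The following PowerShell audit script is an added example written for this page; it is not from the thread or from any of the sources it quotes. It assumes Windows 8 / Server 2012 or later (for Get-SmbServerConfiguration and Get-NetTCPConnection), and the $Ms17010Kbs default is a placeholder that the operator must replace with the KB numbers the MS17-010 bulletin lists for the OS build being checked.

```powershell
<#
  Added example, not from the thread or the sources it quotes.
  Audits a Windows host for: SMBv1 server protocol enabled, MS17-010 update
  absent, and 445/tcp listening on a non-loopback address.
  Assumes Windows 8 / Server 2012 or later. $Ms17010Kbs is a PLACEHOLDER:
  fill it from the MS17-010 bulletin for this OS build before use.
#>
param(
    [string[]]$Ms17010Kbs = @('KB-PLACEHOLDER-SEE-MS17-010-BULLETIN'),
    [switch]$Remediate
)

$findings = @()

# 1. SMBv1 server protocol. EternalBlue is an SMBv1 exploit, so the
#    protocol should be off regardless of patch state.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is ENABLED'
    if ($Remediate) {
        # -Force suppresses the confirmation prompt; re-run the audit
        # afterwards (some builds need a reboot before the change shows).
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $findings += 'SMBv1 server protocol disabled by this script'
    }
}

# 2. MS17-010. Get-HotFix reads Win32_QuickFixEngineering, so a missing
#    entry is a strong but not absolute signal; confirm via Windows Update
#    history if the host is otherwise believed patched.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$present = $Ms17010Kbs | Where-Object { $installed -contains $_ }
if (-not $present) {
    $findings += "No MS17-010 update found (looked for: $($Ms17010Kbs -join ', '))"
}

# 3. Exposure. Report every non-loopback address on which 445/tcp listens,
#    so the reader can decide whether host firewall rules should block it.
$listeners = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') }
if ($listeners) {
    $addrs = ($listeners.LocalAddress | Sort-Object -Unique) -join ', '
    $findings += "SMB (445/tcp) listening on: $addrs"
}

if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: no findings"
} else {
    $findings | ForEach-Object { Write-Output "$env:COMPUTERNAME: $_" }
}
```

    Run it from an elevated PowerShell session, for example `.\Audit-Smb1.ps1 -Ms17010Kbs KBxxxxxxx,KByyyyyyy` (the script name and KB values are hypothetical; take the KBs from the bulletin), and add `-Remediate` only once the SMBv1 dependency question has been answered for that host, since legacy devices and old NAS appliances sometimes still require it.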

  3. #3

    This is key as it indicates that while the ransomware was the issue this was running in the background....LSADump, which was programmed into the malware, thus indicating that hackers were in actual control of the malware attack.....

    Effects
    Lsadump is a hacking tool. These tools, even though they are not by nature viruses, are considered dangerous to victims of attacks.

    Means of transmission

    Lsadump does not spread automatically using its own means. It needs the attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.
    Further Details
    Lsadump has the following additional characteristics:
    It is written in the programming language Visual C++ 6.
    It is 32768 bytes in size.

    I am still puzzled though by the Kaspersky statement yesterday that defines this malware as something new...

    They also stated that it was a complex attack using multiple attack vectors...meaning different attack methods and directions BUT that their anti-viral detector picked it up under a generic filter......

    Which is strange that a generic detector was available to detect a not previously seen in the wild totally new strain that they were not aware of....that comment in itself is unusual even for Kaspersky.

    Also sitting outside of the malware attack zone they were quick to state and stated early before much was known at the time ...a complex attack from multiple attack vectors......
    Last edited by OUTLAW 09; 06-28-2017 at 09:03 AM.

  4. #4

    Local kill switch has been found in Petya malware.
    https://twitter.com/ptsecurity/statu...6638731591680#

    This is what Russian military jargon types would call an "asymmetric response".

  5. #5

    Shadowbrokers (~ adversary intel agency), tagging Petya, seem to escalate by threatening dump against ex-NSA member
    https://web.archive.org/web/20170628...ice-july-2017#

  6. #6

    .@CarbonDynamics:
    Petya is fake Ransomware, not designed to make money, but to spread fast and cause max damage

    "Petya" attackers knew that M.E.DOC will impact mostly Ukraine, all other infections are "side effect". Not Criminal act but Cyberwar

    M.E.DOC was doing an upgrade and evidently the Russian hackers got their malware into the upgrade routine thus it hit all of Ukraine at virtually the same time....no analysis so far indicates that it came in via phishing BUT it does indicate the possibility of a direct hack and malware injection into the upgrading code patch.....

    THIS supports my assumption that this was in fact a Russian state sponsored attack directed straight at Ukraine....

    TASS is authorized to declare: Russia also suffered a cyberattack but due to superiority of Russian cybersecurity expertise, no outages.

    BUT WAIT...the only confirmed attacks were really just written press releases with not a single Russian citizen complaining of anything unusual happening.

    Rosneft the Russian state owned oil company was the only real company "complaining" but indicators seem to point to actually nothing happening to their networks...

    So how does one explain the simple fact that Ukraine next door to Russia and Russia has not a truly recorded hacking attack and or malware attack....

    Kaspersky mentioned some customers were attacked in Russia BUT does not name them.....

    Assumption...Russia knew the attack was coming.

    THAT was the reason Kaspersky had a generic filter to detect it and was able to suddenly rush a new filter quickly to their customers...it was already known to them....

    BUT WAIT.....only a single malware attack reported in the Russian occupied eastern Ukraine.....that is strange...SO it can be assumed Russia knew the attack was coming....
    Last edited by OUTLAW 09; 06-28-2017 at 09:44 AM.

  7. #7

    Quote Originally Posted by OUTLAW 09:
    .@CarbonDynamics:
    Petya is fake Ransomware, not designed to make money, but to spread fast and cause max damage
    MEDoc is a Ukrainian-only tax accounting program. Exploiting its vulnerabilities proves that Ukrainian IT structures were targeted by #Petya

    THIS was not another so called NK Petya ransomware attack....
    Last edited by davidbfpo; 06-28-2017 at 10:28 AM. Reason: brevity
