Hunt for WannaCry Ransomware Attackers


The ransom note that gets displayed on screens of Microsoft Windows computers infected with Petya. According to multiple news reports, Ukraine appears to be among the hardest hit by Petya. National Security Agency and in April leaked online by a hacker group calling itself the Shadow Brokers.

Microsoft released a patch for the Eternal Blue exploit in March, but many businesses put off installing the fix. Many of those that procrastinated were hit with the WannaCry ransomware attacks in May. Organizations and individuals who have not yet applied the Windows update for the Eternal Blue exploit should patch now. Petya seems to be primarily impacting organizations in Europe; however, the malware is starting to show up in the United States.

Through its Twitter account, the Ukrainian Cyber Police said the attack appears to have been seeded through a software update mechanism built into M.E.Doc, an accounting program that companies working with the Ukrainian government need to use. Nicholas Weaver, a security researcher at the International Computer Science Institute and a lecturer at UC Berkeley, said Petya appears to have been well engineered to be destructive while masquerading as a ransomware strain.

Also, he said, Petya urges victims to communicate with the extortionists via an email address, while the majority of ransomware strains require victims who wish to pay or communicate with the attackers to use Tor, a global anonymity network that can be used to host Web sites which can be very difficult to take down.

Ransomware encrypts important documents and files on infected computers and then demands a ransom (usually in Bitcoin) for a digital key needed to unlock the files. With most ransomware strains, victims who do not have recent backups of their files are faced with a decision to either pay the ransom or kiss their files goodbye. Ransomware attacks like Petya have become such a common pestilence that many companies are now reportedly stockpiling Bitcoin in case they need to quickly unlock files that are being held hostage by ransomware.

According to ISACA, a nonprofit that advocates for professionals involved in security, assurance, risk management and governance, 62 percent of organizations surveyed recently reported experiencing ransomware, but 53 percent said they had a formal process in place to address it.

Added quotes from Nicholas Weaver and links to an analysis by the Ukrainian cyber police.

This entry was posted on Tuesday, June 27th.

I see on slashdot that the one, single email address to pay the ransom has been blocked by the German ISP, so no one can pay, even if they want to.

If the money can be stopped, then it will reduce ransomware. Anyone with the ledger can see where everything goes. I rather doubt that they are immune. I think we would have heard from China by now if there was real trouble. If it got in there the whole country would come to a dead stop.

If you wanted to, an individual could potentially possess the bitcoins for the futures exchange. Kaspersky has a nice technical write-up on the new Petya.

This is not news. When are the IT and security professionals going to get off their asses and put policies and procedures in place to really reduce this kind of threat? There is so much that can be done and many options are inexpensive to implement. Consider using a proxy to read your email. Not just to access your mail, but a proxy on which the email is opened and displayed where you can view it from a second machine.

That will isolate users even if they open a bad attachment. It would infect the proxy and not their machine. Why does it seem like so many computers are directly addressable from the Internet? Has everyone forgotten how to set up a DMZ? Use sub-networks with double firewalls? There are a lot of network isolation techniques. When there are massive infections like this, it tells me that too many organizations are not using network isolation. Can you really call it ransomware if it encrypts with a pseudorandom data unrelated to the corresponding key it provides?

It even encrypts the MBR. Next to impossible to recover it basically. Scott is correct, it would appear. Ukraine appears to have been deliberately targeted, with infections in other countries just collateral damage. How to find who did it: From all the data gathered, there never was any intention to make money off of the ransom part.

Everyone else is collateral damage. This makes the question of who did it. There are only two potential villains here: The governments of Russia and the US. Russia would be the easy pick, but the US CIA has the biggest reputation in the world for false flag events to force policies.

Until the next Snowden, we may not know. I think many people know exactly what is going on, but so what? Everything will be same. Mutations that just add a random number to the file can bypass the check. Putting all clues together, we see four ransomware campaigns that have targeted Ukraine, have tried to pass as other ransomware threats, have quality code, and three of which appear to have used the same server to spread.

There is no clear-cut evidence that the same person or group is behind all campaigns, but there are too many coincidences to ignore. If this malware finds running Kaspersky processes on the system, it writes junk to the first 10 sectors of the disk, and then reboots, bricking the machine completely.

A few days ago I found a message on pastefs.

Krebs on Security: In-depth security news and investigation.

No mention of any infections in China?

Nicholas Weaver has it right.

You can protect your system and server by blocking port number and

Lucky me I found your website by accident.
