Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ukrainian Banks, Electricity Firm Hit by Fresh Cyber Attack; Reports Claim the Ransomware Is Quickly Spreading Across the World (vice.com)

Posted by msmash on from the security-woes dept.

A massive cyber attack has disrupted businesses and services in Ukraine on Tuesday, bringing down the government's website and sparking officials to warn that airline flights to and from the country's capital city Kiev could face delays. Motherboard reports that the ransomware is quickly spreading across the world. From a report: A number of Ukrainian banks and companies, including the state power distributor, were hit by a cyber attack on Tuesday that disrupted some operations (a non-paywalled source), the Ukrainian central bank said. The latest disruptions follow a spate of hacking attempts on state websites in late-2016 and repeated attacks on Ukraine's power grid that prompted security chiefs to call for improved cyber defences. The central bank said an "unknown virus" was to blame for the latest attacks, but did not give further details or say which banks and firms had been affected. "As a result of these cyber attacks these banks are having difficulties with client services and carrying out banking operations," the central bank said in a statement. BBC reports that Ukraine's aircraft manufacturer Antonov, two postal services, Russian oil producer Rosneft and Danish shipping company Maersk are also facing "disruption, including its offices in the UK and Ireland."

According to local media reports, the "unknown virus" cited above is a ransomware strain known as Petya.A. Here's how Petya encrypts files on a system (video). News outlet Motherboard reports that Petya has hit targets in Spain, France, Ukraine, Russia, and other countries as well. From the report: "We are seeing several thousands of infection attempts at the moment, comparable in size to Wannacry's first hours," Costin Raiu, a security researcher at Kaspersky Lab, told Motherboard in an online chat. Judging by photos posted to Twitter and images provided by sources, many of the alleged attacks involved a piece of ransomware that displays red text on a black background, and demands $300 worth of bitcoin. "If you see this text, then your files are no longer accessible, because they are encrypted," the text reads, according to one of the photos. "Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."

58 of 109 comments (clear)

  1. Backup/Restore by Big+Hairy+Ian · · Score: 2

    Say no more

    --

    Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    1. Re:Backup/Restore by 93+Escort+Wagon · · Score: 4, Insightful

      Disconnected backup/restore.

      These sorts of malware are perfectly capable of encrypting a connected external or network drive.

      --
      #DeleteChrome
    2. Re: Backup/Restore by Anonymous Coward · · Score: 2, Insightful

      Would have been nice if some government agency had found vulnerabilities, they would have tipped off the vendors to patch them. Only sociopaths would have failed to improve the world by trying to use them for their own benefit.

    3. Re:Backup/Restore by Rei · · Score: 4, Interesting

      Something I was just thinking about the other day, when considering btrfs for a new install rather than ext4... wouldn't a filesystem that allows for periodic snapshotting offer some defense against ransomware, so long as the ransomware doesn't run with the privilege to delete snapshots? So it starts encrypting your files... then runs out of disk space due to all of the changes it's made since the last snapshot, becomes stuck, and all the user has to do is restore from the last snapshot.

      Seems like some relatively low hanging fruit to help combat a relatively major problem. Or am I missing something?

      --
      "99 dead duelists of Dios on the wall. 99 dead duelists of Dios! Take one's ring, pass it around..."
    4. Re: Backup/Restore by phayes · · Score: 1

      Write a letter to Putin@thekremlin.ru thanking his hackers for their thoughtful repackaging of the zero days the NSA released to Microsoft etc when they learned that the tools/0days were going to be released publicly. It was a few months before the "patriotic" hackers released the NSA tools.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    5. Re: Backup/Restore by MightyMartian · · Score: 1

      I've had a lot of interactions with bureaucrats and the like, and generally, no, I don't see much sign of sociopathy. There's certainly a kind of antipathy that creeps into a public service, and of course momentum means that things will tend to go in the same direction regardless of what the people at the top want.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    6. Re:Backup/Restore by JaredOfEuropa · · Score: 1

      Also, detection? According to the news, none of the regular virus scanners are detecting this new variant, and of course once they are able to detect this one (WannaCry is now reliably detected) the next variant is released into the wild. But any process that scans for known vulnerable services should be suspect, as should any process that reads and then modifies a large number of files, especially in locations like the user folder.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    7. Re:Backup/Restore by Anonymous Coward · · Score: 1

      Yep. You can also use ZFS for this to combat exactly the same issue.

      With disk being so cheap anymore, if you know Linux you should have at least a RAID1 (ZFS RAID10 is better, and easier to grow) storage system going, and doing full bare-metal backups of everything you care about at least once a week. As well as doing test bare-metal restores to a VM once a month or so to make sure.

    8. Re:Backup/Restore by JaredOfEuropa · · Score: 4, Informative

      Careful with just doing mirrors and/or rotating snapshots / tapes: by the time the ransomware reveals itself, your backup process may already have cheerfully overwritten your files in backup with encrypted versions.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    9. Re: Backup/Restore by MightyMartian · · Score: 4, Insightful

      Well, I'm up in Canada, so maybe it's different south of the border, but up here I've had meetings with Assistant Deputy Ministers, which are about two steps down from the political office-holder (the Cabinet Minister). I've had my disagreements with them, and certainly have felt they've made some decisions that I thought were, shall we say, less than optimal, but I've never seen evidence of them being bad or selfish people.

      I can't say the same for some cabinet ministers (what Americans would call Secretaries), mind you. I've never directly interacted with anyone at the political level, but there have been or two whose actions I've seen that have lead to believe that if they're not outright sociopaths, then at least they're quite callous and bullying. There's an old joke in the Westminster tradition that the best cabinet minister is the cabinet minister who understands that it's not his job to micromanage his department. I have seen cabinet ministers who very much believed they had the knowledge and capability to do just that, and like a crappy CEO in a private setting, they can leave ruin and poor morale in their wake. Many years ago I saw one Ministry see an exodus of everyone from frontline public sector workers up to higher level civil servants start getting out, and that always suggests a department with very poor leadership.

      That being said, I don't think even most politicians are sociopaths. I think they can get woefully out of touch with their constituents, and the problem here in Canada, as I'm sure it is in the US, is that voters will tend to vote based on team jersey in many cases rather than on anyone's record, so the same bad actors seem to be able to hang on to their jobs for a rather long time.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    10. Re:Backup/Restore by DontBeAMoran · · Score: 1

      Big Hairy Ian: Is, uh,...Is your computer a goer, eh? Know whatahmean, know whatahmean, nudge nudge, know whatahmean, say no more?

      Us: I, uh, I beg your pardon?

      --
      #DeleteFacebook
    11. Re:Backup/Restore by DontBeAMoran · · Score: 1

      Burn your shit in dvds NOW or somebody else will masturbate looking at your data, or WORSE.

      ...there's way too much information to decode the encrypted files. You get used to it, though. Your brain does the translating. I don't even see the code. All I see is blonde, brunette, redhead.

      --
      #DeleteFacebook
    12. Re:Backup/Restore by KiloByte · · Score: 4, Informative

      That's why you don't just rotate the snapshots, you organize them into tiers.

      For example, the setup I use is: I keep yearlies, monthlies, 1-11-21th day of month, dailies, and (for two machines) 3-hourlies. Yearlies and monthlies don't expire other than manually, others keep 10 of their kind.

      If you use btrfs on the backup machine -- with dedupe and compression -- all of this takes surprisingly little space compared to other forms of backup, yet any individual snapshot is available straight as a mounted filesystem, without any extra steps.

      Obviously most machines have pull backups: since root privs are needed, it's the backup machine that can control the backupees.

      I also have disconnected backups, although I haven't automated that yet.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    13. Re: Backup/Restore by Megol · · Score: 1

      Several failings in that post. TLA finds vulnerabilities because they search for them, they search for them to be able to do their job. Their job is to protect their country and by extension the people. Not doing their job would mean the agency is useless.
      You also don't understand what sociopaths are about. It is a mental disease/condition. It isn't a placeholder for "something I do not agree with" any more than nazi/fascist/left/right etc. It is also something a person can have - not an organization.

      You don't like it? Then work on changing what those organizations do instead of posting here as a coward. But try to realize what cost this open policy will have.

    14. Re:Backup/Restore by whitlocktj · · Score: 2

      This right here. Saved my bacon so many times.Clients don't like missing emails, so they like getting spam and actually OPEN the files. Good thing we had configured a regex alert whenever one of those files were created. Saved a lot of hours of recovery.

    15. Re:Backup/Restore by whitlocktj · · Score: 1

      Yeah, the beginning of time, yearly, monthly, weekly, daily, hourly, helps immensely. Never used dedupe though. Also, you NEED some kind of alerting. Otherwise, you're at the mercy of human detection, which is insurmountably ignorant of old data.

  2. BBC Report by Big+Hairy+Ian · · Score: 3, Informative

    http://www.bbc.co.uk/news/tech...

    --

    Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

  3. Credit where it's due by Anonymous Coward · · Score: 5, Insightful

    Slashdot editors receive a lot of flak when they run dupes, or miss out on good stories. But this story about the ongoing cyber attack is literally the only one that makes sense - and I have read FT, NYT, and WSJ copies. Insightful summary, and perfectly stitched together. Kudos.

    1. Re:Credit where it's due by UnknownSoldier · · Score: 1

      Holy sheep, /. editors doing their job? Has Hell frozen over? Is Linux on more devices then Windows?

    2. Re:Credit where it's due by Cederic · · Score: 1

      For all your cynical IT news needs : https://www.theregister.co.uk/...

    3. Re:Credit where it's due by Mr+D+from+63 · · Score: 1

      Slashdot editors receive a lot of flak when they run dupes, or miss out on good stories. But this story about the ongoing cyber attack is literally the only one that makes sense - and I have read FT, NYT, and WSJ copies. Insightful summary, and perfectly stitched together. Kudos.

      Too bad the summary leaves out a very key piece of info, which doesn't quite fit with the hype-line;

      Ukrainian state power distributor Ukrenergo said its IT system had been hit by a cyber attack, but the disruption had no impact on power supplies or its broader operations.

      In other words, the attack was on their administrative network, not power or grid control.

      Thank you.

  4. oh dear by schleimkeim · · Score: 1

    it's not a fucking cyber attack if the secretary opens an attachement called picture.exe

    1. Re:oh dear by JaredOfEuropa · · Score: 3, Insightful

      It's not a home invasion if the intruder presents himself as a delivery man / pizza guy, and you subsequently open the door.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  5. Petya = already defeated last year by AdamD1 · · Score: 3, Interesting

    This ransomware has actually previously been defeated (April 2016), and a key generator tool was released:

    https://www.bleepingcomputer.c...

    fyi

    --
    Because I can! [Brainrub.com]
    1. Re:Petya = already defeated last year by Anonymous Coward · · Score: 5, Informative

      This appears to be a new variant. No confirmation yet as to whether or not the previous decrypter still works.

      https://isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/
      "According to the Verge article, today's ransomware appears to be a new Petya variant called Petyawrap."

      https://twitter.com/craiu/status/879692523102511104
      The fast-spreading Petrwrap/Petya ransomware sample we have was compiled on June 18, 2017 according to its PE timestamp.

    2. Re:Petya = already defeated last year by BartWillems · · Score: 1

      What if it's not Petya? It certainly didnt look like what was shown in the youtube video.

    3. Re:Petya = already defeated last year by chispito · · Score: 1

      This ransomware has actually previously been defeated (April 2016), and a key generator tool was released:

      https://www.bleepingcomputer.c...

      fyi

      That means it is based on or related to that malware, that does not mean all the same tools and counter measures will apply. From my experience you're probably fine if you're running a next gen AV product and if you're running traditional AV software, you may or may not have sigs yet.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    4. Re:Petya = already defeated last year by Rei · · Score: 1

      That's actually what Kaspersky is now saying. They're saying it's something new and have actually taken to calling it "NotPetya".

      --
      "99 dead duelists of Dios on the wall. 99 dead duelists of Dios! Take one's ring, pass it around..."
  6. Remember kids... by __aaclcg7560 · · Score: 1

    Don't click on any dick pic links that appear on Slashdot. Most of those goes back to virus-infected websites.

    1. Re:Remember kids... by __aaclcg7560 · · Score: 1

      That's right kids, only by starving creimer of his ad revenues will that digital fungus finally leave!

      Uh, no. My ad revenues have nothing to do with those image links. I'm quite serious about some of those image websites hosting viruses.

    2. Re:Remember kids... by __aaclcg7560 · · Score: 1

      Link to a picture that will install a virus on my PC.

      That would be extremely irresponsible.

      You can't, because there's no such thing.

      Probably because the link got deleted after I requested the page be taken down.

    3. Re:Remember kids... by __aaclcg7560 · · Score: 1

      And no, "WannaCry" isn't it, you digital janitor.

      There is a new version of WannaCry on the Internet. MalwareBytes on my Dell laptop blocked the automatic download of an executable file from a couple of Russian websites.

      http://112.international/society/cyber-security-expert-part-of-virus-attacking-ukraine-could-be-used-in-wannacry-malware-18282.html

    4. Re:Remember kids... by Jeremi · · Score: 1

      Don't click on any dick pic links that appear on Slashdot. Most of those goes back to virus-infected websites.

      Hell, I remember when the dick pics on Slashdot were 100% ASCII-based. And the dicks had wings, for some reason.

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
  7. windows - eternal blue - SMB by johnjones · · Score: 2

    they used windows... they did not turn off SMB 1... their own fault if they are a large company

    John

    1. Re:windows - eternal blue - SMB by ceoyoyo · · Score: 1

      Yeah. This is a good thing. If you're some kind of large company, or especially essential infrastructure, and some Internet thugs can hold you for ransom then it's good you find out now and fix the problem before somebody more serious comes along.

  8. Re:A cyber attack? by __aaclcg7560 · · Score: 1

    God knows Slashdot fanbois love their daily dose of fat porn.

  9. How stupid can some people be? by whitroth · · Score: 1

    They're asking a ransom of $300 in cryptocurrency, according to Bloomberg.

    AND they've hit Europe from Denmark... to Ukraine... to Russia's Rosneft. I expect them in court really soon... assuming that they're not killed resisting arrest.

    1. Re:How stupid can some people be? by Max_W · · Score: 2

      I do not think it is run-off-the-mill individuals who are behind an attack of this magnitude.

    2. Re:How stupid can some people be? by Ungrounded+Lightning · · Score: 1

      I do not think it is run-off-the-mill individuals who are behind an attack of this magnitude.

      The magnitude of the attack is not necessarily any more related to the qualifications and sponsorship of the originator than the magnitude of an Influenza epidemic is related to the size of the virus.

      It's a self-reproducing, self-propagating system. The magnitude of its spread is an artifact of its own behavior, the distribution of the vulnerabilities it exploits, and the connectivity of the susceptable machines.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  10. is it Windows, mac, linux, ios, android? by goombah99 · · Score: 3, Insightful

    Seems like the story is missing a key piece of information

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:is it Windows, mac, linux, ios, android? by ceoyoyo · · Score: 1

      Nah. If it were anything other than Windows the summary would have gleefully declared it.

    2. Re:is it Windows, mac, linux, ios, android? by farble1670 · · Score: 1

      I had the same question. Everything I can find shows it being Windows XP, or maybe 2k.

      Still running a 15 year old insecure by design, unpatched, unsupported OS? Good luck with that.

  11. Re:A cyber attack? by __aaclcg7560 · · Score: 1

    Not until you showed up and showed us how sexy a truly obese man can be!

    Ten years ago I posted a link to a Fat Porn FAQ on my website that got 3000+ hits per day from Slashdot. These days I have to settle for less than 300 hits per day from Slashdot. Sad.

  12. Re:Ha ha by bobbied · · Score: 1

    Lemme guess! M$ windoze? /roflmao

    How did you know? You must be some Zen Master computer hacker or something.... (Or just a script kiddy running the IIS attack from 10 years ago)

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  13. i read by Anonymous Coward · · Score: 1

    Companies running critical infrastructure on windows boxes learned they better not

  14. Re:Political agenda much by Rei · · Score: 2

    Because Ukraine is getting hit by far the hardest? Because they've been the subject of a long string of crippling cyberattacks since the Donbas conflict broke out, including highly sophisticated attacks that took down public utilities - so naturally people assume that this is more along those lines?

    That doesn't mean that this is targeted at Ukraine; it could just be coincidence. But those numbers certainly are skewed. That said, if it was from Russia, they didn't do a good job at preventing it from hitting their own systems.

    --
    "99 dead duelists of Dios on the wall. 99 dead duelists of Dios! Take one's ring, pass it around..."
  15. Optimal ransom demand? by moeinvt · · Score: 1

    I think the hackers need to hire some ... I don't know ... would it be "actuaries" that could make a good estimate for the ransom amount that would yield the highest total payout? Perhaps they do and I don't know what I'm talking about, but I think $300 per machine must be way above optimal.

    Remember supply & demand curves from econ 101? The lower the price, the greater the demand for your "decryption service". And in this case, the supplier's cost is negligible so the demand curve is all that matters. Demand goes infinite as the price approaches $0, and disappears as the price goes too high. Seem like the sweet spot on that curve would be considerably lower than $300.

    1. Re:Optimal ransom demand? by gnick · · Score: 2

      Demand goes infinite as the price approaches $0, and disappears as the price goes too high.

      Demand will never exceed the number of machines infected - Not infinite. Lower, in fact, because a lot of victims don't have and will not create a bitcoin wallet even for a $1 ransom.

      --
      He's getting rather old, but he's a good mouse.
  16. Re:Political agenda much by Rei · · Score: 2

    Interesting... ESET has a very different distribution analysis than Kaspersky, and they show almost exclusively Ukrainian targets, with Russia moved way down the list.

    --
    "99 dead duelists of Dios on the wall. 99 dead duelists of Dios! Take one's ring, pass it around..."
  17. Easy solution by GerryGilmore · · Score: 1

    Don't run Windows!!! Christ, how many critical pieces of infrastructure are built around the most insecure OS in history? Wake up, people!!

    1. Re:Easy solution by johnjones · · Score: 1

      agreed however in a corporate environment people demand them for legacy apps... if thsts the case the system administrators should have turned off SMB version 1 a LONG time ago

      either way there is no way that the companies should have a problem and this is a money spinning exercise for the AV companies who should be given very little money having not solved spam problems...

           

  18. Re: A cyber attack? by __aaclcg7560 · · Score: 1

    Why are you posting links to fat porn FAQs?

    The asshats ten years ago were meaner and less pussy-whipped than today's asshats. Then as now, they thought my weight was relevant to the discussion. The asshats kept writing the same thing over and over again, mostly variations of "You're a fat POS!!!" So I collected what was written into a "Fat Porn FAQ," where I responded to each one, and posted it on my website. I routinely posted the FAQ link as a response every time an asshat repeated something out of the FAQ. If I had monetization set up back then, I would've retired by now.

  19. Human employment or Human Backup? by Neuronwelder · · Score: 1

    Maybe I'm wrong, but a lot of problems could be stopped by humans, or human intervention. As far as I know they aren't cyborgs yet, and are still immune to digital viruses. Sure you might spend a few bucks more on a human, but I see advantages to doing this.

  20. Re:Immediate action to take by ceoyoyo · · Score: 1

    Close all TCP ports. Except maybe 22, if you need remote access. And if you leave it open, disable password access.

  21. Re:Immediate action to take by behrooz0az · · Score: 1

    never use the default port for ssh

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  22. Re:Immediate action to take by ceoyoyo · · Score: 1

    Changing the port number isn't going to protect you from much. Maybe from a little traffic from casual connection attempts.

  23. Re:Immediate action to take by behrooz0az · · Score: 1

    I don't own many servers so this is completely anecdotal,
    but for me changing the port has reduced the root:root and similar attempts to like 1%; IMO with reduced noise you can see the credible threats if there are any.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  24. Re:Immediate action to take by ceoyoyo · · Score: 1

    Sure, it would do that. Telling ssh not to accept passwords at all lets you filter all those out as irrelevant and protects you against users (including yourself) who use or reuse easy passwords.

    Plus you can consider all those login attempts as volunteering IP addresses for the blocklist.