Slashdot Mirror


Ukrainian Banks, Electricity Firm Hit by Fresh Cyber Attack; Reports Claim the Ransomware Is Quickly Spreading Across the World (vice.com)

A massive cyber attack has disrupted businesses and services in Ukraine on Tuesday, bringing down the government's website and sparking officials to warn that airline flights to and from the country's capital city Kiev could face delays. Motherboard reports that the ransomware is quickly spreading across the world. From a report: A number of Ukrainian banks and companies, including the state power distributor, were hit by a cyber attack on Tuesday that disrupted some operations (a non-paywalled source), the Ukrainian central bank said. The latest disruptions follow a spate of hacking attempts on state websites in late-2016 and repeated attacks on Ukraine's power grid that prompted security chiefs to call for improved cyber defences. The central bank said an "unknown virus" was to blame for the latest attacks, but did not give further details or say which banks and firms had been affected. "As a result of these cyber attacks these banks are having difficulties with client services and carrying out banking operations," the central bank said in a statement. BBC reports that Ukraine's aircraft manufacturer Antonov, two postal services, Russian oil producer Rosneft and Danish shipping company Maersk are also facing "disruption, including its offices in the UK and Ireland."

According to local media reports, the "unknown virus" cited above is a ransomware strain known as Petya.A. Here's how Petya encrypts files on a system (video). News outlet Motherboard reports that Petya has hit targets in Spain, France, Ukraine, Russia, and other countries as well. From the report: "We are seeing several thousands of infection attempts at the moment, comparable in size to Wannacry's first hours," Costin Raiu, a security researcher at Kaspersky Lab, told Motherboard in an online chat. Judging by photos posted to Twitter and images provided by sources, many of the alleged attacks involved a piece of ransomware that displays red text on a black background, and demands $300 worth of bitcoin. "If you see this text, then your files are no longer accessible, because they are encrypted," the text reads, according to one of the photos. "Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."

  1. Backup/Restore by Big+Hairy+Ian · · Score: 2

    Say no more

    --

    Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    1. Re:Backup/Restore by 93+Escort+Wagon · · Score: 4, Insightful

      Disconnected backup/restore.

      These sorts of malware are perfectly capable of encrypting a connected external or network drive.

      --
      #DeleteChrome
    2. Re: Backup/Restore by Anonymous Coward · · Score: 2, Insightful

      Would have been nice if some government agency had found vulnerabilities, they would have tipped off the vendors to patch them. Only sociopaths would have failed to improve the world by trying to use them for their own benefit.

    3. Re:Backup/Restore by Rei · · Score: 4, Interesting

      Something I was just thinking about the other day, when considering btrfs for a new install rather than ext4... wouldn't a filesystem that allows for periodic snapshotting offer some defense against ransomware, so long as the ransomware doesn't run with the privilege to delete snapshots? So it starts encrypting your files... then runs out of disk space due to all of the changes it's made since the last snapshot, becomes stuck, and all the user has to do is restore from the last snapshot.

      Seems like some relatively low hanging fruit to help combat a relatively major problem. Or am I missing something?

      --
      "99 dead duelists of Dios on the wall. 99 dead duelists of Dios! Take one's ring, pass it around..."
    4. Re:Backup/Restore by JaredOfEuropa · · Score: 4, Informative

      Careful with just doing mirrors and/or rotating snapshots / tapes: by the time the ransomware reveals itself, your backup process may already have cheerfully overwritten your files in backup with encrypted versions.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    5. Re: Backup/Restore by MightyMartian · · Score: 4, Insightful

      Well, I'm up in Canada, so maybe it's different south of the border, but up here I've had meetings with Assistant Deputy Ministers, which are about two steps down from the political office-holder (the Cabinet Minister). I've had my disagreements with them, and certainly have felt they've made some decisions that I thought were, shall we say, less than optimal, but I've never seen evidence of them being bad or selfish people.

      I can't say the same for some cabinet ministers (what Americans would call Secretaries), mind you. I've never directly interacted with anyone at the political level, but there have been one or two whose actions I've seen that have led me to believe that if they're not outright sociopaths, then at least they're quite callous and bullying. There's an old joke in the Westminster tradition that the best cabinet minister is the cabinet minister who understands that it's not his job to micromanage his department. I have seen cabinet ministers who very much believed they had the knowledge and capability to do just that, and like a crappy CEO in a private setting, they can leave ruin and poor morale in their wake. Many years ago I saw one Ministry see an exodus of everyone from frontline public sector workers up to higher level civil servants start getting out, and that always suggests a department with very poor leadership.

      That being said, I don't think even most politicians are sociopaths. I think they can get woefully out of touch with their constituents, and the problem here in Canada, as I'm sure it is in the US, is that voters will tend to vote based on team jersey in many cases rather than on anyone's record, so the same bad actors seem to be able to hang on to their jobs for a rather long time.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    6. Re:Backup/Restore by KiloByte · · Score: 4, Informative

      That's why you don't just rotate the snapshots, you organize them into tiers.

      For example, the setup I use is: I keep yearlies, monthlies, 1-11-21th day of month, dailies, and (for two machines) 3-hourlies. Yearlies and monthlies don't expire other than manually, others keep 10 of their kind.

      If you use btrfs on the backup machine -- with dedupe and compression -- all of this takes surprisingly little space compared to other forms of backup, yet any individual snapshot is available straight as a mounted filesystem, without any extra steps.

      Obviously most machines have pull backups: since root privs are needed, it's the backup machine that can control the backupees.

      I also have disconnected backups, although I haven't automated that yet.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
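
Added example (not part of any comment in this thread, and not KiloByte's actual tooling): the tiered retention rule described in the comment above, written as a pruning planner, together with the delayed-detection case JaredOfEuropa raises. It assumes snapshots are taken on the hour, that each snapshot counts only toward the highest tier it qualifies for, and that "keep 10 of their kind" means the 10 newest per tier; the function names and sample timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

KEEP_FOREVER = {"yearly", "monthly"}   # expire only manually
KEEP_PER_TIER = 10                     # every other tier keeps its 10 newest

def tier_of(ts):
    """Highest tier a snapshot timestamp qualifies for (assumed rule)."""
    if ts.hour != 0:
        return "3-hourly"
    if ts.day == 1:
        return "yearly" if ts.month == 1 else "monthly"
    if ts.day in (11, 21):
        return "1-11-21"
    return "daily"

def plan(snapshots):
    """Split snapshot timestamps into (keep, expire) sets."""
    by_tier = defaultdict(list)
    for ts in snapshots:
        by_tier[tier_of(ts)].append(ts)
    keep = set()
    for tier, items in by_tier.items():
        items.sort(reverse=True)       # newest first
        keep.update(items if tier in KEEP_FOREVER else items[:KEEP_PER_TIER])
    return keep, set(snapshots) - keep

def newest_before(kept, moment):
    """Newest retained snapshot taken before `moment`, or None."""
    older = [ts for ts in kept if ts < moment]
    return max(older) if older else None

def sample_snapshots():
    """Constructed input: one snapshot every 3 hours for about six months."""
    start, end = datetime(2017, 1, 1), datetime(2017, 6, 27, 9)
    out = []
    while start <= end:
        out.append(start)
        start += timedelta(hours=3)
    return out

if __name__ == "__main__":
    keep, expire = plan(sample_snapshots())
    print(len(keep), "kept,", len(expire), "expired")
    # Files silently encrypted since 5 June, noticed on 27 June:
    print("restore from", newest_before(keep, datetime(2017, 6, 5, 12)))
```

With a plain rotation that keeps only the 10 newest dailies, the same constructed timeline leaves no snapshot older than the start of the encryption; the monthly tier is what still holds a clean copy.
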
    7. Re:Backup/Restore by whitlocktj · · Score: 2

      This right here. Saved my bacon so many times. Clients don't like missing emails, so they like getting spam and actually OPEN the files. Good thing we had configured a regex alert whenever one of those files was created. Saved a lot of hours of recovery.

  2. BBC Report by Big+Hairy+Ian · · Score: 3, Informative
    --

    Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

  3. Credit where it's due by Anonymous Coward · · Score: 5, Insightful

    Slashdot editors receive a lot of flak when they run dupes, or miss out on good stories. But this story about the ongoing cyber attack is literally the only one that makes sense - and I have read FT, NYT, and WSJ copies. Insightful summary, and perfectly stitched together. Kudos.

  4. Petya = already defeated last year by AdamD1 · · Score: 3, Interesting

    This ransomware has actually previously been defeated (April 2016), and a key generator tool was released:

    https://www.bleepingcomputer.c...

    fyi

    --
    Because I can! [Brainrub.com]
    1. Re:Petya = already defeated last year by Anonymous Coward · · Score: 5, Informative

      This appears to be a new variant. No confirmation yet as to whether or not the previous decrypter still works.

      https://isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/
      "According to the Verge article, today's ransomware appears to be a new Petya variant called Petyawrap."

      https://twitter.com/craiu/status/879692523102511104
      The fast-spreading Petrwrap/Petya ransomware sample we have was compiled on June 18, 2017 according to its PE timestamp.

  5. windows - eternal blue - SMB by johnjones · · Score: 2

    they used windows... they did not turn off SMB 1... their own fault if they are a large company

    John

  6. is it Windows, mac, linux, ios, android? by goombah99 · · Score: 3, Insightful

    Seems like the story is missing a key piece of information

    --
    Some drink at the fountain of knowledge. Others just gargle.
  7. Re:How stupid can some people be? by Max_W · · Score: 2

    I do not think it is run-of-the-mill individuals who are behind an attack of this magnitude.

  8. Re:Political agenda much by Rei · · Score: 2

    Because Ukraine is getting hit by far the hardest? Because they've been the subject of a long string of crippling cyberattacks since the Donbas conflict broke out, including highly sophisticated attacks that took down public utilities - so naturally people assume that this is more along those lines?

    That doesn't mean that this is targeted at Ukraine; it could just be coincidence. But those numbers certainly are skewed. That said, if it was from Russia, they didn't do a good job at preventing it from hitting their own systems.

    --
    "99 dead duelists of Dios on the wall. 99 dead duelists of Dios! Take one's ring, pass it around..."
  9. Re:oh dear by JaredOfEuropa · · Score: 3, Insightful

    It's not a home invasion if the intruder presents himself as a delivery man / pizza guy, and you subsequently open the door.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  10. Re:Political agenda much by Rei · · Score: 2

    Interesting... ESET has a very different distribution analysis than Kaspersky, and they show almost exclusively Ukrainian targets, with Russia moved way down the list.

    --
    "99 dead duelists of Dios on the wall. 99 dead duelists of Dios! Take one's ring, pass it around..."
  11. Re:Optimal ransom demand? by gnick · · Score: 2

    Demand goes infinite as the price approaches $0, and disappears as the price goes too high.

    Demand will never exceed the number of machines infected - Not infinite. Lower, in fact, because a lot of victims don't have and will not create a bitcoin wallet even for a $1 ransom.

    --
    He's getting rather old, but he's a good mouse.