Newsletter Archives
-
Evidence that PetyaWrap is from a Russia-linked hacking group “TeleBots”
Interesting tweet stream from Catalin Cimpanu.
He connects the dots and, based on a report from ESET, deduces that PetyaWrap comes from a hacking organization known as TeleBots, which targeted the US before 2015, and the Ukraine after 2015.
ESET now confirms TeleBots hacked MEDoc and installed a backdoor, which apparently was used to seed PetyaWrap.
That doesn’t explain all of the PetyaWrap infections, but it does explain the best-known infection vector.
In addition, Dan Goodin has more evidence on Ars Technica that the people behind PetyaWrap got the leaked NSA code weeks before Shadow Brokers released it to the world. Dan calls it an “unproven theory” but it’s an interesting one.
Thx @Kirsty
-
Contrary opinion: PetyaWrap is buggy, poorly constructed ransomware
Yesterday, I ran an article that says PetyaWrap (NyetPetya, Petya.2017, nPetya, pick your name) “was designed to make headlines, not to make money.” There’s convincing evidence for that conclusion, offered by highly regarded malware researchers.
But there’s a second opinion which says, roughly, “PetyaWrap was (is) a buggy piece of real ransomware.” Vess Bontchev goes on to assert that it’s from an “idiot ransomware writer.”
Rob Graham has an excellent exposé of that assertion in his Errata Security blog, NonPetya: no evidence it was a “smokescreen”:
Certainly, things look suspicious. For one thing, it certainly targeted the Ukraine. For another thing, it made several mistakes that prevent them from ever decrypting drives. Their email account was shut down, and it corrupts the boot sector.
But these things aren’t evidence, they are problems. They are things needing explanation, not things that support our preferred conspiracy theory.
Three things I know for sure.
First, it’s still a problem. According to Iain Thomson at The Reg, FedEx reportedly halted trading on the NYSE because its TNT subsidiary got infected – likely with PetyaWrap.
Second, the antivirus companies are in hype overdrive mode, claiming this or that about their products and PetyaWrap. I don’t believe any of it.
Third, the people who say “install all Windows patches right away to prevent PetyaWrap infections” don’t have a clue. The infection method for PetyaWrap is still unknown, and the subject of much conjecture. What we do know is that, if your Windows PC has all of the March patches installed, it won’t get infected by one method, but it may get infected by a different method. Having all of your Windows patches up to date won’t protect you, in spite of what the self-proclaimed “experts” say.
As for the major network TV show that claimed you could improve protection against PetyaWrap by using strong passwords…. pffffffffffffffft.
Welcome to the scary new world of Windows, folks.
-
PetyaWrap was designed to make headlines, not to make money
… and it certainly succeeded.
Security researcher Matt Suiche has published more details about PetyaWrap (NyetPetya, Petya.2017, choose your favorite cute name) that show quite conclusively that the person/organization behind PetyaWrap wasn’t interested in making money — they just wanted to make a big splash. Suiche calls it a “wiper,” as opposed to ransomware:
The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative. A ransomware has the ability to restore its modification such as (restoring the MBR like in the 2016 Petya, or decrypting files if the victim pays) — a wiper would simply destroy and exclude possibilities of restoration.
Dan Goodin at Ars Technica has a new analysis that strengthens Suiche’s conclusion: Tuesday’s massive ransomware outbreak was, in fact, something much worse:
the payload delivered in Tuesday’s outbreak wasn’t ransomware at all. Instead, its true objective was to permanently wipe as many hard drives as possible on infected network…
Tuesday’s malware was impressive. It used two exploits developed by and later stolen from the National Security Agency. It combined those exploits with custom code that stole network credentials so the malware could infect fully patched Windows computers. And it was seeded by compromising the update mechanism for M.E.Doc, a tax-filing application that is almost mandatory for companies that do business in Ukraine. The shortcomings in the ransomware functions aren’t likely to be mistakes, considering the overall quality of the malware.
If the intent of the PetyaWrap author(s) was to sow fear of Windows, they certainly succeeded. Because of the way PetyaWrap infects, very few of you have been hit. The next version may not be so kind.
Chromebooks are looking better every day.
-
The grugq: PetyaWrap causing lots of havoc, making little profit
Dan Goodin at Ars Technica has the definitive report on the latest ransomware outbreak:
A new ransomware attack similar to last month’s self-replicating WCry outbreak is sweeping the world with at least 80 large companies infected, including drug maker Merck, international shipping company Maersk, law firm DLA Piper, UK advertising firm WPP, and snack food maker Mondelez International. It has attacked at least 12,000 computers, according to one security company.
If you haven’t seen the grugq’s technical analysis, it’s well worth a gander.
Although the worm is camouflaged to look like the infamous Petya ransomware, it has an extremely poor payment pipeline.
Of course, you have nothing to worry about because you installed MS17-010 last month, right?
Vess Bontchev nudged me about the spreading mechanisms. At this point, we don’t really know how PetyaWrap spread, but once it infects one machine on a network, the MS17-010 patch doesn’t block it from moving from machine to machine on that same network. I have no idea how it spread so rapidly.
Microsoft has a security blog on the topic. It lists one of the spreading mechanisms and says that one is blocked by MS17-010 — but there are two other identified mechanisms.
We recommend customers that have not yet installed security update MS17-010 to do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:
- Disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547 and as recommended previously
- Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445
If you want to double down on your protection, you can also block PetyaWrap by creating a read-only file called c:\Windows\perfc. Full instructions on Bleeping Computer.
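Here is an added PowerShell example, not code from this newsletter, from Microsoft or from Bleeping Computer, that applies the three workarounds above on a single Windows host and reports the SMBv1 state before and after. It assumes a Windows 8.1/10 or Server 2012 R2 (or later) machine where the SmbShare, DISM and NetSecurity modules are available; the function names and the firewall rule name are my own.

```powershell
# Added example: apply the PetyaWrap workarounds discussed above on one host.
# Run from an elevated PowerShell prompt. Assumes the SmbShare, DISM and
# NetSecurity modules exist (Windows 8.1/10, Server 2012 R2 or later).
#Requires -RunAsAdministrator

function Get-Smb1Status {
    # Record the current state before changing anything: the SMB server
    # setting and, on client SKUs, the SMB1Protocol optional feature.
    $server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerSMB1Enabled = $server
        SMB1FeatureState  = if ($feature) { $feature.State } else { 'NotPresent' }
    }
}

function Disable-Smb1 {
    # Workaround 1: disable SMBv1, the protocol the MS17-010 exploits ride on.
    # This is the PowerShell equivalent of the KB 2696547 steps; the feature
    # removal needs a reboot to take full effect.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Block-InboundSmb {
    # Workaround 2: block inbound TCP 445 at the host firewall (the page
    # suggests the router or perimeter firewall; a host rule is the per-PC
    # version). Idempotent: the rule is created only once.
    $name = 'Block inbound SMB (TCP 445) - PetyaWrap workaround'   # my own rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

function New-PerfcVaccine {
    # Workaround 3: the Bleeping Computer "vaccine", a read-only
    # C:\Windows\perfc, which the malware checks before running.
    $path = Join-Path $env:windir 'perfc'
    if (-not (Test-Path $path)) {
        New-Item -Path $path -ItemType File | Out-Null
    }
    (Get-Item $path).IsReadOnly = $true
    Get-Item $path | Select-Object FullName, IsReadOnly
}

Get-Smb1Status
Disable-Smb1
Block-InboundSmb
New-PerfcVaccine
Get-Smb1Status
```

The 445 rule also stops legitimate file and print sharing to the machine it runs on, so on a file server scope it with `-RemoteAddress` rather than blocking everything, and treat the perfc file as a stopgap alongside installing MS17-010, not a replacement for it.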
-