If it's just the MBR being encrypted then presumably something like Photorec should recover files. However according to https://www.infosecurity-magazine.com/news/ukraine-businesses-petya-ransomware/ it encrypts files as well as the MBR.
Huge ransomware outbreak spreads in Ukraine and beyond
A huge ransomware outbreak has hit major banks, utilities and telcos in Ukraine as well as victims in other countries. Check out our full analysis of the software nasty, here. Early analysis of the attack points towards a variant of the known Petya ransomware, a strain of malware that encrypts the filesystem tables and …
COMMENTS
Tuesday 27th June 2017 17:22 GMT Doctor Syntax
"someone talking about it attacking the MFT of NTFS - that's a more severe attack than the MBR."
Providing the files themselves aren't corrupted something like photorec reads the sectors, tries to work out what they are and copies the results out to fresh media. Obviously it depends on the extent to which the files are fragmented. If the files are encrypted then it depends on whether they're overwritten. The only experience I had with this was with ransomware that wrote out the encrypts as new files and deleted the old ones which, of course, just marked the files' sectors as free but didn't do anything to the contents. The only problem was sorting out real images from junk heap of odds & sods from the browser cache.
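Added example, not from the thread or from PhotoRec itself: a minimal Python carver that does what the comment describes, ignoring the filesystem tables entirely and scanning the raw image sector by sector for known file headers (JPEG and PNG here), then copying out each whole file. It only recovers contiguous files and skips anything truncated or overwritten, which is the limitation the comment points to; the disk image and the two "photos" are constructed inline.

```python
import struct
import zlib
SECTOR = 512  # scan at sector boundaries only, where a filesystem would have started a file

def _jpeg_end(data, start):
    # A JPEG stream ends with the EOI marker FF D9; take the first one after the SOI marker.
    end = data.find(b"\xff\xd9", start + 2)
    return None if end == -1 else end + 2

def _png_end(data, start):
    # Walk the chunk list (4-byte length, 4-byte type, data, 4-byte CRC) until IEND.
    pos = start + 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length
        if ctype == b"IEND":
            return pos
    return None  # no IEND: the file was truncated or overwritten, so it cannot be carved whole

SIGNATURES = {b"\xff\xd8\xff": ("jpg", _jpeg_end), b"\x89PNG\r\n\x1a\n": ("png", _png_end)}
def carve(image):
    """Return [(offset, ext, bytes)] for every whole file whose header sits on a sector boundary."""
    found, off = [], 0
    while off < len(image):
        step = SECTOR
        for sig, (ext, end_of) in SIGNATURES.items():
            if image.startswith(sig, off):
                end = end_of(image, off)
                if end is not None:
                    found.append((off, ext, image[off:end]))
                    step = -(-(end - off) // SECTOR) * SECTOR  # jump past the file's sectors
                break
        off += step
    return found

def _png_chunk(ctype, payload=b""):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

def _pad(b):
    return b + b"\x00" * (-len(b) % SECTOR)  # pad to a whole sector, like slack space
# Constructed sample files (not real photos): a minimal JFIF stream and a 1x1 PNG.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 700 + b"\xff\xd9"
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
              + _png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00")) + _png_chunk(b"IEND"))

def build_sample_image():
    """Constructed raw image with no filesystem tables: free sector, JPEG, PNG, cache junk, cut-off JPEG."""
    return (_pad(b"\x00" * SECTOR) + _pad(SAMPLE_JPEG) + _pad(SAMPLE_PNG)
            + _pad(b"<html>browser cache junk</html>") + b"\xff\xd8\xff\xe0" + b"\x22" * 40)
```

The trailing cut-off JPEG in the sample image has a header but no EOI marker, so the carver leaves it behind rather than emitting a corrupt file.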
Tuesday 27th June 2017 21:55 GMT Doctor Syntax
"and needs to get work done?"
Yes, they certainly need to get work done now to recover from this.
I take it you've no personal knowledge of Linux or other Unix-like systems. I've got a little secret for you. Most of those of us who use Linux have also had experience of Windows, including sorting out the problems it's caused for friends and family. We can actually reach an informed opinion of what actually works.
In my case I was using Unix systems to do real work years before Windows was thought of. Lab management, logistics management, industrial control systems, all grist to the mill.
Wednesday 28th June 2017 05:12 GMT herman
In many cases you will find that there are perfectly good alternatives that do the same thing on Linux/BSD/Apple Mac. For the rest, you can use Windows in a virtual machine with the virtual network cable unplugged, or very strongly packet filtered by the host.
Note that there are millions of Apple Mac users out there that do not use any Windows software and get things done much more easily, securely and professionally.
Wednesday 28th June 2017 05:07 GMT herman
Well, Linux, BSD and Macintosh are very similar and share tens of thousands of software packages. So you allude that millions of Mac users, for example, cannot get any work done?
It is time to wake up and smell the coffee. There is a whole world of computing out there that you are not aware of.
Wednesday 28th June 2017 13:41 GMT patrickstar
Funny with the mandatory "stupid Windows is so insecure, use Linux!!!111" comment considering that the article clearly states that this was not relying on any Windows specific vulnerability, but rather compromising the auto-update servers of some company and then being able to move across the network due to bad admin practices. Both things would work equally well against Linux if the attackers wanted to target it instead.
Tuesday 27th June 2017 15:01 GMT i1ya
"Never attribute to malice that which is adequately explained by stupidity"
My beloved country, which is Ukraine, is famous for pirated Windows and nihilist admins who often deliberately don't install patches. The horse was stolen two months ago when "Wanna Cry" was all over the news; but to some people, it's never enough to finally lock the barn door.
Tuesday 27th June 2017 16:01 GMT iromko
Re: "Never attribute to malice that which is adequately explained by stupidity"
For a country which is the target of Russian aggression, it's only natural to assume that any widespread attack on its infrastructure was initiated by the aggressor. And only after that was disproved, other possibilities may be considered. Of course, if some administrators failed to protect their systems (big 'if', we don't really know), they should be held accountable.
But still the blame should be placed where it belongs, on the perpetrator, not the victims.
Tuesday 27th June 2017 19:23 GMT Tom Paine
Re: "Never attribute to malice that which is adequately explained by stupidity"
But still the blame should be placed where it belongs, on the perpetrator, not the victims.
Criminal negligence, negligent culpability, duty of care... these are things in UK law. Blame the attackers existing if you like, but really they've got more in common with a lightning strike or washing machine catching fire: these are things that, sooner or later, are going to happen, and you'd better design and build (or procure and operate) accordingly.
Put another way: it's not my /fault/ that nature and nurture made me enjoy beer, but it's my /responsibility/ not to drink-drive, or destroy my liver, or glass someone for looking at my pint all night.
Tuesday 27th June 2017 21:52 GMT Anonymous Coward
Re: "Never attribute to malice that which is adequately explained by stupidity"
And your evidence is, what? Something bad happened in Ukraine, so the Russians must be orchestrating it?
At some stage, Ukrainians will wake up to the fact that most of the damage done to Ukraine was not done by the wicked Russians, but by the utterly corrupt "leaders" of the country whose sole intent is to pillage the country for their own benefit. Yes, the Russians are an easy scapegoat, but when EVERY Ukrainian president has been more corrupt than Ismailov and more inept than Yeltsin, this might be a more plausible explanation.
Ukrainians really need to find the spirit of Khemelnitskiy and rise up to free themselves from the political class, then perhaps they could work to being the most prosperous nation in Europe.
Thursday 29th June 2017 09:37 GMT find users who cut cat tail
Re: "Never attribute to malice that which is adequately explained by stupidity"
Pirated Windows and lazy admins may be factors. Still, Ukraine is not exactly a wealthy country and $300 is lots of money there. If your goal is to make money from the ransomware, wouldn't you rather target a country where $1000/month is considered the poverty threshold? This looks more like the ransom part is a nice benefit but not the goal.
Wednesday 28th June 2017 08:03 GMT Anonymous Coward
I think I know the one. They're my company's main courier, which has meant vast parts of our shipping/logistics teams grinding to a halt as a result. Not great when you've got lots of companies expecting urgent kit from you which is now stuck in various courier warehouses...
Edit: sod it, it's TNT. Seeing as the BBC have already outed them...
Tuesday 27th June 2017 19:27 GMT Tom Paine
Re: That's it
Why don't you just invest in a firewall device that you can configure to block access from the Internet to all those ports Micro$oft love to keep open by default ?
Altogether, now: "OF COURSE IT'S SECURE, IT'S INSIDE THE FIREWALL!"
This is why infosec people have a job for life, and a frequent flier card at their local boozer.
Tuesday 27th June 2017 21:02 GMT Sir Runcible Spoon
Re: That's it
"Why don't you just invest in a firewall device that you can configure to block access from the Internet to all those ports Micro$oft love to keep open by default ?"
Well, when my work laptop is connected, it's using split-tunnel so no naughty connections to my local network at all once I've VPN'd to the corporate network.
Once connected, my machine is effectively on a DMZ within the perimeter of the corporate security estate, and I know how leaky that is because I used to work for the company that manages it. If I can connect to a network share at the office via an SSL VPN then I can sure as hell get hit by malware using those ports to host-hop.
So, tell me Mr AC - where exactly does the firewall fit into this? I'm more likely to be protected by the IPS solution than the firewall, since the firewall is set to allow those connections that are at risk.
Tuesday 27th June 2017 23:07 GMT hmv
Re: That's it
If you were VPNing in through _my_ firewall (well it belongs to $work, but I'm the Evil Firewall Admin), you could SMB to the storage networks but not to and from the workstation networks. So yes the firewall would limit the chances of getting infected.
BTW: It's not clear, but what you're describing doesn't sound like split-tunnel to me.
Wednesday 28th June 2017 05:21 GMT Anonymous Coward
"So, tell me Mr AC - where exactly does the firewall fit into this?"
Well: I have an ancient external Firewall device. I block the ports used for SMB server connections which are open on my intranet from being connected to from the Internet which is then on the other side of the Firewall.
So you just interpose the firewall between your node and the rest of the Internet.
Of course, if you need to share a drive across a network then that network needs to be similarly protected, as does its transitive closure.
Otherwise you're buggered.
Tuesday 27th June 2017 23:00 GMT hmv
Re: That's it
Hard and crunchy on the outside, soft and chewy on the inside. I'm probably paraphrasing, but that phrase was in one of the first firewall books I read back in the mid-1990s.
Sure blocking SMB at the edge helps protect, but I would not be very surprised to learn those hardest hit by this one were those who did have protection at the edge and so were complacent about their "soft and chewy" inside.
Tuesday 27th June 2017 16:00 GMT Julian 8
Besides patching
Windows Server: PowerShell method (Remove-WindowsFeature FS-SMB1)
Windows Client: PowerShell method (Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol)
Not surprised about WPP - who are being named on R5 live a lot
IBM and no idea who or what they are doing about patching these days. Used to be good
Tuesday 27th June 2017 18:59 GMT Anonymous Coward
Re: Place your bets
Who Gains ?
Probably some Government "Civil Servants" trying to justify the existence of their budget (being bored with blackmailing MPs with dodgy e-mails), or else they've been ordered to take the populace's minds off burning tower blocks or politicians discovering their new friends in the DUP have a common shared interest in small boys.
Wednesday 28th June 2017 02:56 GMT GrumpyOldBloke
Re: Place your bets
From the Australian ABC ransomware-virus-hits-computer-servers-across-the-globe...
The Federal Minister responsible for cyber security, Dan Tehan, said the Government was doing all it could to prevent further outbreaks.
"We have been in contact with our Five Eyes partners and the national cyber security centres in those countries to get a good sense as to what is occurring," he told the ABC.
"We are monitoring the situation, we are in touch with other countries to see what impact is happening there.
"That is the best we can do at this stage."
... That is it, the best we can do at this stage. The emperor has no clothes. I guess we wait for another programmer sitting in his bedroom to work this one out.
Tuesday 27th June 2017 17:20 GMT Anonymous Coward
Companies in the USA have been hit
Just ran into a friend from a big company that was sent home because of a ransomware virus. They had them turn off their systems and remove their batteries. Turned off wifi. It infected their Cisco phone system too and it is randomly calling out to people in their contacts.
Wednesday 28th June 2017 07:12 GMT Anonymous Coward
cmd.exe (administrative elevation)
cd\windows
md perfc
md perfc.dll
exit
Sounds too good to be true... I have cockblocked several nasties in the past by creating a directory (when it wants to create a file) and a read-only file (when it wants to create a directory) on ickdoze PCs...
now that the cat is out of the bag, malware writers will most probably add code to check for a file/directory and take appropriate steps.
Tuesday 27th June 2017 20:14 GMT adnim
The older I get
the more I think that those who are trained to run computers aren't. And I can never see more than seven layers (or is it veils) in my mystical dream world of Unicorns, no matter how hard I try, or try to get hard.
Joke icon...cos some don't understand satire.
The only real downside to this is that the tax payer and consumer will foot the cost as prices or quantity/quality of product are adjusted so as not to upset share holders and the stock price.
Wednesday 28th June 2017 00:05 GMT Destroy All Monsters
Re: if the virus is really named Petya
> hammer and sickle
Yeah, but sovietism has been dead since, like, Gorbachev.
Anyway, Putlet cannot hold a candle to Real Russian Nationalism.
Wednesday 28th June 2017 06:51 GMT Anonymous South African Coward
So, update.
Seems once you get the bitcoin message (apparently it shows the same message for all computers, and not individual bitcoin addresses) it seems to be more than a smokescreen, and you can save your skin by switching off your computer, as it will start to encrypt your precious files once it reboots. Not 100% guaranteed, as newer iterations may encrypt on the fly.
We've got a few incidents of this malware here in Sunny South Africa, and I'm trying to find out who's been hit.
Ne'er-do-wells *sigh*