Haven't seen anything on ausnog so far, so here's a summary of the latest big attack, Petya - it's not apparently real ransomware but something a bit weirder.

1) The address to send bitcoins to was a single mailbox, immediately shut down by the ISP, so no other payment method and no decryptions possible. That breaks the entire ransomware model.

2) It started via automatic updates of a Ukrainian accounting package called Me-doc, one of 2 packages obligatory for tax purposes in Ukraine. Russian companies in Ukraine mysteriously evaded it.
https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4

3) It's hit Ukraine badly - see https://twitter.com/TetySt/status/879755007540723712/photo/1

4) Ukraine has been used as a cyberattack testbed several times, see brilliant and very readable Wired article:
https://www.wired.com/story/russian-hackers-attack-ukraine/

5) Petya spreads laterally inside /24s then stops, i.e. it's very limited. It's also disabled ridiculously easily, with the creation of a readonly file called perfc on Windows boxes:
https://www.wordfence.com/blog/2017/06/petya-ransomware/?utm_source=list&utm_medium=email&utm_campaign=062717-2

6) MalwareTechBlog is a great source too (he found the Wannacry kill switch):
https://www.malwaretech.com/2017/06/petya-ransomware-attack-whats-known.html

All very odd. Patch those Windows boxes. (Unix users sit back and smirk - for now at least.)

Kate

_________________________________________________________________
Dr Kate Lance, CEO                    IPv6 Now Pty Ltd
Ph 0416 070 230                       Dedicated to IPv6
Head Office 1800 222 085              www.6now.net
Suite 1, 89 Jones St Ultimo NSW 2007
_________________________________________________________________

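The read-only perfc "vaccine" from point 5, as an added PowerShell example (not from the original post or the linked write-ups); it assumes the file belongs in the Windows directory, as reported at the time, and that the script runs elevated.

```powershell
# Added example: create the perfc kill-switch file read-only and verify it.
# Assumption: the file is checked for in the Windows directory ($env:WINDIR).
# Run from an elevated PowerShell prompt; re-running is harmless (idempotent).

function Set-PetyaVaccineFile {
    param(
        [string]$Directory = $env:WINDIR,   # assumed location, e.g. C:\Windows
        [string]$Name      = 'perfc'        # file name named in the post
    )
    $path = Join-Path $Directory $Name

    # Create an empty file only if it does not already exist.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path -Force | Out-Null
    }

    # Mark it read-only so a later process cannot simply overwrite it.
    $item = Get-Item -LiteralPath $path -Force
    $item.Attributes = $item.Attributes -bor [System.IO.FileAttributes]::ReadOnly

    # Return a small verification record for inventory/logging.
    [pscustomobject]@{
        Path     = $path
        Exists   = Test-Path -LiteralPath $path
        ReadOnly = (Get-Item -LiteralPath $path -Force).IsReadOnly
    }
}

Set-PetyaVaccineFile | Format-List
```

Treat this as a stopgap only; the post's real advice is to patch the boxes, since the file affects only this one malware's self-check.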