Thanks for the walkthrough, Kate. Saves me reading through the flurry of messages this morning. :-)

> On Jun 28, 2017, at 9:12 AM, Kate Lance <[email protected]> wrote:
>
> Haven't seen anything on ausnog so far, so here's a summary of the latest
> big attack, Petya - it's not apparently real ransomware but something a
> bit weirder.
>
> 1) The address to send bitcoins to was a single mailbox, immediately shut down
> by the ISP, so no other payment method and no decryptions possible. That
> breaks the entire ransomware model.
>
> 2) It started via automatic updates of a Ukrainian accounting package called
> Me-doc, one of 2 packages obligatory for tax purposes in Ukraine. Russian
> companies in Ukraine mysteriously evaded it.
> https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4
>
> 3) It's hit Ukraine badly - see
> https://twitter.com/TetySt/status/879755007540723712/photo/1
>
> 4) Ukraine has been used as a cyberattack testbed several times, see brilliant
> and very readable Wired article:
> https://www.wired.com/story/russian-hackers-attack-ukraine/
>
> 5) Petya spreads laterally inside /24s then stops, i.e. it's very limited. It's
> also disabled ridiculously easily, with the creation of a read-only file called
> perfc on Windows boxes:
> https://www.wordfence.com/blog/2017/06/petya-ransomware/?utm_source=list&utm_medium=email&utm_campaign=062717-2
>
> 6) MalwareTechBlog is a great source too (he found the WannaCry kill switch):
> https://www.malwaretech.com/2017/06/petya-ransomware-attack-whats-known.html
>
> All very odd. Patch those Windows boxes. (Unix users sit back and smirk -
> for now at least.)
>
> Kate
> _________________________________________________________________
>
> Dr Kate Lance, CEO IPv6 Now Pty Ltd
> Ph 0416 070 230 Dedicated to IPv6
> [email protected] Head Office 1800 222 085
> www.6now.net Suite 1, 89 Jones St Ultimo NSW 2007
> _________________________________________________________________
>
> _______________________________________________
> AusNOG mailing list
> [email protected]
> http://lists.ausnog.net/mailman/listinfo/ausnog
