
Maersk IT systems infected with ransomware - TonnyGaric
https://twitter.com/Maersk/status/879679584282738688
======
simonvc
I worked at Maersk for a couple of years. This happened once before, we came in
and all Maersk's machines were randomly shutting down.

I heard later a rumour that the reason the AV didn't pick it up was it was a
0-day (stuxnet derived before that was known) and it was literally targeting
the SCADA systems on boats... but that's also the plot of Hackers, so take that
with a pinch of salt.

Anyway, being the build/devops/tooling person on a project, I burned 40 DVDs
with Eclipse and Ubuntu and handed them to the devs, and they booted into
Ubuntu and kept developing.

All was going fine until I got a telling off from the Corporate IT security
team complaining that our unauthorised Ubuntu machines weren't running AV and
so could be introducing viruses into the network.

Total facepalm.

~~~
hans0l074
After close to a decade of working in DK, I found their Big IT corporate
processes resembling a Deathstar. Looks powerful from a distance, but
flaws/inefficiencies can be discerned if you happen to be at close quarters.
Also, they advanced ponderously. Which was weird because if you spoke to
individual engineers in the teams, they seemed to know how things should be
done. I was at Maersk at the same time as you, and I recall your team (ADLT!)
eventually conjuring up some Vagrant machines for us devs, which were, it
turned out, a pain to use since the AV kept interfering with the running VMs.

------
smartbit
Essence of Maersk attack in one tweet
[https://twitter.com/craiu/status/879690795946827776](https://twitter.com/craiu/status/879690795946827776)

_New Petrwrap /Petya ransomware has a fake Microsoft digital signature
appended. Copied from Sysinternals Utils._

I was sitting next to someone who didn't close his laptop immediately
when notified; 1 minute later it was too late. Most of my colleagues went
home; even if their laptop was not infected (also over the VPN) they are not
allowed to start the machine. Some departments ask people to stay home
tomorrow too. Those with MacBooks continue working. And _externals_.

In Rotterdam, APM Terminals has shut down.

~~~
samstave
Just curious, could the fake sig have been begotten/created from the supposed
"32 TB of source/internal MS code that was 'leaked'" recently?

~~~
nucleardog
The comment you replied to answered your question completely: No.

The signature doesn't validate, and was simply copied from a published
Microsoft application (something from Sysinternals). You can do this at home
right now by visiting Microsoft.com, downloading any signed application, and
copying the signature verbatim onto your application.
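
As an added example (not part of the comment above, and not code from any of the parties in the thread): a copied-over Authenticode signature block does not match the file it was pasted onto, so Windows reports it as `HashMismatch` rather than `Valid`. This scan flags exactly that case, files that carry a signature that does not validate; the `$Path` value is an assumed sample directory.

```powershell
# Added example: find binaries whose Authenticode signature is present but does
# not validate for this file (e.g. a signature block borrowed from another,
# legitimately signed binary). Requires Windows PowerShell 3+ on Windows.
function Find-BorrowedSignatures {
    param(
        [Parameter(Mandatory = $true)][string]$Path   # directory to scan (assumed)
    )
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # 'NotSigned' = no signature at all; 'Valid' = hash matches and the
            # signer chains to a trusted root. Every other status means a
            # signature block is attached but does not match this file or its chain.
            if ($sig.Status -notin @('Valid', 'NotSigned')) {
                [pscustomobject]@{
                    File       = $_.FullName
                    Status     = $sig.Status            # HashMismatch for a copied block
                    Subject    = $sig.SignerCertificate.Subject
                    Thumbprint = $sig.SignerCertificate.Thumbprint
                    SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# Example use (assumed path): list offending files together with the apparent
# signer, so the "Microsoft" subject on a non-validating file stands out.
Find-BorrowedSignatures -Path 'C:\Users\Public\Downloads' | Format-Table -AutoSize
```

The `Subject` column is what the appended block claims; only a `Valid` status means the claim is actually backed by the file's hash and the certificate chain.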

------
r721
It looks like there is a massive Petya ransomware attack:

>Russia, Ukraine, Spain, France - confirmed reports about #Petya ransomware
outbreak. Good morning, America.

[https://twitter.com/codelancer/status/879688596852101120](https://twitter.com/codelancer/status/879688596852101120)

>Petrwrap/Petya ransomware variant with contact wowsmith123456@posteo.net
spreading worldwide, large number of countries affected.

[https://twitter.com/craiu/status/879689411419668480](https://twitter.com/craiu/status/879689411419668480)

Sample:
[https://twitter.com/benkow_/status/879692704724250628](https://twitter.com/benkow_/status/879692704724250628)

Articles:

[http://www.independent.co.uk/news/world/europe/ukraine-cyber...](http://www.independent.co.uk/news/world/europe/ukraine-cyber-attack-hackers-national-bank-state-power-company-airport-rozenko-pavlo-cabinet-a7810471.html)

[https://motherboard.vice.com/en_us/article/qv4gx5/a-ransomwa...](https://motherboard.vice.com/en_us/article/qv4gx5/a-ransomware-outbreak-is-infecting-computers-across-the-world-right-now)

~~~
Vaanir
Here is a tweet from the Ukraine Twitter account
[https://twitter.com/Ukraine/status/879706437169147906](https://twitter.com/Ukraine/status/879706437169147906)

------
onion2k
A shipping company being attacked by a malware worm designed to steal money is
_literally_ the plot of the movie Hackers.

~~~
samstave
I wonder if the plot of Hackers was derived from the fact that shipping
companies typically keep a cash bounty in their on-ship safes to placate
pirates should they come aboard, as (AFAIK) it is cheaper(?) to just pay off a
pirate than deal with all the other factors?

------
secfirstmd
Hey, FWIW we had to do some response for ransomware cases recently. There was
a lack of decent stuff out there for how IT teams should deal with it. So we
contributed to putting together this quick checklist:

[https://github.com/0xswap/guides/blob/master/ransomware-tria...](https://github.com/0xswap/guides/blob/master/ransomware-triage.txt)

Would be great if more people wanted to add to it.

------
fest
About a year ago:

One morning a colleague notices that a particular Windows share used by every
EE in the multi-national company now contains encrypted files and a generic
request for ransom.

Highlight of the e-mail thread that followed: "<Name of another coworker whose
account was used to encrypt files>, virus _again_?"

------
pasta
There are reports of other large companies that currently are being infected.

It almost looks like the virus has been slumbering in systems and today woke
up.

------
vuln
I laughed way too hard at this.

'Petya sees you when you're sleeping

Petya knows when you're awake

Don't click the link in that email or IR gets no break'

[https://twitter.com/FourOctets/status/879700290395439105](https://twitter.com/FourOctets/status/879700290395439105)

------
nthcolumn
Not just Maersk. Petya going global. Writes to boot sector.

~~~
e79
Writes to boot sector? Care to elaborate? Sources?

~~~
nthcolumn
If you see the fake chkdsk, reboot to media and overwrite/fix the master boot
record. It encrypts the master file table on startup (before AV etc.), and has
sophisticated lateral movement capabilities using WMIC. Don't bother paying
the ransom; the mailbox is dead, you'll never get your files back that way.

------
NeutronBoy
WaPo have just published a story about the attacks
[https://www.washingtonpost.com/world/europe/ukraines-governm...](https://www.washingtonpost.com/world/europe/ukraines-government-key-infrastructure-hit-in-massive-cyberattack/2017/06/27/7d22c7dc-5b40-11e7-9fc6-c7ef4bc58d13_story.html)

------
Hoshea
Anything special about the way this one is spreading or just the usual
suspects?

~~~
shubb
Maersk is kind of critical infrastructure - they carry a lot of freight. It's
conceivable that if you took out a few major carriers like this for a week,
you'd get widespread food shortages.

~~~
dx034
Even just Maersk could have huge consequences. Some of their ships have
capacities of more than 10,000 containers, that's a lot of goods which may not
be unloaded for the time being. Many supply chains will be quite sensitive to
a delay like this and it could have very visible knock-on effects.

A delay of a day is probably already enough to cause congestion in ports with
further delays down the road.

~~~
samstave
Yep, I am surprised this hasn't happened earlier....

------
proyb2
DBSchenker and many logistics companies are still running Windows XP on some
legacy PCs. I have encountered one PC that had ransomware too.

~~~
nulagrithom
I'm in the intermodal industry. CEO likes to say that transportation is about
10 years behind technology, and intermodal is 5 years behind that.

We have the security posture of a wet sock.

~~~
fiftyacorn
Hasn't the shipping market tanked in recent years, so prob no money to update
systems?

~~~
lb1lf
That it has, like you wouldn't believe - basically, Mærsk and a few other
giants have fought over who will be the last man standing.

The market is (weakly) starting to improve, though.

