
Another Ransomware Outbreak Is Going Global - smn1234
https://www.forbes.com/sites/thomasbrewster/2017/06/27/ransomware-spreads-rapidly-hitting-power-companies-banks-airlines-metro/
======
Animats
Maersk is down. Their main site says:

    Maersk IT systems are down

    We can confirm that Maersk IT systems are down across multiple sites
    and business units due to a cyber attack. We continue to assess the
    situation. The safety of our employees, our operations and customer's
    business is our top priority. We will update when we have more information.[1]

Maersk is the largest shipping company in the world. 600 ships, with ship
space for 3.8 million TEU of containers. (The usual 40-foot container counts
as two TEUs.) If this outage lasts more than a few hours, port operations
worldwide will be disrupted.

[1] [http://www.maersk.com/en](http://www.maersk.com/en)

~~~
nothrabannosir
Great. Maybe we can finally put a price on lack of security protocol.

~~~
merrickread
I dream of seeing a "security first" development process adopted ..

~~~
devcpp
Are you sure about that? You do know most organizations will implement that as
a huge amount of bureaucracy for every commit, rather than proper man-hours of
security-oriented development.

~~~
sillysaurus3
Only because most organizations don't know how to be effective at security.

It's not hard. You don't actually have to change much. You just have to
schedule regular pentests, ideally every couple weeks.

Pentests protect everyone because it's our job to worry about all of the
security flaws that you can't possibly be aware of in your normal day-to-day
development cycle. There's just too much for any organization to know about
except security companies. This way you can focus on development and we can
focus on pointing out how to fix what's broken.

~~~
hutzlibu
"It's not hard."

No, it is not, you just need skilled people working on it. Oh, those people
want money for it ...

~~~
davidbanham
Exactly. It's not hard, it just costs some money.

It's exactly the same as physical security. You build fences and buy locks.
You pay people to keep an eye on things. You take insurance to cover the rest
of the risk.

Nothing hard, no new inventions required. It just takes some attention and
cash. It's part of the cost of being in business.

~~~
joe_the_user
Wait, the hardness of information security comes because it has to be built-in
everywhere since everything is connected and so everything is a potential
attack surface.

It's not impossible but it requires a somewhat universal attitude change.

~~~
sillysaurus3
I want to agree with you in principle, but in practice it's not possible to be
secure with just an attitude change. The attack surfaces have grown too large.
Keeping track of all possible vectors is a full-time job in itself. You either
need a dedicated security person or regular pentests. And honestly, regular
pentests are probably more effective.

It's a positive statement though: it _is_ possible to be constantly secure if
you just get a pentest every few weeks. Big companies can even afford to make
it a requirement of their release cycle.

~~~
noxToken
> _Big companies can even afford to make it a requirement of their release
> cycle._

Oh man. I have a peer who works for a very large international company. They
require pentests in their release cycle. What could go wrong?

Turns out that pentesting isn't in the final portion of their release. They
tag a release candidate (e.g. v5.7.0-rc), send that build to the pentesters,
then fix other integration and user-acceptance bugs while the pentesters are
working. The pentesters may greenlight v5.7.0-rc when it's really v5.7.3-rc
that's shipping, and the pentesters are none the wiser.

Security only works when the culture supports it.

------
willstrafach
FYI to Sysadmins: Paying the ransom at this point will be a waste of money, as
the contact e-mail address has been blocked.

[https://posteo.de/blog/info-zur-ransomware-petrwrappetya-bet...](https://posteo.de/blog/info-zur-ransomware-petrwrappetya-betroffenes-postfach-bereits-seit-mittag-gesperrt) (German)

[https://posteo.de/en/blog/info-on-the-petrwrappetya-ransomwa...](https://posteo.de/en/blog/info-on-the-petrwrappetya-ransomware-email-account-in-question-already-blocked-since-midday) (English)

~~~
sillysaurus3
It's always seemed like the best way to end ransomware is to launch hundreds
of variants that demand money but don't actually decrypt anything. Unethical,
to be sure, but eventually people would learn not to give them money.

All the competent ransomware authors are probably quite unhappy whenever a
defective ransomware strain pops up.

~~~
dzhiurgis
It's like saying the best way to fight heroin addicts is to supply the market
with poisoned heroin. No heroin users - no problems!

~~~
rickycook
except that getting malware isn't addictive...

~~~
dzhiurgis
Your information is tho

------
jannes
This is even more proof how powerful a 0-day in the wrong hands can be.

All of the affected companies should be considered compromised by the NSA.

Actually, every single Windows PC with an internet connection that has been
used before March 14 should be considered irrevocably compromised. Ransomware
is much more visible than spyware. Think about all the spyware-infected
PCs/networks that nobody knows about.

~~~
rsync
"Actually, every single Windows PC with an internet connection that has been
used before March 14 should be considered irrevocably compromised."

March 14 of what year ?

I would say 2000 but I am open to discussion ...

~~~
80211
People who don't run Windows shouldn't get cocky! There are many, many attacks
on Linux:

Here's one in the news from just last week. A ransomware where the victim
agreed to pay the equivalent of US$1MM in bitcoin.

[https://arstechnica.com/security/2017/06/web-host-agrees-to-...](https://arstechnica.com/security/2017/06/web-host-agrees-to-pay-1m-after-its-hit-by-linux-targeting-ransomware/)

~~~
eeeeeeeeeeeee
Something to keep in mind. They were running:

Apache version 1.3.36 and PHP version 5.1.4

It's not like a brand new Ubuntu installation connected to the open Internet
will suddenly be pwned. The owners of this company were beyond inept.

~~~
astrodust
Seeing Apache 1 in the wild makes me a bit nostalgic.

What kind of utter lunatic would use that for their company today?

~~~
H1Supreme
Lord have mercy, Apache 1? That's what you get bro.

------
secfirstmd
_(Sorry for the repost but I feel the pain of sysadmins so it might be useful
to some people as everything melts down around them this evening)..._

Hey, FWIW we had to do some response for ransomware cases recently.

There was a lack of decent stuff out there for how IT teams should deal with
it. So we contributed to putting together this quick checklist:

[https://github.com/0xswap/guides/blob/master/ransomware-tria...](https://github.com/0xswap/guides/blob/master/ransomware-triage.txt)

Would be great if more people wanted to add to it.

~~~
voltagex_
A minor nit: if you convert this over to markdown or ReStructuredText, it'll
display more nicely on the page and be easier to move over to GitHub pages or
the like.

~~~
secfirstmd
Good idea! Will do that.

------
elcapitan
Kill switch has been found:
[https://twitter.com/PTsecurity_UK/status/879779707075665922](https://twitter.com/PTsecurity_UK/status/879779707075665922)

~~~
chipperyman573
Why would a ransomware author include a killswitch in their software?

~~~
gilgoomesh
Even ransomware authors accidentally infect themselves and lose keys.

------
bkor
The Netherlands and various other countries have created laws where either
their version of the NSA and/or police can hoard 0days to be used for hacking.

This massive outbreak is so widespread that at this stage it appears that it
either was a very recent 0day or something which only recently was fixed by a
patch.

Instead of having loads of countries hoarding security problems I highly
encourage a focus on security instead. Seems much better for the economy
overall.

~~~
carvalho
It is basically WannaCry without the kill switch. It is using the same
exploits (EternalBlue). Not some recent zero-day, but sloppy patching.

~~~
guilhermetk
Seems like there is a kill switch:
[https://twitter.com/PTsecurity_UK/status/879779707075665922](https://twitter.com/PTsecurity_UK/status/879779707075665922)

~~~
pritambaral
Originally found by:
[https://twitter.com/0xAmit/status/879768194545836032](https://twitter.com/0xAmit/status/879768194545836032)

------
110011
Can someone provide a simple (but not overly so) explanation of how the
current generation of ransomware operate i.e., A) spread and B) lock up the
computer? Does it always require human intervention for A. ? Thank you.

~~~
SCHiM
There are indications that this new version uses a number of ways to spread.

Where attacker == the ransomware executable:

First is the EternalBlue exploit developed by and leaked from the NSA.
EternalBlue exploits a flaw in Windows systems on port 445 TCP that can be
used to take complete control of an unpatched system. So if an attacker can
connect to a vulnerable Windows machine on port 445 tcp they can take control
of that machine.

There are also indications that this ransomware sample spreads using
legitimate administrative tools in Windows systems such as WMI (execute
commands on a remote system if you have an administrator account on that PC),
and PSEXEC (mount shares on the remote system if you have an administrator
account, and likewise execute commands). These are legitimate (but legacy)
Windows components that normally facilitate the management of client PCs when
they're connected to a domain at a company or school. So if an attacker can
connect to a Windows machine on port 445 tcp (PSEXEC) or 135 (WMI) _AND_ have
administrative credentials for that PC they can take complete control of that
machine.

These two are probably part of how the ransomware spreads once it gets inside
your network. The wcry outbreak a few weeks ago gained access to networks by
infecting one or several people via a phishing e-mail with malicious
files/links-to-files inside. AFAIK it's currently still unknown/unconfirmed
how this outbreak spreads precisely but I'd guess it's either actively being
spread by phishing OR it's been present but dormant in these networks for a
while after having been installed by phishing over a longer period of time.

If an attacker possesses a 0-day then all bets are probably off, and even step
A would not necessarily require any human interaction.

This outbreak is particularly nasty because after it's done encrypting files
it supposedly triggers a crash that forces the system to restart (handy for
servers where a user is not normally able to restart the system). Because the
system restarts, any artefacts from the encryption process that might be used
to decrypt files without paying or restoring backups are gone.

~~~
jsizzle
Actually, I believe phishing / malicious attachment was debunked as the
infection vector. Subsequent research found that WC starts scanning hosts and
IP's on port 445 to try to find other machines to infect.

Source: [https://www.us-cert.gov/ncas/alerts/TA17-132A](https://www.us-cert.gov/ncas/alerts/TA17-132A)

"Once the malware starts as a service named mssecsvc2.0, the dropper attempts
to create and scan a list of IP ranges on the local network and attempts to
connect using UDP ports 137, 138 and TCP ports 139, 445. If a connection to
port 445 is successful, it creates an additional thread to propagate by
exploiting the SMBv1 vulnerability documented by Microsoft Security bulletin
MS17-010."

~~~
thefreeman
That only happens after the initial infection into the network. Notice that it
says it scans the "local network".

~~~
jsizzle
This is minutiae at this point, but it scans the "local" /24. My assumption
is that it scans the /24 for any interface available, so if a machine is
infected with a public IP, it will start scanning machines on the public
Internet. Not to mention other variations may decide to scan more
aggressively.
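The scanning behaviour quoted from the US-CERT alert, a host probing its /24 on port 445, leaves a signature a defender can look for in flow or firewall logs. As an added example that is not from the thread or the alert, this Python detector flags any source that contacts many distinct hosts on the SMB ports (TCP 139/445) inside a short window; the key=value log format, the sample lines, the threshold and the window length are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# TCP ports the quoted alert names for SMB propagation attempts.
SMB_TCP_PORTS = {139, 445}

# Assumed key=value flow-log line format; adapt the regex to your firewall.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "proto": m.group("proto").lower(),
    }


def detect_smb_sweeps(lines, threshold=8, window=timedelta(seconds=60)):
    """Return {src: max_distinct_targets} for every source that contacted at
    least `threshold` distinct hosts on an SMB port inside some `window`.
    A client that keeps talking to a single file server is never flagged,
    however many connections it makes."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "tcp" and ev["dport"] in SMB_TCP_PORTS:
            events[ev["src"]].append((ev["ts"], ev["dst"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[src] = best
    return flagged


def build_sample_log():
    """Constructed sample traffic (not real data) for the walkthrough."""
    base = datetime(2017, 6, 27, 13, 0, 0)
    lines = []
    # One workstation probing twelve neighbours on 445, one second apart.
    for i in range(1, 13):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f"{ts} src=10.0.5.14 dst=10.0.5.{i} dport=445 proto=tcp")
    # A normal client repeatedly opening shares on the same file server.
    for i in range(6):
        ts = (base + timedelta(seconds=10 * i)).strftime(TS_FMT)
        lines.append(f"{ts} src=10.0.5.20 dst=10.0.5.2 dport=445 proto=tcp")
    # Unrelated HTTPS traffic that the detector must ignore.
    lines.append(f"{base.strftime(TS_FMT)} src=10.0.5.20 dst=203.0.113.5 dport=443 proto=tcp")
    # Noise the parser must skip rather than crash on.
    lines.append("Jun 27 13:00:05 fw01 kernel: link up on eth1")
    return lines


if __name__ == "__main__":
    for src, n in detect_smb_sweeps(build_sample_log()).items():
        print(f"possible SMB sweep from {src}: {n} distinct hosts in 60s")
```

Tune the threshold to the size of your subnets; on a flat /24 a legitimate client rarely opens SMB sessions to more than a handful of peers in a minute.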

------
maddyboo
Does anyone know if any tools exist on Linux which can be used for early
detection of ransomware?

Something that monitors file access, disk activity, etc. for suspicious
behavior and can trigger some action or alert?

I think I remember some discussion about using a 'canary file' - some
innocent looking file with known contents which should never be modified. If a
modification is detected, you know something fishy is going on.

~~~
tyingq
Aide is a popular utility to monitor for changes to files on Linux systems.

[http://aide.sourceforge.net](http://aide.sourceforge.net)

You could also use the built in audit subsystem if you wanted to watch a
specific canary file, directory, filesystem, etc.
[https://www.linux.com/learn/customized-file-monitoring-audit...](https://www.linux.com/learn/customized-file-monitoring-auditd)
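The canary-file idea raised above, implemented as a polling integrity check that can run from cron alongside aide or auditd. This is an added example, not code from the thread or from either tool; the decoy file names, the decoy content and the temp directory are constructed for the walkthrough, and a real deployment would keep the baseline somewhere the monitored host cannot overwrite.

```python
import hashlib
import json
import os
import tempfile

# Constructed decoy content; anything works as long as nothing legitimate
# ever writes to the canary files.
DECOY = b"quarterly figures - do not edit, archived copy\n"


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(canary_paths):
    """Record hash, size and mtime of each canary. Run once when the decoys
    are planted; store the result off-host so malware cannot rewrite it."""
    baseline = {}
    for p in canary_paths:
        st = os.stat(p)
        baseline[p] = {"sha256": sha256_file(p), "size": st.st_size,
                       "mtime": st.st_mtime}
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def check_canaries(baseline):
    """Compare every canary with its baseline entry. Returns a list of
    (path, reason); an empty list means nothing touched the decoys."""
    findings = []
    for p, expected in baseline.items():
        if not os.path.exists(p):
            # Deleted, or renamed (ransomware commonly appends an extension).
            findings.append((p, "missing"))
            continue
        st = os.stat(p)
        if st.st_size != expected["size"]:
            findings.append((p, "size changed"))
        elif sha256_file(p) != expected["sha256"]:
            findings.append((p, "content changed"))
        elif st.st_mtime != expected["mtime"]:
            findings.append((p, "mtime changed"))  # touched, same bytes
    return findings


def run_demo():
    """Self-contained walkthrough in a temp dir: plant two canaries, take a
    baseline, simulate what file-encrypting malware does, then re-check."""
    with tempfile.TemporaryDirectory() as d:
        a = os.path.join(d, "2016-Q4-report.xlsx")  # constructed names
        b = os.path.join(d, "old-passwords.txt")
        for p in (a, b):
            with open(p, "wb") as f:
                f.write(DECOY)
        baseline_path = os.path.join(d, "baseline.json")
        save_baseline(build_baseline([a, b]), baseline_path)
        baseline = load_baseline(baseline_path)
        clean = check_canaries(baseline)
        # Encrypt in place: same name and size, different bytes.
        with open(a, "wb") as f:
            f.write(os.urandom(len(DECOY)))
        # Encrypt and rename: the original path disappears.
        os.rename(b, b + ".locked")
        after = check_canaries(baseline)
        return {"clean": clean, "after": sorted(reason for _, reason in after)}


if __name__ == "__main__":
    print(run_demo())
```

Polling only catches the change after the fact, so pair it with an auditd watch on the same paths if you want an alert at the moment of the first write.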

~~~
singularity2001
what a horrible interface

    aide
    Couldn't open file /var/lib/aide/please-dont-call-aide-without-parameters/aide.db for reading

    aide -i
    Couldn't open file /var/lib/aide/please-dont-call-aide-without-parameters/aide.db.new for writing

~~~
tyingq
I suppose, but it's not really made as a one-off run-a-command type tool. It
needs setting up so that you can compare now to then.

Having no parameters specified doing something real is probably not desired,
as it would overwrite the DB that your aide cron job is running.

That's why your Linux distro (not aide) picked those funny defaults.

------
nlte
This isn't yet the cyberattack "the world isn't ready for"
([https://www.nytimes.com/2017/06/22/technology/ransomware-att...](https://www.nytimes.com/2017/06/22/technology/ransomware-attack-nsa-cyberweapons.html)), is it?

~~~
devopsproject
no.

you will know when the big one hits because you won't be able to ask this
question online and get an immediate answer.

------
mbaha
A friend sent me the bitcoin address, they've already collected 2600$.

[EDIT] Now 3230$

Source:
[https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaA...](https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX)

~~~
mrb
What a clickbait headline. A paltry $3k and yet the article calls this a
"MASSIVE ransomware outbreak". I would be curious to see what a "minor"
outbreak is.

~~~
SmallDeadGuy
There are reports of hundreds to thousands of machines infected across
multiple firms in multiple countries. I'd bet >99% of people are never gonna
send the $300 in bitcoin to decrypt their machine, instead they'll just clean
and restore as much as they can. The $3k is 11 people desperate to restore all
their data now, more may come in the future after people have exhausted other
options, but the vast majority will never pay unless their backups were hit
too.

~~~
49para
Seems like a better approach would be to have the ransom increase higher after
every person that paid. Just so you'd have some competition to pay sooner.

------
vldx
Interestingly, WPP mandates all its employees to shut down their computers –
irrespective of the OS.

> As a precaution, WPP is mandating that everyone immediately shut down all
> computers, both Macs and PCs. This applies to you whether you are in the
> office or elsewhere. Working on an office computer remotely is not an
> option. Please leave your computers turned off until you hear from us again.

> Many thanks for your co-operation and patience.

> Best regards,

~~~
SpeakMouthWords
How do they plan on contacting the employees en masse if the computer is off?

~~~
hsod
Probably via their smart phones

~~~
rahkiin
So a smartphone is not a computer anymore? The world we live in..

~~~
ccozan
I think it is a matter of semantics, not of functionality. A smartphone is a
computer by design, but no one calls it that.

------
dz0ny
Public analysis is tracked here
[https://otx.alienvault.com/pulse/59525e7a95270e240c055ead/](https://otx.alienvault.com/pulse/59525e7a95270e240c055ead/)

Seems that payload servers are in Germany, France, and Malaysia.

[https://securelist.com/petrwrap-the-new-petya-based-ransomwa...](https://securelist.com/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/77762/)

------
mihaifm
> with WannaCry it was alleged a nation state was likely responsible for
> spreading the malware: North Korea

Is there any evidence for this? Looks like another fake rumor.

~~~
zmmz
There's an article on it in NYT which provides a short list of the reasons:
[https://www.nytimes.com/2017/05/22/technology/north-korea-ra...](https://www.nytimes.com/2017/05/22/technology/north-korea-ransomware-attack.html)

It basically comes down to it looking like Lazarus Group

 _The WannaCry attacks used the same command-and-control server used in the
North Korean hack of Sony Pictures Entertainment in 2014, which wiped out
nearly half of the company’s personal computers and servers._

...

 _Other digital crumbs linking the North Korean group to WannaCry include a
tool that deletes data that had been used in other Lazarus attacks. The
hackers behind WannaCry also used a rare encryption method and an equally
unusual technique to cover their tracks._

~~~
slim
Then WikiLeaks published CIA's Marble Framework

[https://wikileaks.org/ciav7p1/cms/page_14588467.html](https://wikileaks.org/ciav7p1/cms/page_14588467.html)

------
the_cat_kittles
i said this before and it was met with mostly hostility, but im still
wondering... bitcoin has enabled ransomware, so its a boon to crooks. what has
it done for non-crooks? i dont mean conceptually (no fed! decentralized! etc.
etc.), i mean since its come into being, what has it done for you personally?
for me: i bought a vpn subscription, anonymously. probably not able to do that
as easily without btc. but, i would personally trade that for _not_ having
ransomware attacks. thoughts?

~~~
raw23
Bitcoin is a neutral technology, think of it like cash. Buying illegal things
is always done with cash but it doesn't mean we should get rid of cash
altogether.

Regardless, even if we came to the collective decision that we wanted to get
rid of bitcoin, it's not feasible due to its decentralized nature.

~~~
Kiro
> it doesn't mean we should get rid of cash altogether

I can't remember the last time I saw physical cash. The only ones I know who
are still using cash are drug dealers. Not saying it should be banned but it's
almost gone in my country already.

~~~
delecti
> The only ones I know who are still using cash are drug dealers

I was about to say "that's not true, the pot stores are cash only too", before
realizing that from the perspective of the Feds that's the same thing.

So I guess my real answer is non-business transactions, like buying things on
craigslist, or paying my cat sitter.

~~~
Kiro
> like buying things on craigslist, or paying my cat sitter

In my country you send money to other people with an app using their telephone
number. It's developed as a joint venture between all banks.

~~~
jessaustin
ISTM that's a group that already have more than enough power to screw us
over... Has this app been audited?

~~~
Kiro
No idea. The convenience is more important to me personally than the risk of
being screwed over but since everyone is using it I presume there are people
putting pressure back.

------
voidmain0001
Kaspersky wrote about Petya 16 months ago. [https://blog.kaspersky.com/petya-ransomware/11715/](https://blog.kaspersky.com/petya-ransomware/11715/) Has the
delivery changed causing it to resurface again?

~~~
wila
Yes, it is a "petya variant" [0]

[0] [https://isc.sans.edu/diary/22560](https://isc.sans.edu/diary/22560)

------
tudorconstantin
Maybe this is the year of Linux on desktop.

~~~
mikegerwitz
(You may or may not be joking; let's assume you're not for this response.)

This is a dangerous argument.

I'm a free software activist, and I firmly believe that security without free
software is a facade, but that doesn't mean that free software is always more
secure; it's an open source argument that's been fairly easily refuted lately
with high-profile bugs in software like OpenSSL.

It's easier to hide secrets in proprietary software, but most security
vulnerabilities are bugs, not explicit backdoors. So even bit-for-bit
reproducibility won't defend you against that.

I'm not saying you shouldn't use GNU/Linux---I think that every user deserves
an operating system that is fully free, and hope that people will use it (or
another free/libre OS). But my argument is on the basis of freedom, which
still stands _regardless_ of security. It just so happens that I believe that
strong confidence in the security of a system is not possible with proprietary
software.

~~~
tudorconstantin
So far this year, Windows leads the scorecard regarding mass infections and
business downtime due to them.

So while indeed, open source is not a guarantee for better security, the
results are in its favor. It might also be because it's not such an attractive
target to hackers due to its low share in the desktop market. But still there
are millions of Linux servers online 24h/24h and I assume they have a bigger
potential for monetisation.

~~~
theossuary
Windows also leads the score card in installation base, which I think is the
real causal relationship. If Linux was installed on 90% of desktops you better
well believe there'd be a similar number of exploits for it. Something similar
happened to Mac OSX not too long ago, as they grew in popularity more and more
exploits were found for the operating system.

~~~
tudorconstantin
That's what I tried to express above. I was also wondering what is more
profitable in the ransomware economy: infect many, almost worthless machines?
Or infect an order or two of magnitude fewer machines, but with a higher
chance of paying?

I'd say with a higher chance of paying because people administering them are
more likely to know how to buy bitcoins, how to send them and what to do with
the decryption key.

------
memracom
Note that having a good multi-generational backup system in place for all
machines, servers and laptops, would render this kind of ransomware harmless.

But the state of IT has deteriorated so badly these days because management
doesn't care any more. After all why care when you can just take your
severance pay and get an increase in salary and more responsibility at another
company. Rinse and repeat.

It used to be that the primary job of system admins was to keep the data safe
from loss. That was more important than keeping the systems running. How did
we lose this?

------
hackrack
Idea: What if the purpose of these WannaCry style ransomware attacks isn't to
get people to pay in Bitcoin, but to drive up the price of Bitcoin?

~~~
fpgaminer
WannaCry caused the price to drop, rather sharply. If anything, the purpose
would be to buy cheap Bitcoins and hope the price later corrects back upwards
after the news has blown over.

I suspect the price drop is due to some trading algorithms using sentiment
analysis. They see all the negative press around these ransomware, see the
included word Bitcoin, assume the negative article is about Bitcoin, and
automatically sell.

But that's just my theory, since I have a hard time imagining human traders
seeing news like this and selling because of it.

~~~
dx034
I doubt wannacry was the reason for the price drop. Rather extensive media
coverage about bitcoin hitting $3k which probably woke up some people who
realised that it might be the time to cash in.

~~~
fpgaminer
This was long before $3k. The price tanked immediately on May 12th and
remained depressed until the 17th which was shortly after the initial outbreak
was halted by the domain registration.

------
HIBC2017
If you're infected, don't pay the ransom. The email address that's used has
been blocked by the email provider.

[https://twitter.com/HIBC2017/status/879747282173911040](https://twitter.com/HIBC2017/status/879747282173911040)

------
nuclx
As someone affected by the ransomware - did anyone else notice empty console
windows popping up from time to time the days before the ransomware triggered
the encryption?

~~~
simopaa
This is most likely due to the Office bug:
[https://www.digitaltrends.com/computing/here-is-a-fix-for-mi...](https://www.digitaltrends.com/computing/here-is-a-fix-for-microsoft-office-command-prompt-issue/)

~~~
Flammy
Agreed. Previously following the steps here removed the problem for me on 3
different Windows 10 computers.

(PC gamers were particularly impacted by this, as the command prompt
flickering would minimize full screen games...)

------
kuon
Those attacks are still "gentle" as if you have (and you should) a read-only
backup you can resolve it with near 0 data loss.

What I fear are cancer-like viruses, not wiping or encrypting data at time T,
but introducing subtle errors over a longer period. You would be contacted by
hackers saying your last 6 months of data contain errors. That's scary.

------
tonyplee
Wonder if they manage to disable the UK's Trident Nuclear Submarine this time.

"Windows for Warship"
[https://en.wikipedia.org/wiki/Submarine_Command_System](https://en.wikipedia.org/wiki/Submarine_Command_System)

"Want to Nuke someone, please send Bitcoin to unlock the systems."

[https://www.theregister.co.uk/2017/06/27/hms_queen_elizabeth...](https://www.theregister.co.uk/2017/06/27/hms_queen_elizabeth_running_windows_xp/)

~~~
flukus
The news here was reporting earlier that the Chernobyl monitoring computers
were compromised.

Edit: No link, but it was on ABC (Australia) live news, which is pretty
reliable. Here is a less reliable source:

[https://www.independent.co.uk/life-style/gadgets-and-tech/ne...](https://www.independent.co.uk/life-style/gadgets-and-tech/news/hack-cyber-attack-ukraine-russia-wannacry-petya-security-internet-broken-computer-not-working-a7810626.html)

~~~
xyrnoble
Is there a public link for that?

------
mighty_warrior
Your own fault if you didn't patch out EternalBlue. No sympathy for hacked
orgs.

~~~
strictnein
Also uses a client side exploit in Word/Wordpad, although that was patched
earlier this month:

[https://portal.msrc.microsoft.com/en-US/security-guidance/ad...](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199)

~~~
cm2187
Moronic design of the microsoft page. It requires you to acknowledge some
bullshit T&C on first visit, then redirects you to the website home page.
Which means that someone clicking on the CVE to check if there is anything
important will be redirected to a home page with no information. Most sane
people will go back to the original link, but if there were only sane people
in this world, this second wave of malware would be toothless. That's not
exactly helping awareness of the vulnerability.

------
jz10
My friend's work laptop is a victim of this same attack... all the way here in
the Philippines.

There was a company wide email blast to disconnect all workstations from the
internet at once.

Fascinating development

~~~
kozhevnikov
A literal case of 'in case of cyberattack break glass'

[https://i.imgur.com/fHhkdxX.jpg](https://i.imgur.com/fHhkdxX.jpg)

------
r721
>Cyberattack hits entire Heritage Valley Health System, shuts down computers

>A cyberattack is affecting the Beaver and Sewickley hospitals and all other
care facilities in the Heritage Valley Health System on Tuesday.

[http://amp.wtae.com/article/cybersecurity-incident-heritage-...](http://amp.wtae.com/article/cybersecurity-incident-heritage-valley-health-system/10228015)

------
jl6
Could someone write a whitehat worm or virus to get into all those vulnerable
Windows systems and close the door behind them by patching the hole?

~~~
ChicagoBoy11
Software virus vaccines - I like it. Can’t believe I’ve never run across the
concept before. Must be a thing, no?

~~~
msielski
[https://en.m.wikipedia.org/wiki/Anti-worm](https://en.m.wikipedia.org/wiki/Anti-worm)

------
kator
Looks like people are paying the ransom:

[https://blockchain.info/charts/balance?address=1Mz7153HMuxXT...](https://blockchain.info/charts/balance?address=1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX)

~~~
dx034
Not a lot though. Given the huge number of infections, $9000 seems a pretty
bad return.

------
andruby
I always replay the end-game of Uplink [0] in my head when I read news like
this.

Great game with great music.

[0]
[https://www.introversion.co.uk/uplink/](https://www.introversion.co.uk/uplink/)

------
runeks
> Ukraine's government, National Bank [..]

Now there's a new attack target: the central bank. Send 100 BTC to this
address and I will decrypt the balances stored by your central bank, so you,
again, know how much money you own.

------
emersonrsantos
Does anyone know if this decrypt app still works?

[https://github.com/leo-stone/hack-petya](https://github.com/leo-stone/hack-petya)

------
gmisra
Is anyone aware of an entity that attempts to objectively quantify the
economic impact of an event like this (ransoms paid, data lost, labor hours
lost, new security costs, etc)?

~~~
d33
I wouldn't say new security is a cost - unless it's fake security, like
antiviruses.

------
strictnein
On a related note, I don't understand the reason behind transactions like
this:

[https://blockchain.info/tx/9778c698f3f2a2c9b9e9f0fdea3c96e8f...](https://blockchain.info/tx/9778c698f3f2a2c9b9e9f0fdea3c96e8fe200b19cd4db382642178dd08405f4d)

Is there something special about using numerous senders like that?

~~~
lordnacho
That just means someone's got a wallet containing the private keys
corresponding to a lot of addresses. So when they want to move some coins,
they just sign all the various transactions and send the money to new
addresses.

------
zvrba
So.. ransomware authors want payments in Bitcoins. The obvious counter-attack
from the governments would be to target and shut-down all services exchanging
bitcoins (or other digital money) to real money. Heck, they can _hack_ them
and delete all data, so they shut down on their own.

------
r721
>We have confirmed U.S. cases of Petya ransomware outbreak

[https://twitter.com/Bing_Chris/status/879713682242117634](https://twitter.com/Bing_Chris/status/879713682242117634)

------
paulpauper
store important stuff on external hard drives

never download suspicious stuff, especially from emails

~~~
Analemma_
That's not enough anymore: good ransomware will look for backup systems and
wipe those out before proceeding. You need read-only, airgapped backups before
you can consider yourself safe.

~~~
derekp7
That doesn't help for targeted attacks, which corrupt the backups as they are
being written. Not sure how to protect against that though.

~~~
donald123
They can corrupt one backup but not all backups. And good backup software
should do integrity checks.

~~~
derekp7
I wasn't referring to corrupting the backup directly -- but corrupting the
data as it is written to the backup server. This can be done by compromising
the backup client, through a rootkit, etc. If this is undetected for a year
before the attacker pulls the final trigger, you have a year's worth of bad
backups.

------
faragon
Why are ransomware authors not yet in jail? /cc FBI CIA BND MI5 FSB

~~~
coolspot
FSB lol

Even if FSB found hackers, they would take a share of profit and close the
case.

------
kronos29296
I remember reading something about a guy warning about intrusions on his
company during Wannacry to steal company data and install malware. Now we have
this. This is giving me goosebumps.

------
agumonkey
How can one check quickly if his OS is vulnerable? I know MS pushed updates,
but sometimes updates are stuck, or fail to install, or are delayed by the
user.. so

~~~
80211
Just do a Windows Update -> Update History and see if you have a cumulative
update after 5/24.

[https://imgoat.com/uploads/2e74f10e03/26813.png](https://imgoat.com/uploads/2e74f10e03/26813.png)

------
athenot
Do these attacks affect anything else beyond Windows?

~~~
swiley
They can supposedly be manually run in wine on non-windows.

------
jdc0589
FYI, looks like this is still using EternalBlue.

------
butz
One of my clients got some strange emails around 12:00 GMT with links to
probably infected websites. Is this related to ransomware?

------
agumonkey
Are these ships also oil tankers?

~~~
kahnpro
The little boat tipped over

~~~
subcosmos
LOL!
[https://www.youtube.com/watch?v=2PxcDyfKV90](https://www.youtube.com/watch?v=2PxcDyfKV90)

------
dagaci
I'm afraid that this attack demonstrates that the old PC architecture: side-
loading any app, userspace, privilege escalation, low level file sharing
functionality just isn't fit for purpose.

If malware can exploit a 0-day, 100-day, 1000-day security hole in a corporate
network of 2000 machines, it's too easy for that malware to share itself across
the network and send email attachments to AllUsers (every single company I've
worked for still allows Everyone to send anything to Everyone).

Microsoft's next XP patch should be to remove SMB functionality or just
outright disable it (and probably remove IE and other nonsense installed by
default too).

And when Windows 7 expires the final patch should be a severe lock down too..

~~~
cm2187
It's clear that nothing bad can happen on a machine where you can't do
anything.

