Today, a ransomware virus attacked many computers in the public, commercial and private sectors of Ukraine

An unprecedented hacker attack knocked out many computers and servers in government agencies and commercial organizations across the country

A large-scale and carefully planned cyber attack has today disabled the critical infrastructure of many state-owned enterprises and companies. The Security Service of Ukraine (SBU) reported this.

Starting around midday, reports of infected computers in the public and private sectors snowballed online. Representatives of government agencies announced hacker attacks on their IT infrastructure.

According to the SBU, the infection mainly occurred when recipients opened Word and PDF files that the attackers had sent by email. The Petya.A ransomware then exploited a network vulnerability in the Windows operating system to spread. To unlock the encrypted data, the criminals demanded a payment of $300 in bitcoins.

Alexander Turchynov, Secretary of the National Security and Defense Council, said that the government agencies connected to the protected circuit (a dedicated Internet node) suffered no damage. Apparently the Cabinet of Ministers did not properly implement the recommendations of the National Cyber Security Coordination Center, because government computers were hit by Petya.A. The Ministry of Finance, the Chernobyl Nuclear Power Plant, Ukrenergo, Ukrposhta, Nova Poshta and a number of banks could not withstand today's attack.

For some time the websites of the SBU, the Cyber Police and the State Service of Special Communications and Information Protection (GSSSZI) were unavailable.

As of the evening of Tuesday, June 27, none of the law enforcement agencies responsible for combating cyber attacks had reported where Petya.A came from or who is behind it. The SBU, the Cyber Police (whose website was down all day) and the GSSSZI kept silent about the extent of the damage caused by the ransomware.

Researchers at two companies, Comae Technologies and Kaspersky Lab, independently reached the same conclusion: the malware is a destructive tool merely disguised as ransomware.

The original Petya malware, discovered in 2016, was built to make money. This sample clearly is not: it is designed to spread quickly and cause damage, and only disguises itself as ransomware.

NotPetya is not a wiper in the classic sense. It does not delete data outright, but renders it unusable by encrypting files and discarding the decryption keys.

Juan Andre Guerrero-Saade, a senior researcher at Kaspersky Lab, commented on the situation:

In my book, a ransomware infection without a possible decryption mechanism is equivalent to a disk wipe. With no regard for a viable decryption mechanism, the attackers showed complete disregard for long-term monetary gain.

The author of the original Petya ransomware tweeted that he had nothing to do with the development of NotPetya. He is the second cybercriminal to deny involvement in creating a new, similar threat: earlier, the author of the AES-NI ransomware stated that he had nothing to do with XData, which was also used in targeted attacks on Ukraine. Moreover, XData and NotPetya used an identical distribution vector: the update servers of a Ukrainian accounting software vendor.

Many indirect signs support the theory that someone is repurposing known ransomware families and using modified versions of them to attack Ukrainian users.

Are destructive modules disguised as ransomware already common practice?

Similar cases have occurred before. Using malicious modules to permanently destroy files under the guise of ordinary ransomware is not a new tactic; it is becoming a trend.

Last year the Shamoon and KillDisk malware families included "ransomware components" and used similar techniques to destroy data. Nowadays even industrial malware is acquiring wiper functionality.

Classifying NotPetya as a data destruction tool could easily reclassify the malware as a cyber weapon. In that case the consequences of the threat should be analyzed from a different perspective.

Considering the initial point of infection and the number of victims, it becomes obvious that the target of the hacker attack was Ukraine. At the moment there is no obvious evidence pointing the finger at the attacker, but Ukrainian officials have already blamed Russia, whom they have also blamed for past cyber incidents dating back to 2014.

NotPetya could stand alongside the well-known Stuxnet and BlackEnergy malware families, which have been used for political purposes and to destructive effect. The evidence clearly shows that NotPetya is a cyber weapon and not just a very aggressive form of ransomware.

On Tuesday, June 27, Ukrainian and Russian companies reported a massive virus attack: computers at enterprises displayed a ransom message. I looked into who once again suffered at the hands of hackers and how to protect yourself from the theft of important data.

Petya, that's enough

The energy sector was the first to be hit: the Ukrainian companies Ukrenergo and Kyivenergo complained about the virus. The attackers paralyzed their computer systems, but this did not affect the stability of the power plants.

Ukrainians began posting the consequences of the infection online: judging by numerous screenshots, the computers were hit by a ransomware virus. A message appeared on the screen of affected devices stating that all data was encrypted and that the owners had to pay a $300 ransom in Bitcoin. However, the hackers did not say what would happen to the information if the victim did nothing, and did not even set a countdown timer to data destruction, as was the case in the WannaCry attack.

The National Bank of Ukraine (NBU) reported that the work of several banks was partially paralyzed due to the virus. According to Ukrainian media, the attack affected the offices of Oschadbank, Ukrsotsbank, Ukrgasbank, and PrivatBank.

The computer networks of Ukrtelecom, Boryspil airport, Ukrposhta, Nova Poshta, Kyivvodokanal and the Kyiv metro were infected. The virus also hit the Ukrainian mobile operators Kyivstar, Vodafone and Lifecell.

Later, Ukrainian media clarified that the malware in question was Petya.A. It was initially said to spread in the usual way for hackers: victims receive phishing emails from fake senders asking them to open an attachment or link, after which the virus penetrates the computer, encrypts the files and demands a ransom for decrypting them. (The Cyber Police later attributed the initial infection to a malicious M.E.Doc update; see below.)

The hackers published the address of the Bitcoin wallet to which the money should be sent. Judging by the transaction records, victims had already transferred 1.2 bitcoins (more than 168 thousand rubles).

According to information security specialists at Group-IB, more than 80 companies were affected by the attack. The head of its crime lab noted that the virus is not related to WannaCry. To contain the problem, he advised closing TCP ports 1024–1035, 135 and 445.

Who is guilty

Ukrainian officials were quick to assume that the attack had been organized from the territory of Russia or the Donbas, but provided no evidence. The Minister of Infrastructure of Ukraine saw a clue in the word "virus" and wrote on his Facebook page that "it is no coincidence that it ends in RUS", adding a winking emoticon to his guess.

Meanwhile, it is claimed that the attack is in no way connected with the existing malware known as Petya and Mischa. Security experts say the new wave has affected not only Ukrainian and Russian companies but also enterprises in other countries.

However, in its interface the current malware resembles the well-known Petya virus, which was spread through phishing links the year before. At the end of December, the unknown hacker behind the Petya and Mischa ransomware began sending infected emails carrying a virus called GoldenEye, which was identical to the previous versions of the ransomware.

The attachment to an ordinary-looking letter of the kind HR departments receive routinely contained information about a fake job candidate. One of the files was indeed a resume; the next one was the virus installer. At the time the attacker's main targets were companies in Germany, and within 24 hours more than 160 employees of German companies had fallen into the trap.

The hacker could not be identified, but he is clearly a Bond fan: Petya and Mischa are named after the Russian satellites "Petya" and "Misha" from the film GoldenEye, which in the plot are electromagnetic weapons.

The original version of Petya began spreading actively in April 2016. It camouflaged itself skillfully on computers, posing as a legitimate program and requesting elevated administrator rights. Once activated, it behaved extremely aggressively: it set a strict deadline for paying the ransom, demanding 1.3 bitcoins, and doubled the amount once the deadline passed.

However, a Twitter user quickly found a weakness in the ransomware and wrote a simple program that generated a key in seven seconds, allowing the computer to be unlocked and all data decrypted without any consequences.

Not for the first time

In mid-May, computers around the world were hit by a similar ransomware virus, WannaCrypt0r 2.0, better known as WannaCry. Within a few hours it paralyzed hundreds of thousands of Windows machines in more than 70 countries. Russian government structures, banks and mobile operators were also among the victims. Once on a victim's computer, the virus encrypted the hard drive and demanded that $300 in bitcoins be sent to the attackers. Three days were given to think it over, after which the amount doubled, and after a week the files were encrypted forever.

However, the victims were in no hurry to pay the ransom, and the creators of the malware

What is Petya.A?

It is a ransomware virus that encrypts data on a computer and demands $300 for the decryption key. It began infecting Ukrainian computers around noon on June 27 and then spread to other countries: Russia, Great Britain, France, Spain, Lithuania and others. Microsoft's malware encyclopedia currently lists the virus with a "severe" threat level.

Infection occurs through the same vulnerability in Microsoft Windows that was used by the WannaCry virus (the SMB flaw Microsoft fixed in March 2017 in bulletin MS17-010), which hit thousands of computers around the world in May and caused companies about $1 billion in damage.

In the evening, the Cyber Police reported that the attack was delivered through software for electronic reporting and document management. According to law enforcement, at 10:30 a.m. the next M.E.Doc update was released, and it was through this update that the malware was downloaded onto computers.

The original Petya was distributed by email, passing itself off as a job applicant's resume. When a person tried to open the resume, the virus asked for administrator rights. If the user agreed, the computer rebooted, the hard drive was encrypted, and a window appeared demanding a "ransom".

Video: Petya virus infection process (G DATA Software AG / YouTube)

At the same time, the Petya virus itself had a weakness: the key to decrypt the data could be obtained with a special program. This method was described by Geektimes editor Maxim Agadzhanov in April 2016.

Some users nevertheless prefer to pay the ransom. According to the balance of the known Bitcoin wallet, the virus's creators have received 3.64 bitcoins, roughly $9,100.

Who is affected by the virus?

In Ukraine, the victims of Petya.A were mainly corporate clients: government agencies, banks, media, energy companies and other organizations.

Among others, the following enterprises were hit: Nova Poshta, Ukrenergo, OTP Bank, Oschadbank, DTEK, Rozetka, Boris, Ukrzaliznytsia, TNK, Antonov, Epicenter, Channel 24, and also Boryspil airport, the Cabinet of Ministers of Ukraine, the State Fiscal Service and others.

The attack also spread to the regions. For example, at the Chernobyl nuclear power plant electronic document management stopped working because of the cyber attack, and the station switched to manual monitoring of radiation levels. In Kharkiv the large Rost supermarket was brought to a halt, and at the airport flight check-in was switched to manual mode.

Photo: the cash registers at the Rost supermarket stopped working because of the Petya.A virus (Kh...evy Kharkov / VKontakte)


According to the publication, in Russia the companies Rosneft, Bashneft, Mars, Nivea and others came under attack.

How to protect yourself from Petya.A?

Instructions on how to protect yourself from Petya.A were published by the Security Service of Ukraine and the cyber police.

The Cyber Police advise users to install Windows updates from the official Microsoft website, to update or install antivirus software, not to download suspicious files from emails, and to disconnect the computer from the network immediately if problems are noticed.

The SBU stressed that if infection is suspected the computer must not be rebooted, since the file encryption takes place precisely during the reboot. The service recommended that Ukrainians save valuable files to a separate medium and make a backup copy of the operating system.

Cybersecurity expert Vlad Styran wrote on Facebook that the spread of the virus within a local network can be stopped by blocking TCP ports 1024-1035, 135, 139 and 445 in Windows; instructions on how to do this are available online.
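The port-blocking advice given by Group-IB and by Vlad Styran above can be applied with the built-in Windows Firewall cmdlets. What follows is an added example, not code from the original article or from either source: the rule name is hypothetical, and the SMBv1 check at the end rests on a fact the article does not state, namely that the Windows flaw shared by WannaCry and this attack (Microsoft bulletin MS17-010) lies in the SMBv1 server. Run it from an elevated PowerShell prompt on Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the article, Group-IB or Vlad Styran).
# Blocks inbound TCP on the ports named in the article and disables SMBv1.
# Requires an elevated prompt; NetSecurity and SmbShare modules ship with
# Windows 8 / Server 2012 and later.

# Ports named in the article: 135 (RPC endpoint mapper), 139 and 445 (SMB),
# and 1024-1035, the dynamic RPC/DCOM range (used by WMI) on older Windows.
$ports    = @('135', '139', '445', '1024-1035')
$ruleName = 'Block lateral movement (NotPetya mitigation)'   # hypothetical name

# Idempotent: do not create a duplicate rule on a second run.
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort $ports `
        -Action Block -Profile Any -Enabled True | Out-Null
    Write-Host "Created inbound block rule for TCP $($ports -join ', ')"
} else {
    Write-Host "Rule '$ruleName' already exists"
}

# Verify that the rule actually carries the intended port filter.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# Caveat: blocking TCP 445 inbound also stops this host from serving SMB
# shares and printers. On a file server, scope the rule to untrusted
# networks instead, e.g. (192.0.2.0/24 is a documentation subnet):
#   Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress '192.0.2.0/24'

# The firewall rule only limits spread; the real fix is installing the
# Windows update. Until then, turning off SMBv1 removes the protocol the
# WannaCry/NotPetya exploit targets (fact not stated in the article).
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 is enabled on this host'
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host 'SMBv1 disabled (server side)'
} else {
    Write-Host 'SMBv1 already disabled'
}
```

Note that these rules address only lateral movement inside the network. They do nothing against the initial infection vector described above, the trojanized M.E.Doc update, which arrives over the software's own outbound update channel.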

Specialists from the American company Symantec

