Feed aggregator

Petya-esque ransomware is spreading across the world

Malwarebytes - Tue, 06/27/2017 - 20:26

UPDATE 6/27/2017 1653 PST: Based on information released by security researchers, a Ukrainian accounting software company called Me Doc pushed an update at around 10:30 GMT this morning, which installed the malware on the “victim zero” system. Then, using a mix of PSExec, WMI, and EternalBlue, it was able to spread to every other computer on the network. Me Doc has claimed that this isn’t the case, however, so we won’t 100 percent confirm that this was the source of the original infection vector.

You are correct. Here you go, this is not my work. #Petya #NotPetya #CISO #CSO pic.twitter.com/dRnzZK1FVu

— John Lockie (@thedefensedude) June 27, 2017

At this point, it would be a good idea (if you are running any Me Doc software) to not update said software until they have announced that their servers are clean.

UPDATE 6/27/2017 1515 PST: Researchers have discovered what might be a “Vaccine” for the current version of the Petya-Esque ransomworm. You can give it a shot and see if it works for you, but keep in mind that basically as soon as the linked article was created, the creators of this attack have likely already modified their source to negate the defense. Good luck!

UPDATE 6/27/2017 1430 PST: If you’re thinking about paying the ransom for this threat–don’t bother. The e-mail service which hosted the address which victims were instructed to send payment to has closed the account. So, at this point, trying to pay the ransom will result in a returned e-mail. Unfortunately, recovering files through payment is no longer possible at the moment, though the attackers may provide their victims with alternative forms of payment transactions.

Ringing with echoes of WanaCrypt0r, a new strain of ransomware being called Petya/NotPetya is impacting users around the world, shutting down firms in Ukraine, Britain, and Spain.


Petya, created in July 2016, started off as one of the next-generation ransomware strains that utilizes an MBR (Master Boot Record) locker. In the early days of ransomware, strains that modified the startup of a system were popular, but they had died off for many years. Today, not long after its one-year anniversary, Petya has come back with a vengeance and a nasty new distribution method.

As to whether or not this malware is the same Petya that we have dealt with in the past, many other researchers, including our own, claim that the malware is heavily influenced and likely developed by the creators of Petya. This malware has indicators and code that matches previous versions of Petya, but with additional functionality.

Kaspersky Lab analysts say new attacks are not a variant of Petya ransomware as publicly reported, but a new ransomware they call NotPetya pic.twitter.com/Uf8phx9Pkf

— Patrick O'Neill (@HowellONeill) June 27, 2017

We are not going to claim attribution or even confirm what family we are dealing with until more analysis has been completed and more evidence is available. What we can say for sure is that this ransomware uses tactics rarely seen in the wild.

Infection vector

Taking a page out of WannaCry’s book, this new ransomware utilizes the same EternalBlue SMB exploit that was used in the outbreak that occurred more than a month ago. There are also currently reports that this attack uses email spam to distribute infected Office documents in efforts to rapidly spread and distribute the ransomware. This malware also includes the ability to use PSExec on a system it has administrative credentials on, allowing it to execute duplicates of the malware on any system on the network.

However, not all of these reports have been confirmed by Malwarebytes staff, so its true original infection vector beyond SMB exploitation is up in the air. But the combination of the PSExec method with the EternalBlue exploit gives this malware a lot of power in its ability to spread across a network.


After execution, the ransomware infects the system at a low level, modifying the MBR and presenting the user with the following prompt:

After a reboot, instead of loading into the operating system installed on the computer, the user is faced with a faux Check Disk operation that, instead of actually checking your hard disk for issues, is actually encrypting files! We know this is a fake screen based on strings found within the malware itself:


This is done to buy the ransomware more time to encrypt all the relevant files on the system without being stopped by the user.

The MFT (Master File Table) and the MBR are also encrypted. The MBR is overwritten to display the ransom note, which makes it impossible to boot the system without remediation—meaning users must either pay the culprit or be unable to access their system. The computer will then display a menacing black screen with red lettering listing the ransomware’s purpose and its demands. The attack affects users by encrypting anywhere from a single file to the entire system.

While this situation could have been easily avoided by simply keeping all antivirus database and operating system updates current, the now-infected users must pay $300 in Bitcoins to regain access to their files.

An interesting aspect of this attack is the targeted filetypes. The intended victims are rather different from Petya or 'normal' ransomware. pic.twitter.com/mTRcPTHbpF

— Yonathan Klijnsma (@ydklijnsma) June 27, 2017

As stated on Twitter by @ydklijnsma, it would appear that the file types being targeted are aimed more toward the programs that developers would use, such as .vbs, .ova, .vbox, and so on. This makes it appear that the targets of these attacks are likely businesses, and especially firms that specialize in software development.

Unfortunately, unlike WannaCry, Petya does not have a “killswitch” readily available or known.  has a “vaccine” that could potentially work to stop the infection, although our own tests have shown that in many cases, it doesn’t. Windows 10 systems seem to have a fighting chance by using this method but based on our tests, Windows 7 gets infected every time.

Zero-hour protection

Malwarebytes detected this ransomware in the zero hour, meaning those that have Malwarebytes Premium or our standalone anti-ransomware technology have been protected from the instant this attack began. Both Malwarebytes business users and consumer users are protected if they are using the latest version of the above products.

We detect this ransomware as either Ransom.Petya or Ransom.Petya.EB

Full protection from this threat can also be achieved by:

  • Updating and deploying security software with anti-ransomware capabilities
  • Updating and securing operating systems on your network, including checking for any open SMB ports on any Internet-facing systems
  • Locking down user accounts from having administrative powers and possibly even removing/shutting down admin systems that might utilize the PSExec method of spreading the malware
  • If you are a business owner, making sure your users are aware of this current threat
  • Opening emails with a high degree of scrutiny in the near future

We are going to regularly update this post to inform you about new developments with this attack, a deeper look at its spread, and possible motivations/infection methods. In addition, we are currently working on a post that analyzes the malware binary to its core. Expect that shortly.

Thanks for reading and safe surfing!

Special Thanks:

The post Petya-esque ransomware is spreading across the world appeared first on Malwarebytes Labs.

Categories: Techie Feeds

REVIEW: Titan Comic Tenth Doctor #3.6 – Vortex Butterflies

Blogtor Who - Tue, 06/27/2017 - 20:09

THIS REVIEW CONTAINS SPOILERS The Tenth Doctor (David Tennant) is back in the TARDIS for more of his comic adventures in a remarkable new Titan adventure written by Nick Abadzis with artwork from Giorgia Sposito and Arianna Florean. Previously… In the previous issues, Cindy had been captured and whisked away to a new destination in the […]

The post REVIEW: Titan Comic Tenth Doctor #3.6 – Vortex Butterflies appeared first on Blogtor Who.

Categories: Doctor Who Feeds

Doctor Who, Victoria & David Tennant Receive TV Choice Nominations

Blogtor Who - Tue, 06/27/2017 - 18:49

The shortlist for the 2017 TV Choice Awards has been announced today and Doctor Who is among the nominations. Our favourite TV show receives the nod for Best Family Drama in a category alongside ‘Call the Midwife’, ‘Casualty’ and ‘The Durrell’s’. Some ex-Doctor Who stars are also in the running with ‘Broadchurch’s David Tennant (Tenth Doctor) nominated […]

The post Doctor Who, Victoria & David Tennant Receive TV Choice Nominations appeared first on Blogtor Who.

Categories: Doctor Who Feeds

Kickstarter - Top Secret: New World Order

Tenkar's Tavern - Tue, 06/27/2017 - 17:14

Top Secret is back in a new way. The Top Secret: New World Order Kickstarter has just launched.

Now, I had hoped to have the transcript of the interview I conducted with Merle Rasmussen on Sunday transcribed, but as I have found little in the way of helpful software I will need to do this by hand. It may take a few days and it might come out in pieces. Either way I'll put it in your hands, our readers, as soon as it is done.

Back to the Kickstarter. Boxed set with all the extra goodness boxed sets are known for is just 50 bucks. Just want the rules and the module? 10 bucks in PDF. If you ask me, those are really strong buy-in points for what you get in return.

I also plan to run the pre-release version of the rules through a play test this Saturday night. Yes, the fine folk at the New TSR were nice enough to send me along the PDF of the rules and some extras. I've not read through everything yet, but having played it at NTRPG Con earlier this month I'm confident enough I can run a fairly accurate to the rules session of Top Secret: NWO. That's a huge statement from a grognard like me.

Oh, this also means I can report that the rules are written, which is often not the case with Kickstarters (Far West, I AM talking about you!)

Alright, time for my legs to recover from yesterday's 4.8 mile walk. I see a few pints and 1# lifts in my immediate future ;)

edit - 30 minutes after launch and the funding goal of 12k has already been achieved and exceeded

Categories: Tabletop Gaming Blogs

BIG FINISH: Looking Back At ‘UNIT: Extinction’

Blogtor Who - Tue, 06/27/2017 - 15:00

With the UNIT audio adventures reaching its fourth series, we’re taking another look at their very first outing – ‘UNIT: Extinction’. As leader of UNIT, Kate Stewart has modernised the military organisation from its former “five rounds, rapid” philosophy. But when the dreaded Nestenes return to Earth, UNIT must look to its roots or face […]

The post BIG FINISH: Looking Back At ‘UNIT: Extinction’ appeared first on Blogtor Who.

Categories: Doctor Who Feeds

Does This Thing Still Work?

The Splintered Realm - Tue, 06/27/2017 - 13:47
Logged in today to see that it has been over a year since my last update! And, I realized this week it has been two years since I released Sentinels of Echo City. Wow... um. Time flies and all that good stuff. School goes well and my march towards certification as a school administrator continues unabated... but I always have some gaming stuff turning in the back of my head.

I saw a picture of Doc Ock fighting Spidey the other day, and I realized that I never really solved a villain like him in game terms. Yeah, you can have multiple attacks, but he doesn't really have a multiple attack so much as a barrage of attacks at one time. In fact, this is something that I had not successfully resolved for any hero or villain that can pummel you quickly with a series of blows. Speedsters do this. Doc Ock does this. A big tanky guy could take this as his sort of signature. Instead of landing one big attack, he is always peppering you with quick jabs. I present to you, the barrage attack for Sentinels of Echo City:

Barrage Attack (self). You land a series of blows every time you attack in melee. Roll 1d4+1 for the number of attacks you can take every round. Roll 1d6 for the base damage from your attacks: 1-2 = 1d4; 3-4 = 1d6; 5-6 = 1d8. On each attack you roll, you roll a total number of 1d20s equal to your barrage attack rating (adding your total modifier to hit to each roll). For each attack that succeeds, you roll one of the appropriate dice from barrage attack. Add your STR modifier to the total damage (not to each individual die). For example, Professor Squid is level 5 (+3 attack modifier) has STR 14 (+4 modifier) and has barrage attack 4 (for his 4 robotic tentacle arms) with damage of 1d6 for each arm. He attacks a hero with AC 17. He rolls 4d20 each time he attacks. If he rolls 5 (+7=12; miss), 12 (+7=19; hit) 13 (+7=20; hit), and 20 (allowing him to double the die) on an attack, he lands 3 of the 4 attacks this round. He rolls 3d6 for damage, adding +4 (from his STR) to the total damage this round, and doubling one of the 1d6 results (he should roll this die separately before the other two 1d6s). He could potentially deal a large amount of damage this round... or he could roll a series of 1s.   

REVIEW: Titan Comics Eleventh Doctor #3.6 The Memory Feast

Blogtor Who - Tue, 06/27/2017 - 11:40

George Mann returns to Doctor Who comics, taking a shot at the Eleventh Doctor run. The Doctor, Alice and the sapling are fresh from their previous adventure, after saving the Ood from impending doom.  But there is no rest for this TARDIS team as they receive a distress call from a mystery ship. However, all […]

The post REVIEW: Titan Comics Eleventh Doctor #3.6 The Memory Feast appeared first on Blogtor Who.

Categories: Doctor Who Feeds

Tales of Peril Ordering Details

Zenopus Archives - Mon, 06/26/2017 - 13:00
Tales of Peril at the Black Blade booth at NTRPG Con. Photo by Allan Grohe
I am excited to share that Tales of Peril - the Complete Boinger & Zereth Stories of John Eric Holmes - is now available for order. For details on how to order see this post on Allan Grohe's blog:

How to Order Tales of Peril (and other books) from Black Blade Publishing
Categories: Tabletop Gaming Blogs

