All posts in “ransomware”

Alleged hackers behind NotPetya cyberattack demand $260,000 bitcoin ransom

Image: CHRISTOPHER MINESES/MASHABLE

The ransom is on the move. 

The Bitcoin wallet controlled by the NotPetya attackers showed surprising signs of life over the Fourth of July holiday weekend, with approximately $10,000 in paid ransom disappearing from the account. Around the same time, a message purporting to be from the culprits behind the maybe-ransomware attack surfaced — demanding 100 bitcoin in exchange for a key they say can unlock encrypted files. 

At the time of writing, 100 bitcoin is worth approximately $260,000.

“Send me 100 Bitcoins and you will get my private key to decrypt any harddisk (except boot disks),” read the message posted to Pastebin. “See the attached file signed with the key.”

As NotPetya, which first surfaced in Ukraine on June 27, has been shown to damage an infected computer’s master boot record, the person behind the message is only claiming to be able to decrypt specific files — not entire systems. Still, that ability could be a godsend for companies struggling to restore lost data, assuming the ransomer is telling the truth.

The new demand was posted on July 4, the same day ransom payments made in the hopes of obtaining decryption keys were moved from the Bitcoin address listed in the initial NotPetya attack to another wallet.

The message displayed by NotPetya.

Image: SYMANTEC

No new Bitcoin address was listed for payments should anyone decide to actually fork over the 100 bitcoin. However, a link was provided to a chatroom for the purpose of getting in touch with the hackers and presumably arranging payment. 

Motherboard exchanged messages with someone claiming to be one of the hackers, who told the publication the key for sale would “decrypt all computers.”

So, should organizations desperate for their data pay up? It’s a tough question. Security researchers have more or less reached a consensus that the intention behind NotPetya was to damage cyber-infrastructure, not to make money. As such, the calculus for victims is different than it would be with a more traditional form of ransomware. 

Either way, this latest series of developments — the transfer of funds between Bitcoin wallets and the new demand — serves to further muddy the waters behind the NotPetya attack. It also makes one thing clear: The story of the latest ransomware scourge to sweep the globe is not over yet. 


A new tool will check if you’re vulnerable to the hack that brought down computers across the globe

“Yup, still vulnerable.”

Image: AMBAR DEL MORAL/MASHABLE

WannaCry paralyzed hospitals. NotPetya crashed banks. But how do you know if you’re vulnerable to the stolen National Security Agency exploit that fueled two major cyber attacks and helped bring down computers across the globe?

Thankfully, a new tool has your back. 

After the Shadow Brokers hacking group dumped a cache of stolen NSA exploits in April, the cybersecurity community issued dire warnings that things were about to get really, really bad. But then Microsoft quickly chimed in to note that it had already patched the vulnerabilities in question. 

“We’ve investigated and confirmed that the exploits disclosed by the Shadow Brokers have already been addressed by previous updates to our supported products,” a Microsoft spokesperson told Mashable at the time. “Customers with up-to-date software are already protected.” 

And yet. 

One of the hoarded NSA vulnerabilities, dubbed EternalBlue, allows for the worm-like spread of malware across computer systems. And despite Microsoft’s assurances, it turns out that many people and organizations did not in fact update their computers with the available patch. WannaCry and NotPetya, which made use of EternalBlue, were the result. 

That, in the face of clear warnings and readily available safeguards, people failed to protect themselves is a clear sign that many of those at risk don’t realize the precarious nature of their position. 

Eternal Blues, a vulnerability scanner developed by Elad Erez, aims to change that. 

“The majority of latest WannaCry, NoPetya (Petya, GoldenEye or whatever) victims, are not technical organizations and sometimes just small business who don’t have a security team, or even just an IT team to help them mitigate this,” writes Erez on his blog. “Running NMap, Metasploit [a penetration testing software] (not to mention more commercial products) is something they will never do. I aimed to create a simple ‘one-button’ tool that tells you one thing and one thing only – which systems are vulnerable in your network.”

The message displayed by the not-really ransomware NotPetya.

Image: SYMANTEC

The free software simply checks networks to see if they are still susceptible to EternalBlue.

“[Eternal Blues] helps finding the blind spots in your network, these endpoints that are still vulnerable to EternalBlue,” continues Erez. “Just hit the SCAN button and you will immediately start to get which of your computers are vulnerable and which aren’t. That’s it.”

Importantly, Erez does collect anonymized data on the results of the scan, but he also details a way to disable this information-sharing feature for the extra security conscious. 

And if you do find that your computer is vulnerable? Make sure you install the Microsoft patch. And, as always, keep your operating system up to date. 


Ransomware has been around for almost 30 years, so why does it feel like it’s getting worse?

Ransomware is not new. The malware, which encrypts data and demands payment in exchange for decryption keys, has been with us for almost 30 years.

So why does it feel like it’s getting worse? Well, that’s because it is getting worse. 

In seemingly no time at all, ransomware has gone from an obscure threat faced by a select few to a plague crippling hospitals, banks, public transportation systems, and even video games. Frustratingly, the explosive growth of ransomware shows no signs of abating — leaving victims wondering why them, and why now? 

The answer to both of those questions involves cryptocurrency and the National Security Agency.

But first, a little history

The first known ransomware attack hit the healthcare industry way back in 1989. According to the cybersecurity blog Practically Unhackable, a biologist by the name of Joseph Popp sent close to 20,000 floppy disks to researchers claiming they contained a survey which would help scientists determine a patient’s risk for contracting HIV.   

What was left unmentioned in the promotional material was that the disks also encrypted file names on infected computers — rendering them practically unusable. Instead of their typical boot screens, victims were shown a message demanding a $189 payment in order to unlock the system. 

The message displayed by PC Cyborg.

Image: Palo Alto Networks

Popp, who had a PhD from Harvard, was an evolutionary biologist and fell outside of what we think of today as a stereotypical hacker. According to The Atlantic, after he was arrested and charged with blackmail, Popp insisted that he intended to donate the proceeds from his scheme to HIV-related research. 

Regardless of his true motives, the success of Popp’s attack was limited by two key factors: The floppy disks were sent out via the mail system, and the encryption employed by what became known as PC Cyborg was reversible without his help. 

Twenty-eight years later, things have changed for the worse in the world of ransomware.

Cryptocurrency and the NSA

When we talk about the scale of modern ransomware attacks, it’s important to keep two criteria in mind: frequency and reach. 

A 2016 report from the U.S. Department of Justice noted 7,694 ransomware complaints since 2005, which it acknowledged is probably undercounting the number of actual attacks. The May WannaCry ransomware, for its part, hit over 150 countries. Two factors played a key role in those jaw-dropping figures: the rise of cryptocurrency and the availability of dumped hacking exploits hoarded by the NSA.

Cryptocurrency like Bitcoin allows attackers a real shot at actually receiving ransom payments. In a major step up from the payment mechanism implemented by Joseph Popp, hackers no longer need to set up a PO box and hope the physical cashier’s checks flow in. Instead, they can simply direct victims to make payments to specific Bitcoin addresses. 

According to the cybersecurity company Palo Alto Networks, the first ransomware to demand payment in Bitcoin was the 2013 Cryptowall. It was by no means the last, however. The relative ease of cryptocurrency payments combined with the growing popularity of Bitcoin surely contributed to what a 2016 IBM report found was a 300 percent increase in ransomware incidents over the preceding year.

Ransomware in action.

Image: B. TONGO/EPA/REX/SHUTTERSTOCK

As for the growing reach of such attacks? While there are many factors at play, one obvious inflection point can be found in the April Shadow Brokers dump where the hacking group notoriously released a host of exploits originating from the National Security Agency. Among that list was one vulnerability by the name EternalBlue, which, when paired with ransomware, allowed for the worm-like propagation of the WannaCry attack. 

The same exploit reportedly played a key (but not exclusive) role in the spread of NotPetya — ransomware that has hit at least 65 countries and whose likely primary goal is to cause destruction. 

And while Microsoft had already released a patch for EternalBlue by the time it swept the globe, the wildfire spread of WannaCry and NotPetya serves as a stark reminder that not everyone stays up to date with security patches.

So where does that leave us?

The unprecedented scale of these two attacks, powered by stolen NSA exploits and facilitated by cryptocurrency, suggests we have entered a new age of virulent ransomware. To make matters worse, attacks like WannaCry are likely to become more common, not less, as evidenced by a 2017 report from cybersecurity firm Symantec which found “a 36 percent increase in ransomware attacks worldwide.”

Interestingly, however, ransomware may end up becoming a victim of its own success. The sheer number of infected computers, combined with the practically nonfunctional payment mechanisms of both NotPetya and WannaCry, mean that even if people did elect to pay the ransom, they weren’t going to get their decryption keys. 

Why pay up if you know you’re not getting your files back either way?

And the word has gotten out. At the time of this writing, the Bitcoin address associated with NotPetya has received only 46 payments totaling approximately $10,317.

All of this suggests that while the form of digital extortion first developed by Joseph Popp shows no signs of slowing down, the money may no longer be in it. And that, in the end, may be the only hope we have of an end to the growing ransomware scourge. 


The NotPetya ransomware may not actually be ransomware at all — it could be something worse

This is not good.

Image: Christopher Mineses/Mashable

Is ransomware still ransomware if its goal is purely to destroy?

This is less if-a-tree-falls hypothetical and more sobering reality for the untold number of people across the globe whose computer systems have been infected with the NotPetya ransomware. That’s because the latest digital scourge to cripple computer networks in 65 countries (and counting) doesn’t fit the typical ransomware mold.

Instead of just encrypting users’ files and holding those files ransom, NotPetya appears to do permanent damage to computer systems. 

Security researcher Matt Suiche lays out the bad news in a blog post for cybersecurity firm Comae Technologies. He notes that while an earlier version of Petya, from which NotPetya gets its name, technically allowed for the decryption of files, NotPetya doesn’t. 

“2016 Petya modifies the disk in a way where it can actually revert its changes,” writes Suiche. “Whereas, 2017 Petya does permanent and irreversible damages to the disk.”

Code of NotPetya on the left reportedly includes wiper code lacking in the 2016 Petya code on the right.

Image: Comae Technologies

Suiche goes on to call NotPetya a “wiper,” and explains the difference between a wiper and ransomware. 

“The goal of a wiper is to destroy and damage,” notes Suiche. “The goal of a ransomware is to make money. Different intent. Different motive. Different narrative. A ransomware has the ability to restore its modification such as [restoring the MBR like in the 2016 Petya, or decrypting files if the victim pays] — a wiper would simply destroy and exclude possibilities of restoration.”

So, if the motive for the malicious code is not profit via a Bitcoin ransom, what could it be? While at this point it’s pure speculation, the growing consensus among a host of security experts is that the attack was not launched by cybercriminals in the traditional sense. 

However, not everyone agrees with Suiche’s findings. The (now famous) security researcher who discovered the WannaCry kill switch, Marcus Hutchins, takes issue with Suiche’s claim that “the current version of Petya clearly got rewritten to be a wiper and not a[n] actual ransomware.”

But even if the intent hadn’t been to destroy, there’s almost zero chance those affected by NotPetya could get their data back by paying the $300-worth-of-Bitcoin ransom for a decryption key. That’s because the email used to coordinate ransom payments was disabled by the email service provider.

In other words, Suiche’s findings reveal a bad situation to be even worse. And, if his discovery portends a new type of ransomware-disguised wipers, the news just went from worse to downright awful. 


A new ransomware is sweeping the globe, but there’s a vaccine

“I wonder if this is what Edward Jenner felt like.”

Image: Christopher Mineses/Mashable

It’s a familiar story: You boot up your computer only to find a mysterious message saying your files are encrypted. You soon realize that your data is likely gone for good — even if you fork over a cryptocurrency ransom payment. 

But this time around, as a new and virulent form of ransomware dubbed NotPetya sweeps the globe, it doesn’t have to be this way. 

Because this time around, there’s a vaccine. 

What is NotPetya?

The first symptoms of the attack appeared on June 27 in Ukraine, with the National Bank of Ukraine and the Kiev International Airport both hit hard. Even Chernobyl’s radiation monitoring system has reportedly been affected. But NotPetya, which targets the Windows operating system, didn’t stay there. Microsoft has confirmed that computers in 64 additional countries have been infected. 

The ransomware, so called because it demands a payment from users in exchange for decrypting their files, appears to use some code from an earlier ransomware known as Petya. However, this latest version looks to have been souped up with the allegedly stolen NSA exploit EternalBlue — the same exploit that drove the spread of WannaCry — and as such has security researchers calling it “NotPetya.”

According to the security firm Symantec, NotPetya is particularly nasty because instead of just encrypting a system’s files, it actually modifies a computer’s master boot record in order to encrypt its hard disk. 

The NotPetya ransom screen.

Image: symantec

Once a system is infected, a message is displayed demanding $300 worth of Bitcoin in exchange for a decryption key. However, as the listed email address for confirming that the ransom has been paid has been shut down by the email provider, there is little-to-no chance a decryption key will be provided even if a victim pays. 

Essentially, those hit by NotPetya can kiss their data goodbye. 

The vaccine

But the situation isn’t hopeless. Those who either don’t want to or simply can’t afford to turn off their computer and wait for this all to blow over have a weapon in the battle against this attack. And, thankfully, it’s a pretty simple home remedy. 

A security researcher by the name of Amit Serper appears to have found a way to prevent the ransomware from running on vulnerable computers with just a few easy steps. 

His observation, which has since been confirmed by other researchers, is that NotPetya looks for a specific file on a computer before encrypting the computer’s contents. If that file is located, the ransomware won’t proceed.

So all concerned users have to do is create a file by that name, and then NotPetya won’t run. To do this, head to the C:\Windows folder and make a read-only file by the name of “perfc.” Importantly, this should not have a file extension. Bleeping Computer has a great step-by-step guide for those looking for detailed instructions. 

An added dose of security, which everyone should have done by now but clearly hasn’t, is to install Windows security updates. The EternalBlue exploit used by NotPetya, which relies on a Server Message Block (SMB) vulnerability, was patched back in March.

Both keeping your Windows OS up to date with security patches, and creating the perfc file as explained by Serper, should be enough to vaccinate otherwise healthy computers against NotPetya. While that doesn’t help the National Bank of Ukraine this time around, it may be enough to save you.  
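The steps above, as an added PowerShell example (not code from the article, from Bleeping Computer or from Amit Serper): it creates the extensionless, read-only C:\Windows\perfc file the article describes and then verifies that it is in place. The path and file name come from the article; the function names are this example’s own.

```powershell
# Added example: create and verify the NotPetya "vaccine" file described in the article.
# Must run in an elevated (Administrator) session, since %SystemRoot% is a protected folder.

$PerfcPath = Join-Path $env:SystemRoot 'perfc'   # normally C:\Windows\perfc, no extension

function New-PerfcVaccine {
    param([string]$Path = $PerfcPath)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        # Create an empty file. The article stresses that the name must carry no extension,
        # so we deliberately do not append ".dat" or anything else.
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }
    # Mark the file read-only so it is not casually overwritten or deleted later.
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true
    Get-Item -LiteralPath $Path
}

function Test-PerfcVaccine {
    param([string]$Path = $PerfcPath)
    # Returns $true only when the file exists, has no extension and carries the ReadOnly attribute.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $item           = Get-Item -LiteralPath $Path
    $hasNoExtension = [string]::IsNullOrEmpty($item.Extension)
    $isReadOnly     = ($item.Attributes -band [IO.FileAttributes]::ReadOnly) -ne 0
    return ($hasNoExtension -and $isReadOnly)
}

New-PerfcVaccine | Out-Null
if (Test-PerfcVaccine) {
    Write-Output "perfc vaccine present at $PerfcPath"
} else {
    Write-Output "perfc vaccine missing or misconfigured at $PerfcPath"
}
```

As the article notes, this file complements the March Windows security updates rather than replacing them; Test-PerfcVaccine can be re-run later to confirm the file is still in place.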

As for the next wave of ransomware? While predicting what’s coming down the pike is a difficult if not impossible task, you can still take precautionary steps: Make sure your system is up to date, and be skeptical of any and all emails and links. 
