

A new ransomware outbreak similar to WCry is shutting down computers worldwide



A new ransomware attack similar to last month's self-replicating WCry outbreak is sweeping the world with at least 80 large companies infected, including drug maker Merck, international shipping company Maersk, law firm DLA Piper, UK advertising firm WPP, and snack food maker Mondelez International. It has attacked at least 12,000 computers, according to one security company.



PetyaWrap, as some researchers are calling the ransomware, uses a cocktail of potent techniques to break into a network and from there spread from computer to computer. Like the WCry worm that paralyzed hospitals, shipping companies, and train stations around the globe in May, Tuesday's attack made use of EternalBlue, the code name for an advanced exploit that was developed and used by, and later stolen from, the National Security Agency.


According to a blog post published by antivirus provider Kaspersky Lab, Tuesday's attack also repurposed a separate NSA exploit dubbed EternalRomance. Microsoft patched the underlying vulnerabilities for both of those exploits in March, precisely four weeks before a still-unknown group calling itself the Shadow Brokers published the advanced NSA hacking tools. The leak gave people with only moderate technical skills a powerful vehicle for delivering virtually any kind of digital warhead to systems that had yet to install the updates.


Besides use of EternalRomance, Tuesday's attack showed several other impressive improvements over WCry. One, according to Kaspersky, was the use of the Mimikatz hacking tool to extract passwords from other computers on a network. With those network credentials in hand, infected computers would then use PSExec, a legitimate Windows component known as the Windows Management Instrumentation, and possibly other command-line utilities to infect other machines, even when they weren't vulnerable to the EternalBlue and EternalRomance exploits. For added effectiveness, at least some of the attacks also exploited the update mechanism of a third-party Ukrainian software product called MeDoc, Kaspersky Lab said. A researcher who posts under the handle MalwareTech speculated that MeDoc was itself compromised by malware that took control of the mechanism that sends updates to end users.


Kaspersky stopped short of saying MeDoc was the initial infection point in the attack chain, as did researchers from Cisco Systems' Talos group, which in its own blog post also said only that the attacks "may be associated with software update systems for a Ukrainian tax accounting package called MeDoc." Researchers from AV provider Eset, however, said the MeDoc update mechanism was "the point from which this global epidemic has all started." A separate, unconfirmed analysis circulating on Twitter also makes a compelling case a MeDoc update issued early Tuesday morning played a key role.


Many analysts interpreted the post as an admission of playing a key role in the attacks. But if that's the case, the 13-word statement was uncharacteristically glib for an official communication taking responsibility for one of the worst computer attacks in recent memory. What's more, in a separate Facebook post, MeDoc officials seemed to say they weren't involved.


Once the malware takes hold of a computer, it waits 10 to 60 minutes to reboot the infected computers, Kaspersky said. The encryption routine that permanently locks data until targets pay a $300 fee starts only after the computer restarts. Researchers said anyone who experiences an infection may be able to preempt the encryption process by immediately turning off the computer and allowing only an experienced security professional to restart it.


News organizations reported potentially serious disruptions around the world, with organizations throughout Ukraine being hit particularly hard. In that country, infections reportedly hit metro networks, power utility companies, government ministry sites, airports, banks, media outlets, and state-owned companies. Those affected included radiation monitors at the Chernobyl nuclear facility. A photograph published by Reuters showed an ATM at a branch of Ukraine's state-owned Oschadbank bank that was inoperable. A message displayed on the screen demanded a payment to unlock it. Meanwhile, Reuters also reported that Ukrainian state power distributor Ukrenergo said its IT systems were also hit by a cyber attack but that the disruption had no impact on power supplies or broader operations. Others hit, according to Bloomberg, included Ukrainian delivery network Nova Poshta, which halted service to clients after its network was infected. Bloomberg also said Ukraine's Central Bank warned on its website that several banks had been targeted by hackers.



Rumors are carried by haters
Spread by fools
Accepted by idiots

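The article above describes a lateral-movement chain (credentials pulled from LSASS the way Mimikatz does, remote execution through PsExec or WMI, and a reboot scheduled shortly after infection). The following is an added example, not code from the article or from the forum poster, of how a blue team could flag that chain from Windows System-log and Sysmon fields. Every event record is a constructed sample; the LSASS allowlist, the hostnames and the DLL name are assumptions made for the example and should be tuned to the real environment.

```python
# Added example (not from the article or the forum post): a small detector for
# the lateral-movement chain described above - credential access against LSASS
# (what Mimikatz does), remote execution through PsExec or WMI, and a reboot
# scheduled shortly after infection. All event records below are constructed
# samples shaped like Windows System-log / Sysmon fields, not real logs.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Event:
    host: str
    channel: str          # "System" or "Sysmon"
    event_id: int
    fields: Dict[str, str] = field(default_factory=dict)


# Processes that legitimately open LSASS; anything else touching it is suspect.
# Assumed allowlist for this example; tune it to your own environment.
LSASS_ALLOWLIST: Set[str] = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}


def _low(fields: Dict[str, str], key: str) -> str:
    return fields.get(key, "").lower()


def indicators(ev: Event) -> List[str]:
    """Return the names of the lateral-movement indicators a single event matches."""
    hits: List[str] = []
    if ev.channel == "Sysmon" and ev.event_id == 10:
        # Sysmon 10 = ProcessAccess. A non-system process opening lsass.exe is the
        # footprint of credential-dumping tools such as Mimikatz.
        if _low(ev.fields, "TargetImage").endswith(r"\lsass.exe") \
                and _low(ev.fields, "SourceImage") not in LSASS_ALLOWLIST:
            hits.append("lsass_access")
    elif ev.channel == "System" and ev.event_id == 7045:
        # 7045 = a new service was installed. PsExec installs PSEXESVC on the target.
        if _low(ev.fields, "ServiceName") == "psexesvc" \
                or "psexesvc" in _low(ev.fields, "ImagePath"):
            hits.append("psexec_service")
    elif ev.channel == "Sysmon" and ev.event_id == 1:
        # Sysmon 1 = ProcessCreate.
        parent = _low(ev.fields, "ParentImage")
        cmd = _low(ev.fields, "CommandLine")
        if parent.endswith(r"\wbem\wmiprvse.exe"):
            # Commands run remotely via WMI are spawned by the WMI provider host.
            hits.append("wmi_spawned_process")
        if "schtasks" in cmd and re.search(r"shutdown.*?[/-]r\b", cmd):
            # A scheduled restart matches the delayed-reboot behaviour the article describes.
            hits.append("scheduled_reboot")
    return hits


def summarize(events: List[Event]) -> Dict[str, List[str]]:
    """Map each host to the sorted, de-duplicated indicators seen on it."""
    per_host: Dict[str, Set[str]] = {}
    for ev in events:
        for name in indicators(ev):
            per_host.setdefault(ev.host, set()).add(name)
    return {h: sorted(s) for h, s in sorted(per_host.items())}


def flagged_hosts(events: List[Event], minimum: int = 1) -> List[str]:
    """Hosts showing at least `minimum` distinct indicators."""
    return [h for h, names in summarize(events).items() if len(names) >= minimum]


# Constructed sample events (hostnames, paths and the DLL name are made up).
SAMPLE_EVENTS: List[Event] = [
    # WS01: an unknown binary in a temp directory opens LSASS (Mimikatz-style).
    Event("WS01", "Sysmon", 10, {
        "SourceImage": r"C:\Users\bob\AppData\Local\Temp\xyz.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1010"}),
    # WS02: PsExec service installed, then a reboot scheduled via schtasks.
    Event("WS02", "System", 7045, {
        "ServiceName": "PSEXESVC",
        "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    Event("WS02", "Sysmon", 1, {
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'schtasks /Create /SC once /TN "" /TR '
                       r'"C:\Windows\system32\shutdown.exe /r /f" /ST 14:35'}),
    # WS03: a process spawned by the WMI provider host (remote WMI execution).
    Event("WS03", "Sysmon", 1, {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"rundll32.exe C:\Windows\example.dll,#1"}),
    # WS04: benign noise - csrss touching LSASS, a normal svchost start.
    Event("WS04", "Sysmon", 10, {
        "SourceImage": r"C:\Windows\System32\csrss.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1000"}),
    Event("WS04", "Sysmon", 1, {
        "Image": r"C:\Windows\System32\svchost.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "CommandLine": "svchost.exe -k netsvcs"}),
]


if __name__ == "__main__":
    for host, names in summarize(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(names)}")
```

Each indicator on its own is noisy (admins use PsExec and WMI too); the useful signal is a host that shows more than one of them in a short window, which is what `flagged_hosts(..., minimum=2)` surfaces. Note that the check fires only on a non-allowlisted process opening LSASS, so a dumper injected into an allowlisted process will not be caught by this rule alone.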


This ransomware is different because it doesn't just encrypt files on a normal filesystem level. It reboots the machine, locks out the master file table (MFT) and master boot record (MBR), and encrypts the entirety of the drive itself. 


Edit: Apparently a mitigation was found?

Edit2: ^Apparently creating that file stops it from running entirely. 


Linux/Unix | InfoSec | Electronics | Radios

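The post above points out that this ransomware takes over the master boot record rather than only encrypting files. A forensic check a responder would want is whether the bootstrap code in sector 0 still matches a known-good baseline, independent of the partition table (which a bootloader-replacing payload can leave untouched). The following is an added example, not code from the poster or from any analysis of the malware; the two boot sectors are constructed stand-ins, and the baseline hash is taken from the constructed clean sector rather than from a real Windows image.

```python
# Added example (not from the article or the forum post): check whether the
# boot-sector code on a disk image has been replaced, which is how a bootloader-
# based ransomware like the one described above takes over before Windows loads.
# The sample sectors are constructed here; in practice the "known-good" hash
# would come from a clean baseline image of the same Windows build.
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOTCODE_LEN = 440          # bytes 0..439: bootstrap code
DISK_SIG_OFF = 440          # bytes 440..443: NT disk signature
PART_TABLE_OFF = 446        # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> Dict:
    """Split a 512-byte MBR into bootstrap-code hash, disk signature and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts: List[Dict] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": parts,
    }


def bootcode_modified(sector: bytes, baseline_sha256: str) -> bool:
    """True when the bootstrap code differs from the trusted baseline hash."""
    return parse_mbr(sector)["bootcode_sha256"] != baseline_sha256


def build_mbr(bootcode: bytes, disk_signature: int = 0x1234ABCD) -> bytes:
    """Assemble a constructed MBR with one bootable NTFS (type 0x07) partition."""
    code = bootcode[:BOOTCODE_LEN].ljust(BOOTCODE_LEN, b"\x00")
    sig = struct.pack("<IH", disk_signature, 0)   # signature + 2 reserved bytes -> offset 446
    # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
    table = entry + b"\x00" * 48                  # remaining three entries empty
    return code + sig + table + BOOT_SIGNATURE


# Constructed stand-ins for boot code, not real loaders.
CLEAN_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 16
TAMPERED_BOOTCODE = b"\xeb\x3e\x90" + b"\xcc" * 32

CLEAN_MBR = build_mbr(CLEAN_BOOTCODE)
TAMPERED_MBR = build_mbr(TAMPERED_BOOTCODE)
# Baseline taken from the constructed clean sector for this example.
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["bootcode_sha256"]


if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(mbr)
        print(name, "bootcode modified:", bootcode_modified(mbr, BASELINE_SHA256),
              "partitions:", info["partitions"])
```

The point the example makes is that the tampered sector still parses to the same partition table and disk signature as the clean one; only the first 440 bytes differ, so a check that validates partition entries alone would report the disk as healthy. On a live system the sector would be read from the raw device (for example `\\.\PhysicalDrive0` on Windows) rather than built in memory.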

an advanced exploit that was developed and used by, and later stolen from, the National Security Agency

Yet more tangible evidence to back my motto: fuck the federal government.



