Huge ransomware outbreak spreads in Ukraine and beyond

A huge ransomware outbreak has hit major banks, utilities and telcos in Ukraine as well as victims in other countries. Check out our full analysis of the software nasty, here. Early analysis of the attack points towards a variant of the known Petya ransomware, a strain of malware that encrypts the filesystem tables and …

  1. Doctor Syntax Silver badge

    If it's just the MBR being encrypted then presumably something like Photorec should recover files. However according to https://www.infosecurity-magazine.com/news/ukraine-businesses-petya-ransomware/ it encrypts files as well as the MBR.

    1. Robert Carnegie Silver badge

      http://www.bbc.co.uk/news/technology-40416611 has someone talking about it attacking the MFT of NTFS - that's a more severe attack than the MBR. So maybe a misunderstanding. Whatever it is, you don't want it. To Ukraine: I feel your pain, but, why not use Linux?

      1. Doctor Syntax Silver badge

        "someone talking about it attacking the MFT of NTFS - that's a more severe attack than the MBR."

        Providing the files themselves aren't corrupted something like photorec reads the sectors, tries to work out what they are and copies the results out to fresh media. Obviously it depends on the extent to which the files are fragmented. If the files are encrypted then it depends on whether they're overwritten. The only experience I had with this was with ransomware that wrote out the encrypts as new files and deleted the old ones which, of course, just marked the files' sectors as free but didn't do anything to the contents. The only problem was sorting out real images from junk heap of odds & sods from the browser cache.

      2. Anonymous Coward
        Anonymous Coward

        >why not use Linux?<

        Because they DON'T live in their mom's basement, and needs to get work done?

        1. Doctor Syntax Silver badge

          "and needs to get work done?"

          Yes, they certainly need to get work done now to recover from this.

          I take it you've no personal knowledge of Linux or other Unix-like systems. I've got a little secret for you. Most of those of us who use Linux have also had experience of Windows, including sorting out the problems it's caused for friends and family. We can actually reach an informed opinion of what actually works.

          In my case I was using Unix systems to do real work years before Windows was thought of. Lab management, logistics management, industrial control systems, all grist to the mill.

          1. notowenwilson

            Excuse my ignorance, but how do I run all my windows only software that is central to my job description on Linux? Or do I need to get a new job?

            1. herman

              In many cases you will find that there are perfectly good alternatives that do the same thing on Linux/BSD/Apple Mac. For the rest, you can use Windows in a virtual machine with the virtual network cable unplugged, or very strongly packet filtered by the host.

              Note that there are millions of Apple Mac users out there that do not use any Windows software and get things done much more easily, securely and professionally.

              1. notowenwilson

                "Note that there are millions of Apple Mac users out there that do not use any Windows software and get things done much more easily, securely and professionally."

                Sure, but very few of them work in engineering companies that require access to top of the range CAD packages.

        2. Anonymous Coward
          Trollface

          >Because they DON'T live in their mom's basement, and needs to get work done?

          See icon, you forgot to add it.

        3. herman

          Well, Linux, BSD and Macintosh are very similar and share tens of thousands of software packages. So you allege that millions of Mac users, for example, cannot get any work done?

          It is time to wake up and smell the coffee. There is a whole world of computing out there that you are not aware of.

      3. patrickstar

        Funny with the mandatory "stupid Windows is so insecure, use Linux!!!111" comment considering that the article clearly states that this was not relying on any Windows specific vulnerability, but rather compromising the auto-update servers of some company and then being able to move across the network due to bad admin practices. Both things would work equally well against Linux if the attackers wanted to target it instead.

  2. i1ya
    FAIL

    "Never attribute to malice that which is adequately explained by stupidity"

    My beloved country, which is Ukraine, is famous for pirated Windows and nihilist admins who often deliberately don't install patches. The horse was stolen two months ago when "Wanna Cry" was all over the news; but to some people, it's never enough to finally lock the barn door.

    1. iromko
      Thumb Down

      Re: "Never attribute to malice that which is adequately explained by stupidity"

      For a country which is the target of Russian aggression, it's only natural to assume that any widespread attack on its infrastructure was initiated by the aggressor. And only after that has been disproved may other possibilities be considered. Of course, if some administrators failed to protect their systems (big 'if', we don't really know), they should be held accountable.

      But still the blame should be placed where it belongs, on the perpetrator, not the victims.

      1. Tom Paine

        Re: "Never attribute to malice that which is adequately explained by stupidity"

        But still the blame should be placed where it belongs, on the perpetrator, not the victims.

        Criminal negligence, negligent culpability, duty of care... these are things in UK law. Blame the attackers existing if you like, but really they've got more in common with a lightning strike or a washing machine catching fire: these are things that, sooner or later, are going to happen, and you'd better design and build (or procure and operate) accordingly.

        Put another way: it's not my /fault/ that nature and nurture made me enjoy beer, but it's my /responsibility/ not to drink drive, or destroy my liver, or glass someone for looking at my pint all night.

        1. Bob Hoskins

          Re: "Never attribute to malice that which is adequately explained by stupidity"

          That was an extremely stupid response. Thank you.

      2. Anonymous Coward
        Anonymous Coward

        Re: "Never attribute to malice that which is adequately explained by stupidity"

        And your evidence is, what? Something bad happened in Ukraine, so the Russians must be orchestrating it?

        At some stage, Ukrainians will wake up to the fact that most of the damage done to Ukraine was not done by the wicked Russians, but by the utterly corrupt "leaders" of the country whose sole intent is to pillage the country for their own benefit. Yes, the Russians are an easy scapegoat, but when EVERY Ukrainian president has been more corrupt than Ismailov and more inept than Yeltsin, this might be a more plausible explanation.

        Ukrainians really need to find the spirit of Khemelnitskiy and rise up to free themselves from the political class, then perhaps they could work to being the most prosperous nation in Europe.

        1. iromko
          Flame

          Re: "Never attribute to malice that which is adequately explained by stupidity"

          "And your evidence is, what" - typical Russian troll response :)

          For others, here's The Register take on this: https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware/?page=3

    2. find users who cut cat tail

      Re: "Never attribute to malice that which is adequately explained by stupidity"

      Pirated Windows and lazy admins may be factors. Still, Ukraine is not exactly a wealthy country and $300 is lots of money there. If your goal is to make money from the ransomware, wouldn't you rather target a country where $1000/month is considered the poverty threshold? This looks more like the ransom part is a nice benefit but not the goal.

  3. Anonymous Coward
    Anonymous Coward

    UK companies as well - know of at least two

    1. Anonymous Coward
      Anonymous Coward

      I know a very large multinational company has been hit.

      1. Anonymous Coward
        Anonymous Coward

        >I know a very large multinational company has been hit.<

        Yes, MAERSK..

        1. Anonymous Coward
          Anonymous Coward

          Nope, another. Ironically also in the logistics business.

          Can't say which, major customer of ours and we are clearing their shit up.

          1. Anonymous Coward
            Anonymous Coward

            I think I know the one. They're my company's main courier, which has meant vast parts of our shipping/logistics teams grinding to a halt as a result. Not great when you've got lots of companies expecting urgent kit from you which is now stuck in various courier warehouses...

            Edit, sod it, it's TNT. Seeing as the BBC have already outed them...

            1. Anonymous Coward
              Anonymous Coward

              companies expecting urgent kit from you

              Yes, my past experience with TNT was that anything shipped by them would usually arrive in kit form, even if it didn't start out that way...

  4. Shane McCarrick

    Irish companies hit too

    Couple of Irish companies ringing up in a panic.........

  5. Sir Runcible Spoon

    That's it

    I've disconnected all my work shared drives

    1. Ryan 7

      Re: That's it

      Not going to work, since by default you still have \\hostname shares both on your machine, and available to you.

      1. Sir Runcible Spoon
        Pint

        Re: That's it

        In that case I'm logging out entirely :)

        On a side note, I can design secure networks for banks and such, but I'm just like any other clueless dingbat when it comes to securing the company laptop that I have no rights over :)

        1. Anonymous Coward
          FAIL

          Re: That's it

          "I'm just like any other clueless dingbat when it comes to securing the company laptop that I have no rights over :)"

          As it spreads via admin credentials, sounds like your IT department know EXACTLY what they are doing and are following best practice.

          1. Sir Runcible Spoon

            Re: That's it

            "As it spreads via admin credentials, sounds like your IT department know EXACTLY what they are doing and are following best practice."

            Totally agree, but it does mean there isn't much *I* can do about it.

      2. Anonymous Coward
        Anonymous Coward

        Re: That's it

        Why don't you just invest in a firewall device that you can configure to block access from the Internet to all those ports Micro$oft love to keep open by default ?

        1. Tom Paine
          Facepalm

          Re: That's it

          Why don't you just invest in a firewall device that you can configure to block access from the Internet to all those ports Micro$oft love to keep open by default ?

          Altogether, now: "OF COURSE IT'S SECURE, IT'S INSIDE THE FIREWALL!"

          This is why infosec people have a job for life, and a frequent flier card at their local boozer.

        2. Sir Runcible Spoon

          Re: That's it

          "Why don't you just invest in a firewall device that you can configure to block access from the Internet to all those ports Micro$oft love to keep open by default ?"

          Well, when my work laptop is connected, it's using split-tunnel so no naughty connections to my local network at all once I've VPN'd to the corporate network.

          Once connected, my machine is effectively on a DMZ within the perimeter of the corporate security estate, and I know how leaky that is because I used to work for the company that manages it. If I can connect to a network share at the office via an SSL VPN then I can sure as hell get hit by malware using those ports to host-hop.

          So, tell me Mr AC - where exactly does the firewall fit into this? I'm more likely to be protected by the IPS solution than the firewall, since the firewall is set to allow those connections that are at risk.

          1. hmv

            Re: That's it

            If you were VPNing in through _my_ firewall (well it belongs to $work, but I'm the Evil Firewall Admin), you could SMB to the storage networks but not to and from the workstation networks. So yes the firewall would limit the chances of getting infected.

            BTW: It's not clear, but what you're describing doesn't sound like split-tunnel to me.

          2. Anonymous Coward
            Anonymous Coward

            "So, tell me Mr AC - where exactly does the firewall fit into this?"

            Well: I have an ancient external Firewall device. I block the ports used for SMB server connections which are open on my intranet from being connected to from the Internet which is then on the other side of the Firewall.

            So you just interpose the firewall between your node and the rest of the Internet.

            Of course if you need to share a drive across a network then that network needs to be similarly protected, as does its transitive closure.

            Otherwise you're buggered.

        3. hmv

          Re: That's it

          Hard and crunchy on the outside, soft and chewy on the inside. I'm probably paraphrasing, but that phrase was in one of the first firewall books I read back in the mid-1990s.

          Sure blocking SMB at the edge helps protect, but I would not be very surprised to learn those hardest hit by this one were those who did have protection at the edge and so were complacent about their "soft and chewy" inside.

          1. Vic

            Re: That's it

            Hard and crunchy on the outside, soft and chewy on the inside

            Armadillos!

            Vic.
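The "soft and chewy inside" point above in practice, as an added example (not posted by any commenter here): a workstation that only consumes file shares has no reason to accept inbound SMB at all, and a host firewall rule limits lateral movement even when the perimeter lets SMB through. This script assumes Windows 8 / Server 2012 or later (the SmbShare and NetSecurity modules), an elevated prompt, and the Windows Defender Firewall; the rule name is a made-up default. It first shows what the host exposes (including the administrative shares mentioned earlier in the thread) and where it currently talks SMB as a client, then adds an inbound block for TCP 139/445.

```powershell
#Requires -RunAsAdministrator
# Added example: audit this host's SMB exposure, then stop it accepting
# inbound SMB. Assumes Windows 8 / Server 2012 or later (SmbShare and
# NetSecurity modules) and an elevated prompt. Run with -WhatIf to see
# the rule that would be created without changing anything.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical rule name; pick whatever fits your naming scheme.
    [string]$RuleName = 'Block inbound SMB (workstation)'
)

# 1. Shares this host offers. The administrative shares (ADMIN$, C$, IPC$)
#    exist on every Windows box whether or not you mapped anything, which
#    is why disconnecting your mapped drives does nothing for inbound risk.
Write-Host "== Shares exposed by $env:COMPUTERNAME =="
Get-SmbShare | Select-Object Name, Path, Special | Format-Table -AutoSize

# 2. Where this host currently has SMB sessions open as a *client*. These
#    are the servers it legitimately needs; an inbound block does not touch them.
Write-Host '== Outbound SMB connections (unaffected by an inbound block) =='
Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect -Unique |
    Format-Table -AutoSize

# 3. Existing enabled rules that allow inbound 139/445. The built-in
#    "File and Printer Sharing (SMB-In)" rule is enabled by default on the
#    domain and private profiles.
Write-Host '== Enabled inbound rules allowing TCP 139/445 =='
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
        ($ports -contains '445') -or ($ports -contains '139')
    } |
    Select-Object DisplayName, Profile | Format-Table -AutoSize

# 4. Add an explicit inbound block. In Windows Firewall a Block rule wins
#    over an Allow rule for the same traffic, so the default sharing rules
#    are overridden without having to find and disable each one.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Create firewall rule '$RuleName'")) {
        New-NetFirewallRule -DisplayName $RuleName `
            -Direction Inbound -Protocol TCP -LocalPort 139, 445 `
            -Action Block -Profile Any -Enabled True | Out-Null
        Write-Host "Created '$RuleName'."
    }
} else {
    Write-Host "'$RuleName' already exists; nothing to do."
}
```

Run it once with -WhatIf to review the share and connection listing before committing. Do not apply the blanket block to a file server or domain controller; there, scope the rule with -RemoteAddress to the workstation subnets instead, so that only the storage and management networks can reach port 445, which is the split hmv describes. Push the rule by Group Policy rather than by hand if you want it to survive the next laptop rebuild.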

  6. Anonymous Coward
    Anonymous Coward

    NHS managers shitting bricks yet?

    1. TRT Silver badge

      NHS managers NEVER shit bricks.

      They know how over stretched the service is that will be needed to repair their damaged sphincters.

    2. bitmap animal

      Re: Alternatives?

      Perhaps like the last outbreak they are comparatively safe if they're still running XP.

      1. herman

        Re: Alternatives?

        Ayup, fortunately the new Aunt Lizzy Aircraft Carrier is running XP.

  7. reddiesel

    dailymail..

    http://www.dailymail.co.uk/news/article-4643752/Europe-hit-new-WannaCry-virus.html

    The Daily Mail reporting same... with some dubious error messages on screens, which don't look necessarily related.

    1. Anonymous Coward
      WTF?

      Re: dailymail..

      You're using the Daily Wail as a reference? really?

      No doubt it was due to immigrants wearing above the knee skirts to school, while suffering the hell that are bi-weekly bin collections.

  8. Julian 8 Silver badge

    Besides patching

    Windows Server: PowerShell method (Remove-WindowsFeature FS-SMB1)

    Windows Client: PowerShell method (Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol)

    Not surprised about WPP - who are being named on R5 live a lot

    IBM and no idea who or what they are doing about patching these days. Used to be good
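The two one-liners above, wrapped in a check-then-disable script as an added example (mine, not the commenter's). It assumes Windows 8 / Server 2012 or later (for Get-SmbServerConfiguration) and an elevated prompt; the SMB1 access audit log it reads is only available on Windows 10 / Server 2016 and later, so that part is guarded. The point it adds beyond the one-liners: find the SMB1-only clients before you cut them off, and switch the dialect off at the server as well as removing the component.

```powershell
#Requires -RunAsAdministrator
# Added example: report whether SMBv1 is present and enabled on this host,
# optionally list clients still using it, and with -Disable turn it off.
# Assumes Windows 8 / Server 2012 or later and an elevated prompt.
param(
    [switch]$Audit,     # turn on SMB1 access auditing and show who still connects
    [switch]$Disable    # actually disable and remove SMB1
)

$os = Get-CimInstance Win32_OperatingSystem
# ProductType: 1 = workstation, 2 = domain controller, 3 = member server
$isServer = $os.ProductType -ne 1

# The server can have the SMB1 dialect switched off independently of the
# role service / optional feature being installed, so report both.
$srv = Get-SmbServerConfiguration
Write-Host ("{0}: {1} (build {2})" -f $env:COMPUTERNAME, $os.Caption, $os.BuildNumber)
Write-Host ("SMB server: SMB1 dialect enabled = {0}" -f $srv.EnableSMB1Protocol)

if ($isServer) {
    $feat = Get-WindowsFeature -Name FS-SMB1
    Write-Host ("Role service FS-SMB1 installed = {0}" -f $feat.Installed)
} else {
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    Write-Host ("Optional feature SMB1Protocol state = {0}" -f $feat.State)
}

if ($Audit) {
    # AuditSmb1Access exists on Windows 10 / Server 2016 and later only.
    if ($srv.PSObject.Properties['AuditSmb1Access']) {
        Set-SmbServerConfiguration -AuditSmb1Access $true -Force
        Write-Host 'SMB1 auditing on. Clients that connected with SMB1 so far:'
        # Event 3000 in the SMBServer/Audit log records each SMB1 client.
        Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000
        } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Message | Format-Table -Wrap
    } else {
        Write-Host 'SMB1 access auditing is not available on this OS version.'
    }
}

if (-not $Disable) {
    Write-Host 'Re-run with -Disable to turn SMB1 off.'
    return
}

# Step 1: stop accepting the SMB1 dialect right away; no reboot needed.
# Anything that only speaks SMB1 (old NAS boxes, printers, XP) stops
# connecting at this point, which is what the -Audit pass is for.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Step 2: remove the component so a stray registry change cannot bring it
# back. These are the two cmdlets from the comment above.
if ($isServer) {
    Uninstall-WindowsFeature -Name FS-SMB1   # Remove-WindowsFeature is an alias
} else {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}
Write-Host 'SMB1 disabled; reboot to complete removal.'
```

Run with -Audit on the file servers for a few days first, then -Disable. Note what this does not cover: as other comments in the thread point out, this outbreak also moves with stolen admin credentials, so removing SMB1 closes the exploit path but not the credential one; patching and not handing every workstation a domain admin token are still needed.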

  9. DagD

    FYI...

    an OTX share has flagged the email addy:

    wowsmith123456@posteo.net

    https://otx.alienvault.com

  10. This post has been deleted by its author

  11. frank ly

    The next stage

    The next stage in the 'war on terror' will be mandatory government oversight and access to Bitcoin etc. so that the miscreants can be tracked down. Does anyone know if they can already do this?

    1. Ryan 7

      Re: The next stage

      Mathematically impossible.

      1. frank ly

        Re: The next stage

        Give me a Bitcoin administrator and a baseball bat?

        1. Destroy All Monsters Silver badge

          Re: The next stage

          It's all the work of Emmanuel Bitcoin.

          May Brother says so.
