Comments on: Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide

It is now increasingly clear that the global outbreak of a file-scrambling software nasty targeting Microsoft Windows PCs was designed not to line the pockets of criminals, but spread merry mayhem. The malware, dubbed NotPetya because it masquerades as the Petya ransomware, exploded across the world on Tuesday, taking out …

  1. Am I Paranoid Enough?

    Cyber sex in action

    Here we go again. So many systems getting well and truly screwed all around the world!

    Am I correct in understanding that this happens (in part) quicker in systems patched by Micro$oft?

    Viz: "These cyber-weapons attack vulnerabilities patched by Microsoft earlier this year, so the credential theft is usually more successful, at least at places that are on top of their Windows updates."

    1. Olivier2553

      Re: Cyber sex in action

      Viz: "These cyber-weapons attack vulnerabilities patched by Microsoft earlier this year, so the credential theft is usually more successful, at least at places that are on top of their Windows updates."

      I too had a hard time understanding this sentence. I read it as:

      - if you patched MS recently, NotPetya will propagate by finding credentials in the RAM

      - if you did not patch, it will use the unpatched vulnerabilities.

      1. Prst. V.Jeltz Silver badge

        Re: Cyber sex in action

        At some point in the article it said the Ram Raid ( hehe ) doesn't work on w10 so the sentence would mean:

        It tries the vulns patches issued earlier (smb), which may work if still not yet applied, and tries the Ram raid, which is usually more successful as not yet patched on W7, but won't work on w10.

      2. Ken Hagan Gold badge

        Re: Cyber sex in action

        I agree with that reading, but would add...

        "- if you patched MS recently, NotPetya will propagate by finding credentials in the RAM"

        ...which, if you are logged in as a normal user rather than a pseudo-admin, won't be sufficient to go any further. Perhaps.

        1. Anonymous Coward

          Re: Cyber sex in action

          MS have been criticised for their ASLR.

          https://en.wikipedia.org/wiki/Address_space_layout_randomization#Microsoft_Windows

          Seems to me like some old software has become a conduit. Perhaps those companies need to upgrade and invest in more up to date systems.

          Besides, like Wannacry, this is an exercise to raise awareness of bitcoins & crypto currencies to a lesser extent.

          Wannacry targeted national institutions, and this one is just targeting more high profile entities but still raising the profile of bitcoins.

          Satoshi must be worth getting on for $2 billion now, not bad for a few years' work, an idea and then letting the public run with it with Govt & media backing.

          I still think this is a side show though and believe there are many many more systems already pwn'ed waiting to be activated, if you want to know more, that will cost you £10k per day! :-)

          In the meantime, can MS come up with some major fixes to prevent an exodus from Windows?

          It's a bummer when all the original talent who built Windows have long since gone.

          1. TheVogon

            Re: Cyber sex in action

            "can MS come up with some major fixes to prevent an exodus from Windows?"

            Like Windows 10 you mean where none of this works on an updated PC?

          2. Truckle The Uncivil

            Re: Cyber sex in action

            @Richard Rose

            Talent?

      3. Dan 55 Silver badge

        Re: Cyber sex in action

        Nobody pushing out the read-only file yet? (See first page.)

        Luckily I have local admin privileges so I could do it on my computer.

        Yes, I am aware of irony (or whatever it is) of that.

        1. Dan 55 Silver badge

          Re: Cyber sex in action

          Seems other sources say the file is not called C:\Windows\perfc.dat but C:\Windows\perfc.

          1. Anonymous Coward

            Re: Cyber sex in action

            Is that because they are hiding file extensions (default)?

            1. Dan 55 Silver badge

              Re: Cyber sex in action

              No, one that I read specifically mentioned that you had to show file extensions to be able to create the file.

              Edit: I've just searched Google and it seems there's an even split between with .dat and without .dat.

              Bloody Internet and fake news.

              Best to create both.

            2. This post has been deleted by its author

        2. TheVogon

          Re: Cyber sex in action

          "Luckily I have local admin privileges so I could do it on my computer."

          If that's in a corporate setting, you should be using a separate user account for those....

    2. theblackhand

      Re: Cyber sex in action

      "Am I correct in understanding that this happens (in part) quicker in systems patched by Micro$oft?"

      Pretty sure the answer is no.

      If machines are patched against the NSA backdoors and SMBv1 is disabled, there are other propagation routes if the user has local admin access to the PC, i.e. lsadump for any cached credentials on the PC and then psexec/WMIC using those credentials in an attempt to access other machines via C$/Admin$ shares. Your MBR is also re-written and after 20-40 minutes your PC is restarted and a "chkdsk" run that encrypts your hard disk. Prior to the reboot, a boot from CD and re-writing the MBR allows you to recover from this.

      Also consider blocking SMB access between workstations via Windows firewall for end user devices if there isn't a compelling reason not to (i.e. in offices where a local PC is the "server" or some dumb app) or at least reducing access to just the hosts or subnets that need access to reduce your exposure.

      If you don't have local admin access to allow the hash dump AND you are patched against the NSA issues across your network, files matching a list of extensions are encrypted.

      If you haven't been infected yet, your best protection is ensuring AV and patching is up-to-date and reviewing your usage of privileged accounts (both at domain level and local PC level) to ensure you understand the potential for propagation across your network. Changing passwords for privileged accounts to prevent cached hashes from being usable is also a good step.
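Added example, not code from any commenter or from Microsoft: a PowerShell script that applies the defensive steps raised in this thread, the read-only file Dan 55 describes (created under both names mentioned, since the thread is unsure which one is checked) and theblackhand's suggestions to restrict SMB between workstations and disable SMBv1. It assumes an elevated prompt, Windows 8/Server 2012 or later for the NetSecurity firewall cmdlets, and that the approved-host addresses are constructed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not from any commenter): workstation hardening steps from this thread.
# Assumptions: Windows 8 / Server 2012 or later for the *-NetFirewallRule cmdlets;
# $approvedSmbHosts below is a constructed placeholder, replace it with your own.
$ErrorActionPreference = 'Stop'

# 1. Read-only files. Commenters disagree on whether the malware checks for
#    C:\Windows\perfc or C:\Windows\perfc.dat, so create both and mark them read-only.
foreach ($path in @('C:\Windows\perfc', 'C:\Windows\perfc.dat')) {
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path -ItemType File | Out-Null
    }
    (Get-Item -LiteralPath $path).IsReadOnly = $true
    Write-Host "Read-only file in place: $path"
}

# 2. Stop workstation-to-workstation SMB (the C$/Admin$ route used with psexec/WMIC).
#    Windows Firewall gives block rules precedence over allow rules, so rather than a
#    block-all plus allow-some pair we rely on the default inbound Block action,
#    disable the built-in SMB allow rules, and add one allow rule scoped to the
#    hosts that genuinely need SMB access to this machine.
$approvedSmbHosts = @('10.0.0.5', '10.0.0.6')   # placeholder: file/management servers

if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

    Get-NetFirewallRule -Direction Inbound -Enabled True |
        Where-Object { $_.DisplayName -like '*SMB-In*' } |
        Disable-NetFirewallRule

    $ruleName = 'Allow SMB (TCP 445) only from approved hosts'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -RemoteAddress $approvedSmbHosts -Action Allow `
            -Profile Domain,Private | Out-Null
    }

    # Show the resulting SMB-related inbound rules so the change can be verified.
    Get-NetFirewallRule -Direction Inbound |
        Where-Object { $_.DisplayName -like '*SMB*' } |
        Select-Object DisplayName, Enabled, Action, Profile
} else {
    Write-Warning 'NetSecurity cmdlets unavailable (Windows 7): use netsh advfirewall for step 2.'
}

# 3. Turn off SMBv1 on the server side, the protocol the patched SMB flaws live in.
#    Windows 8/2012+ have a cmdlet; Windows 7 uses the registry value documented in
#    Microsoft KB2696547 and needs a reboot for it to take effect.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
} else {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name 'SMB1' -Type DWord -Value 0
    Write-Host 'SMB1 disabled in the registry; reboot for it to take effect.'
}
```

The script is safe to rerun: existing files are left in place and the allow rule is only created once.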

    3. Naselus

      Re: Cyber sex in action

      "Am I correct in understanding that this happens (in part) quicker in systems patched by Micro$oft?"

      Exactly the inverse.

      The main SMB1 vulnerabilities used for propagation were patched back in April (which kept a lot of us safe from Wannacry, too), so as long as you're actually running a decent patching schedule you were immune. The admin credential harvesting from local RAM would also be fairly ineffective if basic security hygiene was followed (in other words, MS's own best practice, as outlined in pretty much every level of MS training).

      Oh, and Win 10 was effectively immune - it doesn't have the SMB flaw, and doesn't allow the creds to be harvested. Which must be very frustrating for everyone who was hoping to use this as another excuse to attack Win 10.

    4. TheVogon

      Re: Cyber sex in action

      "logged in as an admin or domain admin into running a booby-trapped email attachment"

      What sort of shoddy organisation allows admin accounts to have email and be used for general purpose access?!

      1. Kiwi

        Re: Cyber sex in action

        What sort of shoddy organisation allows admin accounts to have email and be used for general purpose access?!

        The one that expected everybody to do that by default?

        1. Jakester

          Re: Cyber sex in action

          Well, I was in IT in a bank several years ago (in the U.S.). One of the major companies for bank software needed to have users logged in as administrators for their software to work properly. Coworkers and I spent many hours after each new version of software was released to find out what permissions needed to be changed in program files and registry entries so users could be logged in as a standard user instead of an admin. Very frustrating, but too often the tech support answer from software providers was to "just have users log in as administrators". I'm retired now, so I don't know if things are better. It was very frustrating at the time.

          1. Naselus

            Re: Cyber sex in action

            Sage tech support regularly demand to have domain admin access in order to do support on our systems. I regularly tell them where they can stick it.

  2. Anonymous Coward

    Of Course

    It could be the Ukrainians themselves who set this loose to try and blame their enemies.

    False flag operations are a favourite trick of numerous national governments worldwide, particularly if there is an election coming up.

    1. Anonymous Coward

      Re: Of Course

      While I would not go as far as false flag, the primary malware production facilities in the ex-USSR are presently in Ukraine and the war zones bordering it - Donetsk and TransDnestr. It used to be all over Russia. Not any more - they started getting in the way of legitimate business so the police got pressured by banks and businesses to start paying attention.

      So it was probably written in Ukraine. Now, who paid for the kids to write it - that is a different story. We are least likely to know that any time soon. Investigating the organized criminal industry in Ukraine (or the politicians related to it) always finishes with a bomb under your bonnet, a bullet in the back of your head or your head cut off and sent to your wife. I am not going to quote the actual examples - they are in the news going as far back as Kuchma's government.

      1. Anonymous Coward

        Re: Of Course

        TransDnestr is in Moldova, not Ukraine. It's not a "war zone" since the 1990s, albeit still a trouble zone because the pro-Russia illegal government takes advantage of the situation to gain from a lot of illegal activities...

    2. Doctor Syntax Silver badge

      Re: Of Course

      "It could be the Ukrainians themselves who set this loose to try and blame their enemies."

      More to the point, has MeDOc let anyone go recently and failed to delete their accounts and change any passwords they may have known? Because this is getting to sound like a bigger and better version of https://www.theregister.co.uk/2017/06/26/engineer_imprisoned_for_hacking_exemployer/ (for some values of better).

  3. Anonymous Coward

    The real blame goes to..

    Okay, so I get everyone wants to blame Russia or North Korea etc.

    But the way I see it, the true people to blame is in fact the Americans, more specifically, the NSA.

    Why? Simple: these attacks are using exploits NSA have known about for years, which is ironic when you think about the fact they claim to keep them in the name of "National Security" - Had they just found the exploits, and reported them to Microsoft (or whatever application developer has the bug) this would have been prevented years ago.

    But instead the NSA chose to harbour these security bugs, refusing to fix them and instead have them for their own malicious intents. The fact remains had these bugs been fixed instead of used then none of these attacks such as WannaCry would have been as effective as they are now.

    Personally, I think the NSA should stand up and admit it did wrong by harbouring the bugs and apologise to the affected businesses.

    That's not to say the creators of the malware are not responsible, which of course, they are. But to me the NSA still had a hand in it all.

    1. Hawkuletz

      Re: The real blame goes to..

      Speaking of NSA, let's remind ourselves about the first great Internet/Arpanet worm.

      From Cliff Stoll - The Cuckoo's Egg

      I knew Bob Morris was on his computer at 6:30 A.M. Thursday morning. I could see him logged into NSA's Dockmaster computer. After posting a message to that machine, I called him on the phone.

      "Hi, Bob. We've got troubles. A virus is spreading over the Arpanet, and it's infesting Unix computers."

      "When did it start?"

      "Around midnight, I'd guess. Maybe earlier - I just don't know. I've been up all night trying to understand it."

      "How's it spread?"

      "Through a hole in the Unix mail program."

      "You must mean Sendmail. Hell, I've known about that for years." Bob Morris might have known, but he had never told me.

      1. Prst. V.Jeltz Silver badge

        Re: The real blame goes to..

        Wasn't that his son? Or was that later?

        1. Hawkuletz

          Re: The real blame goes to..

          Affirmative, it was his son.

        2. Truckle The Uncivil

          Re: The real blame goes to..

          @Prst. V.Jeltz

          And the son learned of the vulnerability from his father

    2. EricM

      Re: The real blame goes to..

      Fully correct. Global Security is harmed mainly by Security Services (every major intelligence org is doing it) in multiple ways.

      1) They create incentive to find security problems AND keep them secret by buying them on the black market.

      2) They then hoard these problems to transform them into attack weapons against state-actors, terrorists and criminals alike.

      3) Defenders (OEMs and Anti-Virus companies) are intentionally kept in the dark in order to not de-value the attack weapons.

      This system is fully concentrated on each actor's ability to attack, not to defend.

      So there is a global incentive for the Security Services to keep potential targets on each side vulnerable.

      So when ( not if ) the weapon cache is breached, as soon as the thieves learn to control the weapons, they are able to do harm on a global scale.

      I understand the thinking behind collecting attack vectors - but in effect the Security Services do NOT raise the global security level, they lower it to dangerous levels.

      Time to change this system.

      Otherwise NSA, GCHQ, BND, FSB et al will become responsible for a major hit against the global infrastructure. It's just a matter of time.

      1. Kiwi

        Re: The real blame goes to..

        I understand the thinking behind collecting attack vectors - but in effect the Security Services do NOT raise the global security level, they lower it to dangerous levels.

        The old adage, if you can find a backdoor so can someone else (paraphrased obviously). I believe I first heard it in military terms, physical access to a bunker etc.

        Would be nice if the NSA were made to pay for the damage, out of the personal bank accounts of those who made the decision to keep this stuff secret. Same for equivalents in other nations. They've brought some real pain into people's lives by their decisions, they should be made to pay.

      2. Aitor 1

        Re: The real blame goes to..

        Same as child porn.

        People who pay for child porn create the incentives for kids to be exploited.

        So the intelligence services provide exactly the same incentives as child porn buyers.

        All of this damages the population, and creates thousands of millions in damages. That economic damage translates into lack of money for hospitals, improving roads, etc. That means people die because of this.

      3. chuckm

        Re: The real blame goes to..

        It's worse than that. The boundaries between government, private and rogue in the security services are extremely fluid and always have been. Anyone having knowledge of these technologies can and probably will put them at the disposal of anyone if the price is right.

    3. Anonymous Coward

      Re: The real blame goes to..

      But the way I see it, the true people to blame is in fact the Americans, more specifically, the NSA.

      The problem I have with this blame attribution is it isn't quite true; all it would have done is meant us having this discussion X years ago as companies failed to apply the patches and malware skiddies reverse engineered them enough to exploit the vulnerabilities.

      Worryingly (because I am strongly against harbouring vulnerabilities), it could be argued that the NSA protected the business world by keeping it a secret. This chaos never happened as a result of a parallel discovery, it was only after Shadowbrokers popped the NSA and released the files. If they had kept them secret properly, this wouldn't have happened.

      1. Doctor Syntax Silver badge

        Re: The real blame goes to..

        "it could be argued that the NSA protected the business world by keeping it a secret."

        This is an argument for security through obscurity. The main problem with this is that you have to maintain the obscurity for ever. By far the best approach is for the vulnerabilities to be notified back as soon as discovered, fixed and the fixes incorporated in future products and in updates to existing ones.

        1. Naselus

          Re: The real blame goes to..

          "This is an argument for security through obscurity."

          Exactly this. And security through obscurity is almost certainly not actually secure.

          There's a basic rule in sigint which should always be followed:

          Always assume the other guy is smarter than you.

          This is the basic foundation of modern security infrastructure, and has been since World War 2. Basically, the Nazis assumed that they were smarter than their opponents, and so that the Enigma code was invulnerable. But it turned out the Allies were working on stuff that the Germans hadn't even begun to imagine, and so they were able to break the code in ways that the Axis assumed would be impossible. The Allies knew where the Axis were going to attack within hours of the order being issued, but the Germans remained convinced that Enigma was unbreakable.

          This is why, since the end of the war, whenever we come up with a new encryption method we publish it and invite people to have a go at cracking it. Because the assumption is that someone out there is smarter than you and will figure it out even if you think it's unbreakable. It's effectively the same many-eyes principle which works in Open Source; if everyone is working on the problem and still can't crack it, then it's probably securer than if you're the only person working on it and hoping that some combination of obscurity and your own genius makes it uncrackable. This is one of the problems many infosec researchers have with Apple's walled garden; it's a bad philosophical approach to security even if you do a very good job of implementing it, and when someone smarter does decide to target it the result will be devastating.

          The assumption should always be that the Bad Guy - whomever they happen to be at a given moment - knows your movements, has access to all your information, has slightly better resources than you do, and can do a bit more than you can at any given time. That makes hoarding exploits directly equivalent to arming your enemies.

          1. naive

            Re: The real blame goes to..

            If the replies on this thread are given by people working in the IT industry, and who are responsible for working IT systems, then it shows a) why these things happen and b) It won't go away any time soon.

            Conclusion: It is anybody's fault, but not Microsoft's or the people responsible for the architecture of resilient IT infrastructure in companies.

            So better stop whining about NSA and others, since they are just guys doing their job and laughing their *ss off at all this lemming-like behaviour in corporate IT that makes their lives so easy.

            And besides that, if the boss asks some questions, tell him it was the anti-virus tool not recognizing the virus attack :).

        2. Anonymous Coward

          Re: The real blame goes to..

          This is an argument for security through obscurity. The main problem with this is that you have to maintain the obscurity for ever. By far the best approach is for the vulnerabilities to be notified back as soon as discovered, fixed and the fixes incorporated in future products and in updates to existing ones.

          I agree and it was never my argument.

          The best approach is the best but it isn't followed. MS issued patches in March and in June organisations were still being owned because they hadn't implemented them. As soon as a patch is released people will be reverse engineering it to create badness.

          My point is, it is just as valid saying NSA is to blame for evil people using these vulns as it is saying NSA should have kept them secret for ever. Neither are correct. The more we try to find someone other than the criminal who launches the attack to blame, the more confused things get and the stranger the arguments promoted.

          1. Kiwi

            Re: The real blame goes to..

            The more we try to find someone other than the criminal who launches the attack to blame, the more confused things get and the stranger the arguments promoted.

            Sometimes there can be several parties to blame in an incident. There are a number of reasons people don't patch things, eg my Win 7 no longer gets updates because I have little control over what is there (it also no longer gets internet, and any unknown USBs get checked via another box first); they range from paranoia to incompetence to stuck with old tech that is mission critical and can't be fixed.

            The sooner a flaw is announced, the sooner a patch is released. The sooner a patch is released, the sooner "baddies" can start taking it apart to see what is fixed, but it also means the sooner the vendor knows of the problem and fixes it. A new program is written today that in a year's time will be used by almost every person in the world, and in 5 years time it is deeply embedded in all sorts of critical systems. Now, do you want the vendor told very early on that there is a flaw in that program that will let anyone control the devices it is used on, or do you think it better for those who learn of the flaw to sit on it for years [1], especially when they're an organisation charged with protecting the security of their nation?

            [1] As previously stated, I have no idea how long the NSA knew.

      2. Rob D.

        Re: The real blame goes to..

        > The problem I have with this blame attribution, is it isn't quite true ...

        Correct and a little perspective is useful here - at least four months since Microsoft patched anything from the NSA that has been used in this attack. Plenty of references to the timelines (toolkit compromised last year, MS patches in Feb, toolkit dumped public April/May, first 'public' exploit mid-May).

        Do the spooks have form in using any weakness to attack perceived enemies of their respective state with little concern for moral/legal scruples? Yes. Are they responsible for the failure of commercial organisations to implement basic, proper IT maintenance when the necessary defenses have been in the public domain for months? No.

        Whether the motivation behind NotPetya turns out to be criminal or political will be far more interesting than ideological blame games (although a definitive answer on motive seems like it will be challenging to confirm).

        1. Anonymous Coward

          Re: The real blame goes to..

          Security through obscurity is never a proper solution.

          The primary problem with security agencies keeping them private is that when their toolkit is leaked it's not just one exploit to be fixed, it's multiple which makes it enough that it can be used together to take complete control of a system before a fix is created.

          Where as if they played nice and reported those bugs to developers when they found them then it would (should) be fixed before the public was made aware of it.

          You see, a single bug release, complete with patches is far better and safer than a huge pack of exploits leaked leaving systems insecure and vendors scrambling to fix the bugs.

          Then you have the second issue, what about when you've found a bug, decided to keep it for your own use, and someone else with ill intent finds it and uses it also? You could have stopped that from happening but you chose not to.

          Whichever way you spin it, harbouring bugs is bad.

          1. Anonymous Coward

            Re: The real blame goes to..

            Security through obscurity is never a proper solution.

            I agree and I never meant to suggest this, despite all the downvotes who appear to have misread my earlier comment. However the comments here do show lots of confusion between people trying to find a way to blame the NSA or Microsoft.

            There are some issues with the recent attacks:

            1) WannaCry used exploits which were fully patched on all supported OSes at the time it ran. It was effective because companies don't patch their software properly (as mentioned elsewhere MS08-067 is STILL an effective exploit across the globe). This is not the NSA's fault and their public guidance says patch faster. MS17-010 was rated as a CRITICAL patch. Failing to have applied it six weeks later points the blame in only one direction.

            2) Companies whining that MS didn't immediately support XP / 2003 etc. This is simply a sign that they can't be arsed keeping up with technology. Why is this MS or NSA's fault?

            3) Everything in the ShadowBrokers dump was patched before the public was made aware of it - unfortunately this means lots of companies accuse MS (etc) of hyping up the threat of a patch and downgrade it.

            4) The NotPetya attacks did not rely on the SB dump of NSA tools. Powershell and WMIC are fundamental to MS and Mimikatz is such a well known tool it is embarrassing that controls weren't already in place (why do admin accounts have SeDebugPrograms set?)

            Basically, for all the whining, the only people to blame for this are the bad people who launched the attacks. Everyone else is on a sliding scale of making bad judgement calls.

        2. Sixtysix

          @ Rob D Re: The real blame goes to..

          >> The problem I have with this blame attribution, is it isn't quite true ...

          > Correct and a little perspective is useful here - at least four months since Microsoft

          > patched anything from the NSA that has been used in this attack.

          Well, as I understand it that is not precisely correct...

          It seems that actually M$ have published patches for the exploits that have been SEEN IN THE WILD and notified through the usual bug report channels. Nowhere have I seen/heard any suggestion that NSA have told M$ and other software vendors what was stolen so that PROACTIVE patching was possible - it's all still reactive as the exploits surface.

          And that is why infrastructure managers are buying coffee, sitting uncomfortably and not sleeping well at present.

          1. Thored

            Re: @ Rob D The real blame goes to..

            There was no overt notification of the exploits' existence, but many of the exploits in the Shadow Brokers NSA leak were patched one month prior to Shadow Brokers releasing the code.

            MS patched many of them in March and the Shadow Brokers leak was in April. No one knows who tipped MS off on what was being leaked.

      3. John Brown (no body) Silver badge

        Re: The real blame goes to..

        "This chaos never happened as a result of a parallel discovery, it was only after Shadowbrokers popped the NSA and released the files."

        I think I'd rather each vuln was discovered and patched ASAP rather than the situation we have now with multiple serious vulns all being dropped at the same time.

      4. Marshalltown

        Re: The real blame goes to..

        "... all it would have done is meant us having this discussion X years ago ..."

        In fact the discussion WAS being held years ago. As early as the early '90s at least. Many pointed out the hazards of monocultures, systems where a single "organism" is the primary foundation for a complex overstory. Attack that foundation and the entire system can be brought down. Mathematically the internet and an ecosystem are very similar. The opposition offered the lame argument that computers and operating systems are not biological. There were Engineers at the helm; Great Geniuses were protecting us all; immense multinational corporations "knew" what they were doing. Besides, open source or some means of auditing critical code bases would risk trade secrets and patents. Besides, all us peons were just consumers (cash cows).

    4. Cuddles

      Re: The real blame goes to..

      "Had they just found the exploits, and reported them to Microsoft (or whatever application developer has the bug) this would of been prevented years ago."

      While I agree with the sentiment that hoarding vulnerabilities in the name of national security is rather stupid, the above isn't really true in this case since MS have patched the vulnerabilities in question. If this had happened last year when the NSA knew about the bugs but MS didn't it might have been a good point, but when malware is exploiting bugs that were patched months ago it hardly makes sense to complain that they weren't patched even earlier - at this point if you don't have the patches it's neither the NSA's nor Microsoft's fault, it's yours.

      1. Anonymous Coward

        Re: at this point if you don't have the patches it's your fault

        Rather ironic that the problem in this case is both failing to deploy updates (Microsoft ones), and deploying updates (the hacked accounting software one). We just can't win.

      2. Doctor Syntax Silver badge

        Re: The real blame goes to..

        "MS have patched the vulnerabilities in question."

        Only very belatedly. They were embarrassed into having to patch XP after its EoL. If the problem was known during XP's lifetime, shouldn't it have been patched then? If it was known during 7's development should it ever have been in 7?

        There are reasons other than indolence why stuff doesn't get patched or at least patched promptly and doesn't get replaced (see TFA and also the frequent posts about the effects of enforced updating of 10).

        NSA have no excuses whatsoever for sitting on this stuff and letting it become a global problem. Countries which have experienced serious infrastructural problems should have been calling US ambassadors into their foreign affairs ministries for a good talking to.

        1. tom dial Silver badge

          Re: The real blame goes to..

          Microsoft released patches for currently supported operating systems two months before the WannaCry exploit. Unless things have changed dramatically since the middle of 2012, outward facing US DoD systems were patched well before a month after patch release - the requirement then was to patch Category I vulnerabilities within 15 days of patch availability. EternalBlue unquestionably was a Category I vulnerability. So was use of an unsupported software product like Windows XP, although there is no remediation for that, not even application of a patch for the vulnerability; Windows XP would have been disallowed within the DoD as of April 30, 2014.

          Use of SMB version 1 might or might not have been as severe a vulnerability, but it would have been one beginning when Microsoft deprecated it, and at worst ought to have been discontinued within 180 days, which would have been before the end of 2014.

          The DoD is a far from perfect organization in IT as in other things. But the outlines of their information assurance standards are not that hard to understand or, in principle, to implement. Their implementation is tedious, annoying, expensive in terms of staffing, and all too often disruptive to the operations the IT staff support.

          Many organizations, including the DoD agency that employed me, do not consider IT part of their core mission. For some, not including my agency, that results in treating it as a cost center to be starved of staff and funds to the maximum possible extent, heedless of the potential cost and damage that inattention to security patching and configuration can bring.

          Blaming the NSA may have some merit, but their behavior in retaining some vulnerability knowledge was approved at the highest level in the executive branch and certainly is not meaningfully different from that of similar agencies in other countries. At least as much blame is due the management of organizations victim to these recent attacks.

        2. PrivateCitizen

          Re: The real blame goes to..

          Only very belatedly.

          But before malware was publicly identified exploiting it with WannaCry (as an example).

          NSA have no excuses whatsoever for sitting on this stuff and letting it become a global problem.

          They have lots of excuses but that is largely irrelevant. The issue is organisations have NO EXCUSES whatsoever for failing to deploy patches that are issued. Unless of course we say the criminals who deployed the malware are really to blame here.

          1. Kiwi
            Holmes

            Re: The real blame goes to..

            The issue is organisations have NO EXCUSES whatsoever for failing to deploy patches that are issued.

            Software compatibility

            Hardware compatibility

            Software/hardware that needs to be properly audited and certified to be used

            Number of patches released in a single lump

            Trustworthiness of the vendor releasing said patches (how often do they cause failures).

            Time taken to make sure it won't break your stuff

            Seriousness of the need for this particular patch (ie can the secretary's assistant's intern's machine wait another few weeks, and can we get in the team to re-certify the MRI machine before we point it at some unsuspecting brain?)

            There are a few reasons right there for many places not updating immediately. Better networks might make a huge difference (ie if your MRI machine can get its data to where you need it, but nothing from the internet can reach it...), but some stuff cannot be fixed except at huge cost.

            1. Anonymous Coward
              Anonymous Coward

              Re: The real blame goes to..

              There are a few reasons right there for many places not updating immediately.

              So it wouldn't matter if NSA had announced the exploits, Shadowbrokers had dumped sooner or researchers had found them as part of normal work - people would still put off the patch for $REASONS and then get pwnd.

              Every decision to not apply a patch (even when the reasons are good) is a broad acceptance that anything bad which happens afterwards is better than the risk of patching. When events like WCry land, they need to accept that it's an outcome of their decisions. If a patch is rated Critical by the vendor and SANS are saying "patch now" it seems reasonable that any delay is accepting a lot of risk.

              Systems so important/critical/fragile that they can't be patched quickly should be kept off the net etc.

      3. Kiwi

        Re: The real blame goes to..

        While I agree with the sentiment that hoarding vulnerabilities in the name of national security is rather stupid, the above isn't really true in this case since MS have patched the vulnerabilities in question. If this had happened last year when the NSA knew about the bugs but MS didn't it might have been a good point, but when malware is exploiting bugs that were patched months ago it hardly makes sense to complain that they weren't patched even earlier

        Not everything can be patched easily. When XP and intranet pages etc exploded into the business world, a lot of stuff was written to work with technologies that only existed in IE6 [1]. I'm sure the writers assumed these things would continue but they didn't, for whatever reason the tools were not supported in IE7 and onwards. But there was the issue that a hell of a lot of stuff considered "business critical" was written for IE6 and would not work on 7 or later. People could not upgrade to a more secure browser because of this. I assume there's still many places where 6 has to be used even today.

        A lot of other systems were developed around older tech, which can be hard to update as has often been discussed in these forums.

        The question I am wanting asked is.. How long did NSA know of this particular flaw? Did it date back to pre-XP versions of Windows? Did the NSA know about it before Vista? Before XP SP3? When? Because the longer they sat on it, the more systems were built using the flaw, and the more systems became vulnerable; ie if they knew about it pre-Vista and had told MS then, then MS could've had Vista and onwards fixed, and only the XP systems to worry about. Had the NSA told MS before XP SP2 then XP would've been fixed back then, and probably very few systems would've been vulnerable - the lot probably fixed before the first real bits of ransomware came around.

        at this point if you don't have the patches it's neither the NSA's nor Microsoft's fault, it's yours.

        As you should well know, there are systems that are difficult to patch for various reasons. Had MS been alerted to and fixed these bugs a couple of years ago, some of those machines wouldn't be a problem now. Had it been a decade or more ago, even most XP systems would've been fine.

        Yes, those who have refused to patch because "I don't wanna" are largely to blame for their own misery. Those who cannot patch because of other more technical reasons, however, may have the NSA to thank for their misery. Depending on how long ago the NSA knew of this stuff (probably in an article I haven't read or have forgotten).

        [1] If I got the wrong version of IE, please mentally substitute the correct one.

    5. Anonymous Coward
      Anonymous Coward

      Re: The real blame goes to..

      I agree with blaming the Americans, but not the NSA... if Microsoft had done their homework well, none of this would be possible! Let's not forget that the attack vectors are all Microsoft's doing. IF they would concentrate on putting out better software instead of shiny software or bloated software, none of this would occur. Yes, this would slow down the pace of innovation in the software industry, but it is getting to a point that we need less innovation/new features and more stability/security. We have become too accustomed to the quick release-fix it in an update cycle. These are the consequences.

      1. Stoneshop

        Re: The real blame goes to..

        ... none of this ... ... none of this ...

        That's an extremely optimistic view.

        Even OpenBSD, with its focus on security first, second and third, tends to have an occasional bug to fix.

      2. Kiwi

        Re: The real blame goes to..

        Let's not forget that the attack vectors are all Microsoft's doing. IF they would concentrate on putting out better software instead of shiny software or bloated software, none of this would occur.

        You can only patch bugs you know about. You can only know about bugs by discovering them during testing, or by someone else discovering them and telling you about them. MS did patch this stuff once they learned of the problem, but the NSA should've spoken up the moment they found the flaws. The NSA, as I understand it, is an organisation with a job to protect the data security (and the interests) of US citizens and corporations. By covering up this flaw, they've failed in this regard in many ways, not the least being the amount of ill-will that has increased towards the US and her citizens as a result of their actions.

        MS could've done better, sure - but their closed-source doesn't quite have the benefit of well-intentioned interested parties looking over it for things to improve, which is a big help at times to those in the Open Source camps. Every programmer leaves bugs in their code, many found because they stop compiling, many more found because of an obvious flaw during execution, and some that lie hidden for decades because a) no one thinks of the test that would find them and b) nothing happens in the wild to trigger the flaw.

        Writing software is difficult. Fixing bugs is difficult and a pain. But building test rigs that can catch every bug? That's incredibly hard, and no one has managed it yet. Though that said, I understand some basic testing tools would've found the flaw in SMB1?

        it is getting to a point that we need less innovation/new features and more stability/security. We have become too accustomed to the quick release-fix it in an update cycle. These are the consequences.

        That I agree with you on. I'd much rather computing be a few years behind where we are now, with the advantage that some of the painful talks I've had to have with people over lost data (eg kids photos) would never have happened.

        1. Thored

          Re: The real blame goes to..

          **shrugs**

          Microsoft has enough money to hire a reasonable sized team to do nothing but fuzz their applications for vulnerabilities. Assuming they hire people that know what they are doing, they could greatly minimize the number of potential vulnerabilities.

      3. Truckle The Uncivil

        Re: The real blame goes to..

        And here is the rub; in Australia it is illegal to write or even possess the source code to a computer virus unless there is a legitimate reason. By writing virus code that has entered the country they have broken Aussie law - in Australia, which gives cause for a legal sanction.

        So if we had the identities of the NSA staffers who wrote this stuff, they can be charged here, just as Cardinal George Pell has been. The USA and the Vatican are both nation states.

        1. Thored

          Re: The real blame goes to..

          Wait, so this means you can't use tools like Metasploit in Australia?

          Kali Linux?

          How do they red team and penetration test networks without exploit code?

          I think this might actually make Australia a target rich environment if anyone decides to look in that direction.

          Are offensive security sites blocked in Australia?

    6. Zakhar
      Linux

      Re: The real blame goes to..

      The real blame goes to... people continuing to use Windows.

      But please, do continue so that we can enjoy Linux tranquillity... because you know what happens when there are too many Linuxes like Android: malware, viruses, etc...

      I'm so glad Linux desktops keep around 2% so as not to attract too much attention!

      1. Thored

        Re: The real blame goes to..

        "The real blame goes to... people continuing to use Windows."

        Oh, how cute. A Linux fanboi in the wild.

        Just this month a South Korean ISP had 150 Linux servers hit with ransomware and paid over a million dollars to get their data back.

        https://www.onthewire.io/south-korean-isp-nayana-pays-1m-ransom-to-decrypt-servers/

        So much for not attracting attention.

        Nothing to see here, move along.

        1. duncangareth

          Re: The real blame goes to..

          A silly fanboi, sure. The example you gave illustrates an analogous scenario to the subject of the article. I think the common factor is that system administrators do not exercise due diligence, or companies do not allocate sufficient resources, whether human or financial, to the maintenance of secure networks and servers, etc.

          In the fanboi's defence, though, I think that there is less work involved in securing Linux based servers. All operating systems have vulnerabilities but some seem to be more vulnerable to exploitation than others.

    7. Thored

      Re: The real blame goes to..

      Not really.

      First, this malware only uses EternalBlue as a last resort to spread.

      Second, whoever wrote EternalBlue did not create the vulnerability, they just found it and wrote an exploit for it (Every persistent threat organization out there has zero days like this in their pocket it isn't like this was a unicorn).

      Third, Microsoft released a patch for this over a month ago and it is obvious that a large number of entities are not applying patches in a timely manner. When I do penetration tests on networks using Metasploit, the first exploit I throw is MS08-067 because 50% of the time, it wasn't patched properly. That is an exploit that was REPORTED publicly in 2008. It is almost 10 years old and you can still find machines vulnerable to it in the wild.

      Why not blame ShadowBroker for releasing the exploit?

      Why not blame shoddy Information Security practices that don't train users to use a little internet hygiene before they start clicking on links in emails they aren't expecting?

      Why not blame network engineers that deploy their networks in a flat topology so that any machine can reach any other machine?

      Why not blame software companies that don't secure their networks and allow malicious actors to plant malware in their patch catalogs?

      Why not blame system administrators that don't disable password caching so that administrator hashes aren't left behind on a machine when the administrator logs out?

      There is plenty of blame to go around. Have some.

    8. Mark 65

      Re: The real blame goes to..

      It still amazes me how people are using bog-standard OS variants for critical tasks. Maersk for their global shipping operations and whoever is in charge of monitoring radiation at Chernobyl. Sure, there's likely some forced aspect of software X only runs on Windows but for massive companies with real market power and scientists I cannot see why you wouldn't enforce the usage of a hardened OS suitable for the task. Some suitable Linux variant springs to mind.

      How many times must an OS fail in critical applications before the right people have a fucking light bulb moment?

  4. Anonymous Coward
    Anonymous Coward

    Backups

    Yet another reason to have good backups. It's good if you can stop it from getting in, in the first place... but most times, for most places, you'll need a recovery model.

    Who is the Data Protection Advocate at your company? Maybe get to know them.

    How does your business plan on recovering?

    1. Anonymous Coward
      Anonymous Coward

      Re: Backups

      For this sort of fast acting malware backups are great, but there are plenty out there that silently do their work for weeks before activating, in which case you are screwed.

      But yes, backup 99% of the time will bail you out.

      Getting the company to agree to buy a few petabytes of storage, now that's a different matter.

      1. Doctor Syntax Silver badge

        Re: Backups

        "but there are plenty out there that silently do their work for weeks before activating"

        Do you have a citation for the frequency of this? It keeps being raised but all the reported outbreaks seem to be pretty well instant or nearly so. According to TFA this one spreads for an hour before kicking in but that's very different to working for weeks.

        1. Naselus

          Re: Backups

          "Do you have a citation for the frequency of this?"

          The obvious example is Stuxnet, which was released months in advance and did nothing until a precise date. But there's plenty of others; many infections rely on a change in their C&C server's output to tell them to activate (unlike the deactivate message used for Wannacry) or are post-dated. Or consider Botnets, many of which lie dormant for months until activated for use.

        2. Rob D.

          Re: Backups

          Stuxnet springs to mind. But that's not a common attack. Maybe time-bombed ransomware - like https://www.reddit.com/r/techsupport/comments/373wk0/locker_virus_similar_to_cryptolocker/. It still seems unusual. Although the long-lived, stealthy characteristics do represent a great ransomware implementation - high infection rate, long incubation period, short duration and high mortality (payback).

          1. Anonymous Coward
            Anonymous Coward

            Re: Backups

            STUXNET and aged botnets are examples of long term attacks however 99.9999% of ransomware attacks are geared towards generating a fast profit. Sitting and waiting for long periods of time doesn't fit the model.

            This means if you have good, offline backups, then there is a fair chance you can recover from the ransomware attack to at least a known good point in time.

        3. Thored

          Re: Backups

          There are botnets in the wild that are just sitting there waiting for the zombie master to issue a command. Some of them have been there for a long time. Here is one that was built in 2013 and was only recently discovered. 350,000 bots.

          https://www.technologyreview.com/s/603404/cybersecurity-experts-uncover-dormant-botnet-of-350000-twitter-accounts/

      2. Anonymous Coward
        Anonymous Coward

        Re: Backups

        "For this sort of fast acting malware backups are great, but there are plenty out there that silently do their work for weeks before activating, in which case you are screwed."

        I guess in that case the size of your incremental backup sets would be a pretty good canary for a ransomware attack.
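One way to build that canary, as an added example (not code posted in this thread): compare the newest incremental run against the median of the earlier ones and, for the files it touched, check whether their contents now look like ciphertext. Growth alone trips on a big code checkout and entropy alone trips on a batch of already-compressed media, so it alerts only when both fire together, and it also reports the mass-rename pattern (many paths gone, as many new ones). The manifests below are constructed for the demo; a real job would read them out of the backup catalogue.

```python
"""Backup-set canary for ransomware: flag an incremental run whose changed
bytes jump well above the historical baseline and whose changed files look
encrypted (near-8-bit entropy, mass rename).  Added example for the comment
above; not code from the original thread.  Manifests are constructed here,
not taken from a real backup product."""
import hashlib
import math
from collections import Counter
from statistics import median


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain text sits around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def make_manifest(files: dict) -> dict:
    """One entry per path: size, content digest and a 4 KiB sample.
    Constructed helper; mirrors what a file-level backup catalogue records."""
    return {
        path: {
            "size": len(content),
            "digest": hashlib.sha256(content).hexdigest(),
            "sample": content[:4096],
        }
        for path, content in files.items()
    }


def diff_manifests(prev: dict, curr: dict):
    """Paths changed in place, newly appeared, and gone since the last run."""
    changed = [p for p in curr if p in prev and prev[p]["digest"] != curr[p]["digest"]]
    new = [p for p in curr if p not in prev]
    removed = [p for p in prev if p not in curr]
    return changed, new, removed


def incremental_bytes(prev: dict, curr: dict) -> int:
    """Bytes a file-level incremental would have to copy for this run."""
    changed, new, _ = diff_manifests(prev, curr)
    return sum(curr[p]["size"] for p in changed + new)


def assess(runs, growth_factor=5.0, entropy_floor=7.0, encrypted_share=0.5):
    """Compare the newest increment with the median of the earlier ones.
    Needs at least three manifests so there is a baseline to compare against."""
    if len(runs) < 3:
        raise ValueError("need at least two historical increments")
    increments = [incremental_bytes(runs[i - 1], runs[i]) for i in range(1, len(runs))]
    history, latest = increments[:-1], increments[-1]
    baseline = median(history) or 1  # idle history must not divide by zero
    changed, new, removed = diff_manifests(runs[-2], runs[-1])
    touched = changed + new
    high = [p for p in touched if shannon_entropy(runs[-1][p]["sample"]) >= entropy_floor]
    share = len(high) / len(touched) if touched else 0.0
    growth = latest / baseline
    return {
        "baseline_bytes": baseline,
        "latest_bytes": latest,
        "growth": growth,
        "high_entropy_share": share,
        "new": len(new),
        "removed": len(removed),
        "alert": growth >= growth_factor and share >= encrypted_share,
    }


# Constructed sample history: three ordinary runs, then an encryption run.
DOC = b"Quarterly revenue summary, prepared by finance.\n" * 25
RUNBOOK = b"Step 1: check the backup job finished.\nStep 2: verify restore.\n" * 20
DAY0 = {
    "finance/q1.docx": DOC,
    "finance/q2.docx": DOC.replace(b"Quarterly", b"Half-year"),
    "hr/staff.xlsx": b"name,role,start\nalice,admin,2015-03-01\n" * 30,
    "ops/runbook.txt": RUNBOOK,
}
DAY1 = {**DAY0, "finance/q1.docx": DOC + b"Revised figures.\n"}
DAY2 = {**DAY1, "ops/runbook.txt": RUNBOOK + b"Step 3: page on-call.\n"}
# Day 3: every file rewritten as 4 KiB of uniformly distributed bytes and
# renamed with a new extension, which is what an encryptor leaves behind.
DAY3 = {
    path + ".locked": bytes((i + k) % 256 for i in range(4096))
    for k, path in enumerate(DAY0)
}
RUNS = [make_manifest(d) for d in (DAY0, DAY1, DAY2, DAY3)]


if __name__ == "__main__":
    print("normal day :", assess(RUNS[:3]))
    print("encryption :", assess(RUNS))
```

The thresholds are starting points, not tuned values: measure a few weeks of your own increments before picking a growth factor, and keep the check on a host the backup clients cannot write to, otherwise the thing being watched can also silence the watcher.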

    2. Doctor Syntax Silver badge

      Re: Backups

      "Who is the Data Protection Advocate at your company?"

      That begs a question.

    3. Mark 85

      Re: Backups

      Who is the Data Protection Advocate at your company? Maybe get to know them.

      We had one once. Once. It was a clerk in the IT Management Office. All they were capable of doing was sending out the same emails over and over about not clicking on links, etc.

  5. John Smith 19 Gold badge
    Unhappy

    Lots of fishiness here.

    Competent enough coding to produce chaos on its targeted networks but not spread (by design) and a trivially easy way to stop the ransom from being collected, locking the computers permanently. Almost like the ransom parts were cobbled together as an afterthought, rather than their ultimate objective.

    Conducted pre, rather than during, a public holiday.

    An incompetent team of ransomware writers, or a very competent team seeking to a) cause substantial disruption to Ukraine, b) cripple competitors of certain software businesses, or c) eliminate the evidence for a large scale fraud.

    This would mean everyone else is merely "collateral damage," or a free pen test that they failed.

    1. israel_hands

      Re: Lots of fishiness here.

      Not incompetent at all. They were good enough to put the attack together and it apparently works frighteningly well against a large number of targets.

      So, now we know they're not incompetent and also not interested in the cash, the only other explanation is that they wanted it to be a loud, flashy, obvious attack, and also wanted it to become readily apparent that it's not about the money.

      This isn't a ransomware attack, it's an intelligence operation which happens to be taking place using computers. There's a link in the article to The Gruqc's medium blog. He really knows his stuff and is very good at analysis of this type of thing.

      There are some odd things though. Assuming every line of code changed from the original Petya was done for a reason then why so obviously limit the file types it targets? Possibly they identified a target list and narrowed it down to those without thinking that leaving the original list in place would achieve the same goal and serve to obfuscate what they were specifically after.

      Another possibility is that the list was deliberately left as a message to the actual target (which could be anyone caught up in it, maybe Maersk were the original target and the other hits were just to spread the panic and confusion around). That's the problem with this sort of thing, it's moved away from hacking/script kiddies/cybercrime and attacks like this are increasingly used as COINTELPRO or PSYOPS operations.

      1. Anonymous Coward
        Anonymous Coward

        Re: Lots of fishiness here.

        Might be reading too much into it. The filetype may have been chosen for speed of deployment. A sliding scale of what to encrypt first would have been best.. but just xhoosibg the juciest targets is quicker and easier. Especially as searching first would tip off more virus scanners.

        1. dajames

          Re: Lots of covfefe here.

          ... just xhoosibg the juciest targets is quicker and easier.

          You are Donald Trump, and I claim the fiver!

      2. Destroy All Monsters Silver badge

        Re: Lots of fishiness here.

        Well, some people just want to see the world burn.

    2. Anonymous Coward
      Anonymous Coward

      Re: Lots of fishiness here.

      you say fishiness, I say red herring, maybe. After all, wasn't it our own glorious democracy which produced the gems of "It's now a very good day to get out anything we want to bury." Perhaps the bad guys took it to heart, with a twist? Or a double maskirovka, by our Russian "friends"?

    3. thames

      Re: Lots of fishiness here.

      @John Smith 19 - The whole thing has more of a smell of an inside job in the Medoc software company. My own list of suspects would start with recently terminated sys admins.

      The activation date is simply explained by this is targeting businesses, whose PCs would often be shut down on a holiday. The file types targeted also point to businesses as the target, since MS Word documents are going to be more common and more valuable than photographs in most cases.

      A current or former sys admin may have access to the update servers, and he may also have the contacts in the Ukrainian hacker community to get a virus commissioned for the job. He wouldn't however necessarily be familiar with the money making end of the ransomware business, and underestimated the effort required to put together a robust payments system (as many, many, software developers do when it comes to legitimate business).

      There are loads of incompetent virus operators and spammers out there. I get loads of spam where the sender didn't configure their software properly and sent a blank template or forgot to attach the virus payload. We don't need to over-think the whole issue. If the Russian state were behind it, I would be very surprised if they fell short of making a convincing effort by not getting the payments end of things set up properly. They would in fact probably simply outsource the whole job to a criminal virus/ransomware gang who were well versed in how to do things properly end to end and who would simply collect the money as usual.

      The balance of probabilities suggests a botched criminal inside job by someone who had access to the means of distribution but wasn't experienced in running a ransomware operation.

      1. Doctor Syntax Silver badge

        Re: Lots of fishiness here.

        " My own list of suspects would start with recently terminated sys admins."

        Or any other techy from there.

        I wonder whether the private keys were being emailed in plain text to that email box. Of course with it closed down maybe victims are getting their email bounced back to them.

      2. Anonymous Coward
        Holmes

        Re: Lots of fishiness here.

        My money is on the FSB (Cozy Bear, APT29 IIRC) using one of the criminal hacker gangs they work with rather a lot. Intentionally crippling the ransomware end of things was by design. Be interesting to see what gruqc says further on. [He's brilliant at these types of analyses.]

  6. pleb

    Suspicion...

    "That said, Russian firms have been hit by the ransomware too."

    So it will be intriguing to witness how quickly these firms recover. Or maybe they just practice exemplary backup procedures?

    1. Naselus

      Re: Suspicion...

      "So it will be intriguing to witness how quickly these firms recover. Or maybe they just practice exemplary backup procedures?"

      Rosneft apparently managed to recover so quickly that it had no downtime whatsoever, and there was no impact on any of the productive assets at all. Oh, wait, I'm sorry, that should read "Russian state-owned oil company Rosneft"... Not that that seems oddly suspicious or anything.

      1. Alien8n

        Re: Suspicion...

        Considering how much money they have it's possible they're running a Datto style backup system which can give you almost instantaneous recovery of all systems. It comes at a price however, so is out of reach for most businesses or governmental departments.

        1. Naselus

          Re: Suspicion...

          "Considering how much money they have...."

          Maersk is equivalent in size to Rosneft and actually more profitable. I suspect it's not so much how much money you have that matters, as much as how many friends your CEO happens to have in the FSB.

  7. Otto is a bear.

    Bring Back

    Heterogeneous computing.

    I know Windows is allegedly cheaper to support than OSX or anything else, but I'll lay odds in the affected companies the MAC/Unix systems are still going, and let's face it, for most things now we only need a browser, so why not mix up the client base and give people the right OS for the job. Only need eMail and Browser, a Chrome Book; Media, Mac; General Power User, Windows; Out and about, Android or iOS.

    In the data centre, let's have Windows, Solaris, AIX et al, again. I bet it's cheaper than having your data centre taken out. Remember security is strength in depth and heterogeneity: you can make a homogeneous system fool proof secure, but not damn fool proof.

    1. Prst. V.Jeltz Silver badge

      Re: Bring Back

      If you did that, Otto, then malware writers *would* cater for all systems

      1. hplasm
        Windows

        Re: Bring Back

        "If you did that, Otto, then malware writers *would* cater for all systems"

        But not all systems are fragile, like Windows.

        1. Mark 110

          Re: Bring Back

          "But not all systems are fragile, like Windows."

          I've posted this before:

          https://googleprojectzero.blogspot.co.uk/

          I refer you to the last paragraph:

          "Conclusion

          Right now the Linux kernel has a huge number of poorly tested (from a security standpoint) interfaces and a lot of them are enabled and exposed to unprivileged users in popular Linux distributions like Ubuntu. This is obviously not good and they need to be tested or restricted."

          My conclusion. Windows appears fragile because it is the target of attacks because it's the most popular. If other OSes were more popular they would be the target and a ton of security holes would suddenly appear.

          1. Doctor Syntax Silver badge

            Re: Bring Back

            @Mark

            You do realise, don't you, that there are a multiplicity of other OSs and of CPU architectures? There are also other forms of networking semantics than SMB. Each OS, CPU and networking technology you introduce into the mix raises the difficulty for an attacker more or less exponentially. As the system becomes more difficult to attack even Windows systems gain from herd immunity.

            1. Mark 110

              Re: Bring Back

              Agree completely. It's absolutely true that having 90% of the world on the same OS makes life easy for the attackers.

              My point was more around the perception of Windows being fragile is probably to do with it getting attacked more than anything else. I wouldn't argue that it hasn't got security flaws but I imagine most other things do too. Linux was just an example.

            2. Meph
              Pirate

              Re: Bring Back

              @Doctor Syntax

              "Each OS, CPU and networking technology you introduce into the mix raises the difficulty for an attacker more or less exponentially."

              Your statement is logically sound, but the concern I'd have is that the effort required to support and maintain such a system would also increase at the same rate. Furthermore, unless each of your Sys Ads fully understood the architecture end to end, there might be a chance that they would unknowingly provide an exploit or attack vector by misconfiguring a segment of the system.

              That is assuming they don't just get lazy and build their own back doors and loopholes to make their lives more convenient.

              As a way of illustrating the point, consider the arbitrary password requirement rules that many large enterprises still force on their staff, regardless of the advice from SMEs. If you make your password policy so onerous that your end users resort to writing their passwords on post-it notes, you may as well have not bothered. The same could be said for other aspects of IT security.

              1. Stoneshop

                Re: Bring Back

                If you make your password policy so onerous that your end users resort to writing their passwords on post-it notes, you may as well have not bothered. The same could be said for other aspects of IT security.

                As long as unprivileged users (and non-users, including cleaners and janitors) are barred from entering areas where one might find those passwords on post-its, or, probably better, in a notebook that can be shut and put away under lock and key (and not taken to the toilet and left there) when there's no need to use it, it's not a bad choice.

                Try reading a password that's on a paper to the side of the monitor of whatever system you've just logged into remotely.

                Of course, you don't write it on the whiteboard or on a labelwriter label that's visible from outside the room, especially not when a TV crew comes around.

              2. Thored

                Re: Bring Back

                This is why you have a security team that is separate and autonomous from anyone else that runs and maintains the network.

                System and network administrators install patches and software/firmware upgrades and the security team runs vulnerability scans to ensure that the patches and upgrades are applied properly.

                The security team is also responsible for monitoring access to VPNs and external access to the network. This prevents administrators from opening accesses as a matter of convenience.

                In a separate reporting structure, you have an Information Assurance team (team in both cases can be a single person). The information assurance team is responsible for publishing policy and auditing the security team.

                The security team would report to the CTO/CIO and the information assurance team would report directly to a board of directors or executive management committee.

                This keeps everything separate so that it is more difficult for an insider threat to cause havoc.

                As for the password issue, the only real solutions are MFA or password vaulting.

          2. aaaa

            Re: Bring Back

            Mark 110 - classic straw man.

            > In the data centre, lets have Windows, Solaris, AiX et al, again.

            Who even mentioned Linux?

            Of course it's understood that Linux is untested and untrusted, it's why the poster didn't mention it in the list of what to put in the data centre. And I'm sure windows was only listed as a concession because in the real world you can't exclude it entirely.

      2. Doctor Syntax Silver badge

        Re: Bring Back

        "malware writers *would* cater for all systems"

        It raises the bar for them having to deal with all systems. It wouldn't just be a matter of recompiling the same code.

        Also heterogeneous systems can have different modes of operation. For instance drop the idea of using a browser - or anything else - to apply a GUI to your server-based application. [Pauses to allow millennials to stop hyperventilating at the thought of a GUI-free application.] Now you have an old-fashioned terminal application that can be run via a link with the semantics of an RS-232 link. That really raises the bar on trying to get an infection back from a PC to the server.

    2. Anonymous Coward

      Re: Bring Back

      I feel sorry for the help desk.

    3. Naselus

      Re: Bring Back

      "for most things now, we only need a browser"

      This just isn't true, though. There's a great many industrial control devices which only run on Windows - in fact, which only run on obsolete versions of Windows that are out of support. Exactly the kind of devices, in fact, which a lot of these Ukrainian companies in the power sector will be relying on.

      I used to support Schelling saws for a major plastics company in the UK. These saws are designed to slice big blocks of plastic into thin sheets, cost £250k each and are the size of an Olympic swimming pool. They only work with Windows XP. No Linux, no OSX, no silly browser-based bollocks. Just a fat client Win XP box.

      When I worked at what used to be ICI's head office in Manchester, where most of the staff were engaged in trying to come up with a new shade of green paint, the machines that controlled the centrifuges and pigment analysis needed to be run on Windows XP. There was no browser involvement, and using more modern versions of Windows was impossible because the drivers were written so badly that anything after Win XP regarded them as unsafe.

      And this is the case in a great many areas of business. We use Sage for our accounts, for example; several versions of Sage (possibly all, in fact) flatly must be installed locally on a fat-client Windows box. There's 800,000 businesses using Sage in the UK alone, and all of them are using it on a Windows box because they don't have a choice. I now work with CAD users; the idea that they'll ever be performing their work remotely or in a browser is laughable. The local C++ clients they're using are getting bigger, heavier and more complex every year.

      There's no denying that monocultures are bad, but honestly the illusion that there's a choice in the matter because a few applications can now be delivered via the browser is just that - an illusion. Lots of core software still cannot run on virtual machines, cannot be run through the browser, or cannot be run remotely at all, and is unlikely to ever be able to, which makes implementing a heterogeneous environment much, much harder in the short term - it'll take decades of refreshes before there's anything like enough diversity to make a difference.

      1. Alien8n

        Re: Bring Back

        Back in my engineering days we had one machine in the waferfab running Win3.0

        It wasn't even 3.1, it was 3.0 as that was the only OS that the software running the machine would work on. This was in 2003. Prior to that we had one machine running BeOS, the only time in my entire life I've come across that OS. Plenty of AS400 and VAX systems running the manufacturing systems though.

      2. tedleaf

        Re: Bring Back

        But in a lot of these examples and in other systems, I would think it was possible to swap "normal" XP for XP Embedded, which should run old drivers etc. OK. It may not be perfect but it's got to be an awful lot safer than running full XP, most of which is not needed, is full of holes and is a liability and a problem waiting to happen.

        I used to use an iffy (as in free from a skip!) version of XPe on my home PCs for years; just in running speed it was worth it. I didn't bother with any security except Defender, never had any problems.

        The vast percentage of systems running XP didn't/don't need 80% of what is included in the OS, and it just leaves huge holes to be exploited.

        An OS should come with almost everything it can do turned off by default, then as and when folk find they need a service, turn it on. Why run everything when you just don't need most of it?

        1. Uncle Slacky Silver badge

          Re: Bring Back

          > But in a lot of these examples and in other systems, I would think it was possible to swap "normal" XP for XP Embedded, which should run old drivers etc. OK,

          Something like Windows Fundamentals for Legacy PCs, then? Luckily, being based on XP Embedded, it has the POSReady setting for continued updates already in place, too:

          https://en.wikipedia.org/wiki/Windows_Fundamentals_for_Legacy_PCs

      3. Stoneshop

        Re: Bring Back

        where most of the staff were engaged in trying to come up with a new shade of green paint,

        The Meaning of Liff offers: FRATING GREEN, GRETNA GREEN, MATCHING GREEN, SPROSTON GREEN and TWEMLOW GREEN

    4. Anonymous Coward

      Re: Bring Back

      >>I know Windows is allegedly cheaper to support the OSX or anything else

      Not in any doubt as to a lower TCO for general use. Hence why almost everyone uses Windows.

      >>I'll lay odds in the affected companies the MAC/Unix Systems are still going

      Because no one uses them as user desktops and therefore they are not targeted by exploits that require a user to open / run something. There is plenty of evidence that commercial Linux and OS-X have historically had more security vulnerabilities than Windows, which would likely be targeted if they were widely used on desktops. For instance CVE-2016-0728. As an example just look at a) Android - loads of malware - and b) internet facing webservers - circa 4 times more likely to be hacked if running Linux versus Windows Server.

      1. Doctor Syntax Silver badge

        Re: Bring Back

        "Not in any doubt as to a lower TCO for general use."

        That TCO might need some revision this year.

        "I'll lay odds in the affected companies the MAC/Unix Systems are still going

        Because no one uses them as user desktops"

        You think those with Macs aren't using them as user desktops?

    5. patrickstar

      Re: Bring Back

      While having a more mixed environment certainly can help somewhat with security - especially against automated / non-targeted attacks like this - essentially all OSes have been (and continue to be) compromised regularly.

      Back in the days of UNIX diversity it wouldn't even stop a script kiddie without any custom exploit development skills - see for example http://insecure.org/sploits.html as to what sort of resources were publicly available.

    6. Stork Silver badge

      Re: Bring Back

      When I was at Maersk Data all the real stuff was on mainframe (390 AFAIR). They moaned about the cost (and the challenge of maintaining 25 year old code) and worked furiously at moving to "more modern" platforms, as well as moving the work to India.

      If they managed, I hope the savings are still there after this.

      PS: One of the things we were always told by the Client was: "Think twice. We do not want to be on the front page tomorrow."

  8. bombastic bob Silver badge

    Let's blame Obaka's "revenge"

    Obaka wanted to get even with the Russians for allegedly hacking the election so that Trump won.

    So we'll blame Obaka for this. Why not, the lame-stream media has been blaming Russia for colluding with Trump for MONTHS now...

    trolling trolling la, la-la, la-la

    1. Doctor Syntax Silver badge

      Re: Let's blame Obaka's "revenge"

      Bob, you really do make it difficult for us to take any of your posts seriously.

      1. bombastic bob Silver badge

        Re: Let's blame Obaka's "revenge"

        "Bob, you really do make it difficult for us to take any of your posts seriously."

        that was a joke. you weren't SUPPOSED to take it seriously. But I'm glad you did. It made me laugh.

    2. Rob D.

      Re: Let's blame Obaka's "revenge"

      I thought we were largely congratulating, not blaming, Russia for colluding with Trump - excellent intel work, first-rate psy-ops outcomes.

    3. Mark 85

      Re: Let's blame Obaka's "revenge"

      Bob, I hate to tell you this, but Obama isn't running the show anymore. Your guy won.

      So tell him to get off Twatter, the golf course, etc. and do his fucking job. I'm sure with his superior knowledge and staff/advisory panels, etc. all the problems including this one could quickly be solved.

  9. Stoneshop

    International advertising conglomerate WPP was taken offline

    Good.

    1. Anonymous Coward

      Re: International advertising conglomerate WPP was taken offline

      condoning cyber-terrorism, are you (in a mock cop voice)

      1. hplasm

        Re: International advertising conglomerate WPP was taken offline

        condoning cyber-terrorism, are you (in a mock Yoda voice)

        FTFY

  10. Anonymous Coward

    This whole "flat network / don't give your techies any access to do their job" thing is very worrying.

    What "precautions" are being suggested here exactly?

    If a virus on someone else's PC is going to read the admin password of my PC, it must already have admin access to the PC. A good precaution I guess would be to not let lesser admins (workstation admins) have admin access to domain admins' PCs.

    But what else can you do? A unique admin password on every PC - with no alternative wsadmin domain group in the local admin group? That would be a major PITA for WS admins, and they'd still have to have access to the password list for all the PCs, so any malware could still potentially get to it. Especially if using, say, MS's LAPS system - it'd know exactly where to look.

    So I say again - what's being proposed here?

    1. Adam 52 Silver badge

      "This whole "flat network / dont give your techies any access to do their job" thing is very worrying."

      No it's not. For too long BOFH types, or even Helpdesk staff, have argued that they need admin privileges. They don't. Helpdesk might need to reset passwords, but they don't need domain admin rights to do that. Your DBA might need to reindex tables or resize your storage but they don't need root permissions on the underlying host to do that and they don't need the encryption key to the data. Networks team might need to play in WINS or DNS, but again can do that using a lower-privileged account.

      Last time this came up commentards kept bleating "I need sysadmin to do my job". You almost certainly don't if your systems are properly designed.

      1. Anonymous Coward

        >Last time this came up commentards kept bleating "I need sysadmin to do my job". You almost certainly don't if your systems are properly designed.

        It all depends on what your job is. However, proper design 10, 15 or even 20 years ago is not in the same league for security as proper design now. Many of us out here in the real world are still dealing with poor legacy designs that were "vendor best practice" when the designs were made. It is very difficult to back engineer proper access control policies and rights assignments when the genie is already out of the bottle.

        At least I've not seen anywhere as bad as my last job - where the helpdesk had domain admin access to 10+ clients' domains from their normal desktop PCs *with* the same account (normal non-admin desktop login) being trusted across all the domains. That was a fight to sort out.

        1. Anonymous Coward

          "poor legacy designs that were "vendor best practice" when the designs were made."

          They weren't best practice, they were just shit. I haven't seen one for a couple of years, but to me it beggars belief that someone writing software that is only EVER going to be used in a commercial environment would assume the user has full admin rights on their PC! ... and I have seen that many times.

      2. sabroni Silver badge

        re: I need sysadmin to do my job

        Otherwise I'd have to learn how to do it properly....

      3. Anonymous Coward

        @Adam, AC OP here:

        True about BOFH types. Helpdesk, networks etc. don't need to be domain admins. I myself am admin on an SQL Server instance, but not the server it runs on. I think these days we all realise that. But ..

        The people I was getting at are desktop support staff, or, if you're talking about servers, server support staff. They need full administrative access to every end user's PC, at the end of the day. This article seems to think that's a problem (and I'm not particularly disagreeing), just saying: what can you do about it?

        1. Mayhem

          The people I was getting at are desktop support staff, or, if you're talking about servers, server support staff. They need full administrative access to every end user's PC, at the end of the day

          Yes, they do, but not under their own credentials, that's just laziness.

          Each person should have their own local account, which may have local elevated permissions locally. They then need an admin account which has elevated permissions remotely to do their support work. With separation of the two accounts, your sniffed credentials don't get you very far. For multiple client support, you should have specific admin accounts for each client you support, so compromising one will not affect any other.

          1. Anonymous Coward

            "Not under their own credentials" - yeah, I get that; the powers that be have decided we separate admin accounts from our domain ones with our names on that we get email with etc. - but they are still domain accounts.

            Are you suggesting that every PC should have an account on it locally for every support person?

            "They then need an admin account which has elevated permissions remotely to do their support work" .. and I'm really not following that - is that a domain account you use to remote to a PC, but still log on with the local account?

            Are the passwords all different for these local accounts? Where would you keep them?

          2. TheVogon

            "Each person should have their own local account, which may have local elevated permissions locally"

            Nope. Elevated permissions should be a separate admin account. Without a roaming profile / email and anything else that might encourage you to login with it rather than use Run As...

            1. Prst. V.Jeltz Silver badge

              Hail! Nice to meet a fellow Vogon!

              "Run as <admin acc>" is good for remote regedit, compmgmt.msc, services.msc etc. etc.

              But if you have to log onto a machine through its front door, in person, using your admin account, in order to fix it, and if it's a domain account, you are adminning all the machines and any nasty malware you trod in could kill them all.

        2. Thored

          Domain admins should be reserved only for server admins and the security team and they have separate user and admin accounts. The user account is for day to day tasks (Word, Excel, Powerpoint, email, etc...) and the admin account is for anything a typical user cannot do.

          Helpdesk techs need local administrator on workstations only and they have permissions to reset/unlock passwords for normal users only. Again, helpdesk techs have a normal user account and an admin account. Domain admins are the only ones that can reset/unlock administrator accounts.

          All account changes and logins are syslogged and alerts are set for repeat lockouts and expired accounts that attempt to log in.
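
Thored's last point above, alerting on repeat lockouts and on logons against expired accounts, is the sort of check a short script can run over the forwarded Security log. The following is an added example, not code from the original thread or from any of the posters. It parses constructed sample events (not real logs) in a one-JSON-object-per-line shape that is an assumption about the log forwarder; the event IDs (4740 = account locked out, 4625 = failed logon) and the NTSTATUS sub-status codes are the standard Windows ones, but the field names `time`, `event_id`, `account`, `source` and `sub_status` are invented for the example. It flags any account locked out three or more times inside an hour, and any failed logon whose sub-status says the account is disabled, expired or locked rather than that the password was wrong.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): Windows Security events rendered one JSON
# object per line, as a forwarder might hand them to a SIEM. Field names are assumptions.
SAMPLE_LOG = """\
{"time": "2017-06-27T10:00:05", "event_id": 4740, "account": "jsmith", "source": "WS-0412"}
{"time": "2017-06-27T10:03:40", "event_id": 4625, "account": "jsmith", "source": "WS-0412", "sub_status": "0xC000006A"}
{"time": "2017-06-27T10:20:00", "event_id": 4740, "account": "jsmith", "source": "WS-0412"}
{"time": "2017-06-27T10:45:00", "event_id": 4740, "account": "jsmith", "source": "WS-0417"}
{"time": "2017-06-27T09:00:00", "event_id": 4740, "account": "bjones", "source": "WS-0101"}
{"time": "2017-06-27T14:00:00", "event_id": 4740, "account": "bjones", "source": "WS-0101"}
{"time": "2017-06-27T11:12:09", "event_id": 4625, "account": "contractor7", "source": "VPN-GW1", "sub_status": "0xC0000072"}
{"time": "2017-06-27T11:30:52", "event_id": 4625, "account": "old_svc", "source": "APP-03", "sub_status": "0xC0000193"}
"""

# NTSTATUS sub-status values on event 4625 that mean the account itself is the problem.
# 0xC000006A (wrong password) is deliberately absent: that is ordinary user error.
DEAD_ACCOUNT_SUBSTATUS = {
    "0xC0000072": "account disabled",
    "0xC0000193": "account expired",
    "0xC0000234": "account locked out",
}


def parse_events(text):
    """One JSON object per non-empty line; the timestamp becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"])
        events.append(event)
    return events


def repeat_lockouts(events, threshold=3, window=timedelta(hours=1)):
    """Accounts locked out (4740) at least `threshold` times within any span of `window`.

    Returns {account: peak_count}. A sliding window over the sorted lockout times
    catches bursts that a fixed hourly bucket would split in two.
    """
    by_account = defaultdict(list)
    for event in events:
        if event["event_id"] == 4740:
            by_account[event["account"]].append(event["time"])

    alerts = {}
    for account, times in by_account.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop lockouts that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[account] = peak
    return alerts


def dead_account_logons(events):
    """Failed logons (4625) against disabled, expired or locked accounts.

    A retired account still being tried is either a stale script, or a credential
    someone lifted and is now replaying. Returns [(account, source, reason), ...].
    """
    hits = []
    for event in events:
        reason = DEAD_ACCOUNT_SUBSTATUS.get(event.get("sub_status", ""))
        if event["event_id"] == 4625 and reason:
            hits.append((event["account"], event["source"], reason))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("repeat lockouts:", repeat_lockouts(evs))
    print("dead-account logons:", dead_account_logons(evs))
```

On the sample, jsmith trips the lockout rule (three lockouts in 45 minutes, from two different workstations, which is itself worth a look) while bjones, locked out twice five hours apart, does not; the two 4625 events against the disabled contractor account and the expired service account are reported, and jsmith's plain wrong-password failure is ignored. The threshold and window are policy knobs, not magic numbers.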

    2. sitta_europea Silver badge

      [quote]... and theyd still have to have access to the password list for all the PCs , so any malware could still potentially get to it .[/quote]

      Not if the passPHRASEs are written in spidery ballpoint in a diary.

      [quote]... so i say again - whats being proposed here?[/quote]

      My diary.

      1. Vic

        Not if the passPHRASEs are written in spidery ballpoint in a diary.

        I knew someone who did that.

        Then he left his note book in the toilet, and everyone had all his passphrases...

        Vic.

        1. Doctor Syntax Silver badge

          "Then he left his note book in the toilet"

          Provision of proper toilet paper is an essential for security.

        2. Anonymous Coward

          @Vic

          Then he left his note book in the toilet, and everyone had all his passphrases...

          A proper leak.

          Hmmm, I guess Manning's sex change would change the dynamics of that sort of thing ...

    3. Anonymous Coward

      As a DBA on Oracle and SQL Server we have the option to raise our privs to "root/super" but we have to apply through an online system that issues a 1 hour limited admin password through an assigned and audited admin account. When we get called at midnight and are desperate for admin access we can get it for a limited time without having to call out admins and waste time explaining what we need. We then fill in the "paperwork" next morning in a post-callout audit report that has to be checked and signed off. Any admin access used without pre/post paperwork is questioned. The second the external auditors walk in we know we're in the clear.

      1. Anonymous Coward

        Well I'm glad you have caught up ... we had this kind of DBA support arrangement about 30 years ago on an IBM mainframe, running IMS and ACF2.

    4. Thored

      By flat topology they mean every machine can reach every other machine in the enterprise.

      It is better to set up the network in such a way that user machines are segregated. Meaning a workstation on the 4th floor of a building cannot touch or see a workstation on the first floor or second floor. Workstations should only be able to reach servers on ports that are required to perform tasks and only administrative workstations should be able to perform administrative functions on servers and infrastructure.

      Any devices that VPN into the network should not be able to see any critical resources directly. There should be administrative jump boxes for administrators to reach into the infrastructure.

      This is much easier to implement if it is baked in when the network is built, but it isn't impossible to implement after the fact.

  11. JimmyPage Silver badge

    Dry run ?

    The whole episode has a vague feeling of being a dry run for something much nastier.

  12. Anonymous Coward

    Wishful thinking...

    Do you think this outbreak and the recent WannaCry shenanigans will make the self-serving tight-fisted idiot accountants and lawyers, and the sociopathic CEOs who run and cripple our companies and economy, just pause for a second, and realise that IT on the cheap, and outsourcing to poorly skilled third parties is not actually that clever.

    Probably not.

    1. Destroy All Monsters Silver badge

      Re: Wishful thinking...

      It will just be an incitement to declare local security and maintenance as incompetent, then ship the jobs to India.

    2. Tumshie

      Re: Wishful thinking...

      You hit the nail on the head. Suffering from it just now. Relentless and idiotic. Don't know difference between risk management and gambling.

  13. Anonymous Coward

    Belgian media report TNT's parcel sorting facility at Liège Airport has been affected.

    1. Anonymous Coward

      My cat delivers faster and more reliably than TNT.

      TNT are idiots - they wouldn't notice if they lost their computer systems, if they even have any.

      1. Doctor Syntax Silver badge

        "My cat delivers faster and more reliably than TNT."

        Kittens or dead birds?

        1. Steve Hersey

          Our cats used to deliver half a dead mouse

          And occasionally a stunned chipmunk.

          And, on two days running when mice were in short supply, a very large toad from the front garden. THE SAME TOAD, TWICE. Undamaged.

          I've always wondered how that went down. Did the cats bribe the toad somehow? Was the toad thinking, "Not this again!" as they carried it into the house?

          1. Vic

            Re: Our cats used to deliver half a dead mouse

            And, on two days running when mice were in short supply, a very large toad from the front garden. THE SAME TOAD, TWICE. Undamaged.

            If a cat brings you live prey, it means the cat believes you're shit at hunting, and you need remedial lessons...

            Vic.

          2. Doctor Syntax Silver badge

            Re: Our cats used to deliver half a dead mouse

            "And occasionally a stunned chipmunk."

            Years ago when we had a cat and a dog one of them brought in a live baby rabbit. Whilst we were trying to round that one up the other arrived with another. I wor nobbut a nipper but I still remember that.

            1. dmacleo

              Re: Our cats used to deliver half a dead mouse

              mine brings me field mice, deer mice (long tail, north america) chipmunks, squirrels, rabbits, moles, groundhogs, birds, frogs, snakes, anything that moves at night smaller than a raccoon and better smelling than a skunk.

              have a carcass graveyard in woodline, 100--150 each summer/fall season

              no mice/rodents in houses around here now.

  14. Pen-y-gors

    Decrypting?

    I am by no means an encryption expert, so this is a genuine quest for knowledge.

    The scum use AES-128 to encrypt the files and then a 2048-bit key to encrypt the 128-bit key.

    As I understand it, the shorter keys are susceptible to brute force crunching these days, with enough processor oomph. But can the process be shortened if you have an encrypted file but also have a copy of the original un-encrypted file?

    I'm sure I've fundamentally misunderstood how AES works, but I'm curious.

    And is it possible/likely that they use the same 2048 bit key for every case?

    And another idiot question (I just code, I don't do deep-level BIOS surgery) if the MBR has been overwritten, obviously the machine won't boot, but can the HDD be mounted as a secondary drive on something else and have the MBR re-written?

    The real lesson, as always, is take lots of off-line backups!

    1. dajames

      Re: Decrypting?

      As I understand it, the shorter keys are susceptible to brute force crunching these days, with enough processor oomph. But can the process be shortened if you have an encrypted file but also have a copy of the original un-encrypted file?

      I'm sure I've fundamentally misunderstood how AES works, but I'm curious.

      It can certainly help to have plaintext as well as ciphertext ... but modern ciphers are designed to minimize the amount of help that that gives. So, in essence: No, not much.

      And is it possible/likely that they use the same 2048 bit key for every case?

      Possible: yes. Likely: No. They seem to have done their job reasonably well in other respects, so I doubt they would make such a basic error with the key.

      And another idiot question (I just code, I don't do deep-level BIOS surgery) if the MBR has been overwritten, obviously the machine won't boot, but can the HDD be mounted as a secondary drive on something else and have the MBR re-written?

      Yes, of course. As I understand it, though, it is not just the MBR (a single disk sector) but the MFT (Master File Table - something like 0.1% of the size of the disk) that is encrypted, and data files are encrypted as well. The MFT can be regenerated by analysis of the contents of the files on the disk -- it's not easy and it's not foolproof, but partial recovery may be possible in this way if the files all have well-understood formats and the disk is not too fragmented -- but that won't help with encrypted data files.

      1. Doctor Syntax Silver badge

        Re: Decrypting?

        "but that won't help with encrypted data files."

        It depends on whether the original data blocks were overwritten.

    2. Naselus

      Re: Decrypting?

      "if the MBR has been overwritten, obviously the machine won't boot, but can the HDD be mounted as a secondary drive on something else and have the MBR re-written?"

      Yes, that's perfectly doable - you can format it and it'll do more or less exactly that. It'll lose literally all the data on it, though, which is probably not what you're hoping to hear in this case. If you're hoping you can plug it in and re-create the data that was in the MBR... no, not really. Best case would be recovering the data from the disk and then copying it back over after formatting it.

      I've recovered data from a few disks where the MBR has been fragged to all hell and back, so it is doable, though not easily. You need specialist tools to do it with. The MBR doesn't just handle the boot loader, it also contains a bunch of meta information about stuff like the partitions on the disk (where they start and end, for example) or the block addresses for data, without which the OS can't tell where data is or what it belongs to.

      Some programs are capable of re-constructing this data, though they're invariably either very, very expensive or very, very un-user friendly (requiring a good knowledge of how a disk drive physically works at a cylinder-and-sector level). I'm not aware of anything which would let you reconstruct the MBR itself if it was completely dead/encrypted, though.

      1. Vic

        Re: Decrypting?

        If you're hoping you can plug it in and re-create the data that was in in the MBR... no, not really

        Sure you can. I've done it many times. I used to have to do it frequently on multi-boot machines where Windows would happily write its own MBR all over my Grub one...

        It's a bit harder if the partition table is screwed, but that's still a fairly common cleanup problem. Just takes a bit of searching. It's amazing what you can do with dd and a bit of perl.

        Vic.

        1. Ramazan

          Re: It's a bit harder if the partition table is screwed

          Partition table is usually restored by looking for 55 AA at end of sectors. In good old days you would only look at cylinder boundaries and cylinder boundaries + 63 sectors, that was damn fast. Now that fdisk et al operate in non-DOS-compatible mode by default, the process takes much longer.
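
Vic's dd-and-a-bit-of-perl approach and Ramazan's "look for 55 AA at the end of sectors" search above, as one added worked example (mine, not code from either poster or from any recovery tool): it builds a constructed 1 MiB disk image holding one NTFS partition that starts at LBA 63, the old cylinder-boundary-plus-63 layout Ramazan mentions, simulates a boot-sector overwrite that leaves foreign 55 AA-terminated code in sector 0 and no partition table, then scans every sector for the boot signature, keeps only candidates that carry the NTFS OEM ID and whose own hidden-sectors field agrees with the LBA they were found at, and rebuilds the MBR partition table from them. Assumptions, all marked in the code: the sector-0 overwrite and the NTFS boot sector are constructed (the VBR has only the fields this recovery reads filled in), the VBR's total-sectors field is taken to be one less than the partition size because NTFS keeps a backup boot sector in the volume's last sector, and the CHS fields are filled with the 0xFE 0xFF 0xFF "LBA only" marker rather than computed from a geometry.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"          # last two bytes of an MBR or volume boot sector
NTFS_OEM = b"NTFS    "          # OEM ID at offset 3 of an NTFS boot sector
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count


def partition_entry(boot, ptype, start_lba, size_sectors):
    """One 16-byte MBR partition table entry (CHS fields: 'LBA only' marker, an assumption)."""
    return struct.pack(ENTRY_FMT, 0x80 if boot else 0x00, b"\xFE\xFF\xFF",
                       ptype, b"\xFE\xFF\xFF", start_lba, size_sectors)


def parse_partition_table(mbr):
    """Decode the four entries at offset 0x1BE; unused (type 0) entries are dropped."""
    if mbr[510:512] != BOOT_SIG:
        return []
    entries = []
    for i in range(4):
        off = 0x1BE + 16 * i
        status, _, ptype, _, start, size = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:
            entries.append({"boot": status == 0x80, "type": ptype, "start": start, "size": size})
    return entries


def make_mbr(entries):
    """A fresh MBR: a do-nothing 'jmp $' stub instead of real boot code (assumption), then the table."""
    mbr = bytearray(SECTOR)
    mbr[0:2] = b"\xEB\xFE"
    for i, e in enumerate(entries[:4]):
        off = 0x1BE + 16 * i
        mbr[off:off + 16] = partition_entry(e["boot"], e["type"], e["start"], e["size"])
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def make_ntfs_vbr(hidden_sectors, total_sectors):
    """Constructed NTFS boot sector with only the BPB fields this recovery reads filled in."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"
    vbr[3:11] = NTFS_OEM
    struct.pack_into("<H", vbr, 0x0B, SECTOR)            # bytes per sector
    vbr[0x0D] = 8                                        # sectors per cluster
    struct.pack_into("<I", vbr, 0x1C, hidden_sectors)    # sectors before the volume = its LBA
    struct.pack_into("<Q", vbr, 0x28, total_sectors)     # volume length excluding backup boot sector
    vbr[510:512] = BOOT_SIG
    return bytes(vbr)


def scan_for_boot_sectors(image):
    """Ramazan's search: every sector ending in 55 AA is a candidate; classify it by its OEM/FS markers."""
    found = []
    for lba in range(len(image) // SECTOR):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sec[510:512] != BOOT_SIG:
            continue
        if sec[3:11] == NTFS_OEM:
            kind = "ntfs"
        elif sec[0x36:0x3B] in (b"FAT12", b"FAT16") or sec[0x52:0x57] == b"FAT32":
            kind = "fat"
        else:
            kind = "other"   # an MBR, a foreign bootloader, or noise that happens to end in 55 AA
        found.append((lba, kind))
    return found


def rebuild_mbr_from_vbrs(image):
    """Rebuild the partition table from NTFS volume boot records still present on the disk."""
    entries = []
    for lba, kind in scan_for_boot_sectors(image):
        if kind != "ntfs":
            continue
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        hidden = struct.unpack_from("<I", sec, 0x1C)[0]
        total = struct.unpack_from("<Q", sec, 0x28)[0]
        if hidden != lba:        # a backup copy or stray fragment: its own LBA claim does not match
            continue
        # +1: the VBR count excludes the backup boot sector (assumption stated in the lead-in)
        entries.append({"boot": not entries, "type": 0x07, "start": lba, "size": total + 1})
    return make_mbr(entries)


def demo():
    """Build the constructed image, wreck sector 0, recover; returns before/after tables and candidates."""
    n_sectors = 2048                                 # 1 MiB image
    part_start, part_size = 63, n_sectors - 63       # cylinder boundary + 63, as in the post above
    image = bytearray(n_sectors * SECTOR)
    image[0:SECTOR] = make_mbr([{"boot": True, "type": 0x07, "start": part_start, "size": part_size}])
    vbr = make_ntfs_vbr(part_start, part_size - 1)
    image[part_start * SECTOR:(part_start + 1) * SECTOR] = vbr
    last = part_start + part_size - 1
    image[last * SECTOR:(last + 1) * SECTOR] = vbr   # NTFS backup boot sector in the volume's last sector
    original = parse_partition_table(image[0:SECTOR])
    # Constructed stand-in for a boot-sector overwrite: foreign code, still 55 AA terminated, no table.
    image[0:SECTOR] = b"\xEB\xFE" + b"\x00" * 508 + BOOT_SIG
    recovered = parse_partition_table(rebuild_mbr_from_vbrs(bytes(image)))
    return {"original": original, "recovered": recovered,
            "candidates": scan_for_boot_sectors(bytes(image))}


if __name__ == "__main__":
    print(demo())
```

The candidates list is the interesting part: three sectors end in 55 AA (the overwritten sector 0, the real VBR at 63 and the backup VBR at 2047), and only one of them may become a partition entry, which is why the OEM-ID and hidden-sectors checks are there. On a real disk you would run this over a `dd` image, not the live device, and treat the result as a hypothesis to confirm before writing anything back. It recovers the partition table only; as dajames says above, an encrypted MFT or encrypted file contents are a separate problem that no amount of boot-sector surgery fixes.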

      2. Doctor Syntax Silver badge

        Re: Decrypting?

        "Some programs are capable of re-constructing this data, though they're invariably either very, very expensive or very, very un-user friendly (requiring a good knowledge of how a disk drive physically works at a cylinder-and-sector level)."

        <cough/> https://en.wikipedia.org/wiki/PhotoRec

        Free and IIRC, fairly straightforward. But it does depend on the original data being undamaged on the disk.

      3. Kiwi

        Re: Decrypting?

        If you're hoping you can plug it in and re-create the data that was in in the MBR... no, not really.

        Sure you can. Piece of piss. Why, even XP had "fixmbr" and "fixboot" commands to fix the mbr on another attached disk. Took all of a couple of seconds to run (if that).

        7 and up IIRC have "bootcfg /somethingIcannotremember", worked as well. Or is it "bootrec"? Been a while.

        There's tools in Linux to do this just as quickly and easily, and if you're really struggling you can look at boot repair disk which is a bootable CD/USB/PXE image which will do it all with a few mouse clicks.

        The MBR doesn't just handle the boot loader, it also contains a bunch of meta information about stuff like the partitions on the disk (where they start and end, for example) or the block addresses for data, without which the OS can't tell where data is or what it belongs to.

        No, those would be the "partition table" and "MFT" (Master File Table) on NTFS, FAT (file allocation table) on FAT systems, no idea what on Linux file systems (I've never had to repair/recover from one so I honestly have no clue what they are). You can delete the MBR and still access the data without anything special (at least IME)

        Some programs are capable of re-constructing this data, though they're invariably either very, very expensive or very, very un-user friendly (requiring a good knowledge of how a disk drive physically works at a cylinder-and-sector level).

        Afraid your data recovery people are telling you porkies so they can inflate their prices. A number of tools are freely or cheaply available. For example, on the Falcon 4 and Hiren's boot disks you have Get Data Back for NTFS - not sure if it should be there freely but it is, and a very good tool as well. I would actually recommend you chuck a few bob the developers' way once you use it. User friendly, easy to navigate, and available at a decent price. There's also TestDisk & PhotoRec, which can recover entire partitions and go through hunting for files by type and recover them - however, unlike Get Data Back it doesn't put stuff back into the original folders with the original file names. (GDB is useful for loss of the MFT, the disk being formatted, a new partition table etc. but with little other damage done; TD/PR is more for a really messed up disk where you want to get as much of your photos back (and maybe some other stuff) as possible and are desperate enough that random names are fine (e.g. "1ffdce.jpg").) TestDisk looks for partitions by looking for their start/end markers, which are independent of the partition table (or MBR etc).

        There are a number of other tools I used to use from time to time depending on the job, filesystem, how hosed it was, how much the customer wanted done and so on, but those were my main ones. All really easy to use (though TestDisk/PhotoRec does come in CLI format only, that I know of).

        20+ years ago I had a working knowledge of how things worked at the sector etc. level. I haven't needed that in a long time and today I really know nothing about drives at that level. I have, however, within the last few years, actually built and used my own "cleanroom" for HDD repairs such as replacing heads, and have performed a huge number of data recoveries from drives that had often been formatted or had a few critical bad sectors, and a couple where someone thought it wise to do a "factory restore" without backups.

        I'm not aware of anything which would let you reconstruct the MBR itself if it was completely dead/encrypted, though.

        As above, the old "fixmbr" under XP or bootrec /whatever (sure it's that one now) under 7+, various tools under Linux. Got a niggly feeling there was even something under DOS but it's been a very long time since I did any disk work under DOS.

        HTH.

        1. Thored

          Re: Decrypting?

          "Sure you can. Piece of piss. Why, even XP had "fixmbr" and "fixboot" commands to fix the mbr on another attached disk. Took all of a couple of seconds to run (if that).

          7 and up IIRC have "bootcfg /somethingIcannotremember", worked as well. Or is it "bootrec"? Been a while.

          There are tools in Linux to do this just as quickly and easily, and if you're really struggling you can look at boot repair disk which is a bootable CD/USB/PXE image which will do it all with a few mouse clicks."

          It is amazing that no one else figured this out. Actually it isn't amazing because it isn't true.

          When NotPetya gets on the machine it does more than just "encrypt the MBR".

          1. When it initially gets on the box, it overwrites (not encrypts) the MBR with its own bootloader and scans the system for a few files. Specifically, it checks to see if the machine is running Kaspersky, Norton Security or Symantec anti-virus products. If it finds any of these products it has specific processes it uses to avoid detection.

          2. If it doesn't find any of those AV products, it checks to confirm it has the privileges to perform its task and assuming it does, it drops its modified version of MimiKatz to pull any credentials out of memory.

          3. If it is able to pull admin credentials from memory, it will attempt to use those credentials to spread in the network (using DHCP if it happens to be on a domain controller or scanning the local network if it isn't on a DC) and while it is doing this it is also scanning the hard drive for the ~65 specific file types it was created to encrypt and encrypts them with 128 bit AES encryption.

          4. If it is unable to pull credentials from memory, it then attempts to use EternalBlue to spread to computers on the same subnet as the infected computer as a last resort.

          5. After it finishes spreading and encrypting individual files, it chooses a method to reboot the machine based on the privileges it has in its user context: initiating a system shutdown, creating a hard error that causes Windows to reboot or creating a scheduled task to initiate a reboot within an hour. (Up to this point, the user has no idea anything is going on unless they get suspicious because the hard drive light is thrashing.)

          6. System reboots

          7. The system runs the NotPetya bootloader and loads its own lightweight operating system. This OS displays what appears to be a Windows chkdsk screen telling the user that it is attempting to correct errors on the disk. What it is actually doing is encrypting the MFT and then displaying the ransom note.

          So you can't just boot into a disk recovery environment or slave the disk into a working system because the specific file types NotPetya targets were encrypted on top of the MFT being encrypted. It targeted file types like .7z files and VMware files. File types that would be important to a corporate environment suggesting this was targeted to take out corporate, government and infrastructure targets.

    3. TheVogon

      Re: Decrypting?

      "The scum use AES-128 to encrypt the files and then a 2048-bit key to encrypt the 128 key."

      So symmetric and asymmetric encryption respectively...

      "As I understand it, the shorter keys are susceptible to brute force crunching these days"

      Not really. Unless you have billions of years to spare... Symmetric and asymmetric key lengths are also not equivalent.

      "And is it possible/likely that they use the same 2048 bit key for every case?"

      If it is used to encrypt a unique AES key which is then stored locally, then yes they could use the same public key to encrypt that on every system. The private key would remain on the decryption server with the attacker and your encrypted AES key could be decrypted remotely once the ransom had been paid.

      "can the HDD be mounted as a secondary drive on something else and have the MBR re-written?"

      Potentially, yes. However it presumably encrypts something to stop that being a viable recovery. Otherwise what are the keys for?

  15. Kaltern

    I feel these recent attacks are linked in some way, perhaps coincidence. It just seems odd that there have been 2 separate attacks, using different 'tools', within just a few weeks of each other. To my mind, it's either trial runs - to see which system is the most effective, and who 'fixes' the problems, or maybe even some ridiculous tit-for-tat attack - like 'we can do it better' type things.

    The very fact the 'Wannacry' attack had a very obvious and deliberate failsafe built in, tells me that it was designed to be shut down after a time. Perhaps those behind it didn't think it would be so easily found, or even they KNEW it would be found... And this new attack, specifically targeting code and other 'useful' documents again tells me there is method to the madness.

    I would suggest any and all sysadmins start testing their own networks for any possible point of intrusion, as I get the feeling that, as someone said earlier, these are preludes to something a lot more dangerous. Cyber crime has never been top of many IT heads' agendas, mainly because it's harder to justify to the board.

    1. Doctor Syntax Silver badge

      "It just seems odd that there have been 2 separate attacks, using different 'tools', within just a few weeks of each other. "

      Why odd? There have been malware campaigns for a long time. Then EternalBlue and a load of other stuff went public a while ago. Add some time for the malware writers to incorporate it and there's nothing surprising at all that a couple of specimens using it emerge at more or less the same time.

    2. Naselus

      "I feel these recent attacks are linked in some way, perhaps coincidence."

      Fairly certain they aren't, tbh.

      WannaCry was pretty amateurish. It looked quite advanced at first glance, but if you dug around under the hood you quickly found that actually it was two or three very advanced tools stolen from the NSA dump, strung together by some fairly low-end code that might be banged out by a script kiddie just learning how to build malware. It was, in a lot of ways, very primitive indeed, and was not a state-backed attack; they would have done a better job of it.

      This one is completely the opposite. It at first appeared to be an amateurish knock-off of Wannacry, but digging under the hood finds a very sophisticated, advanced persistent threat that uses a dozen separate methods to try and target and compromise specific targets, before dumping a poorly-designed malware layer over the top to try and convince people it's not as clever as it actually is. This definitely smells state-backed; it may or may not be the Russians, but there's enough clever shit going on on the quiet before the half-baked encryption attack to show that the encryption thing is a sideshow, not the main event.

      1. TheVogon

        Maybe this was Obama's revenge attack plan on the Russians for interfering in the election, but the US mostly missed the target as per usual?

        (Just like 11/9 was mostly by Saudis, but the US then invaded Afghanistan...)

  16. Anonymous Coward
    Anonymous Coward

    "Since midday it is no longer possible for the blackmailers to access the email account"

    Would it not be a better move to leave it open & monitor who accesses it?

    1. Doctor Syntax Silver badge

      Re: Since midday it is no longer possible for the blackmailers to access the email account"

      "leave it open & monitor who accesses it?"

      Yes. I can see why the MSP would want to avoid an aiding and abetting charge or whatever the equivalent is in Germany but the responsible thing would have been to have gone to TPTB and asked how the latter wanted them to handle it. I'd have thought that the answer would have been to keep it running to gather evidence and I doubt that it was kept running long enough for that to have happened.

    2. Anonymous Coward
      Stop

      Re: Since midday it is no longer possible for the blackmailers to access the email account"

      Then if someone comes in from a hidden location, rips all the emails out and then kerching!

  17. Destroy All Monsters Silver badge

    "Putin and his pals in action?"

    Goddammit El Reg. You guys have a direct pipe to the Clinton News Network or what?

    CNN does it to make its ratings go up by pulling in the dumbs (ding, dong). We don't need this here. Stop it.

    1. Anonymous Coward
      Anonymous Coward

      Re: "Putin and his pals in action?"

      A foolish comment, from someone with an ideological axe to grind.

  18. Anonymous Coward
    Anonymous Coward

    And people still continue to use windows

    It's a business liability and often not even needed. A read-only signed secure OS (like chromeOS) and google apps for business is not only cost-effective, but very secure.

    Sadly you can't get idiot admins to push simple patches, let alone radically review OS policy.

    Windows is a malware cesspool, all versions; no Windows 10 rollout is going to fix that (if anything Win10 is worse, constantly telling me I need to go online and download an app to do something that used to work out of the box on previous Windows).

    1. Mark 85

      Re: And people still continue to use windows

      Sadly you can't get idiot admins to push simple patches, let alone radically review OS policy.

      I think most would say it's a waste of time on the policy review or even trying to change corporate OS. The Board will override anything that costs money such as the time and effort to configure and then install a new OS. Then there's training and manglement muppets who would protest that they don't have time (time = brains in this case) to learn a new OS.

      I can't fault the admins on this as many haven't any experience on other OS's nor the inclination to be shot down in flames by manglement.

  19. phuzz Silver badge

    GPT?

    So, if the encryption routine is written to the MBR, does that mean those of us booting from GPT disks would be ok?

    I also assume that SecureBoot would refuse to boot the new bootloader that encrypts your files.

  20. Anonymous Coward
    Anonymous Coward

    Correction?

    Is it c:\windows\perfc.dat as in the article or c:\windows\perfc with no file extension? I'm pretty sure it's the latter as it's on the official page of the security team that found it. I'd use the "Tips and Correction" link but it doesn't work for me.

    1. Doctor Evil

      Re: Correction?

      BleepingComputer.com says to create 3 files -- perfc, perfc.dat, and perfc.dll -- out of an overabundance of caution. The files themselves can contain anything whatsoever but need to be "Read Only".

      Seems they'd be holdovers from a previous Petya infection so NotPetya avoids the system on detecting them ... ?
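      An added example, not from the thread, BleepingComputer or any vendor: a PowerShell function that creates the three files named above as read-only without overwriting anything already there, and reports each file's creation time. Assumptions: the directory is %SystemRoot% (C:\Windows on a standard install) and the names are exactly perfc, perfc.dat and perfc.dll; a later comment notes the name may differ between variants.

```powershell
# Added example (not from the thread or any vendor): create the read-only
# "vaccine" files described above, leaving existing files untouched, and
# report their state. Run from an elevated PowerShell prompt.
# Assumption: files live directly in $env:SystemRoot (normally C:\Windows).
function Add-PerfcVaccine {
    param(
        [string]$WindowsDir = $env:SystemRoot,
        [string[]]$Names = @('perfc', 'perfc.dat', 'perfc.dll')
    )

    foreach ($name in $Names) {
        $path = Join-Path -Path $WindowsDir -ChildPath $name

        if (Test-Path -LiteralPath $path) {
            $state = 'already present'
        } else {
            # Contents do not matter; an empty file is enough.
            New-Item -ItemType File -Path $path | Out-Null
            $state = 'created'
        }

        $item = Get-Item -LiteralPath $path
        if (-not $item.IsReadOnly) {
            # FileInfo.IsReadOnly is settable and toggles the ReadOnly attribute.
            $item.IsReadOnly = $true
            $state += ', set read-only'
        }

        [pscustomobject]@{
            Path     = $path
            ReadOnly = (Get-Item -LiteralPath $path).IsReadOnly
            # Creation time is what an investigator would compare against the
            # outbreak date to see whether a machine was "vaccinated" beforehand.
            Created  = $item.CreationTime
            State    = $state
        }
    }
}

Add-PerfcVaccine | Format-Table -AutoSize
```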

  21. Anonymous Coward
    Anonymous Coward

    Here is how to fix it....

    Run around like a headless chicken.

    Shout very loudly.

    Make sure you are talking utter bollocks

    Employ knee jerk reactions which will actually do more harm than good.

    Spout more bollocks, even louder.

    Spout random words you've heard, anti-virus, shares, CVE's

    Stomp around more.

    Yours

    Business Manager.

  22. Anonymous Coward
    Anonymous Coward

    That's a fact.

    A Donald, fact, but still a fact.

    Sad.

  23. Anonymous Coward
    Anonymous Coward

    Nuke them from orbit

    Its the only way to be sure!

  24. Anonymous Coward
    Anonymous Coward

    It would be real funny if...

    Corporations used this as an opportunity to upgrade all their systems, then claimed a tax deduction blaming business disruption due to government's negligence...

    1. patrickstar

      Re: It would be real funny if...

      At least in the US, there's solid legal precedent that you have no right to restitution if the government doesn't deliver police services when you need them. I'm sure the same reasoning would be applied in this case.

      See, there's a difference between actors exchanging money for goods/services voluntarily, and an actor unilaterally taking money by force with a vague promise of delivering.

  25. Anonymous South African Coward Bronze badge

    Meh

    That's all I will say on this matter. For now.

    1. Mr_Pitiful

      Oy

      Why should being in South Africa protect you?

      I'll be in Joburg On Fri with a memory stick or 5 and my laptop

      Then next week, Pretoria & Cape Town

      Where exactly would you like me to plug it in?

      All the sites I visit will be government so might just try Joburg and watch the spread!

      The funny thing is, my laptop was infected from a firewalled wireless network that visitors access

      I'd hate to imagine how many people got caught out

  26. dajames

    Conspiracy theory ...

    ... states that this malware is the work of storage vendors!

    Run around encrypting stuff, offer to decrypt it for cash, then ensure that nobody can contact you to ask for the decryption key. Brilliant way to discredit malware writers!

    No more will the lazy and stingy say "I'll worry about ransomware when it strikes -- I can always pay the ransom!" because it is now clear that this is not a productive strategy and the only way to preserve one's data is to have a sound backup regime. Sales of drives and tapes go through the roof!

    Of course, once it is accepted that nobody is ever going to pay the ransom, the malware writers will move on from ransomware to some other means of profiting from their misbegotten endeavours.

    1. Pen-y-gors

      Re: Conspiracy theory ...

      Nice one! I do like a nice convoluted conspiracy theory! +1

  27. Anonymous Coward
    Anonymous Coward

    A good argument for keeping *one* *nix machine

    and having *it* act as file server.

    1. Doctor Syntax Silver badge

      Re: A good argument for keeping *one* *nix machine

      "and having *it* act as file server."

      But not via SMB.

      1. Anonymous Coward
        Anonymous Coward

        Re: But not via SMB

        SSH would be better, I'd presume.

      2. Thored

        Re: A good argument for keeping *one* *nix machine

        Nah, use network attached storage via iSCSI in a replication pair and addressed via DFS.

        Users should only store data on the NAS/SAN and data should be snapshotted every 1-4 hours and replicated to the second part of the replication pair.

        On top of that, you can add conventional incremental/differential/synthetic full backups to add in more redundancy.

    2. Anonymous Coward
      Anonymous Coward

      Re: A good argument for keeping *one* *nix machine

      Rather BSD with ZFS here on two file servers. I've a cooling off process on updates between them. Sooo, yes you can kill my Windows (virtual) machines. You can kill the Linux virtual machines. I can rebuild from my sources. [That's actually a byproduct. The fundamental protection is for protecting my collections of electronic books/documents. Losing those? End of the world.]

  28. Anonymous Coward
    Anonymous Coward

    Outsource IT

    As an employee of an IT services provider, we are ridiculously oversubscribed, we can barely manage regular helldesk call volumes. If more than one client gets shafted by ransomware we'd be so fucked, but not as fucked as the clients who'll be waiting weeks to get someone on site to rebuild their 60 odd PCs.

    There's barely enough staff here to crew a single company, let alone the dozens we take care of.

    Meh, I just come here to eat my lunch and go home, what do I care.

    1. tedleaf

      Re: Outsource IT

      Gizzus a job, I can do that!!

  29. Anonymous Coward
    Anonymous Coward

    Windows

    lol - welcome to the new normal.

    It's not like you haven't had 30 years to switch to something better.

  30. uncommon_sense

    Anal Malware?

    >A chocolate factory in Australia was also infiltrated.<

    This theory stands for a fall,

    Cause the Aussies cannot be buggered at all!

    1. Vic

      Re: Anal Malware?

      Cause the Aussies cannot be buggered at all!

      I thought that was hedgehogs?

      Vic.

      1. Captain Badmouth
        Holmes

        Re: Anal Malware?

        "I thought that was hedgehogs?"

        Only on board ships, apparently.

        p.s. and the Sphinx.

  31. Clive Galway
    Trollface

    "endpoint lockdown specialists Tanium"

    Unless of course you are customer of Tanium, in which case your endpoints are used to demo their product.

  32. cosmogoblin
    Mushroom

    Are you freaking serious?

    The Chernobyl radiation monitors:

    (1) Run Windows *

    (2) Aren't patched

    (3) Are Internet-enabled???

    * Not bashing Windows (today), but you should not be using a general purpose operating system for any safety-critical systems, and certainly not for nuclear power plants - especially those which have the rather poor [citation needed] historical safety record of Chernobyl!

    ** Entirely apt icon use

    1. Anonymous Coward
      Anonymous Coward

      Re: Are you freaking serious?

      They are just monitoring radiation in the decommissioned plant, so I don't know if that is mission critical.

      Not like they can do anything BUT monitor - but it's nice to have systems that do that for you.

      1. Anonymous Coward
        Anonymous Coward

        Re: Are you freaking serious?

        I've background here, nuclear engineering and familiarity with this site. Safety-critical describes it perfectly. There's seriously scary shit going on in there. Still.

    2. Meph
      Alien

      Re: Are you freaking serious?

      @cosmogoblin

      Pertinent question: Do the radiation monitors run Windows, or are they some sort of hardware device that natively talks via RS232 (due to the age of the hardware), which would require computers that can still run the legacy drivers required to manage the interface?

      I've seen many a legacy system in my time, and I can't imagine you'd get many volunteers to deploy a new monitoring system in an environment as "hot" as that.

    3. markoer

      Re: Are you freaking serious?

      They are not mission critical systems; they are like the billboards of the train station.

    4. Thored

      Re: Are you freaking serious?

      I don't have any idea, but if I had to guess, they are using SCADA devices for the sensors and Windows machines for the eyes on glass monitoring.

  33. Anonymous Coward
    Anonymous Coward

    Why is that

    after reading the first few sentences I was certain that formidable Putin's hackers will be inevitably mentioned in the usual vague way of "there is no proof of any kind, but let's drop some ominous words anyway"? We used to have script-kiddies now it's nothing but script-journalists.

  34. Hazmoid

    Australian companies affected

    Looks like TNT transport has been hit hard. Yesterday I could log in to their online booking service (although I was unable to complete booking in), but today there is just an announcement screen showing the phone numbers for their worldwide booking services.

  35. aaaa

    WMI (and seriously - passwords in memory?)

    The fact I've not seen anyone tell sysadmins to disable WMI - I assume means you can't feasibly do this without breaking Exchange and/or AD? The port used is RPC - so blocking the port isn't an option because AD would barf.

    And seriously, Windows 2000 up to and including Windows 10 all store the system administrator password in a form that can be decrypted with a simple API call?

    Yeah - I know Windows 10 Enterprise Edition has the option of enabling 'credential guard', but it's hardly a single click exercise (and not an 'install' option without major scripting work) - and I've not seen a single PC with it on in the field... (actually I've seen very few W10EE in the field, most of it's "pro").

    1. patrickstar

      Re: WMI (and seriously - passwords in memory?)

      It's cached credentials, not the password store itself.

      They have to be readable by definition - otherwise they couldn't be used to authenticate... That's why you have the whole Credential Guard thingie to prevent reading them out even if you compromise the normal OS.

      Kerberos on *ix has the same problem, by the way.

      1. aaaa

        Re: WMI (and seriously - passwords in memory?)

        @patrickstar

        Cached credentials are presumably in the Kernel or at least another process's memory.

        In VMS, pa-risc HPUX and Sparc Solaris, user processes can't read the memory space of other user processes, and certainly not Kernel memory (not unless you are superuser). So no - kerberos doesn't have the same problem on *ix.

        I've been trying to google for an answer, what I found is vague - so I'll assume you are right - Linux and Windows both suffer from this malady of allowing any process free rein to read all the memory space. So yes - kerberos on LINUX would have the same problem. There is a whole other thread in these comments about whether Linux is any better than Windows or not.

        But if you know that OS allows your memory to be read, then you should code with that in mind - there is no need to keep the password itself in memory - you can hash it with a low collision hash. Or at least only keep the password in memory during the actual password compare and then zero the memory out.

        1. patrickstar

          Re: WMI (and seriously - passwords in memory?)

          At least MIT and Heimdal kerberos store the credentials in a file in /tmp...

          In Windows, they are stored in the LSASS process. I don't know where you think they are stored or how accessible they are, but at the very least you need an administrative account with SeDebugPrivilege.

          I don't have Kerberos on any of my Solaris boxes, but even if they are actually stored in kernel memory in the native Solaris implementation as opposed to a userspace process or file, none of these systems have a great track record of keeping attackers out of the kernel, especially when they have administrative privileges. And certainly none of them have a great track record of keeping attackers from gaining that.

          That's why you have the whole Credential Guard thing - so that even if the kernel is compromised you can't read them out without also compromising the minimal virtual system holding the creds.

          There is no difference between the ability of processes to read memory space on Linux, Solaris, Windows or any of the other systems, by the way. They all use the same basic VM/memory protection model.

          And you can't hash the credentials and still have them usable as a cache. The whole point of a cache is to be able to re-use them. At most you could encrypt them with a key that's harder to access than the credentials themselves, which is basically what Credential Guard is doing (though a better solution would be a HSM/TPM enforcing rules for when they can be used).

          1. patrickstar

            Re: WMI (and seriously - passwords in memory?)

            PS. How can someone downvote a post containing nothing but statements of fact? If any of the facts are wrong I recommend that you post a reply explaining so instead, for the benefit of all.

            1. Kiwi
              Alert

              Re: WMI (and seriously - passwords in memory?)

              PS. How can someone downvote a post containing nothing but statements of fact? If any of the facts are wrong I recommend that you post a reply explaining so instead, for the benefit of all.

              Come on Patrick, this is El Reg! It's completely unreasonable to expect someone to explain a downvote, especially a lot of them!

              And you're supposed to downvote people for asking about them as well. But I'll do something completely forbidden here and give you an upvote before the first downvote gets here!

          2. aaaa
            Unhappy

            Re: WMI (and seriously - passwords in memory?)

            @patrickstar

            I haven't seen anyone mention that NotPetya requires Admin privileges in order to get the admin credentials from memory. I'm sure I've read quite the opposite - admin privs are NOT required. My bit of googling gave similar results for Linux (but I'm no expert there - I'm just agreeing with what other posts here have said - Linux has the same deficiency).

            I have seen a little suggestion it's related to the ability to run gdb on linux (which I think all users can), and the SYSTEM account in Windows (not the SeDebugPrivilege priv), i.e.: via "psexec -s", via post exploitation tools, scheduled tasks, etc - see the mimikatz doco for details.

            So all my comments are based on the assumption that NotPetya doesn't require admin privs to read the memory where the credentials are - so from my POV there is a quite fundamental difference in memory space security on Linux/Windows compared with Solaris/HPUX/OS400 etc.

            @thored

            The GPO setting “Interactive logon: number of previous logons to cache (in case domain controller is not available)” controls the caching of logins to the HKEY_LOCAL_MACHINE\Security\Cache registry key, not to the LSASS memory AFAICT. Surely if there was a GPO setting to mitigate this the article would have mentioned that in addition to CredentialGuard. No - I think the point of the article (and @patrickstar's comments too) are that on Windows CredentialGuard is the only feasible mitigation.

            I've not seen anyone else suggest a way to shut down WMI command line access either - so I assume it's a bust too.

        2. Thored

          Re: WMI (and seriously - passwords in memory?)

          Cached credentials in Windows are held in the lsass.exe process. However, there is a group policy setting that turns off credential caching.

          The side effect is that any machine that cannot contact a domain controller will be unable to log anyone on to a domain account (because credentials are not cached, the machine has to contact the domain controller for every login).

          This should not be an issue for servers in the core or static workstations. It should not be enabled on laptops that are used for remote access.
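          An added example, not from the thread or from Microsoft: a PowerShell function that audits the two settings this sub-thread argues about on the local machine, the domain logon cache count and whether Credential Guard is actually running. Assumptions: the "Interactive logon: Number of previous logons to cache" policy is backed by the REG_SZ value CachedLogonsCount under the Winlogon key (default 10 when absent), and Credential Guard reports itself through the Win32_DeviceGuard CIM class, which only exists on Windows 10 / Server 2016 and later.

```powershell
# Added example (not from the thread or from Microsoft): report the domain
# logon cache setting and Credential Guard status. Run as an administrator.
# Assumptions: CachedLogonsCount under Winlogon backs the policy named in the
# thread (default 10 when the value is absent); Win32_DeviceGuard exposes
# SecurityServicesRunning, in which the value 1 means Credential Guard.
function Get-CredentialCacheAudit {
    [CmdletBinding()]
    param()

    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $winlogon -Name 'CachedLogonsCount' `
                              -ErrorAction SilentlyContinue
    # The value is stored as a string; absent means Windows' default of 10.
    $cachedLogons = if ($null -eq $props) { 10 } else { [int]$props.CachedLogonsCount }

    # On systems without the DeviceGuard namespace the query returns nothing,
    # which we report as Credential Guard not running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $credGuardRunning = ($null -ne $dg) -and (@($dg.SecurityServicesRunning) -contains 1)

    $findings = @()
    if ($cachedLogons -gt 0) {
        $findings += "Domain logon cache keeps the last $cachedLogons logons; " +
                     "0 suits servers and fixed workstations, roaming laptops need it on"
    }
    if (-not $credGuardRunning) {
        $findings += 'Credential Guard not running; credentials held by LSASS are not isolated'
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        CachedLogonsCount = $cachedLogons
        CredentialGuard   = $credGuardRunning
        Findings          = if ($findings.Count -eq 0) { 'none' } else { $findings -join '; ' }
    }
}

Get-CredentialCacheAudit | Format-List
```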

    2. Thored

      Re: WMI (and seriously - passwords in memory?)

      It is even worse than that. You don't have to decrypt the hash. You can use the hash for authentication.

  36. Anonymous Coward
    Anonymous Coward

    Major flaw in article

    The article states:

    "since the malware writers must have known that the email address would be shut down quickly, which cut off access to funds".

    That's not true at all. BitCoin doesn't use email. The email was to tell the writers that you sent them a BitCoin so that in theory they'd email you back your decryption key. They can still receive the ransom even without access to the email account!

  37. Anonymous Coward
    Anonymous Coward

    Another Conspiracy Theory

    According to Cybereason.com (h**ps://www.cybereason.com/blog-petya-like-ransomware-attack-what-you-need-to-know/):

    "It [NotPetya] kills itself prior to infection if the en_US keyboard layout is the only keyboard layout installed."

    Hmmm... Better type white, you scums!

  38. markoer

    "Mimikatz"

    Not "Minicatz". It is a Windows Kerberos hacking tool.

    Also, creating C:\Windows\perfc.dat may not be useful. According to McAfee (https://securingtomorrow.mcafee.com/mcafee-labs/new-variant-petya-ransomware-spreading-like-wildfire/) the file name can be different, and the victim's machine will reuse the same name as the source one, but the exact file name cannot be foreseen.

  39. Mahhn

    How to find who did it

    Since there is an "immunization" of having a file "perfc" with no extension in the "c:\windows\" directory, when we find a PC that has the perfc file on it that predates the initial infection, it can lead us to exactly who knew of it prior to deployment and lead us to the bad guys.

  40. Ybot

    Russia to blame?

    Who has the most to gain from this? USA. Their politicians are to blame because they follow the military establishment without question. The military establishment is to blame for creating these exploits and not informing companies of the security flaws in products. Lastly the end user or company are to blame for not having an offsite or disconnected backup. Backup, backup. I have spent years telling clients that they need backup systems and I still have lots who aren't willing to spend the money. Some just have to learn the hard way.

  41. patrickstar

    In case someone has missed it (and I can't find a Reg article mentioning it, but that might just be me being a retarded starfish as usual) - apparently this "NotPetya" is not ransomware: https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/

    It simply isn't possible for anyone, including the attacker, to decrypt the data.

    1. Thored

      You are correct.

      The initial analysis was that the entity behind the attack made a mistake by using a conventional email and a single bitcoin wallet.

      Posteo disabled the email account within a few hours of the attack happening and victims were still sending ransom emails to the address in the hopes of getting their data back.

      As it turns out, the "Personal Installation Key" generated by the malware was just a random string of characters unrelated to the encryption key used to encrypt the data, making it useless for retrieving the files. The hackers couldn't give back the files if they wanted to. So, there are victims out there that paid about $10,000 collectively with no hope of getting their data back.

      1. patrickstar

        It's somewhat weird that they didn't implement all functionality needed for ransomware. They must have known that sooner or later, probably sooner, someone would realize that it's not possible for anyone to decrypt the data. Wouldn't exactly be a lot of extra work at that point.

        Did they actually intend for this to be discovered after the initial chaos?

        1. Thored

          They did it intentionally. The act of encrypting the data requires the key so the key was available. They purposely displayed a completely ineffective string of characters as the victim's ID. Probably to play on the victim's sense of hope that they could get their data back.

          The purpose of this software was just to brick Windows machines.

  42. Sam Therapy

    "The superficial resemblance to Petya is only skin deep,"

    Tautology... it is what it is.

  43. Anonymous Coward
    Anonymous Coward

    Re. ransomware wiper

    Some of the data can be recovered as the MBR was only partially wiped.

    Also possible to use heuristics but takes 4-5 hours per machine, assuming that the drive is not particularly fragmented.

    see http://blog.ptsecurity.com/2017/07/recovering-data-from-disk-encrypted-by.html
