The Petya ransomware struck the networks of about 80 organizations in Russia. In Ukraine, the government network came under attack
June 27, 2017
The WannaCry ransomware has been succeeded by a similar encryptor with a less fancy name: Petya. On the afternoon of 27 June, Petya attacked about 80 organizations in Ukraine and Russia. Later, reports of hacking attacks came from Europe and India. According to preliminary data, a similar ransomware virus infected computer networks in the Netherlands, France and Spain.
In Ukraine the government network was hit; in Russia, the companies Rosneft, Mars, Nivea and others. The Kremlin said that it was not affected by the virus. Meanwhile, Kiev blamed the attack on Russian secret services, calling the events an element of a hybrid war.
According to Group-IB, the Petya.A virus blocks computers and prevents the operating system from starting. To resume operation and decrypt the files, it demands a ransom of $300 in bitcoins. A large-scale attack on oil, telecommunications and financial companies in Russia and Ukraine was recorded at around 14:00 Moscow time, TASS reports.
According to Kaspersky Lab, the Trojan uses a fake Microsoft electronic signature. Code-signing technology is used to show the user that a program was developed by a trusted author and to assure the user that it will not cause harm. Kaspersky Lab believes that the virus was created by 18 June 2017.
To stop the spread of the virus, Group-IB recommends immediately closing TCP ports 1024-1035, 135 and 445.
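An added example, not part of the original article or of Group-IB's guidance: a Python check that reads Windows `netstat -ano` output and lists the listeners still reachable on the ports named above. The sample output, the loopback exemption and the function name are assumptions made for illustration.

```python
import re

# Ports named in the Group-IB recommendation quoted above.
ADVISED_PORTS = {135, 445} | set(range(1024, 1036))

# Constructed sample of Windows `netstat -ano` output (not real data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       512
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       2040
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1100
  TCP    10.0.0.5:49712         10.0.0.9:445           ESTABLISHED     4
  TCP    [::]:445               [::]:0                 LISTENING       4
"""

# Only TCP rows in LISTENING state are of interest; UDP and
# established connections do not match this pattern.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
LOOPBACK = ("127.", "[::1]")  # assumption: loopback-only listeners are not exposed


def exposed_listeners(netstat_text, ports=ADVISED_PORTS):
    """Return sorted (port, address, pid) for non-loopback listeners on advised ports."""
    hits = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        if port in ports and not addr.startswith(LOOPBACK):
            hits.add((port, addr, pid))
    return sorted(hits)


if __name__ == "__main__":
    for port, addr, pid in exposed_listeners(SAMPLE_NETSTAT):
        print(f"TCP {port} listening on {addr} (PID {pid}): restrict at the host firewall")
```

The PID column lets the listener be mapped to its owning service before a firewall rule is applied.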
Petya virus has spread around the world
Experts have said that the new Petya ransomware has spread beyond the CIS and struck computer networks around the world.
“The virus Petya with contact address wowsmith123456@posteo.net spreads worldwide, a huge number of countries being affected,” Costin Raiu, the head of the international research team of Kaspersky Lab, wrote on his Twitter page.
He said that Petya uses a fake digital signature from Microsoft. According to Raiu, the ransomware hackers have already received at least seven payments as ransom for restoring access to the computers attacked by the virus.
Reuters reporters reported that the hacking extended to European countries. The ransomware penetrated, in particular, computer networks in the UK and Norway. In addition, traces of the Petya virus were discovered in India.
According to BNS, the Petya virus has also reached Lithuania. “We have received several messages and are conducting an investigation of them,” said Ritis Rainis, an official representative of the regulation service, while refusing to name the businesses that could have suffered from the virus.
British advertising firm WPP reported attacks on its systems. Dutch transport company APM also said that its computers were infected with ransomware. The screen of the infected computers resembles what was seen in the attacks that began in Ukraine.
Ukraine hit hardest
In Ukraine, among others, the following came under attack: TASS banks, “Sberbank”, “Pivdenny”, TNA, “PrivatBank”; Borispol airport, “Ukrposhta”, the Kyiv metro, “New mail”, “Ukrenergo”, “Kyivenergo”, the TNK network of filling stations, the channel ATR, Kyivvodocanal, the official website of the government, the Antonov company and SE “Document”, according to “112.Ukraine”.
Vice Prime Minister of Ukraine Pavlo Rozenko reported on his Facebook page that the network in the government Secretariat had stopped working for an unknown reason. “Ta-dam! If anything, our network has also “gone down”! This picture is shown by all the computers of the Cabinet of Ministers of Ukraine,” he wrote.
The National Bank of Ukraine (NBU) warned banks and other participants in the financial sector of an external hacker attack by an unknown virus. The NBU also noted that, in connection with the cyberattacks, security measures and countermeasures against hacking attacks were stepped up in Ukraine's financial sector, according to a press release from the regulator.
Ukrtelecom said that the company continues to provide Internet access and telephony, while the computer systems supporting the call center and customer service centers are not working.
Borispol airport, in turn, warned that “due to an extraordinary event, delays are possible”. Currently, the online schedule is available to passengers on the airport's official website.
The Kyiv metro said that the attack blocked the bank card payment function. “Contactless metro cards work in regular mode,” the metro noted.
Ukrenergo reported that the company has already carried out an investigation into the cyber attacks.
In Russia the virus attacked Rosneft
Rosneft's computer servers came under a powerful attack, the company's official Twitter account said. A little later, reports of virus infections began to arrive from other companies.
In connection with the cyberattack, Rosneft has appealed to law enforcement agencies. The company hopes that the incident has nothing to do with the current judicial proceedings.
Vedomosti, citing two sources close to Bashneft, writes that the ransomware infected all of Bashneft's computers. The virus warned users that their files were infected and that attempting self-recovery was useless.
The press secretary of the President, Dmitry Peskov, has already commented on the reports of the cyber attack. The new hacker attack on the systems of a number of companies in Russia has not compromised the computer systems of the presidential administration of the Russian Federation or the official website of the Kremlin, he told TASS. “(All) is stable,” said Peskov.
Later, the Central Bank reported detecting cases of infection of the computer systems of domestic banks as a result of the hacker attack.
“The Bank of Russia informs about the detection of computer attacks on Russian credit organizations. According to the Bank of Russia, as a result of the attacks, isolated cases of infection of information infrastructure were recorded. No disruption of banking systems or of the provision of services to clients has been recorded,” said the press service of the regulator (quoted by RNS).
Currently, the Bank of Russia's Center for monitoring and responding to computer attacks in the financial sphere (FinCERT) is working together with the credit organizations to eliminate the consequences of the identified computer attacks, the Central Bank said.
All the computers on the corporate server of the Moscow restaurant chain “Tanuki-Yorsh” were also allegedly hit by the hacking attack, TASS reports.
The press service of Rosenergoatom reported that all nuclear power plants in Russia are operating normally. The absence of any traces of hacker attacks was also confirmed by Inter RAO UES, OJSC Enel Russia, Russian Grids and the System Operator of the UES. Rosseti added that appropriate measures have already been taken to prevent possible hacker attacks.
The virus is ransomware that locks access to data and demands $300 in bitcoins to unlock it; it was known in various versions as early as 2016.
The malware spreads via spam email. In particular, the first version of Petya was disguised as a résumé. When a user opened an infected e-mail, a Windows prompt appeared on the screen requesting admin rights.
If an inattentive user agreed to grant the program the requested rights, the virus rewrote the boot sector of the hard drive and showed a “blue screen of death”, prompting the user to restart the computer urgently.
According to Kaspersky Lab experts, at this stage the hard disk is not yet encrypted, and the data can be saved by turning off the computer and connecting the hard drive to another computer to copy the information without loss.
After the reboot, Petya automatically launches a program masquerading as CHKDSK, which, however, does not check the hard disk for errors but encrypts it.
Once encryption is complete, the computer displays a black screen with a message indicating that the user has become a victim of the Petya ransomware. The hackers demand $300 in bitcoins to restore access to the data.
Kiev has accused Russia of hacking
Anton Gerashchenko, a people's deputy of the Verkhovna Rada from the “Popular Front” and a member of the board of the Interior Ministry, said that the cyber attack, carried out under the guise of a ransomware infection, was organized by the Russian special services.
“The cyber attack is done under the disguise that it is supposedly a virus that extorts money from computer users. According to preliminary information, it is organized by the security services of the Russian Federation. The targets of the cyber attack are banks, the media, “Ukrzaliznitsya”, “Ukrtelecom”,” said Gerashchenko.
“The virus got onto the computers over several days, even weeks, in the form of various kinds of messages in the mail; users who opened the messages allowed the virus to spread through all the computers. This is another example of using cyberattacks in a hybrid war against our country,” he continued.
According to Gerashchenko, as a result of the cyber attack “physically no one was hurt.” He also noted that “Ukraine, like the US and Europe, is a target for cyber-attacks by the Russian Federation. You know that in the United States investigations are being carried out into direct intervention in the election campaign. We see now an attempt to destabilize the economy in the media. We are not so experienced and it will survive,” said the Deputy.
Elena Gitlyanskaya, the press secretary of the Security Service of Ukraine (SBU), said in turn that the mass hacker attacks on a number of Ukrainian companies could have been organized from the territory of the Russian Federation and the Donbass, which Kiev considers occupied territory, reports “Tigania”.
Before Petya was WannaCry
The previous large-scale attack on organizations worldwide, in which the weapon was the WannaCry virus, occurred on 12 May. The Trojan disabled computers en masse and demanded a ransom for decrypting users' files. It was reported that Russia suffered from WannaCry more than other countries. The cyber attack affected, in particular, the company MegaFon, the Interior Ministry, Sberbank and the Ministry of Health. Attempted infections were reported by the Railways and the Central Bank, which stressed that the attack was unsuccessful.
Experts at the American company Flashpoint concluded that the creators of the WannaCry ransomware may be natives of southern China, Hong Kong, Taiwan or Singapore. Group-IB suspects hackers from North Korea, who also tried to pass themselves off as Russian.