Massive Cyber Attack Causing Chaos as World Still Recovers from WannaCry

In the past few hours, multiple reports were published about a mass-scale cyber-attack taking place in Ukraine. The attack hit multiple government resources, as well as corporate, financial and critical infrastructure systems (Kyiv subway and airport, electricity and oil companies, etc.).

Attacks on European targets were reported as well, including in Spain and France.

https://motherboard.vice.com/en_us/article/qv4gx5/a-ransomware-outbreak-is-infecting-computers-across-the-world-right-now


The majority of the initial reports pointed to a variant of the already known (since 2016) Petya ransomware (detected as Petya.A).

It was recommended to close the following TCP ports: 1024-1035, 135 and 445 (according to a Russian security company).

The distribution method is still unknown; however, reports from Payload Security claim the SMB EternalBlue exploit is involved.

There were also reports of spreading via social engineering (malicious e-mail messages).

Other distribution methods are possible as well.


The affected file types appear in the figure below:

Figure: File Types

Update June 27, 2017 – 20:10 CET


Update June 27, 2017 – 20:17 CET

Recommendations based on already known details of the attack:

· DO NOT PAY THE RANSOM. The files will not be decrypted, as the e-mail account no longer exists.

· DO NOT RESTART INFECTED MACHINES, since the Petya malware damages the MBR (Master Boot Record) used in the boot process. Instead, disconnect them from the internet and use the hibernate option.

· Apply the patch: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

· Disable SMBv1

· Update Anti-Virus hashes from the attached IOCs file


· Block source e-mail address: wowsmith123456@posteo[.]net

· Block IPs:

o  95[.]141.115.108

o  185[.]165.29.78

o  84[.]200.16.242

o  111[.]90.139.247

· Block domains (listed in the attached IOCs file):


More indicators can be found in this ongoing GitHub thread.
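The host-side recommendations above (apply MS17-010, disable SMBv1, close TCP 135, 445 and 1024-1035) as one PowerShell check-and-apply script. This is an added example, not code from the SenseCy post; it assumes an elevated session on Windows 8 / Server 2012 or later, and the MS17-010 KB number for the host's OS build must be filled in from the bulletin (placeholder below). Blocking inbound 445 will also break legitimate file sharing on that host, so apply the firewall rule only where that is acceptable.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the original post): verify and apply the
# mitigations recommended above on a single Windows host.

# Placeholder: fill in the KB ID(s) from MS17-010 that apply to this OS build.
$Ms17010Kbs = @('KB<MS17-010-ID-FOR-THIS-OS>')

function Test-Ms17010Installed {
    param([string[]]$KbIds)
    # Get-HotFix lists installed updates by their KB article ID.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Disable-Smb1Server {
    # Stop this host from serving SMBv1; takes effect without a reboot, which
    # matters because the post says not to restart infected machines.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    return (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Block-PetyaLateralPorts {
    # Inbound TCP ports named in the post: 135, 445 and the 1024-1035 range.
    $ports = @('135', '445', '1024-1035')
    New-NetFirewallRule -DisplayName 'Block Petya lateral movement (inbound TCP)' `
        -Direction Inbound -Protocol TCP -LocalPort $ports -Action Block | Out-Null
    return (Get-NetFirewallRule -DisplayName 'Block Petya lateral movement (inbound TCP)').Enabled
}

if (-not (Test-Ms17010Installed -KbIds $Ms17010Kbs)) {
    Write-Warning 'MS17-010 not found: apply https://technet.microsoft.com/en-us/library/security/ms17-010.aspx'
}
"SMBv1 server enabled: $(Disable-Smb1Server)"
"Port-block rule enabled: $(Block-PetyaLateralPorts)"
```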

Update June 28, 2017 – 7:24 CET:

According to WolfStreet, these are among the companies that reported having been hit:

· Rosneft

· Russian banks

· Russian steelmaker Evraz

· Ukrainian government

· The International Airport in Kiev, Ukraine

· Ukrainian banks

· Ukraine’s state power producer, a media company, and other firms

· Deutsche Post’s Ukrainian operations of Express

· Metro’s wholesale stores in Ukraine

· A.P. Moller-Maersk

· TNT Express, the Netherlands-based shipping company (a division of FedEx)

· UK-based WPP, the world’s largest advertising agency

· Heritage Valley Health System, USA

· Merck & Co, US pharmaceutical company

· French construction materials company Saint Gobain

· Royal Canin pet food division of US-based Mars Inc.

· US snack company Mondelez International

· India-based operations of German personal-care company Beiersdorf

· India-based operations of UK consumer goods company Reckitt Benckiser

· An unnamed international company in Norway

SenseCy expert analysts are keeping in close communication with our customers globally and will continue to monitor the developments on this issue. At this stage, many details are still unclear. We strive to bring concrete intelligence to our customers in near-real-time, but at the same time we are still very carefully analyzing massive amounts of information on this issue to filter out a large amount of disinformation.

Updates will follow here on the SenseCy Blog as well.
