• New MBR Infecting Ransomware 'Petya' Found In The Wild
[quote]GData and TrendMicro report a new ransomware they refer to as 'Petya' is circulating in the wild largely affecting German 'Human Resources' departments. Like other ransomware Petya encrypts files on an infected machine, but it goes further than other ransomware by living in a computer's master boot record and presenting its demands through a DOS boot screen when the infected machine is powered on. In its present incarnation Petya demands a 0.99 Bitcoin ransom which doubles if its payment deadline is missed. If an affected user goes through the FBI approved manner of recovering their files by paying the ransom, they would be well advised to physically destroy the disk and handle recovered files with care. This is because if anything was learned from the MBR infecting rootkit Sony distributed on their music CDs, it is that people who care enough to put their malware in the MBR tend to make complete eradication of the malware a tremendous pain.[/quote] [url]http://qntra.net/2016/03/new-mbr-infecting-ransomware-petya-found-in-the-wild/[/url]
Bootkits are always a massive pain in the arse to remove. This is really evil stuff since it's ransomware too.
Maybe companies should revert to requiring plaintext CVs and just throw out all other attachments and block .exe downloads for everyone but IT. This is a surprisingly polite virus though. The author must have taken extra care to make it user-friendly (as far as that applies here).
[QUOTE=Tamschi;50016346]Maybe companies should revert to requiring plaintext CVs and just throw out all other attachments and block .exe downloads for everyone but IT. This is a surprisingly polite virus though. The author must have taken extra care to make it user-friendly (as far as that applies here).[/QUOTE] Work computers that deal with opening 3rd party stuff should be running in a VM anyway. Who cares if it gets a ransomware, purge it and set up a new one.
[QUOTE=rndgenerator;50016475]Work computers that deal with opening 3rd party stuff should be running in a VM anyway. Who cares if it gets a ransomware, purge it and set up a new one.[/QUOTE] many companies probably have people in HR who don't know what a vm is
[QUOTE=Ninja Gnome;50016490]many companies probably have people in HR who don't know what a vm is[/QUOTE] Good thing VMs are IT's department, and not HR.
[QUOTE=FalconKrunch;50016517]Good thing VM's are IT's department, and not HR.[/QUOTE] there are many small businesses that don't have an IT department.
just back up your important files in one of the countless online backup options and ransomware will never be an issue
[QUOTE=koeniginator;50016556]just back up your important files in one of the countless online backup options and ransomware will never be an issue[/QUOTE] The only issue with this train of thought is that many online backup providers don't let you personally handle the encryption keys. This means that if you're working on sensitive projects where files may be worth 10s of millions of dollars you can't rely on a backup option. Also if you live in a country that doesn't have fantastic upstream bandwidth it may not be possible to upload TBs worth of data in any reasonable amount of time. I honestly think by the time gigabit becomes standard many of these issues will turn into non-issues. But there is much to prevent people from backing up all of their data effectively right now. I think even for me if I was affected with ransomware or any trojan for that matter, my first thought would be towards the integrity of my personal data.
[QUOTE=icarusfoundyou;50016598]The only issue with this train of thought is that many online backup providers don't let you personally handle the encryption keys. This means that if you're working on sensitive projects where files may be worth 10s of millions of dollars you can't rely on a backup option. Also if you live in a country that doesn't have fantastic upstream bandwidth it may not be possible to upload TBs worth of data in any reasonable amount of time. I honestly think by the time gigabit becomes standard many of these issues will turn into non-issues. But there is much to prevent people from backing up all of their data effectively right now. I think even for me if I was affected with ransomware or any trojan for that matter, my first thought would be towards the integrity of my personal data.[/QUOTE] Then back it up and put it in a fireproof safe. Or do weeklies into a safe deposit box. There's no reason to not have a backup to revert to in a situation like this.
[QUOTE=Levelog;50016755]Then back it up and put it in a fireproof safe. Or do weekly's into a safe deposit box. There's no reason to not have a backup to revert to in a situation like this.[/QUOTE] Unfortunately many people work in an environment where data is stored in a central location and they don't seem to be aware of the consequences of such a location/server being knocked offline by natural disaster/malware etc. It really is something the IT department should be paying attention to.
[QUOTE=Tamschi;50016346]Maybe companies should revert to requiring plaintext CVs and just throw out all other attachments and block .exe downloads for everyone but IT. This is a surprisingly polite virus though. The author must have taken extra care to make it user-friendly (as far as that applies here).[/QUOTE] Exchange Admin here. There's no way in hell that I can pass such a policy, unless there's a company-wide data loss due to such a virus that would serve as an excellent example for upper management to pass such a policy. It's really hard to justify a complete ban on all kinds of attachments (Office documents, executable files and archives), since it massively inconveniences employees. It's very common to send documents and zip files around. Both of those carry big risks, as zip files could contain all kinds of shit and Word documents can carry malicious macros. Especially documents are a big risk, since MS is still ignoring the massive security issues, and enterprise spam filters and mail AV solutions cost hella $$$, which is also hard to justify to upper management, and they don't offer 100% protection.
[QUOTE=koeniginator;50016556]just back up your important files in one of the countless online backup options and ransomware will never be an issue[/QUOTE] Ahh, yes, let me upload nearly two terabytes of data at about 35KB/s every month...
[QUOTE=kaukassus;50016818]Exchange Admin here. There's no way in hell that I can pass such a policy, unless there's a company-wide data loss due to such a virus that would serve as an excellent example for upper management to pass such a policy. It's really hard to justify a complete ban on all kinds of attachments (Office documents, executable files and archives), since it massively inconveniences employees. It's very common to send documents and zip files around. Both of those carry big risks, as zip files could contain all kinds of shit and Word documents can carry malicious macros. Especially documents are a big risk, since MS is still ignoring the massive security issues, and enterprise spam filters and mail AV solutions cost hella $$$, which is also hard to justify to upper management, and they don't offer 100% protection.[/QUOTE] I gotta ask as a very honest question. If you used a system like Google for Domains where PDF/Word/Excel attachments can be opened in the browser rather than downloaded to the client, would the risks be much less?
[QUOTE=TestECull;50016821]Ahh, yes, let me upload nearly two terrabytes of data at about 35KB/s every month...[/QUOTE]It's either that or losing all your 2TB of data to ransomware. I think I know which option is better.
[QUOTE=icarusfoundyou;50016860]I gotta ask as a very honest question. If you used a system like Google for Domains where PDF/Word/Excel attachments can be opened in the browser rather than downloaded to the client, would the risks be much less?[/QUOTE] Mostly, since you move the attack surface from Office, Acrobat, etc. to your browser (and attackers instead have to use the more traditional browser exploits). But that means you have to move your company to those services instead. And when your company is already heavily invested in Exchange and Office licenses, that can be a hard sell until the upgrade period comes around. And on top of that, people are creatures of habit. They buck, kick and scream if you move them off a system they are used to, because that means they have to learn. And if one of those people is one of the higher-ups, good luck convincing them this way is "better".
Restoring the MBR is not that difficult though? [editline]28th March 2016[/editline] Any schmuck with a Windows repair tool and a Linux LiveCD could get the virus data off an infected PC relatively easily. Even easier if you just want to retrieve important docs; no need to touch the infected MBR.
[QUOTE=.Lain;50018040]Restoring MBR is not that difficult though? [editline]28th March 2016[/editline] any schmuck with a windows repair tool and a linux LiveCD could get the virus data off an infected PC relatively easily even easier if you just want to retrieve important docs. no need to touch the infected MBR[/QUOTE] Anything affecting the MBR isn't worth trying to fix unless you really need data off it. Also you won't get past the boot screen if they made the virus well enough.
[QUOTE=DELL;50018083]Anything affecting the MBR isn't worth trying to fix unless you really need data off it. Also you won't get past the boot screen if they made the virus well enough.[/QUOTE] Uh, no? The MBR has nothing to do with your boot selection. You can completely bypass the infected MBR and restore the original through the Windows repair console. It's not your BIOS. The MBR lies in a special partition on an HDD that the operating system uses to initialize itself. It's as easy as setting up a recovery environment from a Windows install disk and doing [B]bootsect /nt60 SYS /mbr[/B]. Whether or not it's worth even keeping the infected operating system? That's up to you. Chances are the MBR will just get fucked eventually anyways. Make an image from install and load that on instead. Use a Linux LiveCD to take everything off the infected partitions and format it.
For those with slow internet, just backup important data and not your entire OS and keep a burnt disk (CDs are stupid cheap) with your OS handy. Or do what I do, and have 4 machines with the important stuff copied between them. Also does this affect GPT partition schemes? I think most modern windows installations use GPT because it allows for >2tb partitions. Source doesn't really say anything.
MBR viruses are amazingly ancient. I got a bunch of 5.25" floppies here that are "Stoned".
[QUOTE=thelurker1234;50018123]For those with slow internet, just backup important data and not your entire OS and keep a burnt disk (CDs are stupid cheap) with your OS handy. Or do what I do, and have 4 machines with the important stuff copied between them. Also does this affect GPT partition schemes? I think most modern windows installations use GPT because it allows for >2tb partitions. Source doesn't really say anything.[/QUOTE] GPT is far more robust; it most likely doesn't target it either. That being said, the vast majority of PCs still use MBR.
any solid ransomware targets MBR, GPT and UEFI ... if not it's not solid ... face it ... so don't be naïve that booting MBR or GPT saves your UEFI from being busted ;)
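The posts above argue about what an MBR infection actually touches and whether GPT disks are in the same boat. The first 512-byte sector is small enough to check directly: the boot code (bytes 0..439) is what a bootkit rewrites, the partition table (bytes 446..509) is usually left intact so the machine still finds its OS after the malicious loader runs, and a GPT disk carries a "protective" MBR whose single entry has type 0xEE. The following is an added example, not code from the thread or from any tool named in it: it parses a sector, validates the 0x55AA signature, and compares the boot-code hash against a baseline you recorded from a clean install. The sample sectors and the "baseline" hash are constructed inline; they are not Petya indicators. A matching baseline tells you the loader is what you installed; a mismatch tells you something like the [B]bootsect[/B] repair described above is needed, but no sector repair decrypts anything the ransomware encrypted elsewhere on the disk.

```python
"""Parse a 512-byte MBR, validate it, and compare the boot code to a known-good hash.

Added example; not code from the original thread. The sample MBRs below are
constructed in memory, and BASELINE is whatever hash you recorded from a clean
machine, not a published indicator of any real malware.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439: boot code (what a bootkit replaces)
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511
GPT_PROTECTIVE_TYPE = 0xEE     # partition type used by a GPT protective MBR


def parse_mbr(sector: bytes) -> dict:
    """Return signature validity, boot-code hash, partition entries and GPT flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected a 512-byte sector, got %d bytes" % len(sector))
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
        "gpt_protective": any(p["type"] == GPT_PROTECTIVE_TYPE for p in parts),
    }


def check_boot_code(sector: bytes, baseline_sha256: str) -> bool:
    """True if the boot code matches the hash recorded when the disk was known clean."""
    return parse_mbr(sector)["boot_code_sha256"] == baseline_sha256


def _entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack("<B3xB3xII", status, ptype, lba_start, sectors)


def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a constructed 512-byte MBR for the demo (not a real disk image)."""
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    body += struct.pack("<IH", 0xDEADBEEF, 0)        # disk signature + reserved word
    table = b"".join(entries) + b"\x00" * 16 * (4 - len(entries))
    return body + table + BOOT_SIGNATURE


# Constructed "clean" MBR: a bootable 100 MiB system partition and an NTFS data partition.
CLEAN = build_sample_mbr(
    b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100,   # placeholder loader bytes
    [_entry(0x80, 0x07, 2048, 204800), _entry(0x00, 0x07, 206848, 41734144)])
BASELINE = parse_mbr(CLEAN)["boot_code_sha256"]            # record this while the disk is clean

# Constructed "infected" MBR: identical partition table, different boot code.
INFECTED = bytearray(CLEAN)
INFECTED[0:8] = b"\xeb\x10\x90\x90\x90\x90\x90\x90"         # hypothetical rewritten loader bytes
INFECTED = bytes(INFECTED)

# Constructed protective MBR as found in front of a GPT disk.
PROTECTIVE = build_sample_mbr(b"", [_entry(0x00, GPT_PROTECTIVE_TYPE, 1, 0xFFFFFFFF)])

if __name__ == "__main__":
    # On a real Linux host (as root): sector = open("/dev/sda", "rb").read(512)
    for name, sector in (("clean", CLEAN), ("infected", INFECTED), ("gpt", PROTECTIVE)):
        info = parse_mbr(sector)
        print("%-8s sig_ok=%s gpt=%s boot_code_ok=%s partitions=%d" % (
            name, info["valid_signature"], info["gpt_protective"],
            check_boot_code(sector, BASELINE), len(info["partitions"])))
```

Run it against a sector read from the raw device and keep the baseline hash somewhere the machine cannot reach. The partition table comparing equal while the boot-code hash differs is exactly the shape a bootkit leaves behind; a protective entry of type 0xEE means the real partition layout lives in the GPT header and the sector you are looking at is only the compatibility stub.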
My godfather's company was recently ransomed. I had no idea this was a thing until recently, when he told me about it
[QUOTE=.Lain;50018040]Restoring the MBR is not that difficult though? [editline]28th March 2016[/editline] Any schmuck with a Windows repair tool and a Linux LiveCD could get the virus data off an infected PC relatively easily. Even easier if you just want to retrieve important docs; no need to touch the infected MBR.[/QUOTE] Doesn't it also encrypt your important files? So even if you got them off they would be useless?
[QUOTE=TestECull;50016821]Ahh, yes, let me upload nearly two terabytes of data at about 35KB/s every month...[/QUOTE] Unless you're actually generating 2TB of data each month, it only takes the initial backup + incrementals. [editline]28th March 2016[/editline] [QUOTE=icarusfoundyou;50016598]The only issue with this train of thought is that many online backup providers don't let you personally handle the encryption keys. This means that if you're working on sensitive projects where files may be worth 10s of millions of dollars you can't rely on a backup option. [/QUOTE] If it's that high stakes, it shouldn't be remotely hard to manage offsite backups. And even then, there are free and open solutions to the encryption problem: either use something like TrueCrypt/VeraCrypt, and only back up the encrypted file/volume, or PGP the files before backing them up.
[QUOTE=TestECull;50016821]Ahh, yes, let me upload nearly two terabytes of data at about 35KB/s every month...[/QUOTE] You download/generate 2TB of data each month? Damn dude, what kind of data server are you running?
[QUOTE=thelurker1234;50018123]For those with slow internet, just backup important data and not your entire OS and keep a burnt disk (CDs are stupid cheap) with your OS handy. Or do what I do, and have 4 machines with the important stuff copied between them. Also does this affect GPT partition schemes? I think most modern windows installations use GPT because it allows for >2tb partitions. Source doesn't really say anything.[/QUOTE] Four machines with the data copied between them? Sounds like if you get a virus you're just kinda opening the door for it to spread through your whole network automagically
[QUOTE=phygon;50019896]Four machines with the data copied between them? Sounds like if you get a virus you're just kinda opening the door for it to spread through your whole network automagically[/QUOTE] How so? Infecting a backup server is not an easy task since it does not run what you send, merely stores it.
[QUOTE=rndgenerator;50019912]How so? Infecting a backup server is not an easy task since it does not run what you send, merely stores it.[/QUOTE] Not only that, but anyone who doesn't have a butthole for a brain in IT will surely enforce filesystem permissions that make it impossible to execute anything. This, plus tight network security, and the only way in becomes zero-day exploits and targeted attacks, which are pretty unlikely (although they *do* happen). As with anything IT, backups are important. Redundancy is key to having fully functional IT systems. And the most important part is of course backups, in the majority of cases. Without going into company details, I personally do backups using things like Borg, allowing me to do "full" and "incremental" seamlessly. It does (optional) compression, (optional) encryption, and deduplication, to allow each backup I take to function as a full backup, while taking up less space than an incremental backup. Here's a bit of info for those who care, a backup I ran yesterday: [code] Time (start): Sat, 2016-03-26 23:05:28 Time (end): Sat, 2016-03-26 23:12:53 Command line: borg create -s -p -C lz4 desktop::2016-03-27 /home/necrophcodr Number of files: 482756 Original size Compressed size Deduplicated size This archive: 338.33 GB 271.26 GB 2.21 GB All archives: 4.24 TB 3.33 TB 361.89 GB Unique chunks Total chunks Chunk index: 862291 7905892 [/code] One of the interesting parts of this is the "This archive, Original size", and "All archives, Deduplicated size". The former is the original size of that single backup, before compression and deduplication. The latter is all backups, after compression and deduplication. The total size has only increased by a few tens of gigabytes, due to games and shit. However, the single backup ended up taking up 2.21GB. And while I did not transfer it using wired technology, I could just as easily have transferred it over the network.
This entire process can be automated on Windows, OS X, and Linux. It's free software too, in terms of both price and freedom. [editline]28th March 2016[/editline] Oh, and as can be read from the file, it only took about 7 minutes on my 8-year-old desktop to scan through all files, compress the backup, and compare them to all the previous backups.
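The borg statistics quoted above (338 GB original, 2.21 GB deduplicated for one archive; every archive still a full restore point) come from content-addressed chunking, and the earlier suggestion to encrypt before handing data to a provider raises a related question: what does the storage side get to learn from the chunks it holds? The following is an added example written for this thread, not borg's code and not anything the poster ran. It splits data into chunks at boundaries chosen by a rolling hash over the content, so a 14-byte edit at the start of a file moves only the chunk around the edit instead of shifting every chunk; it stores each chunk once under an HMAC of its content, keyed with a secret the storage side never sees, so the repository cannot test whether a chunk it already knows is in your backup; and every archive is just a list of chunk ids, so any archive restores on its own with no chain of incrementals to replay. The chunker parameters, the 128 KiB "document", the key and the archive names are all constructed for the demo. A fixed-size chunker is included only to show why the shifted edit defeats it.

```python
"""Content-defined chunking with keyed content addressing: the mechanism behind
"every backup is a full backup, but it costs only the new data".

Added example; not borg's code and not from the original thread. Inputs are
constructed in-memory byte strings; a dict stands in for the repository.
"""
import hashlib
import hmac
import random

WINDOW = 48                 # rolling-hash window in bytes
MIN_CHUNK = 256             # never cut before this many bytes
MAX_CHUNK = 8192            # always cut by this many bytes
AVG_MASK = (1 << 11) - 1    # cut when the low 11 hash bits are zero: ~2 KiB average chunk

_rng = random.Random(0xB0071)                       # fixed seed: boundaries are reproducible
_TABLE = [_rng.getrandbits(32) for _ in range(256)]  # byte -> random 32-bit word for buzhash


def _rotl(x: int, n: int) -> int:
    n %= 32
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def chunk_boundaries(data: bytes):
    """Yield (start, end) slices. The cut decision depends only on the last WINDOW
    bytes, so an insertion early in the file disturbs only the chunks around it."""
    h = 0
    start = 0
    for i, b in enumerate(data):
        h = _rotl(h, 1) ^ _TABLE[b]
        if i >= WINDOW:
            h ^= _rotl(_TABLE[data[i - WINDOW]], WINDOW)   # remove the byte leaving the window
        length = i + 1 - start
        if length >= MAX_CHUNK or (length >= MIN_CHUNK and (h & AVG_MASK) == 0):
            yield start, i + 1
            start = i + 1
    if start < len(data):
        yield start, len(data)


def fixed_boundaries(data: bytes, size: int = 2048):
    """Naive fixed-size chunking, included only to show why shifted data defeats it."""
    for s in range(0, len(data), size):
        yield s, min(s + size, len(data))


class ChunkStore:
    """Deduplicating store. Chunk id = HMAC(id_key, chunk), so the storage side
    cannot confirm whether a chunk it already knows is part of your backup."""

    def __init__(self, id_key: bytes, chunker=chunk_boundaries):
        self.id_key = id_key
        self.chunker = chunker
        self.chunks = {}     # id -> chunk bytes (a real tool encrypts these before storing)
        self.archives = {}   # archive name -> ordered list of chunk ids

    def chunk_id(self, chunk: bytes) -> bytes:
        return hmac.new(self.id_key, chunk, hashlib.sha256).digest()

    def backup(self, name: str, data: bytes) -> dict:
        manifest, original, unique = [], 0, 0
        for s, e in self.chunker(data):
            piece = data[s:e]
            cid = self.chunk_id(piece)
            original += len(piece)
            if cid not in self.chunks:      # only data the repository has never seen is stored
                self.chunks[cid] = piece
                unique += len(piece)
            manifest.append(cid)
        self.archives[name] = manifest
        return {"original": original, "unique": unique, "chunks": len(manifest)}

    def restore(self, name: str) -> bytes:
        """Any archive restores by itself: no base-plus-incrementals chain."""
        return b"".join(self.chunks[cid] for cid in self.archives[name])


def demo() -> dict:
    rng = random.Random(1)
    day1 = rng.getrandbits(8 * 128 * 1024).to_bytes(128 * 1024, "big")  # constructed 128 KiB document
    day2 = b"edited header " + day1           # a 14-byte insertion shifts every later byte
    results = {}
    for label, chunker in (("cdc", chunk_boundaries), ("fixed", fixed_boundaries)):
        store = ChunkStore(b"constructed-demo-key", chunker)
        results[label] = [store.backup("2016-03-27", day1),
                          store.backup("2016-03-28", day1),    # unchanged file: nothing new stored
                          store.backup("2016-03-29", day2)]    # edited file
        assert store.restore("2016-03-29") == day2
    return results


if __name__ == "__main__":
    for label, runs in demo().items():
        for name, r in zip(("day1", "day1 again", "day2 edited"), runs):
            print("%-5s %-12s original=%6d unique=%6d chunks=%d"
                  % (label, name, r["original"], r["unique"], r["chunks"]))
```

With content-defined chunking the unchanged re-run stores nothing and the edited file stores a few KiB (the chunk around the insertion, occasionally one or two more while the boundaries resynchronise); with fixed-size chunking the same 14-byte edit makes every chunk new and the whole file is uploaded again. The HMAC key belongs with the rest of your backup key material, off the machine being backed up: a ransomware that can read it can also read your files, but a provider holding only the store cannot use chunk ids to fingerprint known content.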