New ransomware attack hits Europe

Discussion in 'News Editions' started by Ian, Jun 28, 2017.

  1. Ian

    Ian Administrator

    Joined:
    Feb 23, 2002
    Likes Received:
    729
    Airlines, power stations, banks and other businesses have been hit by a new wave of "Ransomware" attacks. Affected PCs will find that the operating system has been encrypted, with demands for a payment to unlock the system. Windows XP - Windows 10 PCs could be vulnerable, so be sure you have installed all current Windows updates and have anti-virus software installed.

    This "Petya" cyber-attack has even caused problems at the infamous Chernobyl power station, meaning that radiation levels are now manually performed.

    As usual, take care when opening e-mail attachments or other unfamiliar files. The best defence is having a fully patched operating system with AV software installed (even if it's Windows Defender).
     
    Ian, Jun 28, 2017
    #1

  2. Ian

    Ian Administrator

    Joined:
    Feb 23, 2002
    Likes Received:
    729
    It looks like you'll get an image like this upon booting if you have been infected:

    DDWXCFWW0AA6pwD.jpg

    Turning your system off at this stage will prevent the encryption from completing, meaning that you can restore the data manually.

    Thanks to https://twitter.com/hackerfantastic for the image.
     
    Ian, Jun 28, 2017
    #2

  3. Abarbarian

    Abarbarian Acruncher

    Joined:
    Sep 30, 2005
    Likes Received:
    635
    Location:
    A cabin in the woods by a river
    Abarbarian, Jun 29, 2017
    #3
  4. Captain Jack Sparrow

    Captain Jack Sparrow New Cruncher

    Joined:
    Jul 1, 2007
    Likes Received:
    97
    Location:
    On the Black Pearl
    Of course, you should already be patched against the exploits which the ransomware spreads with; NotPetya uses the same NSA exploits that WannaCry used last month to cause worldwide chaos.

    However, it's still possible to receive NotPetya by email, malware dropper or malicious drive-by download. Therefore, it pays to take preventative measures:

    In the Windows directory (usually C:\Windows\), create the following read-only files:

    perfc
    perfc.dat
    perfc.dll

    Source (external link, BleepingComputer)

    If the presence of these files annoys you, set these files to hidden.
    These files are allegedly how the ransomware's poorly implemented anti-re-infection mechanism works, so by simply creating these read-only files, a potential infection of NotPetya will stop before delivering its payload (at least with the current strain of the ransomware).

    There are now unconfirmed reports that a new variant of the ransomware places these files in %ProgramData%. This seems like a quick and dirty workaround to continue targeting those who have discovered the information above. So I'd also recommend doing the same in this location too.

    Last night, I used a Group Policy Preferences item to automatically deploy these files to all computers, but if you're not as lucky as me, you can always use a script or batch file.

    - Capt. Jack Sparrow.
     
    Last edited: Jun 29, 2017
    Captain Jack Sparrow, Jun 29, 2017
    #4
    Core, Ian and EvanDavis like this.
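
The script route mentioned in post #4, as an added example that is not part of the original thread: a PowerShell script that creates the three files in the Windows directory and in %ProgramData% and marks them read-only. The `-Hidden` switch and the status report are assumptions of this example; save it as a .ps1 file and run it from an elevated prompt.

```powershell
# Added example: create the read-only marker files named in post #4.
# Writing to the Windows directory requires administrator rights.
[CmdletBinding()]
param(
    # Hypothetical switch: also mark the files hidden, as the post suggests.
    [switch]$Hidden
)

$names = 'perfc', 'perfc.dat', 'perfc.dll'
# Locations from the post: the Windows directory, plus %ProgramData%
# for the reported (unconfirmed) variant.
$dirs  = $env:windir, $env:ProgramData

$results = foreach ($dir in $dirs) {
    foreach ($name in $names) {
        $path   = Join-Path -Path $dir -ChildPath $name
        $status = 'AlreadyPresent'
        try {
            if (-not (Test-Path -LiteralPath $path)) {
                # Create an empty file; never overwrite something already at this path.
                New-Item -Path $path -ItemType File -ErrorAction Stop | Out-Null
                $status = 'Created'
            }
            # -Force is needed to read the item back if it is already hidden.
            $item = Get-Item -LiteralPath $path -Force -ErrorAction Stop
            if ($item.PSIsContainer) { throw 'a directory already exists at this path' }
            $attrs = $item.Attributes -bor [System.IO.FileAttributes]::ReadOnly
            if ($Hidden) { $attrs = $attrs -bor [System.IO.FileAttributes]::Hidden }
            $item.Attributes = $attrs
        }
        catch {
            $status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Path = $path; Status = $status }
    }
}

$results | Format-Table -AutoSize
# Non-zero exit code lets a deployment tool flag machines where a file is missing.
if ($results.Status -like 'Failed*') { exit 1 }
```

Re-running the script is safe: existing files are left in place and only their attributes are re-applied.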