
This morning my clients came to me with a panicked cry: “Nikita, everything of ours is encrypted. How did this happen?” It was a large company with 1000+ machines, with the latest updates of licensed Windows, a customized firewall, restricted user rights and anti-phishing filters on the mail servers.
An hour later, representatives of another large company called: everything was encrypted there too, about 2000 machines. The attack began with large business structures, and an hour or two later I learned that Oschadbank, UkrPoshta, TASKOMERZBANK and OTP Bank were under attack (the full list is in UPD5).
What happened, and how the situation is developing, under the cut.
It is what all cyber security experts, myself included, have been saying day and night: Ukraine is not protected from cyber attacks. But that is not the point right now.
The Ukrainian cyber segment has been attacked again, this time by the Petya and Misha ransomware encryptors, which are encrypting the computers of large Ukrainian enterprises, including critical infrastructure such as Kyivenergo and Ukrenergo. I think that in fact there are thousands of times more victims, but officials, as usual, will stay silent about it until the lights go out.
At the moment the virus is spreading so fast that the State Fiscal Service has cut off all communication with the Internet, and in some important public institutions only closed government communications are working. According to my personal information, the relevant divisions of the SBU and the Cyberpolice have already been put on emergency footing and are dealing with the problem. I do not rule out that some sites and services may be disabled as a preventive measure against infection. The situation is developing dynamically and we will keep covering it. It is not only large companies that are encrypted, but also ATMs along with entire bank branches, television companies, and so on...
Now about the technical details
The first versions of Petya were discovered significantly earlier. However, today a new modification of Petya is rampant on the network. So far it is known that “New Petya” encrypts the MBR boot sector of the disk and replaces it with its own, which is a “novelty” in the world of ransomware; its companion #Misha (the name comes from the Internet) arrives a little later and encrypts all the files on the disk (not always). Petya and Misha are not new, but there has never been such global distribution before. Even fairly well protected companies have suffered. Everything is encrypted, including the original boot sectors, and all that is left is to read the extortionist's text after turning on the computer. This virus is spread using, presumably, the latest 0day vulnerabilities.
Attempts to write decryptors have already appeared on the Internet, but they only fit old versions of Petya, and even their effectiveness has not been confirmed.
The problem is also that to rewrite the MBR, Petya needs to restart the computer, which panicking users successfully do for it; I would call it “panic pressing of the off button”.
Of the current recommendations as of 17:00 on June 27, I would advise NOT to turn off the computer if the encryptor is found, but to switch it to ACPI S3 Sleep mode (suspend to RAM) (thanks to 4eyes for the clarification), and to disconnect it from the Internet under any circumstances.
Personal assumptions:
The virus was named “Petya” in honor of the President of Ukraine, Petro Poroshenko, and the most massive surge of infection is observed precisely in Ukraine, and precisely in the large and important enterprises of Ukraine.
Tools:
On the site we will create a section, Petya and Misha Decrypt, where we will post all the decryption tools we find but do not have time to check ourselves. We ask other experts and specialists in the field of information security to send information by private message for effective communication.
See also UPD №6 and UPD №7
UPD1: There is no decryptor yet; those posted on the Internet (here) are suitable only for older versions.
Attention: a decryptor does not exist at the moment!
UPD2: The website of the Ministry of Internal Affairs of Ukraine is down. The siloviki (security services) are going into emergency mode.
UPD3: Please do not take this as advertising: anyone who has suffered from the attack, send samples of encrypted files or the encryptor itself to info@protectmaster.org for development of the decryptor. We, in turn, are ready to share information on this case with any information security company.
UPD4: Large supermarkets in Kharkiv were also hit by the encryptor; the photo of the “ROST” supermarket shows a queue at the checkout caused by the encryptor. (Photo from social networks):
UPD5: List of sites and structures subjected to the cyber attack:
State structures: Cabinet of Ministers of Ukraine, Ministry of Internal Affairs, Ministry of Culture, Ministry of Finance, National Police (and regional sites), Cyber Police, KSCA, Lviv City Council, Ministry of Energy, National Bank
Banks: Oschadbank, Sberbank, TASKOMERZBANK, Ukrgasbank, Pivdenny, OTP Bank, Kredobank
Transport: Boryspil Airport, Kiev Metro, Ukrzaliznytsya
Media: Radio Era-FM, Football.ua, STB, Inter, First National, Channel 24, Radio Lux, Radio Maximum, KP in Ukraine, ATP Channel, Korrespondent.net
Large companies: Novaya Pochta, Kyivenergo, Naftogaz Ukrainy, DTEK, Dniproenergo, Kievvodokanal, Novus, Epicentr, ArcelorMittal, Ukrtelecom, Ukrposhta
Mobile operators: Lifecell, Kyivstar, Vodafone Ukraine
Medicine: Farmak, Boris Clinic, Feofania Hospital, Arterium Corporation
Gas stations: Shell, WOG, Klo, TNK
UPD6: To identify the file encryptor, finish all local tasks and check for the presence of the following file:
C:\Windows\perfc.dat
Depending on the version of the Windows OS, install the patch from the Microsoft resource (attention: this does not guarantee 100% security, since the virus has many infection vectors), namely:
- for Windows XP
- for Windows Vista 32 bit
- for Windows Vista 64 bit
- for Windows 7 32 bit
- for Windows 7 64 bit
- for Windows 8 32 bit
- for Windows 8 64 bit
- for Windows 10 32 bit
- for Windows 10 64 bit
Links to download the corresponding patches for other (less common and server) versions of Windows can be found here on the Microsoft website.
UPD7: It looks like the new subspecies Petya.A, which attacked Ukraine today, is a combination of the vulnerabilities CVE-2017-0199 and MS17-010 (ETERNALBLUE, used in WCry, from the ShadowBrokers leak).
You can download the latest patch from Microsoft, and one more.
UPD8: A bot has already appeared on the network that monitors ransom payments for decrypting files infected with Petya.
UPD9: According to information from the Facebook page of the Cyberpolice of Ukraine and a number of large information security companies, as well as Microsoft, one of the attack vectors against Ukrainian businesses was distribution of the virus through the M.E.Doc program (electronic reporting and document management software).
Most likely the M.E.Doc developers were also hacked, and this update was pushed out by the hackers.
UPD10: Positive Technologies specialists found a local “kill switch” for Petya: you can stop the encryptor by creating the file C:\Windows\perfc (perfc, a file without an extension).
There is also good news: if you see the computer restart and the “disk check” process start, you should immediately turn off the computer at that moment, and the files will remain unencrypted. Booting from a LiveCD or USB disk will then give access to the files.
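As an added example (not code from this post and not the Positive Technologies tool), the UPD6 indicator check and the UPD10 kill switch put together in one PowerShell script an administrator could run on a workstation. The only facts it takes from the post are the two paths, C:\Windows\perfc.dat as the encryptor's footprint and C:\Windows\perfc as the kill-switch file; making the kill-switch file read-only is my own assumption about how to keep it from being casually removed, not something the post states.

```powershell
# Added example: detect the perfc.dat indicator (UPD6) and create the
# perfc kill-switch file (UPD10). Not code from the original post.
#Requires -RunAsAdministrator

$windir     = $env:SystemRoot                   # normally C:\Windows
$indicator  = Join-Path $windir 'perfc.dat'     # path named in UPD6
$killSwitch = Join-Path $windir 'perfc'         # path named in UPD10

# 1. Detection: report the indicator file if it is present. Do not delete it;
#    it is evidence and the post asks for samples to be sent to researchers.
if (Test-Path -LiteralPath $indicator) {
    $item = Get-Item -LiteralPath $indicator
    Write-Warning ("Indicator found: {0} ({1} bytes, modified {2})" -f `
        $item.FullName, $item.Length, $item.LastWriteTime)
} else {
    Write-Host "No $indicator found."
}

# 2. Mitigation: create an empty kill-switch file. The read-only attribute is
#    an assumption of this example (a small hurdle against accidental removal).
if (-not (Test-Path -LiteralPath $killSwitch)) {
    New-Item -ItemType File -Path $killSwitch -Force | Out-Null
}
(Get-Item -LiteralPath $killSwitch).IsReadOnly = $true
Write-Host "Kill-switch file present and read-only: $killSwitch"
```

Run it once per machine as an administrator; for a fleet, the same body can be wrapped in Invoke-Command against a list of hosts. It complements, and does not replace, installing the MS17-010 patch mentioned in UPD7.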
UPD11: Microsoft has finally put all the details and analysis of the Petya virus on its website, together with recommendations and patches.