My colleagues and I got back from the canteen to find that all our laptops were showing a DOS type black screen, with a statement that no operating system could be found. Calls to other offices have concluded that this is a widespread, possibly global, problem. Someone is going to be in deep trouble here I think... X thousand employees now twiddling their thumbs.
At least we don't have to operate on anyone!
🙂
Waterstones.
Have you tried turning it off and then on again?
That's quite odd.
Assuming that this is not Grade A trolling, I'd really be looking to make sure that you say nothing further about this on a public forum and to let your SIRT team have a shot at finding out what has gone wrong.
...X thousand employees now twiddling their thumbs.
STW's ad revenue is going to plummet
Assuming that this is not Grade A trolling, I'd really be looking to make sure that you say nothing further about this on a public forum and to let your SIRT team have a shot at finding out what has gone wrong.
It seems to be widespread.... I'm getting multiple warnings at work not to connect to specific client networks
Stevextc, if you have details that you can share, IOCs, that sort of thing, I'd appreciate the intel. I think my mail is in my profile.
I don't know what kind of setup they run but it sounds more like some centralised network boot system e.g. pxe has failed.
*waits for PEBKAC comments*
meh
Stevextc, if you have details that you can share, IOCs, that sort of thing, I'd appreciate the intel. I think my mail is in my profile.
Not really ...(sorry) I'm just getting work emails saying not to connect to certain client sites until further notice....that is quite honestly the extent of information being shared with me.
I guess I can say they are not all UK based...
I don't know what kind of setup they run but it sounds more like some centralised network boot system e.g. pxe has failed.
I guess I can say that one I know for sure runs thin client.
Apart from the attack happening against Ukraine we have no current intel on a widespread attack happening at the moment... As retro83 says it sounds more like someone has messed up a PXE boot environment/SCCM deployment although it could be a known vector has just been exploited on your systems (sounds worm based if it has).
Ukraine being targeted [url=http://www.independent.co.uk/news/world/europe/ukraine-cyber-attack-hackers-national-bank-state-power-company-airport-rozenko-pavlo-cabinet-a7810471.html]apparently[/url]
Ah, the next move from comrade Putin.
One of your IT drones has cocked up spectacularly. Probably the SCCM admin by the looks of it.
Has Tom reappeared yet? Makes you think....
New Ransomware attack emerging in lots of places
Love the fact that the independent article refers to the screen showing a ransomware demand, but the photo is a chkdsk screen...
Maersk reporting they have been hit:
https://twitter.com/Maersk/status/879689865184636928
payte, using eternalblue and doublepulsar exploits, wanacry without the kill switch, samples are already on virus total
[i]Love the fact that the independent article refers to the screen showing a ransomware demand, but the photo is a chkdsk screen..[/i]
Rozenko Pavlo has been cyber attacked by a bad sector 😆
Does anyone know for definite what the attack vector is?
Love the fact that the independent article refers to the screen showing a ransomware demand, but the photo is a chkdsk screen..
I think the "chkdsk" is the cover for the encryption....
Does anyone know for definite what the attack vector is?
If they do they aren't saying.
Looks like it might be payte but spread using the Petrwrap malware. This can make use of the Eternal Blue SMB exploit - or just use PsExec to remote execute commands on domain joined machines that are accessible.
https://securelist.com/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/77762/
Sounds a bit like the PivotTable Takedown we had recently.
Comes from fiddling with Excel hidden macros without reading the code. But unlikely to be that unless you have been fiddling with Excel Pivot tables
If the virus is using Payte, and uses the DoublePulsar exploit it could in theory be hitting different machines with different payloads - Double Pulsar allows.
I can confirm that some machines show a generic disk problem error and others a demand for bitcoin payment. I also wonder if they attacked Win 10 and Win 7 machines differently depending on patch level, but can't confirm that (since sat at home).
Either way it's nasty for those affected.
Beeb just announced it as WPP, DLA Piper and Maersk and others plus some Russian and Ukrainian companies.
http://www.bbc.co.uk/news/technology-40416611
Well.
[i]Chornobyl nuclear power plant has switched to manual radiation monitoring of site b/c cyberattack, says Exclusion Zone agency press service.[/i]
• Extensions currently known as being affected are: .3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip
• We have confirmed with the samples that SMB is being used as a propagation method, and are aware of reports that RDP may also be used but have yet to confirm this
seems to be spreading quite fast now........
Love the fact that the independent article refers to the screen showing a ransomware demand, but the photo is a chkdsk screen...
Except it’s not. It’s cleverly disguised as a chkdsk screen...
The giveaway is in the caps. A legitimate screen shows ‘chkdsk’ and not ‘CHKDSK’.
Sod being a sysadmin these days. No matter how good you are, you’ll one day be the fall guy due to someone smarter than you. Despite how well you patch and firewall your systems.
Of course if there’s a team of you then that’s a different matter. You’ll still suffer from a targeted breach but at least you can all blame each other and hopefully save your sorry, unfortunate arse.
Oh bollocks. Not much makes me nervous these days but this stuff does. Time to go isolate backups for a bit
I think I'll call in sick tomorrow.
.3ds
is this attack from 1998 ?
As far as I can tell so far, the ransomware is a Petya variant, which is akin to contracting Polio, and the worm infection method is the same vulnerability as exploited by PerfectBlue (Wannacry). So if you patched for the latter you're safe from the former, user [s]stupidity[/s] education aside.
is this attack from 1998 ?
The last I heard is that payload pretty much is. It manipulates the MBR and MFT, which makes it actually more dangerous on modern UEFI systems and it just hoses them rather than encrypts them. However,
• We have confirmed with the samples that SMB is being used as a propagation method, and are aware of reports that RDP may also be used but have yet to confirm this
SMB aside, this entire post is contradictory to what I understood (which doesn't mean it's wrong, I may have out-of-date info - I'm a few hours behind and playing catchup). Have you got a source for it please?
One of my colleagues is enjoying some free time off from his client as their office is shut down.
Time to go isolate backups for a bit
Yes indeed. Following the WannaCry events, I've modified the batch file that saves my backup to USB; it now disables the drive using devcon when the backup is complete, and re-enables it each time it runs. In the meantime the drive is invisible and unwritable.
Greybeard, I'd be interested in some more details on your batch file if you don't mind?
This guy is getting somewhere understanding this thing - https://twitter.com/0x09AL
It's all getting a bit Dr. Who isn't it?
I've read all of this and have no idea what's going on. Can somebody please explain in idiot speak?
Greybeard, I'd be interested in some more details on your batch file if you don't mind?
I'm on Windows 10. The batch file runs from Task Scheduler, as a user with Admin rights. You can't use devcon as a limited user, but you can cache admin credentials in Task Scheduler. Key bits of the batch file (f: is the backup drive and my data is on e:)
:: bring the USB backup drive back online for the duration of the job
devcon enable "SanDisk_Cruzer_Slice____1"
:: /e copies subfolders (including empty ones), /y suppresses overwrite prompts,
:: /m copies only files with the archive bit set and then clears it,
:: /i treats the destination as a directory so an unattended run never stalls on a prompt
xcopy e:\foo\bar f:\foo\bar /e /y /m /i
:: add as many xcopy lines as necessary
:: wait for the copy activity to settle before disconnecting the drive
timeout /T 120 /nobreak
:: record the run, then the result of the disable, in the log
echo %date% %time%>>c:\logs\backuplog.txt
devcon disable "SanDisk_Cruzer_Slice____1">>c:\logs\backuplog.txt
You need the timeout, to allow the backup activity to clear fully before trying to disconnect the drive, otherwise you get a message that a reboot is needed before it can be disabled. To give me confidence that it's working, I append the date, time, and output from devcon disable to a log file.
Hope that's useful; I'm an enthusiastic amateur and have put it together myself, so I'd welcome any observations from professionals. While I can hack batch files, I can't write proper code, so there may be more elegant solutions.
It's all getting a bit Dr. Who isn't it?
😆
While I can hack batch files, I can't write proper code
Ditto. But look into robocopy (for all practical purposes it's xcopy's successor).
Took me quite a while to get it to create a directory name with the date and time in it like project-2017-06-27-22-03 and so on.
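As an added example (not Greybeard's script, nor anything from the thread), here is the same enable / copy / wait / log / disable cycle in PowerShell, using robocopy and a dated destination folder of the project-2017-06-27-22-03 kind mentioned above. The device ID and paths are placeholders, and it assumes devcon.exe is on the PATH of an elevated scheduled task.

```powershell
# Added example: isolate a USB backup drive except while the backup runs.
# Assumptions: devcon.exe on PATH, run elevated; IDs and paths are placeholders.
$DeviceId = 'SanDisk_Cruzer_Slice____1'   # placeholder: devcon hardware/instance ID
$Source   = 'E:\foo\bar'                  # placeholder: data to back up
$Root     = 'F:\backups'                  # placeholder: root folder on the removable drive
$Log      = 'C:\logs\backuplog.txt'
$Stamp    = Get-Date -Format 'yyyy-MM-dd-HH-mm'   # gives e.g. project-2017-06-27-22-03
$Dest     = Join-Path $Root "project-$Stamp"

function Write-Log([string]$Message) {
    Add-Content -Path $Log -Value ("{0:u} {1}" -f (Get-Date), $Message)
}

# Bring the drive online only for the duration of the job.
Write-Log "enable: $(& devcon enable $DeviceId)"
Start-Sleep -Seconds 10                   # give the volume time to mount
if (-not (Test-Path $Root)) {
    Write-Log "backup root $Root not found; leaving device disabled"
    & devcon disable $DeviceId | Out-Null
    exit 1
}

# /E keeps subfolders, /R:2 /W:5 limit retries on locked files,
# /NFL /NDL keep the log short, /LOG+: appends robocopy's own summary.
& robocopy $Source $Dest /E /R:2 /W:5 /NFL /NDL /LOG+:$Log
$rc = $LASTEXITCODE
# robocopy exit codes below 8 mean success (0 = nothing to copy, 1 = files copied).
if ($rc -ge 8) { Write-Log "robocopy FAILED with exit code $rc" }
else           { Write-Log "robocopy ok (exit code $rc) -> $Dest" }

# Let write caching flush before taking the drive away from Windows,
# otherwise devcon reports that a reboot is needed before it can be disabled.
Start-Sleep -Seconds 120
$out = & devcon disable $DeviceId 2>&1
Write-Log "disable: $out"
# Confirm the drive really is gone: an "isolated" backup is no use if it is still mounted.
if (Test-Path $Root) { Write-Log "WARNING: $Root still reachable after disable" }
```

Each run lands in its own dated folder, so an encrypted copy from a later run cannot overwrite an earlier good one, and the final Test-Path check catches the case where the disable silently failed.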
SMB aside, this entire post is contradictory to what I understood (which doesn't mean it's wrong, I may have out-of-date info - I'm a few hours behind and playing catchup). Have you got a source for it please?
Looks to be from the McAfee notification emails, they're tracking it at https://kc.mcafee.com/corporate/index?page=content&id=KB89540