WannaCry was the first major attack built on EternalBlue, an NSA exploit that was made available to the world when the Shadow Brokers published it in April 2017. Last night, another ransomware attack was launched, and this one doesn’t stop at encrypting files – it goes after the disk itself, overwriting the Master Boot Record and encrypting the Master File Table so the machine can no longer boot.
This new ransomware, dubbed Petya or GoldenEye (and, because it only borrows code from the 2016 Petya, also tracked as NotPetya and ExPetr), attacks – you guessed it – unpatched computers.
Symantec, BitDefender, Sophos and others have released information on the attack and some mitigation strategies.
The EternalBlue exploit (together with its sibling EternalRomance) is used to spread the ransomware over SMB from unpatched machine to unpatched machine. It does not stop there: on each infected host it also harvests credentials from memory and reuses them with PsExec and WMIC to reach machines that are fully patched, so patching alone does not contain it once it is inside a network.
And just to make this one even nastier, the email address victims are told to contact after paying has been shut down by the provider, so if you’re hit there’s no way to reach the bad guys and obtain a decryption key. Those who have paid have lost their money – about US$300 in bitcoin.
Petya/GoldenEye has hit computers all over the world, with Eastern Europe hit the hardest. For example, a supermarket in Ukraine has had all of its payment terminals locked up.
By the way, Twitter user @hackerdave says the attack can be blocked on an individual machine by changing the file attributes of C:\Windows\perfc.dat to read-only so the malware cannot write to or execute from it. Treat this as a per-host kill switch, not a substitute for patching.
Every piece of security advice dispensed over the last decade has emphasised the importance of patching systems and not using unsupported software.
The Minister Assisting the Prime Minister on Cyber Security, Dan Tehan, put out a statement today encouraging businesses to ensure their security plans are up to date.
“All businesses should immediately update their Windows operating system with the latest security patches and there are instructions on the ACSC website to do this.”
If you must keep unpatched or unpatchable systems running, isolate them in a segregated network segment and either block or tightly limit that segment’s connectivity: at a minimum, refuse SMB (TCP 445 and 139) from anything that does not need it.
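Putting the kill switch from the tweet above and the patch-and-isolate advice into one script, as an added example that is not from the original post or any vendor advisory: the function names and the firewall rule name are my own, the KB list is the original March 2017 MS17-010 release set (later cumulative updates supersede it, so treat a miss as a prompt to check, not as proof of exposure), and it assumes a Windows 8.1 / Server 2012 R2 or later host run from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (not the post's or any vendor's code). Assumes Windows 8.1 /
# Server 2012 R2 or later for the Smb* and NetFirewall cmdlets.

# Original MS17-010 KBs (March 2017). Assumption: this is what "patched" means
# here; on Windows 10 a later cumulative update supersedes these, so a miss is
# a reason to check Windows Update, not proof of exposure.
$Ms17010Kbs = @(
    'KB4012598',                            # XP / 2003 / Vista / 2008
    'KB4012212', 'KB4012215',               # Windows 7 / 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    # Returns $true if any of the original MS17-010 KBs is present.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    [bool]($Ms17010Kbs | Where-Object { $installed -contains $_ })
}

function Test-Smb1Enabled {
    # SMBv1 is the protocol EternalBlue speaks; it should be off everywhere.
    (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Disable-Smb1 {
    # Turn the server side off immediately and remove the optional feature
    # so it stays off after reboot (on Server editions use Remove-WindowsFeature FS-SMB1).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Block-InboundSmb {
    # Isolation for a host that must stay unpatched: refuse SMB/NetBIOS from the network.
    # Rule name is an assumption; make it idempotent so re-runs don't stack rules.
    $name = 'Block inbound SMB (MS17-010 mitigation)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 139, 445 -Action Block -Profile Any | Out-Null
    }
}

function Set-PerfcVaccine {
    # The per-host kill switch: the malware looks for a file named after itself
    # (perfc) in %WINDIR% and exits if it finds one. The .dat/.dll names cover
    # the variants circulating in advice at the time; read-only stops it being
    # overwritten with a real payload.
    foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
        $path = Join-Path $env:windir $name
        if (-not (Test-Path $path)) { New-Item -Path $path -ItemType File | Out-Null }
        (Get-Item $path).IsReadOnly = $true
    }
}

# --- Triage flow -------------------------------------------------------------
if (Test-Ms17010Installed) {
    Write-Host 'MS17-010: an original KB is installed.'
} else {
    Write-Warning 'MS17-010: no original KB found. Confirm via Windows Update; isolating SMB.'
    Block-InboundSmb
}

if (Test-Smb1Enabled) {
    Write-Warning 'SMBv1 is enabled; disabling.'
    Disable-Smb1
}

Set-PerfcVaccine
Write-Host 'perfc kill-switch files set read-only in' $env:windir
```

The order matters: the firewall rule and SMBv1 removal close the EternalBlue path, while the perfc files only stop this particular sample from running. Neither addresses the credential-reuse spread over PsExec and WMIC described above, which is an argument for not leaving domain-admin sessions logged on to workstations.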
Comments
3 responses to “NSA’s EternalBlue Is The Gift That Keeps On Giving”
404, 404, 404…
Yeah, I’m getting that too.
Here’s Kaspersky’s writeup over at Securelist.
https://securelist.com/schroedingers-petya/78870/
Apologies. I’m testing iOS 11 and it insisted on changing the quote marks to smart quotes in the HTML links – no matter what I did. Fixed now.