Yesterday, June 27, 2017, Ukraine suffered the biggest cyber attack in the history of the state. The encrypting virus called “Petya.A” attacked computers of enterprises of national importance.

Here is the list:
State structures: the Cabinet of Ministers of Ukraine, the Ministry of Internal Affairs, the Ministry of Culture, the Ministry of Finance, the National Council (and regional sites), the Cyberpolice, the KCSA, the Lviv City Council, the Ministry of Energy, the National Bank.
Banks: Oschadbank, Sberbank, TASKomertzbank, Ukrgasbank, Pivdenny, OTP Bank, Kredobank.
Transport: Boryspil Airport, Kiev Metro, Ukrzaliznytsia.
Media: Radio Era-FM, STB, Inter, First National, TV Channel 24, Radio Lux, Maximum Radio, CP in Ukraine, ATP Channel.
Large companies: Novaya Pochta, Kyivenergo, Naftogaz of Ukraine, DTEK, Dniproenergo, Kievvodokanal, Novus, Epicenter, Arcelor Mittal, Ukrtelecom, Ukrposhta.
Mobile operators: Lifecell, Kyivstar, Vodafone Ukraine.
Medicine: “Farmak”, clinic Boris, hospital Feofaniya, corporation Arterium.
Gas stations: Shell, WOG, Klo, TNK.

Also, many companies were forced to disconnect from the Internet, fearing the risk of being attacked.

Nikita Knish, head of ProtectMaster and organizer of the international cybersecurity forum HackIT, speaks about how it happened, what the virus is, how to protect against it, and who could have organized such an attack.

It is known that the Petya virus encrypts the MBR boot sector of the disk and replaces it with its own. This is the “novelty” in the world of ransomware; later comes its friend #Misha (a name from the Internet), which encrypts all the files on the disk (not always). Petya and Misha are familiar to us, but they have never had such a global spread. Well-protected companies suffered. Everything is encrypted, including the (original) boot sector, and after turning on the computer you can only read the hacker's text.

There are three ways the virus spreads: 1. A spam campaign with malicious attachments; 2. Distribution through weak points: open ports with vulnerable protocols; 3. Downloading the virus through updates of accounting software popular in Ukraine. The software itself downloaded the spoofed updates.

A decryptor that can decrypt files already exists on the network. It is spread by uneducated “experts”, without attention to the fact that this decryptor can decrypt only old files. With the 2017 sample of “Petya”, this does not work.

How to stop the virus? Local “kill switch” for Petya: you can stop the encryptor by creating the file “C:\Windows\perfc” (perfc is a file without an extension). It is also important that if you see the “disk check” process, you should immediately turn off the computer at that moment, and the files will be protected. Booting from a LiveCD or a USB drive will give access to the files.
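As an added example (not part of the article or of Nikita Knish's remarks), the PowerShell below creates the kill-switch file named above and marks it read-only, and provides an audit-only check that a fleet tool can run on many hosts. The function names and the read-only step are my additions; it assumes an elevated (administrator) shell.

```powershell
# Added example (not from the article): create the local "kill switch" file
# described above, C:\Windows\perfc, and make it read-only so that it is not
# casually removed or overwritten. Requires an elevated (administrator) shell.
function Set-PerfcKillSwitch {
    [CmdletBinding()]
    param(
        # Path named in the article; parameterised so it can be pointed at a test directory.
        [string]$Path = (Join-Path $env:SystemRoot 'perfc')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        # Create an empty file with no extension; New-Item fails loudly if we lack rights.
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }

    # Set the ReadOnly attribute on the (new or pre-existing) file.
    $item = Get-Item -LiteralPath $Path
    $item.Attributes = $item.Attributes -bor [System.IO.FileAttributes]::ReadOnly

    # Re-read and return a verification object that can be logged or compared centrally.
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path     = $item.FullName
        Exists   = $true
        ReadOnly = [bool]($item.Attributes -band [System.IO.FileAttributes]::ReadOnly)
        Length   = $item.Length
    }
}

# Audit-only helper: reports whether the file is present and read-only without changing anything.
function Test-PerfcKillSwitch {
    param([string]$Path = (Join-Path $env:SystemRoot 'perfc'))
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    return [bool]((Get-Item -LiteralPath $Path).Attributes -band [System.IO.FileAttributes]::ReadOnly)
}

Set-PerfcKillSwitch | Format-List
```

Run Test-PerfcKillSwitch on its own (for example through a remoting session) when you only want to inventory which machines already have the file.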

It is also necessary to install the patch from Microsoft (attention: this does not guarantee 100% security, the virus has many infection vectors!). A list of patches.

It’s hard to give any comments about the author of the virus, the customer and the executor of the cyber attack. This can be said only after detailed research and analysis of the code and of the infection vectors. And if someone says “this is mine,” it will not mean that it is so. Many will claim such an effective attack, but only those who have the full source code of the virus in its original form will be able to confirm their participation.

Otherwise, the chance of proving the source of the attacks with 100% certainty will be the same as finding out who attacked the servers of the US Democratic Party. Everything will be phrased as “With a certain degree of probability, it can be argued that…”. Well, and the most important question. Will cyber attacks continue to affect Ukrainian enterprises? Yes, they will. And after the success of this attack, maybe even more often, so all companies need to work on IT security, especially strategic objects and state institutions. The last question we asked Nikita made me think seriously: – Are we so weak, or are they so strong?

– In cyberspace there is no “we” and “they”; hackers are outside politics. But THEY have government hackers. We do not.

Victor Sokurenko
