‘Petya’ CIA-Sponsored Virus and Ransomware (with 1EarthUnited)

Jul 1

Posted by

LADA’S OVERVIEW

The author of the article below contends that the ‘Petya virus is a state-sponsored attack on Ukraine.’ However, a number of European countries have been affected too. What’s more, some large Russian companies were affected as well.

I think you’ll orient yourself better in what the latest Petya virus and its counterpart NotPetya mean if I explain what’s in the name. “Petya” is diminutive for Piotr, or Petro, if you wanted to say it with a Ukrainian accent — as in Petro Poroshenko. Someone with a wicked sense of humor named this new malicious, ransom-demanding wiper malware after the Ukrainian president. In the end, even when victims do pay up, the computer still fails to reboot, making it a total loss. Knowing Poroshenko, very close to the truth, I’d say.

A new joke in Russia is that the virus’s name is Petya, while the anti-virus is called Vladimir Vladimirovich (Putin’s name). 

In conclusion, my personal opinion is that there is much more going on here than meets the eye. It is a promo for a specific new 4th Dimension MEGA-project by the global elites, bankers and related organizations.

What is it? I’ll discuss what I mean and make some bold predictions in the upcoming

EARTH SHIFT WEBINAR 3: THE FUTURE OF MONEY!

If you haven’t yet,

Buy complete THREE WEBINAR SERIES — and SAVE!
Buy EARTH SHIFT WEBINAR 2 INVERTED COLLAPSE!
Buy EARTH SHIFT WEBINAR 3 THE FUTURE OF MONEY!
Buy EARTH SHIFT WEBINAR 4 LADA RAY PERIOD 8 PREDICTIONS!
GO TO ALL WEBINARS @ LadaRay.com!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You can brush up on technical details of what the hoo-ha is all about below. Thanks to 1EarthUnited for the material!

Hacker News: Petya Ransomware “Wiper malware” is a state-sponsored attack on Ukraine?

petya-ransomware-wiper-malware

What if I say the Tuesday’s devastating global malware outbreak was not due to any ransomware infection?

Yes, the Petya ransomware attacks that began infecting computers in several countries, including Russia, Ukraine, France, India and the United States on Tuesday and demands $300 ransom was not designed with the intention of restoring the computers at all.

According to a new analysis, the virus was designed to look like ransomware but was wiper malware that wipes computers outright, destroying all records from the targeted systems.

Comae Technologies Founder Matt Suiche, who closely looked the operation of the malware, said after analyzing the virus, known as Petya, his team found that it was a “Wiper malware,” not ransomware.

Security experts even believe the real attack has been disguised to divert world’s attention from a state-sponsored attack on Ukraine to a malware outbreak.

“We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state attacker,” Suiche writes.

Is Petya Ransomware Faulty or Over-Smart?

Petya is a nasty piece of malware that, unlike other traditional ransomware, does not encrypt files on a targeted system one by one.

Instead, Petya reboots victims computers and encrypts the hard drive’s master file table (MFT) and renders the master boot record (MBR) inoperable, restricting access to the full system by seizing information about file names, sizes, and location on the physical disk.

Then Petya ransomware takes an encrypted copy of MBR and replaces it with its own malicious code that displays a ransom note, leaving computers unable to boot.

petya-ransomware-attack

However, this new variant of Petya does not keep a copy of replaced MBR, mistakenly or purposely, leaving infected computers unbootable even if victims get the decryption keys.

Also, after infecting one machine, the Petya ransomware scans the local network and quickly infects all other machines (even fully-patched) on the same network, using EternalBlue SMB exploit, WMIC and PSEXEC tools.

Don’t Pay Ransom; You Wouldn’t Get Your Files Back

So far, nearly 45 victims have already paid total $10,500 in Bitcoins in hope to get their locked files back, but unfortunately, they would not.

Meaning, even if victims do pay the ransom, they will never recover their files. Kaspersky researchers also said same.

“Our analysis indicates there is little hope for victims to recover their data. We have analyzed the high-level code of the encryption routine, and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks,” the security firm said.

“To decrypt a victim’s disk threat actors need the installation ID. In previous versions of ‘similar’ ransomware like Petya/Mischa/GoldenEye this installation ID contained the information necessary for key recovery.”

If claims made by the researcher is correct that the new variant of Petya is a destructive malware designed to shut down and disrupt services around the world, the malware has successfully done its job.

However, it is still speculation, but the virus primarily and massively targeted multiple entities in Ukraine, including the country’s local metro, Kiev’s Boryspil airport, electricity supplier, the central bank, and the state telecom.

Other countries infected by the Petya virus included Russia, France, Spain, India, China, the United States, Brazil, Chile, Argentina, Turkey and South Korea.

How Did Petya get into the Computers in the First Place?

According to research conducted by Talos Intelligence, little-known Ukrainian firm MeDoc is likely the primary source of the yesterday’s global ransomware outbreak.

Researchers said the virus has possibly been spread through a malicious software update to a Ukrainian tax accounting system called MeDoc, though MeDoc has denied the allegations in a lengthy Facebook post.

“At the time of updating the program, the system could not be infected with the virus directly from the update file,” translated version of MeDoc post reads. “We can argue that users of the MEDoc system can not infect their PC with viruses at the time of updating the program.”

However, several security researchers and even Microsoft agreed with Talo’s finding, saying MeDoc was breached and the virus was spread via updates.

 

Hacker News: Original Author of Petya Ransomware is Back & He Wants to Help NotPetya Victims

petya-ransomware-decryption-key

The author of original Petya ransomware is back.

After a long 6 months of silence, the author of now infamous Petya ransomware appeared on Twitter today to help victims unlock their files encrypted by a new version of Petya, also known as NotPetya.

“We’re back having a look in NotPetya,” tweeted Janus, a name Petya creator previously chose for himself from a James Bond villain. “Maybe it’s crackable with our privkey. Please upload the first 1MB of an infected device, that would help.”

This statement made by Petya author suggests he may have held on a master decryption key, which if worked for the new variant of Petya infected files, victims would be able to decrypt their files locked in the recent cyber outcry.

Janus sold Petya as a Ransomware-as-a-Service (RaaS) to other hackers in March 2016, and like any regular ransomware, original Petya was designed to lock victim’s computer, then return them when a ransom is paid.This means anyone could launch the Petya ransomware attack with just the click of a button, encrypt anyone’s system and demand a ransom to unlock it. If the victim pays, Janus gets a cut of the payment. But in December, he went silent.

However, On Tuesday, computer systems of the nation’s critical infrastructure and corporates in Ukraine and 64 other countries were struck by a global cyber attack, which was similar to the WannaCry outbreakthat crippled tens of thousands of systems worldwide.

Initially, a new variant of Petya ransomware, NotPetya, was blamed for infecting systems worldwide, but later, the NotPetya story took an interesting turn.

Yesterday, it researchers found that NotPetya is not a ransomware, rather it’s a wiper malware that wipes systems outright, destroying all records from the targeted systems.

NotPetya also uses NSA’s leaked Windows hacking exploit EternalBlue and EternalRomance to rapidly spread within the network, and WMIC and PSEXEC tools to remotely execute malware on the machines.

Experts even believe the real attack has been disguised to divert world’s attention from a state-sponsored attack to a malware outbreak.The source code to Petya has never been leaked, but some researchers are still trying hard to reverse engineer to find possible solutions.

 

Tuesday’s cyber outbreak is believed to be bigger than WannaCry, causing disaster to many critical infrastructures, including bricking computers at a Ukrainian power company, several banks in Ukraine, and the country’s Kyiv Boryspil International Airport.

The NotPetya also canceled surgeries at two Pittsburgh-area hospitals, hit computers at the pharmaceutical company Merck and the law firm DLA Piper, as well as infected computers at the Dutch shipping company A.P. Moller-Maersk forced to shut down some container terminals in seaports from Los Angeles to Mumbai.

Technical Writer, Security Blogger and IT Analyst. She is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.

SOURCE: 1EARTHUNITED BLOG

 

About Lada Ray

Lada Ray is the creator of the EARTH SHIFT AND GREAT REBALANCING TEACHING, AS WELL AS QUANTUM CALIBRATIONS & MULTIDIMENSIONAL TEACHINGS! Author of several books, multiple Webinars, Quantum Reports, and more! ** Lada has extensively written and spoken on global events, world cultures, geopolitics, empire collapse, feng shui and higher consciousness. She is world-renowned for her accurate predictions, which are currently materializing one by one! ** The world is going through a massive tectonic shift of consciousness on all levels and in all aspects of life. Make sure you are prepared! Subscribe to Lada's blogs, SM and Patreon, to stay ahead of the curve and to learn the REAL DEAL! ** Main sites: LadaRay.com - ALL WORK, BOOKS, FREEBIES, BUY WEBINARS & REPORTS! ** LRP: Join long-term monthly subscription: Patreon.com/LadaRay - regular reports and articles, advanced intel, analysis, predictions ** Twitter @Ladatweets ** Blogs: FuturisTrendcast.wordpress.com - geopolitics and predictions - huge archives LadaRay/wordpress.com - books, writing, world cultures - big archives ** YouTube: Lada Ray Channel

Posted on July 1, 2017, in Ask Lada, Russia, Ukraine, USA/EU/West and tagged , , , , , , , , , , , , , , , , , , . Bookmark the permalink. 8 Comments.

  1. Casey | July 1, 2017 at 1:28 pm

    Lada:

    I’m surprised you indicate that these attacks might be part of a 4D effort by the NWO cabal. I thought they were strictly low-vibration, lower 3D. Interested to hear more. Why did Putin meet with the Ethereum creator not long ago? Does that have some bearing on these state-sponsored attacks?

    Like

    • Lada Ray | July 1, 2017 at 4:41 pm

      As I said, I’ll reveal all that in ESW3 The Future of Money, incl Bitcoin and Ethereum.

      Like

    • Nemo1024 | July 2, 2017 at 3:34 pm

      Well done noting the news of Putin’s meeting with the developer behind Ethereum. Many would have seen it as an inconsequential sideline event, but it appears that Russia is starting to seriously look into the digital currency, with support voiced even by German Gref.

      One thing that is worth mentioning about Ethereum: it is much more than just another digital currency. True, Ether is a payment method for the operations conducted on the Ethereum network, but the network protocol itself is an innovative blockchain-based system that allows for development of decentralised, provably fair (ones that cannot be tempered with) applications. This opens up for a whole new dimension of direct democracy – for example referendums or, ultimately – presidential elections, run on the Ethereum network, fully cryptographically protected against any manipulations, fraud and tempering!

      Like

      • Lada Ray | July 2, 2017 at 5:01 pm

        Nemo, I know you are a big supporter of crypto-currencies, and that’s great, but let’s not get carried away.
        I’ll talk about how I see the full picture in The Future of Money, incl why Putin met Vitalik.
        Incidentally, the fact that German Gref supports something is more of an indictment in Russia, than a compliment, didn’t you know? Gref is considered a direct agent of the global banksters.
        More during webinar. If you have any questions on this, I can answer them during the webinar too.

        Like

        • Nemo1024 | July 3, 2017 at 12:36 pm

          You are right, Lada. I can get a bit carried away when it comes to innovative technologies. 🙂

          I do, indeed, know about Gref and his connection to the Bank of Russia, with all that it in turn implies (I am sure you are going to touch upon it in the Webinar), so a few warning bells did ring while I was typing that yesterday. However, seeing that Bank of Russia was initially opposed to Bitcoin, almost criminalising its use, while they are at least considering it now, I thought that this act was a kind of concession on the globalist part.

          Like

  2. Nemo1024 | July 2, 2017 at 7:21 am

    As usual, the best defence is being prepared. Viruses infecting MBR are as old as DOS system… The best defence is to either have a backup of MBR or, better still, to have off-line backups of both your data and system. I could recommend the German O&O DiskImage which I’ve been using for years – take an image of your entire system partition/disk and keep it on an off-line disk. Add new back-ups as time passes. If you get infected, simply, restore to an older backup, booting from a recovery DVD or a memory stick.

    Liked by 1 person

  3. Nemo1024 | July 2, 2017 at 3:26 pm

    Heads up: There may be a pending chemical false flag in Syria that US will use as a pretext for more strikes or an outright invasion. I want to reference the following article at Russia Insider:

    http://russia-insider.com/en/politics/us-military-put-alert-washington-waiting-excuse-attack-syria-russian-senator/ri20238

    Russia Insider is crowd-funded cooperative of investigative journalists and analysts from many parts of the world, who did not want to play the MSM game. I know that on at least one occasion RT referenced their report in their article. I’ve been following their publications for over a year now, occasionally supporting them with donations, and can vouch for the quality of their reporting (though an occasional article can a be a tad tongue-in-cheek sarcastic).

    Like