Blog Archives

‘Petya’ CIA-Sponsored Virus and Ransomware (with 1EarthUnited)

LADA’S OVERVIEW

The author of the article below contends that the ‘Petya virus is a state-sponsored attack on Ukraine.’ However, a number of European countries have been affected too. What’s more, some large Russian companies were affected as well.

I think you’ll orient yourself better in what the latest Petya virus and its counterpart NotPetya mean if I explain what’s in the name. “Petya” is diminutive for Piotr, or Petro, if you wanted to say it with a Ukrainian accent — as in Petro Poroshenko. Someone with a wicked sense of humor named this new malicious, ransom-demanding wiper malware after the Ukrainian president. In the end, even when victims do pay up, the computer still fails to reboot, making it a total loss. Knowing Poroshenko, very close to the truth, I’d say.

A new joke in Russia is that the virus’s name is Petya, while the anti-virus is called Vladimir Vladimirovich (Putin’s name). 

In conclusion, my personal opinion is that there is much more going on here than meets the eye. It is a promo for a specific new 4th Dimension MEGA-project by the global elites, bankers and related organizations.

What is it? I’ll discuss what I mean and make some bold predictions in the upcoming

EARTH SHIFT WEBINAR 3: THE FUTURE OF MONEY!

If you haven’t yet,

Buy complete THREE WEBINAR SERIES — and SAVE!
Buy EARTH SHIFT WEBINAR 2 INVERTED COLLAPSE!
Buy EARTH SHIFT WEBINAR 3 THE FUTURE OF MONEY!
Buy EARTH SHIFT WEBINAR 4 LADA RAY PERIOD 8 PREDICTIONS!
GO TO ALL WEBINARS @ LadaRay.com!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You can brush up on technical details of what the hoo-ha is all about below. Thanks to 1EarthUnited for the material!

Hacker News: Petya Ransomware “Wiper malware” is a state-sponsored attack on Ukraine?

petya-ransomware-wiper-malware

What if I say the Tuesday’s devastating global malware outbreak was not due to any ransomware infection?

Yes, the Petya ransomware attacks that began infecting computers in several countries, including Russia, Ukraine, France, India and the United States on Tuesday and demands $300 ransom was not designed with the intention of restoring the computers at all.

According to a new analysis, the virus was designed to look like ransomware but was wiper malware that wipes computers outright, destroying all records from the targeted systems.

Comae Technologies Founder Matt Suiche, who closely looked the operation of the malware, said after analyzing the virus, known as Petya, his team found that it was a “Wiper malware,” not ransomware.

Security experts even believe the real attack has been disguised to divert world’s attention from a state-sponsored attack on Ukraine to a malware outbreak.

“We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state attacker,” Suiche writes.

Is Petya Ransomware Faulty or Over-Smart?

Petya is a nasty piece of malware that, unlike other traditional ransomware, does not encrypt files on a targeted system one by one.

Instead, Petya reboots victims computers and encrypts the hard drive’s master file table (MFT) and renders the master boot record (MBR) inoperable, restricting access to the full system by seizing information about file names, sizes, and location on the physical disk.

Then Petya ransomware takes an encrypted copy of MBR and replaces it with its own malicious code that displays a ransom note, leaving computers unable to boot.

petya-ransomware-attack

However, this new variant of Petya does not keep a copy of replaced MBR, mistakenly or purposely, leaving infected computers unbootable even if victims get the decryption keys.

Also, after infecting one machine, the Petya ransomware scans the local network and quickly infects all other machines (even fully-patched) on the same network, using EternalBlue SMB exploit, WMIC and PSEXEC tools.

Don’t Pay Ransom; You Wouldn’t Get Your Files Back

So far, nearly 45 victims have already paid total $10,500 in Bitcoins in hope to get their locked files back, but unfortunately, they would not.

Meaning, even if victims do pay the ransom, they will never recover their files. Kaspersky researchers also said same.

“Our analysis indicates there is little hope for victims to recover their data. We have analyzed the high-level code of the encryption routine, and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks,” the security firm said.

“To decrypt a victim’s disk threat actors need the installation ID. In previous versions of ‘similar’ ransomware like Petya/Mischa/GoldenEye this installation ID contained the information necessary for key recovery.”

If claims made by the researcher is correct that the new variant of Petya is a destructive malware designed to shut down and disrupt services around the world, the malware has successfully done its job.

However, it is still speculation, but the virus primarily and massively targeted multiple entities in Ukraine, including the country’s local metro, Kiev’s Boryspil airport, electricity supplier, the central bank, and the state telecom.

Other countries infected by the Petya virus included Russia, France, Spain, India, China, the United States, Brazil, Chile, Argentina, Turkey and South Korea.

How Did Petya get into the Computers in the First Place?

According to research conducted by Talos Intelligence, little-known Ukrainian firm MeDoc is likely the primary source of the yesterday’s global ransomware outbreak.

Researchers said the virus has possibly been spread through a malicious software update to a Ukrainian tax accounting system called MeDoc, though MeDoc has denied the allegations in a lengthy Facebook post.

“At the time of updating the program, the system could not be infected with the virus directly from the update file,” translated version of MeDoc post reads. “We can argue that users of the MEDoc system can not infect their PC with viruses at the time of updating the program.”

However, several security researchers and even Microsoft agreed with Talo’s finding, saying MeDoc was breached and the virus was spread via updates.

 

Hacker News: Original Author of Petya Ransomware is Back & He Wants to Help NotPetya Victims

petya-ransomware-decryption-key

The author of original Petya ransomware is back.

After a long 6 months of silence, the author of now infamous Petya ransomware appeared on Twitter today to help victims unlock their files encrypted by a new version of Petya, also known as NotPetya.

“We’re back having a look in NotPetya,” tweeted Janus, a name Petya creator previously chose for himself from a James Bond villain. “Maybe it’s crackable with our privkey. Please upload the first 1MB of an infected device, that would help.”

This statement made by Petya author suggests he may have held on a master decryption key, which if worked for the new variant of Petya infected files, victims would be able to decrypt their files locked in the recent cyber outcry.

Janus sold Petya as a Ransomware-as-a-Service (RaaS) to other hackers in March 2016, and like any regular ransomware, original Petya was designed to lock victim’s computer, then return them when a ransom is paid.This means anyone could launch the Petya ransomware attack with just the click of a button, encrypt anyone’s system and demand a ransom to unlock it. If the victim pays, Janus gets a cut of the payment. But in December, he went silent.

However, On Tuesday, computer systems of the nation’s critical infrastructure and corporates in Ukraine and 64 other countries were struck by a global cyber attack, which was similar to the WannaCry outbreakthat crippled tens of thousands of systems worldwide.

Initially, a new variant of Petya ransomware, NotPetya, was blamed for infecting systems worldwide, but later, the NotPetya story took an interesting turn.

Yesterday, it researchers found that NotPetya is not a ransomware, rather it’s a wiper malware that wipes systems outright, destroying all records from the targeted systems.

NotPetya also uses NSA’s leaked Windows hacking exploit EternalBlue and EternalRomance to rapidly spread within the network, and WMIC and PSEXEC tools to remotely execute malware on the machines.

Experts even believe the real attack has been disguised to divert world’s attention from a state-sponsored attack to a malware outbreak.The source code to Petya has never been leaked, but some researchers are still trying hard to reverse engineer to find possible solutions.

 

Tuesday’s cyber outbreak is believed to be bigger than WannaCry, causing disaster to many critical infrastructures, including bricking computers at a Ukrainian power company, several banks in Ukraine, and the country’s Kyiv Boryspil International Airport.

The NotPetya also canceled surgeries at two Pittsburgh-area hospitals, hit computers at the pharmaceutical company Merck and the law firm DLA Piper, as well as infected computers at the Dutch shipping company A.P. Moller-Maersk forced to shut down some container terminals in seaports from Los Angeles to Mumbai.

Technical Writer, Security Blogger and IT Analyst. She is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.

SOURCE: 1EARTHUNITED BLOG

 

3 Earth Shift Webinar Series Trailers + A WORD FROM LADA

TRAILERS FOR 3 EARTH SHIFT WEBINAR SERIES

​1st in the series Earth Shift Webinar 2 Inverted Collapse:

RELEASE JUNE 9-10, 2017!

full color promo

 

black&white promo

 

 

A WORD FROM LADA

In the upcoming series of THREE EARTH SHIFT WEBINARS I have included the answers to many frequently asked reader questions, which I am unable to cover in my free FuturisTrendcast articles and YT videos. To find out which of your burning questions and highly requested predictions will be included in each webinar, please click on links below to read webinar descriptions!

This is a once-in-a-lifetime event. My goal is to disseminate as much information and knowledge as possible in my lifetime. Once I’ve covered these subjects, most likely I won’t go back to them.

Each webinar is a treasure trove of info, practical and multidimensional knowledge you won’t find anywhere else. If you are interested in my point of view on the most important and prominent developments, predictions and hidden energy currents of this decade and next, THREE EARTH SHIFT WEBINARS are a must listen to!

2HORZ 3banner

ORDER NOW

3 WEBINAR SERIES SUBSCRIPTION (ESW 2,3,4) – AND SAVE!

 Or

go to individual pages to read webinar descriptions

and order each webinar individually

Per readers’ request! FuturisTrendcast now accepts Bitcoin Donations!

BITCOIN DONATIONS

If you want to donate BTC, you can go to LadaRay.com and click on SUPPORT tab on top. This is the general donations page for all Lada Ray’s work. On this page you can donate via BTC, PayPal, credit / debit card or check; one-time or monthly.

OR

For BTC donations, please copy and paste this address: 

1Djkb3st1Z7DUHCQ263FuM6tXBLNCz8FUx

Or scan this QR code

blockchain QR code.png

We are now working on accepting BTC for EARTH SHIFT REPORT donations, and as payment for LADA RAY WEBINARS. This option will be available later.

Thank you and have a great day!

%d bloggers like this: