New global ransomware attack hits East Europe and spreading


  1. Posts : 30,579
    Windows 10 (Pro and Insider Pro)
       #1

    New global ransomware attack hits East Europe and spreading


    Another massive attack is going on at the moment. It started in Ukraine and Russia and is already all over Europe and US too.

    Bitdefender Labs confirms that the GoldenEye / Petya ransomware leverages the EternalBlue exploit to spread from one computer to another. Additional exploits are also used to propagate.
    Read more on bitdefender.com | massive-goldeneye-ransomware-campaign-slams-worldwide-users/

    The Independent is reporting about Petya (Kaspersky identification of the same...)

    The so-called "Petya" cyberattack, which started in Ukraine, has spread across the globe over the last 24 hours. The attack hit major companies in countries like Spain, India, and the UK, and now appears to have reached the US.
    A lot of news around. thehackernews.com | 2017/06/petya-ransomware-attack
    "Petya uses the NSA Eternalblue exploit but also spreads in internal networks with WMIC and PSEXEC. That's why patched systems can get hit," confirms Mikko Hypponen, Chief Research Officer at F-Secure.
    Last edited by AndreTen; 27 Jun 2017 at 13:45.


  2. Posts : 5,833
    Dual boot Windows 10 FCU Pro x 64 & current Insider 10 Pro
       #2

    Thanks for reporting this here, Andre.

    What a crime. Will it ever end?!!


  3. Posts : 30,579
    Windows 10 (Pro and Insider Pro)
    Thread Starter
       #3

    HippsieGypsie said:
    Thanks for reporting this here, Andre.

    What a crime. Will it ever end?!!
    This is a business-oriented attack and spreads much like WannaCry did, but exploits additional vulnerabilities. Disabling SMBv1 is a smart move.

    thehackernews.com | windows-10-redstone3-smb
    Microsoft has recently announced the beta release of Windows 10 "Creators Update," also known as "Redstone 2" (Version 1703), which disables the SMB1 protocol by default, and after testing and getting feedback from the community, the company has decided to completely remove the protocol in the next stable version of the operating system.

    A Microsoft representative has just confirmed this to Threatpost, saying "We can confirm that SMBv1 is being removed for Redstone 3 [codename for the Windows 10 Fall Creators Update]."


  4. Posts : 5,833
    Dual boot Windows 10 FCU Pro x 64 & current Insider 10 Pro
       #4

    In addition to that from Ed Bott, who posted this article back in mid May. I'm sure others did as well.

    In the interests of implementing a comprehensive, multi-layer security policy, Microsoft recommends that you disable the SMBv1 protocol completely. The world has already moved on to SMBv3, and there's no excuse for continuing to let that old and horribly insecure protocol run on your network.
    More here: Windows 10 tip: Stop using the horribly insecure SMBv1 protocol | ZDNet


  5. Posts : 2,068
    Windows 10 Pro
       #5

    Firewall servers and require access via jumpboxes.


  6. Posts : 1,079
    10 + Linux
       #6

    Disabling SMB 1.0


    Control Panel/Programs and Features/Turn Windows features on or off.


  7. Posts : 5,451
    Windows 11 Home
       #7

    Luckily, this little beauty has got the kill switch.
    Create a file called perfc with no extension in %windir% and #Nopetya won't run! SHARE!!
    Source: Amit Serper (@0xAmit) | Twitter


    If you add "PsExec.exe" to disallowed apps, you can stop it from spreading from your computer.
    Code:
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "PsExec.exe" /f


    If you see the message below, pull off the cable and DO NOT turn on the computer.

    You can still save data from HDD. Source: Hacker Fantastic on Twitter:
      My Computer
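
An added example (not code from any poster in this thread): a PowerShell check that audits the host-side mitigations mentioned in posts #6 and #7 and, with the example's own `-Apply` switch, sets the ones that are missing. It reads every value under `DisallowRun` and uses the first unused value name rather than overwriting `1`; `Get-MitigationState` and the output property names are made up for the example.

```powershell
# Added example: audit (and with -Apply, set) the mitigations from posts #6 and #7.
# Run elevated. -Apply and Get-MitigationState are names made up for this example.
param([switch]$Apply)

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey   = Join-Path $policyKey 'DisallowRun'
$marker    = Join-Path $env:windir 'perfc'   # file name exactly as given in post #7

function Get-MitigationState {
    $smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $flag = (Get-ItemProperty -Path $policyKey -Name DisallowRun -ErrorAction SilentlyContinue).DisallowRun
    # Value names under the DisallowRun key are arbitrary, so read every entry.
    $entries = @{}
    if (Test-Path $listKey) {
        $key = Get-Item $listKey
        foreach ($name in $key.GetValueNames()) { $entries[$name] = $key.GetValue($name) }
    }
    [pscustomobject]@{
        Smb1Disabled     = "$($smb1.State)" -like 'Disabled*'
        PerfcMarker      = Test-Path -LiteralPath $marker -PathType Leaf
        PsExecDisallowed = ($flag -eq 1) -and ($entries.Values -contains 'PsExec.exe')
        Entries          = $entries
    }
}

$state = Get-MitigationState
if ($Apply) {
    if (-not $state.Smb1Disabled) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    if (-not $state.PerfcMarker) {
        New-Item -Path $marker -ItemType File | Out-Null
    }
    if (-not $state.PsExecDisallowed) {
        # Create the list key only if absent, so an existing list is left untouched.
        if (-not (Test-Path $listKey)) { New-Item -Path $listKey -Force | Out-Null }
        New-ItemProperty -Path $policyKey -Name DisallowRun -Value 1 -PropertyType DWord -Force | Out-Null
        if ($state.Entries.Values -notcontains 'PsExec.exe') {
            # First unused numeric name, so an existing entry "1" is not overwritten.
            $i = 1
            while ($state.Entries.ContainsKey("$i")) { $i++ }
            New-ItemProperty -Path $listKey -Name "$i" -Value 'PsExec.exe' -PropertyType String | Out-Null
        }
    }
    $state = Get-MitigationState   # SMB1 stays "pending" until the next restart
}
$state | Select-Object Smb1Disabled, PerfcMarker, PsExecDisallowed
```

`DisallowRun` is a per-user Explorer policy under HKCU: it covers only the account the script runs as and only programs launched through File Explorer.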


  8. Posts : 30,579
    Windows 10 (Pro and Insider Pro)
    Thread Starter
       #8

    TairikuOkami said:
    Luckily, this little beauty has got the kill switch.

    Source: Amit Serper (@0xAmit) | Twitter


    If you add "PsExec.exe" to disallowed apps, you can stop it from spreading from your computer.
    Code:
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "PsExec.exe" /f


    If you see the message below, pull off the cable and DO NOT turn on the computer.

    You can still save data from HDD. Source: Hacker Fantastic on Twitter:
    Thanks for posting this, TairikuOkami. Could help a lot of users.


  9. Posts : 5,451
    Windows 11 Home
       #9

    Important notice: Paying the ransom will not help you get your data back.

    Posteo, the email provider where the Petya author is hosting an inbox to handle victims from today's massive ransomware outbreak, has announced that it shut down the crook's email account: wowsmith123456@posteo.net.

    The German email provider's decision is catastrophic news for Petya victims, as they won't be able to email the Petya author in the case they want to pay the ransom to recover sensitive files needed for urgent matters.
    Email Provider Shuts Down Petya Inbox Preventing Victims From Recovering Files