Tuesday’s massive ransomware outbreak was, in fact, something much worse


Tuesday's massive outbreak of malware that shut down computers around the world has been almost universally blamed on ransomware, which by definition seeks to make money by unlocking data held hostage only if victims pay a hefty fee. Now, some researchers are drawing an even bleaker assessment—that the malware was a wiper with the objective of permanently destroying data.

Initially, researchers said the malware was a new version of the Petya ransomware that first struck in early 2016. Later, researchers said it was a new, never-before-seen ransomware package that mimicked some of Petya's behaviors. With more time to analyze the malware, researchers on Wednesday are highlighting some curious behavior for a piece of malware that was nearly perfect in almost all other respects: its code is so aggressive that it's impossible for victims to recover their data. In other words, the researchers said, the payload delivered in Tuesday's outbreak wasn't ransomware at all. Instead, its true objective was to permanently wipe as many hard drives as possible on infected networks, in much the way the Shamoon disk wiper left a wake of destruction in Saudi Arabia. Some researchers have said Shamoon is likely the work of developers sponsored by an as-yet unidentified country. Researchers analyzing Tuesday's malware—alternatively dubbed PetyaWrap, NotPetya, and ExPetr—are speculating the ransom note left behind in Tuesday's attack was, in fact, a hoax intended to capitalize on media interest sparked by last month's massive WCry outbreak.

Researchers at antivirus provider Kaspersky Lab, in a blog post published Wednesday, labeled the previous day's malware a "wiper." They explained that for attackers to decrypt a paying victim's computer, they need a "personal infection ID" that's displayed in the ransom note. In the 2016 version of Petya, the ID contained crucial information for the key recovery. Tuesday's malware, by contrast, was generated using pseudorandom data that was unrelated to the corresponding key. Kaspersky Lab researchers Anton Ivanov and Orkhan Mamedov wrote:

If we compare this randomly generated data and the final installation ID shown in the first screen, they are the same. In a normal setup, this string should contain encrypted information that will be used to restore the decryption key. For ExPetr, the ID shown in the ransom screen is just plain random data.

That means that the attacker cannot extract any decryption information from such a randomly generated string displayed on the victim, and as a result, the victims will not be able to decrypt any of the encrypted disks using the installation ID.

What does it mean? Well, first of all, this is the worst-case news for the victims – even if they pay the ransom they will not get their data back. Secondly, this reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive.

In an e-mail, they stated the problem this way:

Our analysis indicates there is little hope for victims to recover their data. We have analyzed the high-level code of the encryption routine, and we have figured out that, after disk encryption, the threat actor could not decrypt victims' disks. To decrypt a victim's disk, threat actors need the installation ID. In previous versions of "similar" ransomware like Petya/Mischa/GoldenEye, this installation ID contained the information necessary for key recovery. ExPetr does not have that, which means that the threat actor could not extract the necessary information needed for decryption. In short, victims could not recover their data.

Researcher Matt Suiche of Comae Technologies, in his own blog post published Wednesday, also called Tuesday's malware a wiper. But rather than focus on the pseudo-randomly generated installation ID, he highlighted the overwriting of key files stored on the infected hard drive.

"The ransomware was a lure for the media," he wrote. "This version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon." He went on to write: "We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents, to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon."

Suiche provided the above side-by-side code comparison contrasting Tuesday's payload with a Petya version from last year. Both pieces of code take aim at two small files—the master boot record and master file table—that are so crucial that a disk won't function if they are missing or corrupted. But while the earlier Petya encrypts the master boot record and saves the value for later decryption, Tuesday's payload, by contrast, was rewritten to overwrite the master boot record. This means that, even if victims obtain the decryption key, restoring their infected disks is impossible.

"Petya 2016 modifies the disk in a way where it can actually revert its modification," Suiche told Ars. "Whereas yesterday's one does some permanent damage to the disk."

Asked if the recovery made possible by Petya 2016 was related to the master boot record tampering, Suiche pointed to this analysis of the ransomware from researchers at Check Point Software. It described three stages:

  • Stage 0 “MBR Overwrite” – Overwrite the hard-drive’s Master Boot Record and implanting custom boot-loader.
  • Stage 1 “MFT Encryption” – Use the custom boot-loader introduced in Stage 0 to encrypt all Master-File-Table (MFT) records, which renders the file system completely unreadable.
  • Stage 2 “Ransom Demand” – Display the Petya logo and the ransom note detailing what must be done to decrypt the hard-drive.

"Both these values will be used further in the encryption process performed at Stage 1," Suiche told Ars. "At this point, Petya encrypts the original MBR by XORing its content with 0x37. It then saves this encrypted value to the 56th Disk Sector. Petya continues to encrypt disk sectors 1-34 (the physical range is 0x200h-0x4400h) with the exact same method."

Tuesday's malware, by contrast, destroys the 25 first sector blocks of the disk. In Wednesday's blog post, Suiche wrote:

The first sector block is reversibly encoded by XORing it with the 0x7 key and saved later in the 34th block. But since it replaces it with a new bootloader (41f75e5f527a3307b246cadf344d2e07f50508cf75c9c2ef8dc3bae763d18ccf) of 0x22B1 bytes it basically sets v19 to 0x19 (25).

16.0: kd:x86> ? 0x22B1 - (0x22B1 & 0x1FF) + 0x1024
Evaluate expression: 12836 = 00003224
16.0: kd:x86> ? 0x00003224 >> 9
Evaluate expression: 25 = 00000019

That would mean that the 24 sector blocks following the first sector block are being purposely overwritten; they are not read or saved anywhere. Whereas the original 2016 Petya version correctly reads each sector block and reversibly encodes them.
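The sector-level difference Suiche describes is the check an incident responder actually wants to run against a captured disk image: can sector 0 be recovered from a single-byte-XOR backup copy, and are the sectors that follow it reversibly encoded or simply overwritten? The Python script below is an added illustration, not code from Suiche, Check Point, Kaspersky or this article. It builds two constructed in-memory images following the two layouts quoted above (Petya 2016: MBR XOR 0x37 saved to sector 56, sectors 1-34 XOR 0x37 in place; ExPetr: sector 0 XOR 0x7 saved to sector 34, then a 0x22B1-byte loader written from sector 0 onward), reproduces the kd sector-count arithmetic, and reports what is recoverable. The sector numbers, keys and loader size come from the quotes; the disk contents, filler bytes and function names are assumptions made for the example.

```python
SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR


def overwritten_sector_count(bootloader_size):
    """Suiche's kd expression as quoted: round the loader size down to a
    sector boundary, add 0x1024, and count 512-byte sectors (0x22B1 -> 25)."""
    padded = bootloader_size - (bootloader_size & 0x1FF) + 0x1024
    return padded >> 9


def xor_sector(data, key):
    return bytes(b ^ key for b in data)


def read_sector(image, index):
    return image[index * SECTOR:(index + 1) * SECTOR]


def recover_mbr(image, key, backup_sector):
    """Decode the backup sector with a single-byte XOR key; return the MBR if
    the result carries a boot signature, else None (nothing to recover)."""
    candidate = xor_sector(read_sector(image, backup_sector), key)
    if len(candidate) == SECTOR and candidate[510:512] == BOOT_SIGNATURE:
        return candidate
    return None


def reversible_sectors(image, reference, key, first, last):
    """Sector indices in [first, last] whose content XOR key equals a clean
    reference copy (e.g. a pre-incident backup): these were encoded, not wiped."""
    return [i for i in range(first, last + 1)
            if xor_sector(read_sector(image, i), key) == read_sector(reference, i)]


def report(image, reference, key, backup_sector, tail_last):
    return {
        "mbr_recoverable": recover_mbr(image, key, backup_sector) is not None,
        "reversible_tail": reversible_sectors(image, reference, key, 1, tail_last),
    }


# ---- constructed sample images (not real disk captures) --------------------
def clean_image(sectors=64):
    image = bytearray(sectors * SECTOR)
    image[0:SECTOR] = b"\xfa\x33\xc0" + b"\x90" * 507 + BOOT_SIGNATURE
    for i in range(1, 40):                       # distinct filler per sector
        image[i * SECTOR:(i + 1) * SECTOR] = bytes([i]) * SECTOR
    return bytes(image)


def petya2016_style(clean):
    """Reversible layout per Check Point/Suiche: MBR XOR 0x37 saved to sector
    56, sectors 1-34 XOR 0x37 in place, sector 0 replaced by a custom loader."""
    image = bytearray(clean)
    image[56 * SECTOR:57 * SECTOR] = xor_sector(read_sector(clean, 0), 0x37)
    for i in range(1, 35):
        image[i * SECTOR:(i + 1) * SECTOR] = xor_sector(read_sector(clean, i), 0x37)
    image[0:SECTOR] = b"\xeb\xfe".ljust(SECTOR, b"\x00")   # constructed loader stub
    return bytes(image)


def expetr_style(clean):
    """Destructive layout per Suiche: sector 0 XOR 0x7 saved to sector 34, then
    a 0x22B1-byte loader written from sector 0, clobbering the 24 that follow."""
    image = bytearray(clean)
    image[34 * SECTOR:35 * SECTOR] = xor_sector(read_sector(clean, 0), 0x7)
    loader = b"\xeb\xfe".ljust(0x22B1, b"\x90")            # constructed loader body
    count = overwritten_sector_count(len(loader))           # 25
    image[0:count * SECTOR] = loader.ljust(count * SECTOR, b"\x00")
    return bytes(image)


if __name__ == "__main__":
    clean = clean_image()
    print("sectors overwritten by a 0x22B1-byte loader:", overwritten_sector_count(0x22B1))
    print("Petya 2016 layout:", report(petya2016_style(clean), clean, 0x37, 56, 34))
    print("ExPetr layout:    ", report(expetr_style(clean), clean, 0x7, 34, 24))
```

Run against the Petya 2016 layout, every sector 1-34 reverts under the same key and the MBR comes back from sector 56; against the ExPetr layout only sector 0 is recoverable, and sectors 1-24 no longer match any XOR of the reference because the loader bytes replaced them outright. The `reversible_sectors` check needs a clean reference copy, which is why keeping offline backups of the first few MB of system disks matters for this class of incident.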

Definitely not designed to make money

Another researcher, who uses the handle the grugq, published an analysis (https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4) that also supported the theory that Tuesday's outbreak wasn't a true ransomware attack. The analysis noted that the malware used a single Bitcoin address to receive ransom payments, a shortcoming that's not found in most professionally developed ransomware because it requires attackers to manually process large numbers of payments. Tuesday's malware also required victims to manually type a long string of human-unfriendly characters into an e-mail address, a hurdle professional ransomware developers avoid because it decreases the likelihood that victims will pay. Tuesday's malware also required victims to contact attackers through an e-mail account that was closed within hours of Tuesday's outbreak, killing any incentive for victims to pay.

In almost all other aspects, Tuesday's malware was impressive. It used two exploits developed by and later stolen from the National Security Agency. It combined those exploits with custom code that stole network credentials so the malware could infect fully patched Windows computers. And it was seeded by compromising the update mechanism for M.E.Doc, a tax-filing application that is almost mandatory for companies that do business in Ukraine. The shortcomings in the ransomware functions aren't likely to be mistakes, considering the overall quality of the malware.

"The superficial resemblance to Petya is only skin deep," the grugq wrote. "Although there is significant code sharing, the real Petya was a criminal enterprise for making money. This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of 'ransomware.'"

The theories are consistent with this post from Wired, which reports that Ukrainian government officials are saying Tuesday's attack was sponsored by a national government. The Ukrainian government has previously blamed Russia for attacks—one in December 2015 and another in December 2016—that both caused blackouts by hacking Ukrainian power facilities. A cover story Wired published last week lays out much of the evidence substantiating the claims of Russian involvement. Asked if Russia was behind Tuesday's attack, a government official told reporter Andy Greenberg: "It’s difficult to imagine anyone else would want to do this."

This post was updated to add details starting in the seventh paragraph, on how the permanent data destruction occurs. It was also edited to remove references to permanent hard drive destruction until those claims can be explicitly confirmed.


Microsoft, please stop doing things for our own good

Kaspersky claimed Microsoft has been disabling its antivirus software in Windows 10. Microsoft replied it was its duty to make sure antivirus protection was ‘always on.’

For over 20 years, Microsoft stomped on its competitors and then defended itself against the resulting antitrust lawsuits. But with desktop Windows waning in importance and its desktop software rivals largely gone, Microsoft seemed to have turned over a new leaf. Or had it?

In the one software sphere left where it still has rivals — antivirus and security software — Microsoft is up to its old anti-competitive tricks. Late last year, Eugene Kaspersky, founder of the eponymous antivirus company, said, “When you upgrade to Windows 10, Microsoft automatically and without any warning deactivates all ‘incompatible’ security software and in its place installs… you guessed it — its own Defender antivirus. But what did it expect when independent developers were given all of one week before the release of the new version of the OS to make their software compatible?”

Kaspersky did more than just blog about it. First, he complained to the Russian Federal Antimonopoly Service, which opened a case against Microsoft for “abusing dominance.” His company, Kaspersky Lab, followed up this June by filing more antitrust complaints against Microsoft, with the European Commission and the German Federal Cartel Office.

Kaspersky claimed in his blog, “Microsoft uses its dominant position in the computer operating system (OS) market to fiercely promote its own — inferior — security software (Windows Defender) at the expense of users’ previously self-chosen security solution. Such promotion is conducted using questionable methods, and we want to bring these methods to the attention of the anti-competition authorities.”

That sounds like business as usual for the Evil Empire.

Microsoft replied with garden-variety public relations pabulum: “Microsoft’s primary objective is to keep customers protected and we are confident that the security features of Windows 10 comply with competition laws.”

But now Microsoft has taken a new tack. It admitted that it turned off rivals’ antivirus software. Rob Lefferts, Microsoft’s partner director of the Windows & Devices Group, Security & Enterprise, said, yes, Windows 10 Creators Update disabled third-party antivirus products — but only in a few circumstances, and for a short time.

Specifically, since “AV software can be deeply entwined within the operating system, we doubled down on our efforts to help AV vendors be compatible with the latest updates. … For the small number of applications that still needed updating, we built a feature just for AV apps that would prompt the customer to install a new version of their AV app right after the update completed. To do this, we first temporarily disabled some parts of the AV software when the update began. We did this work in partnership with the AV partner to specify which versions of their software are compatible and where to direct customers after updating.”

Somehow, I don’t think Kaspersky, who hasn’t replied yet to Microsoft’s latest move, agrees that Microsoft is working as a partner with antivirus providers. I’m sure he sees this as proof of his assertions that Microsoft’s “Daddy knows best” attitude is meant only to promote Microsoft Defender over all other antivirus programs.

Microsoft’s justification? It must act to protect users from the recent plague of WannaCry ransomware and similar fast-moving malware attacks.

To me, this is proof that the old Microsoft, which wanted absolute control, and thus profit, is still alive and well in the Windows division.

If you’re OK with Microsoft calling all the shots, that’s fine. I will remind you, though, that WannaCry wouldn’t have existed in the first place if Microsoft had properly secured its Server Message Block network protocol.

I’ve always thought that competition leads to better, more secure software. That’s one reason to hope Kaspersky continues to hold Microsoft’s feet to the fire for this latest attempt to create a monopoly.


Magic Wormhole is a clever way to send files easily and securely

If you need to transfer a couple hundred megs to a coworker or friend across the country, you aren’t short on options. In fact, options are thick on the ground, and all have their own issues. Don’t you wish you could just speak a few magic words and send stuff directly to them, no intermediate upload, no web interface, no login? Magic Wormhole, created by developer Brian Warner, is a clever way to do just that.

Assuming both you and your friend are online and have the minimal software installed, the steps are super simple:

  • Invoke a wormhole via command line (no GUI just yet) with the file you want to send
  • Server (public or private) gives you a simple, speakable, one-time-use password like 8-horse-happy or vile-4-content
  • You tell your friend that password over phone, chat or whatever
  • They enter it in their wormhole console, key exchange occurs
  • Encrypted download starts directly between your computers and password is discarded

All right, so maybe that’s a bit more complicated than, say, dropping the file into Slack. But it avoids all the complications of third-party tools, intermediary servers, logins and passwords, making a shortlink, worrying about making a file temporarily “public” or fiddling with permissions, and so on.

And really, properly used it could be simpler than anything else. Once it’s sitting there in a script or whatever on your desktop, you just drop a file on it, it pops up with the password and you tell that to the person. They get it directly and securely, and you never have to worry about it again.

Imagine being on the phone with someone and hearing “oh let me send you that file.” Will it be a Dropbox link? Will you have to log into something? Will you be waiting for Gmail to scan some huge attachment? Will it be — shudder — over FTP? Or will they just say “crocodile mighty 7” and boom, you’ve got it? I for one would love that.

I don’t know why I’m getting so pumped over a file transfer system! I just think it’s great.

You can download all the components or contribute your own code at the GitHub project page.


No Known Ransomware Works Against Windows 10 S


No currently known ransomware strain can infect Windows 10 S, said Microsoft today with the release of a new report detailing the next-gen ransomware protection features the company introduced with the release of the Windows 10 Creators Update last month.

Microsoft's statement is technically accurate because Windows 10 S won't allow the installation of apps from outside the official Windows Store, which greatly limits the ability of ransomware authors to launch their payloads on infected systems.

Nonetheless, this new version of the Windows 10 operating system is still in development, wasn't made available to the public, and has a market share of 0%.

This means that once Microsoft launches Windows 10 S, things are very likely to change, especially since Windows 10 S is advertised as an operating system for the business and educational sector, two industry verticals very popular among ransomware operators.

Ransomware and other malware authors will eventually turn their focus on finding ways to infect the OS, and ransomware strains capable of infecting Windows 10 S will likely appear, although, it's quite refreshing to hear that no known ransomware strain can infect it right now.

Microsoft: No Windows 10 user was affected by WannaCry

Presenting new anti-ransomware protection features added in Windows 10 Creators Update, Robert Lefferts, Director of Program Management, Windows Enterprise and Security, also confirmed today that no Windows 10 customer was affected by the recent WannaCry ransomware outbreak that took place in mid-May.

There were actually some Windows 10 users who got infected, but those users launched the ransomware by hand and were not infected via WannaCry's self-spreading worm, which didn't have the technical capabilities to infect Windows 10 devices.

New anti-ransomware features added to Windows 10 CU

The Microsoft exec shared these details with the release of a new report detailing the new anti-ransomware features added to Windows 10 in the Creators Update.

This list of new features includes:

⍈ Click-to-run for Adobe Flash in Edge — which prevents ransomware and other malware from landing on Windows 10 PCs via exploit kits and drive-by downloads.
⍈ Instant cloud protection via Windows Defender — according to Microsoft, starting with Creators Update, Windows Defender AV can suspend a suspicious file from running and sync with the cloud protection service to further inspect the file.
⍈ Fast remediation mechanism at detection — Microsoft says it has made great strides to "remediate ransomware infection and limit ransomware activity from minutes to seconds, reducing its damage from hundreds of encrypted files to a few." Microsoft credits this to Windows Defender AV’s behavioral engine, which can aggregate malware behavior across processes and stages.
⍈ Improved detection for script-based attacks — Microsoft says its Antimalware Scan Interface (AMSI) was modified to intervene at strategic execution points of the JS and VBS script runtimes, two infection vectors often used by ransomware.
⍈ Wow64 compatibility scanning — in Creators Update, Windows Defender AV added a process-scanning feature that uses the Wow64 compatibility layer, enabling it to better inspect system interactions of 32-bit applications running on 64-bit operating systems.
⍈ Process tree visualizations — feature added to Windows Defender ATP, the commercial version of Windows Defender.
⍈ Artifact searching capabilities — feature added to Windows Defender ATP, the commercial version of Windows Defender.
⍈ Machine isolation and quarantine — feature added to Windows Defender ATP, the commercial version of Windows Defender.
