On the eve on the planet swept another wave of infection with a computer virus cryptography, which makes impossible the use of data and computer usage. For the decryption, the malware demands $ 300 that must be paid in bitcoins. Despite the fact that the virus affected some of the major European (and middle-sized Latvian) companies, such as Maersk, the main blow fell on Ukraine.
In particular, in Ukraine, the virus affected government organizations, banks, airports, private companies. Because of him the security management of the Chernobyl nuclear power plant had to transfer to the manual mode.
In Russia, the new virus has affected computers of the company “Rosneft” and a number of other smaller organizations. In Europe infection diagnosed in Denmark, the UK, Germany, France, the us, and in neighboring Lithuania. But nowhere we are not talking about scale, comparable to the damage in Ukraine.
While experts are still working with the virus and until the end find out its mechanisms of propagation, but the hour is enough to know for certain pretty much. And with a fairly high degree of confidence to talk about a few things.
The first reports that Ukraine attacked a known virus-cryptographer Petya was not confirmed. According to “Kaspersky Lab”, the world is not dealing with You and not with his variations but something completely new. The company Talos, who performed the most detailed at this hour the analysis of malware, called it Nyetya.
In particular, for a first infection by a new malware uses exactly the same mechanism that WannaCry — exploit EternalBlue underlying cyber-weapons from the Arsenal of U.S. intelligence, which “leaked” to the Network and accessible to hackers. It is an extra demonstration of how it is dangerous to allow intelligence agencies to have “the keys to all of the messengers” or “hacking” — once they lose them, the tools fall on the hacker black market and are used by criminals.
EternalBlue exploits a vulnerability in Microsoft Windows that the company was closed several months ago. This means that, as in the case of WannaCry victims Nyetya are to blame again.
What makes Nyetya particularly dangerous is the fact that for distribution within a computer network of the organization it uses Psexec and WMI (Windows Management Instrumentation), two regular tool used in the routine work of network administrators. With their help, for example, inside of the organization subject to the updates for the software. They rarely locked and monitored by administrators of networks, but also the antivirus and other special means of protection.
That is, the cost to get the same machine as the infected computer was immediately infected all whom he could reach in a computer network. But why it affected Ukraine? And how hackers managed to infect these “machine agent”? After all, no one voluntarily yourself a virus on a machine does not deliver… or?!
While no anti-virus company and no one can with 100 percent certainty that all the mechanisms of infection Nyetya, but different sources mention at least two facts.
First, unlike WannaCry, the attack was not carried out via e-mail. That is, the hackers at this time rule out the human factor — nobody’s clicked, no run, that run was not supposed to.
Secondly, at least one of the pathways Nyetya — Ukrainian program MeDoc, which is in the country use to “communicate” with the tax, and beyond — to work with Ukrainian government agencies and business. Talking about it as Talos, and the Ukrainian postal and telecommunications, although the company denies all charges. However, in comments to the last entry on Facebook, a lot of angry users leave message “on the machine were nothing, except you — and she’s infected!”.
According to experts, the virus could be embedded in one of the updates MeDoс perhaps that was distributed a week ago. MeDoс updates were set automatically, without user intervention, so that contamination occurred automatically. “Hour X” virus is just turned on and set to work.
It is possible that it was created by Ukrainian hackers, and they were Amateurs in terms of “working with clients”. Usually the authors of viruses encoders to communicate with victims using: a)a lot of bitcoin wallets and b)not an ordinary email, as communication channels in the “dark Internet” Tor. In this case, and one wallet, and when it was proposed to use an email registered with a German company. In the end, the company has blocked the address of the hackers, so they lost the opportunity to communicate with their victims. And victims to get the code to unlock the computers.
Some experts suggest that Nyetya — a “test flight” of some hacker group. They were able to access updates MeDoс and thought, “why not?!”. After all, any hacker infestation updates of the popular programs is the real Holy Grail. People and companies believe them, they put themselves, almost voluntarily become victims, and are unaware.
However, hackers by hackers and that we are most striking in the new viral history is the fact that many companies continue to show a fantastic carelessness. When security experts said, and the journalists wrote about WannaCry, all warned that the continuation necessarily follow, it is very “sweet” vulnerability EternalBlue, hackers just won’t leave her. All that was needed to make it was not followed to install the patches for Windows. Free and readily available, for all OS, including even the long-forsaken by God and Microsoft Windows XP. But still there are those who have not heard, not believed, not thought, is not understood and as a consequence is not delivered. Spiteful hackers to blame?