[npnog] SECOND GLOBAL RANSOMWARE OUTBREAK UNDER WAY
Indiver Badal
indiver at gmail.com
Wed Jun 28 10:01:16 NPT 2017
Thanks Rupesh for the midnight reminder. Surprised that so many people did not learn from WannaCry. Petya seems to have spread in the wild and is more sinister.
I used to come across a few ATMs in Kathmandu still running Windows XP, not sure if they are protected adequately or replaced by new ones. Then again, any box using a 15-year-old OS and hardware is bound to run into trouble.
Thanks
Indiver
> On Jun 28, 2017, at 12:09 AM, Rupesh Basnet via npnog <npnog at npnog.org> wrote:
>
> A SCARY NEW RANSOMWARE OUTBREAK USES WANNACRY’S OLD TRICKS
>
> A global WannaCry-like ransomware outbreak–which began in Russia and Ukraine and spread across Europe–is being reported today. The attack is locking down networks in a number of industries, including energy, transportation, shipping and financial.
>
> Reports suggest that ransomware is similar in scope and intensity to WannaCry and could be spreading using the same leaked NSA EternalBlue exploit that WannaCry used in early May to infect machines in more than 150 countries.
>
>
>
> Here’s what is known right now:
>
> Various media reports say the ransomware bears similarities to the Petya ransomware family <https://nakedsecurity.sophos.com/2016/04/04/new-ransomware-with-an-old-trick-petya-parties-like-its-1989/> that encrypts MFT (Master File Tree) tables and overwrites the MBR (Master Boot Record), dropping a ransom note and leaving victims unable to boot their computer. Because it blocks boot efforts and prevents affected systems from working altogether, it’s considered more dangerous than typical ransomware strains.
> Various media reports suggest the attacker took inspiration from last month’s WannaCry outbreak <https://www.sophos.com/en-us/lp/wanna-ransomware-outbreak-how-to-stay-protected.aspx?cmp=70130000001xKqzAAE>, which infected hundreds of thousands of computers across the globe by exploiting NSA code leaked by Shadow Brokers <https://nakedsecurity.sophos.com/2017/05/17/wannacry-the-ransomware-worm-that-didnt-arrive-on-a-phishing-hook/>. Specifically, it used a variant of the Shadow Brokers’ APT EternalBlue Exploit (CC-1353), which targeted a flaw in the Windows Server Message Block (SMB) service.
> Attackers are demanding payment of a $300 ransom in Bitcoins to regain control, according to various reports.
>
> Defensive measures
>
> Here’s what we urge you to do right now:
>
> Patch your systems, even if you’re using an unsupported version of XP, Windows 8 or Windows Server 2003 <http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598>
> Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
> Avoid opening attachments in emails from recipients you don’t know.
>
> --
>
> Regards,
> Rupesh Basnet
> M: +9779801043594
> Skype: roopeess