June 27, 2017 at 17:09Another crypto ransomware attack paralyzes large companies
This afternoon, June 27, large Ukrainian companies announced another problem caused by a new wave of ransomware. Subsequently, blocking messages began to arrive from Russia, the USA and Europe.
In the list of victims as of 17:00:
- Cabinet of Ministers of Ukraine;
- Ukrposhta and New mail ;
- Mobile operators Vodafone and Kyivstar;
- Banks Oschadbank , Ukrgasbank, Pivdenny, Takskombank, OTP Bank;
- Editions "Correspondent", "24 channel"
- Kiev metro;
- Ukrainian railways;
- Ukrtelecom;
- Epicenter.
The exact name of the virus has not yet been established, the most likely version is "Petya.A".
The virus requires the equivalent of $ 300 in bitcoins, the facts of unlocking files after payment has not yet been reported.
UPD1: Toward evening, messages appeared that the virus had spread to Russian companies, among them:
- Rosneft ;
- Home Credit Bank".
UPD2: Cybersecurity specialist Vladimir Styran said that the initial infection occurs through phishing messages (file Petya.apx) or updating the accounting program MEdoc. Then the virus spreads through the local network "through DoblePulsar and EternalBlue, similar to WannaCry methods."
UPD3: Some Chernobyl computers were affected . Nothing wrong. Most have been turned off to avoid spreading. The electronic document management does not work. There is no radiation hazard , but so far there is no way to send reports with indicators, because used email.
UPD4: Detailed articleon Habré. In short: There is no decryptor yet, the virus spreads across Europe, if there are cases of infection in the USA.
Current list of companies affected by the virus
State structures:
Cabinet of Ministers of Ukraine
Ministry of Internal Affairs
Ministry of Culture
Ministry of Finance
National Police (and regional sites)
Cyber Police
KSCA
Lviv City Council
Ministry of Energy
National Bank
Banks:
Oschadbank
Sberbank
TASKomertsbank
Ukrgasbank
Pivdenny
OTR Bank
Kredobank.
Transport:
Boryspil Airport
Kiev Metro
Ukrzaliznytsia
Media:
Radio Era-FM
Football.ua
STB
Inter
First National
Television Channel 24
Radio Suite
Radio "Maximum"
, "KP in Ukraine"
TV channel ATR
"Korrespondent.net"
Large companies:
"New Mail"
"Kyivenergo"
"Naftohaz of Ukraine"
DTEK
"Dniproenergo"
, "Kyivvodocanal"
, "Novus"
, "Epicenter"
, "Arcelor Mittal"
, "Ukrtelecom"
Ukrposhta
Mobile operators:
Lifecell
Kievstar
Vodafone Ukraine
Medicine:
Farmak
clinic Boris
hospital Feofania
Arterium corporation
Gas stations:
Shell
WOG
Klo
TNK
Cabinet of Ministers of Ukraine
Ministry of Internal Affairs
Ministry of Culture
Ministry of Finance
National Police (and regional sites)
Cyber Police
KSCA
Lviv City Council
Ministry of Energy
National Bank
Banks:
Oschadbank
Sberbank
TASKomertsbank
Ukrgasbank
Pivdenny
OTR Bank
Kredobank.
Transport:
Boryspil Airport
Kiev Metro
Ukrzaliznytsia
Media:
Radio Era-FM
Football.ua
STB
Inter
First National
Television Channel 24
Radio Suite
Radio "Maximum"
, "KP in Ukraine"
TV channel ATR
"Korrespondent.net"
Large companies:
"New Mail"
"Kyivenergo"
"Naftohaz of Ukraine"
DTEK
"Dniproenergo"
, "Kyivvodocanal"
, "Novus"
, "Epicenter"
, "Arcelor Mittal"
, "Ukrtelecom"
Ukrposhta
Mobile operators:
Lifecell
Kievstar
Vodafone Ukraine
Medicine:
Farmak
clinic Boris
hospital Feofania
Arterium corporation
Gas stations:
Shell
WOG
Klo
TNK
UPD5: Found a way to stop encryption - a quote for those who have not read the post on the hub:
Positive Technologies experts found a local “kill switch” for Petya, you can stop the ransomware by creating the file “C: \ Windows \ perfc (perfc file without extension)
There is also good news: if you saw a computer reboot and the“ disk check ”process started , at this moment you need to immediately turn off the computer, and the files will remain unencrypted. Booting from a LiveCD or USB drive will give access to files.