Petya at Rosneft: the oil company complained of a powerful hacker attack. Petya Virus: Battlefield – Rosneft


The ransomware virus attacked the computers of dozens of companies in Russia and Ukraine, paralyzing the work of government agencies, among others, and began to spread throughout the world

In the Russian Federation, Bashneft and Rosneft became victims of the Petya virus, a clone of the WannaCry ransomware that infected computers around the world in May.

All computers at Bashneft are infected with the virus, a source at the company told Vedomosti. The virus encrypts files and demands a ransom of $300 to a Bitcoin wallet.

“The virus initially disabled access to the portal, to the internal messenger Skype for business, to MS Exchange, they thought it was just a network failure, then the computer rebooted with an error. The hard drive died, the next reboot already showed a red screen,” the source said.

Almost simultaneously, Rosneft announced a “powerful hacker attack” on its servers. IT systems and production management have been transferred to reserve capacity, the company is operating as normal, and “distributors of false and panic messages will be held accountable along with the organizers of the hacker attack,” company press secretary Mikhail Leontyev told TASS.

The websites of Rosneft and Bashneft do not work.

The attack was recorded at about 14.00 Moscow time, and currently there are 80 companies among its victims. In addition to oil workers, representatives of Mars, Nivea and Mondelez International (maker of Alpen Gold chocolate) were affected, reported Group-IB, which prevents and investigates cybercrimes.

The metallurgical company Evraz and the Home Credit bank, which was forced to suspend the work of all its branches, also reported an attack on their resources. According to RBC, at least 10 Russian banks contacted cybersecurity specialists on Tuesday in connection with the attack.

In Ukraine, the virus attacked government computers, Auchan stores, Privatbank, telecom operators Kyivstar, LifeCell and Ukrtelecom.

The Boryspil Airport, the Kiev Metro, Zaporozhyeoblenergo, Dneproenergo and the Dnieper Electric Power System were under attack.

The Chernobyl nuclear power plant switched to manual radiation monitoring of the industrial site due to a cyber attack and a temporary shutdown of the Windows system, the press service of the State Agency for Exclusion Zone Management told Interfax.

The ransomware virus has affected a large number of countries around the world, said Costin Raiu, head of the international research unit of Kaspersky Lab, on his Twitter account.

According to him, the new version of the virus, which appeared on June 18 this year, contains a fake Microsoft digital signature.

At 18.05 Moscow time, the Danish shipping company A.P. Moller-Maersk announced an attack on its servers. In addition to Russia and Ukraine, users in the UK, India and Spain were affected, Reuters reported, citing the Swiss government's Information Technology Agency.

General Director of InfoWatch Group Natalya Kasperskaya explained to TASS that the encryption virus itself appeared more than a year ago. It is distributed mainly through phishing messages and is a modified version of a previously known malware. “It teamed up with some other ransomware virus Misha, which had administrator rights. It was an improved version, a backup encryptor,” Kasperskaya said.

According to her, the WannaCry ransomware attack in May was quickly defeated due to a vulnerability in the virus. “If the virus does not contain such a vulnerability, then it is difficult to fight it,” she added.

A large-scale cyber attack using the WannaCry ransomware virus, which affected more than 200 thousand computers in 150 countries, occurred on May 12, 2017.

WannaCry encrypts user files and requires payment in Bitcoin equivalent to $300 to decrypt them.

In Russia, in particular, the computer systems of the Ministry of Internal Affairs, the Ministry of Health, the Investigative Committee, the Russian Railways company, banks and mobile operators were attacked.

According to the British Cyber Security Centre (NCSC), which is leading the international investigation into the May 12 attack, North Korean hackers from the government-linked Lazarus group were behind it.

One of the key speakers at Positive Hack Days 9 will be the well-known GSM network security researcher Karsten Nohl. As a student he was known as a member of the Chaos Computer Club community; today Karsten is an expert in encryption and data security who questions, and often refutes, conventional wisdom about proprietary software. In his work he relies on the support of Reliance Jio, the fastest-growing company in the world.

Karsten first drew attention in 2009, when he managed to crack the encryption algorithm used in GSM networks. At the Chaos Communication Congress in Berlin he was the first to publicly demonstrate the cracking process.

In 2013 he discovered a vulnerability in SIM cards that relied on the DES (Data Encryption Standard) encryption algorithm, which many manufacturers used and millions of SIM cards supported. The essence of the attack was to send a specially crafted message to the phone; the device mistook it for an SMS from the operator and returned a cryptographic signature in its reply. With this, an attacker could eavesdrop on the owner's conversations, intercept SMS and make payments. Hacking a phone could take an attacker only a couple of minutes.

Together with Jakob Lell, a researcher at Security Research Labs, Karsten reported a vulnerability in USB devices in 2014: with its help, attackers could reprogram the device's microcontroller and gain control over the victim's computer. The method is called BadUSB. That same year, at the Chaos Communication Congress, Karsten Nohl and researcher Tobias Engel described serious vulnerabilities in SS7 that let attackers easily intercept telephone conversations and SMS messages, even when cellular networks use the latest encryption standards. All phones and smartphones are vulnerable, regardless of operating system.

Last year, Karsten Nohl and Jakob Lell presented at the Hack In The Box conference the results of a two-year study in which they examined the contents of the security updates released by the largest Android device manufacturers. It showed that many large manufacturers only create the appearance of releasing patches, while in reality many bugs remain unfixed.

At PHDays 9, which will take place on May 21–22, 2019, Karsten Nohl will give a presentation “What's under the iceberg: let's talk about real cyber threats.” A global analysis of security data from thousands of companies across dozens of industries shows how difficult it is for most organizations to integrate core security principles. Karsten will discuss with the forum participants what a society striving for information security should really care about.

So now a new virus has appeared.

What kind of virus is it and should you be afraid of it?

This is what it looks like on an infected computer

A virus called mbr locker 256 (which calls itself Petya on the screen) attacked servers of Russian and Ukrainian companies.

It locks files on your computer and encrypts them. The hackers demand $300 in bitcoins for unlocking.

MBR is the master boot record, the code needed for the subsequent boot of the OS. It is located in the first sector of the device.

After the computer is powered on, the POST procedure runs and tests the hardware; after that, the BIOS loads the MBR into RAM at address 0x7C00 and transfers control to it.

Thus, by replacing the MBR, the virus gains control of the computer before the OS starts and infects the system. There are many modifications of the malware.

It runs under Windows, just like the previous malware.
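The following PowerShell script is an added example and not part of the original article: it decodes a 512-byte MBR image as described above (boot signature at the end of the first sector, partition table at offset 446) and hashes the bootstrap code area so that a defender can compare a host's current MBR with a known-good baseline. The sample sector, the function name ConvertFrom-Mbr and the tampering simulation are my own constructions; the commented-out raw-disk read assumes an elevated prompt on a Windows host.

```powershell
# Added example (not from the article). Decodes a 512-byte MBR image: checks the
# 0x55AA boot signature, reads the four 16-byte partition entries at offset 446,
# and hashes the bootstrap code area (bytes 0-445) so it can be compared with a
# known-good baseline. Boot-sector ransomware replaces that code area while
# usually leaving the partition table intact, so the hash is what changes.

function ConvertFrom-Mbr {
    param([Parameter(Mandatory)][byte[]]$Sector)

    if ($Sector.Length -ne 512) {
        throw "An MBR is exactly 512 bytes; got $($Sector.Length)"
    }

    # Boot signature: 0x55 at offset 510, 0xAA at offset 511
    $signatureOk = ($Sector[510] -eq 0x55) -and ($Sector[511] -eq 0xAA)

    # Partition table: four entries of 16 bytes, starting at offset 446.
    # Byte 0 = status (0x80 bootable), byte 4 = type, bytes 8-11 = first LBA,
    # bytes 12-15 = sector count (little-endian, as BitConverter reads on x86/x64).
    $partitions = for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + 16 * $i
        if ($Sector[$o + 4] -eq 0) { continue }   # type 0 = unused slot
        [pscustomobject]@{
            Index       = $i
            Bootable    = ($Sector[$o] -eq 0x80)
            Type        = '0x{0:X2}' -f $Sector[$o + 4]
            StartLba    = [BitConverter]::ToUInt32($Sector, $o + 8)
            SectorCount = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }

    # SHA-256 over the bootstrap code only, so repartitioning does not change it
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = ($sha.ComputeHash($Sector, 0, 446) | ForEach-Object { $_.ToString('x2') }) -join ''

    [pscustomobject]@{
        SignatureValid = $signatureOk
        Partitions     = @($partitions)
        BootCodeSha256 = $hash
    }
}

# --- Constructed sample sector (not taken from a real disk) ---------------------
$sample = New-Object byte[] 512
$sample[0] = 0x33; $sample[1] = 0xC0; $sample[2] = 0x8E; $sample[3] = 0xD0   # stand-in boot code
$e = 446                                                                    # partition entry 0
$sample[$e]     = 0x80                                                      # bootable
$sample[$e + 4] = 0x07                                                      # NTFS/exFAT type
[BitConverter]::GetBytes([uint32]2048).CopyTo($sample, $e + 8)              # starts at LBA 2048
[BitConverter]::GetBytes([uint32]204800).CopyTo($sample, $e + 12)           # 100 MiB of sectors
$sample[510] = 0x55; $sample[511] = 0xAA

$baseline = ConvertFrom-Mbr -Sector $sample
$baseline.Partitions | Format-Table -AutoSize
"Signature valid : $($baseline.SignatureValid)"
"Baseline hash   : $($baseline.BootCodeSha256)"

# Simulate a boot-sector infection: the code area is overwritten, the table is kept
$tampered = [byte[]]$sample.Clone()
$tampered[0] = 0xEB; $tampered[1] = 0xFE                                    # jmp $ (hang loop)
$current = ConvertFrom-Mbr -Sector $tampered
if ($current.BootCodeSha256 -ne $baseline.BootCodeSha256) {
    "ALERT: bootstrap code differs from baseline " +
    "(partition table unchanged: $($current.Partitions.Count) entries)"
}

# On a live Windows host (elevated prompt) the real first sector can be read with:
#   $fs  = New-Object System.IO.FileStream -ArgumentList '\\.\PhysicalDrive0', 'Open', 'Read'
#   $mbr = New-Object byte[] 512; [void]$fs.Read($mbr, 0, 512); $fs.Close()
```

Hashing only bytes 0-445 is deliberate: the partition table changes legitimately when a disk is repartitioned, whereas the bootstrap code on a given installation should stay identical, so a baseline of that region taken from a clean machine gives a cheap integrity check that a boot-sector locker of this kind would trip.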

Who has already suffered

Ukrainian and Russian companies. Here is part of the entire list:

  • "Zaporozhyeoblenergo"
  • "DTEK"
  • "Dnieper Electric Power System"
  • "Kharkovgaz"
  • "Kievenergo"
  • "Kievvodokanal"
  • "Antonov"
  • "Kyiv Metro"
  • "Nova Poshta"
  • "Auchan"
  • "Epicenter"
  • "PrivatBank"
  • "OschadBank"
  • "National Bank of Ukraine"
  • Nivea
  • three mobile operators: Kyivstar, LifeCell and UkrTeleCom
  • "Boryspil airport"
  • Rosneft

    Many companies quickly repelled the attack, but not all were able to do so. Because of this, some of the servers are not working.

    Banks cannot carry out a number of monetary transactions because of Petya. Airports are postponing or delaying flights. The Ukrainian Metro did not accept contactless payments until 15:00.

    As for office equipment and computers, they do not work. At the same time, there are no problems with the energy system or energy supply. This affected only office computers (running on the Windows platform). We were given the command to turn off the computers. - Ukrenergo

    Operators complain that they also suffered. But at the same time they try to work for subscribers as usual.

    How to protect yourself from Petya.A

    To protect against it, you need to close TCP ports 1024-1035, 135 and 445 on your computer. This is quite simple to do:

    Step 1. Open the firewall.

    Step 2. On the left side of the screen, go to “Rules for incoming connections”.

    Step 3. Select “Create rule” -> “For port” -> “TCP protocol” -> “Specific local ports”.

    Step 4. We write “1024-1035, 135, 445”, select all profiles, click “Block connection” and “Next” everywhere.

    Step 5. We repeat the steps for outgoing connections.

    Well, secondly, update your antivirus. Experts report that the necessary updates have already appeared in the anti-virus software databases.
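The five firewall steps above can also be carried out from an elevated PowerShell prompt with the built-in NetSecurity cmdlets. The script below is an added example, not from the article; the rule names are my own choice. It blocks the same ports (1024-1035, 135 and 445) as local ports for inbound connections and as remote ports for outbound connections, because an outbound rule on local ports would not stop this machine from connecting to port 445 on other hosts.

```powershell
# Added example (not from the article): block the TCP ports the article names,
# inbound and outbound, on all firewall profiles. Run from an elevated prompt.
$ports = @('1024-1035', '135', '445')

$rules = @(
    # Inbound: nobody may connect to these ports on this machine
    @{ Name = 'Petya containment (inbound)';  Direction = 'Inbound';  PortParam = 'LocalPort'  }
    # Outbound: this machine may not connect to these ports on other hosts
    @{ Name = 'Petya containment (outbound)'; Direction = 'Outbound'; PortParam = 'RemotePort' }
)

foreach ($r in $rules) {
    # Re-running the script must not create duplicate rules
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        "Rule already exists: $($r.Name)"
        continue
    }
    $params = @{
        DisplayName = $r.Name
        Direction   = $r.Direction
        Protocol    = 'TCP'
        Action      = 'Block'
        Profile     = 'Any'          # Domain, Private and Public
    }
    $params[$r.PortParam] = $ports   # LocalPort for inbound, RemotePort for outbound
    New-NetFirewallRule @params | Out-Null
    "Created rule: $($r.Name)"
}

# Verify what was actually installed, including the port filter of each rule
Get-NetFirewallRule -DisplayName 'Petya containment*' | ForEach-Object {
    $f = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Direction  = $_.Direction
        Action     = $_.Action
        LocalPort  = ($f.LocalPort  -join ',')
        RemotePort = ($f.RemotePort -join ',')
    }
} | Format-Table -AutoSize

# To undo once the hosts are patched:
#   Get-NetFirewallRule -DisplayName 'Petya containment*' | Remove-NetFirewallRule
```

Port 445 carries SMB (file and printer sharing) and port 135 is the RPC endpoint mapper, so these rules break file sharing and most remote management of the host; they are a containment stopgap to be removed once the machines are updated, not a permanent configuration.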

    The Rosneft company was subjected to a powerful hacker attack, as reported on its Twitter.

    “A powerful hacker attack was carried out on the company’s servers. We hope that this has nothing to do with ongoing legal proceedings,” the statement said. The Rosneft website was unavailable at the time of publication of the note.

    The oil company reported that it contacted law enforcement authorities in connection with the incident. Due to the prompt actions of the security service, the work of Rosneft was not disrupted and continues as normal.

    “A hacker attack could lead to serious consequences, however, due to the fact that the company switched to a backup system for managing production processes, neither oil production nor oil preparation was stopped,” company representatives told a Gazeta.Ru correspondent.

    They warned that anyone who spreads false information “will be considered accomplices of the attack organizers and will be held accountable together with them.”

    In addition, the computers of the Bashneft company were infected, Vedomosti reported. The ransomware virus, like the infamous WannaCry, has blocked all computer data and demands that a ransom in bitcoins equivalent to $300 be transferred to the criminals.

    Unfortunately, these are not the only victims of the large-scale hacker attack: the Cybersecurity and Co. Telegram channel reports a cyber attack on Mondelez International (Alpen Gold and Milka brands), Oschadbank, Mars, Nova Poshta, Nivea, TESA and other companies.

    The author of the channel, Alexander Litreyev, said that the virus is called Petya.A and that it is really similar to WannaCry, which infected more than 300 thousand computers around the world in May of this year. Petya.A attacks the hard drive and encrypts the master file table (MFT). According to Litreyev, the virus was distributed in phishing emails with infected attachments.

    On its blog, Kaspersky Lab has published a post describing how infection occurs. According to the author, the virus spreads mainly through HR managers, since the letters are disguised as a message from a candidate for a particular position.

    “An HR specialist receives a fake email with a link to Dropbox, which supposedly allows you to download a “resume.” But the file at the link is not a harmless text document, but a self-extracting archive with the .EXE extension,” says the expert.

    After opening the file, the user sees a “blue screen of death”, after which Petya.A blocks the system.

    Group-IB specialists told Gazeta.Ru that the Petya encryptor was recently used by the Cobalt group to hide traces of a targeted attack on financial institutions.

    Russian hackers again

    Ukraine was hit hardest by the Petya.A virus. Among the victims are Zaporozhyeoblenergo, Dneproenergo, Kiev Metro, Ukrainian mobile operators Kyivstar, LifeCell and Ukrtelecom, the Auchan store, Privatbank, Boryspil airport and other organizations and structures.

    In total, over 80 companies in Russia and Ukraine were attacked.

    A member of the Ukrainian Rada from the Popular Front, a member of the board of the Ministry of Internal Affairs, Anton Gerashchenko, said that the Russian special services were to blame for the cyber attack.

    “According to preliminary information, this is an organized system by the Russian special services. The targets of this cyber attack are banks, media, Ukrzaliznytsia, Ukrtelecom. The virus arrived on computers for several days, even weeks, in the form of various types of email messages; users who opened these messages allowed the virus to spread across all computers. This is another example of the use of cyber attacks in a hybrid war against our country,” Gerashchenko said.

    The WannaCry ransomware attack occurred in mid-May 2017 and paralyzed the work of several international companies around the world. The damage caused to the global community by the large-scale WannaCry virus was estimated at $1 billion.

    The malware exploited a vulnerability in the Windows operating system, blocked the computer and demanded a ransom. The spread of the virus was stopped by accident by one British programmer - he registered the domain name that the program accessed.

    Despite the fact that the WannaCry cyberattack had a planetary scale, in total only 302 cases of ransom payments were recorded, as a result of which the hackers were able to earn $116 thousand.

    On the afternoon of June 27, Rosneft reported a hacker attack on its servers. At the same time, information appeared about a similar attack on the computers of Bashneft, Ukrenergo, Kyivenergo and a number of other companies and enterprises.

    The virus locks computers and extorts money from users, it is similar to .



    A source close to one of the company’s structures notes that all computers at the Bashneft refinery, Bashneft-Production and Bashneft management “rebooted at once, after which they downloaded uninstalled software and displayed the WannaCry virus splash screen.” On the screen, users were asked to transfer $300 in bitcoins to the specified address, after which users would be sent a key to unlock their computers by e-mail. The virus, judging by the description, encrypted all data on user computers.

    "Vedomosti"


    “The National Bank of Ukraine warned banks and other participants in the financial sector about an external hacker attack by an unknown virus on several Ukrainian banks, as well as on some enterprises in the commercial and public sectors, which is happening today.

    As a result of such cyber-attacks, these banks are having difficulty servicing customers and conducting banking transactions.”

    National Bank of Ukraine


    The computer systems of the capital's energy company Kyivenergo were subject to a hacker attack, the company told Interfax-Ukraine.

    “We were subjected to a hacker attack. Two hours ago we were forced to turn off all computers, we are awaiting permission to turn on from the security service,” said Kievenergo.

    In turn, NEC Ukrenergo told Interfax-Ukraine that the company also encountered problems with its computer systems, but they were not critical.

    “There were some problems with the operation of computers. But overall, everything is stable and controlled. Conclusions on the incident can be drawn based on the results of an internal investigation,” the company noted.

    "Interfax-Ukraine"


    The networks of Ukrenergo and DTEK, Ukraine's largest energy companies, were infected with a new form of ransomware reminiscent of WannaCry. TJ was told about this by a source inside one of the companies who was directly confronted with the virus attack.

    According to the source, on the afternoon of June 27, his computer at work rebooted, after which the system allegedly began checking the hard drive. After that, he saw that a similar thing was happening on all the computers in the office: “I realized that an attack was underway, I turned off my computer, and when I turned it on, there was already a red message about Bitcoin and money.”


    Computers on the network of logistics solutions company Damco are also affected. Both in European and Russian divisions. The spread of infection is very wide. It is known that in Tyumen, for example, everything is also screwed up.

    But let’s return to the topic of Ukraine: almost all computers of Zaporozhyeoblenergo, Dneproenergo and Dnieper Electric Power System are also blocked by a virus attack.

    To be clear, this is not WannaCry, but a malware similar in behavior.

    Rosneft Ryazan Refinery - the network was turned off. Also an attack. In addition to Rosneft/Bashneft, other large companies were also attacked. Problems have been reported at Mondelēz International, Oschadbank, Mars, Nova Poshta, Nivea, TESA and others.

    The virus has been identified: it is Petya.A. Petya.A is eating hard drives. It encrypts the master file table (MFT) and extorts money for decryption.

    The Kyiv metro was also subject to a hacker attack. Government computers of Ukraine, Auchan stores, Ukrainian operators (Kyivstar, LifeCell, UkrTeleCom), PrivatBank were attacked. There are reports of a similar attack on KharkovGaz. According to the system administrator, Windows 7 with the latest updates was installed on the machines. Pavel Valerievich Rozenko, Deputy Prime Minister of Ukraine, was also attacked. Boryspil Airport was also allegedly subject to a hacker attack.

    Telegram channel "Cybersecurity and Co."


    June 27, 16:27 At least 80 Russian and Ukrainian companies were affected by the Petya.A virus, said Valery Baulin, a representative of Group-IB, which specializes in early detection of cyber threats.
    “According to our data, more than 80 companies in Russia and Ukraine were affected as a result of the attack using the Petya.A encryption virus,” he said. Baulin emphasized that the attack is not related to WannaCry.

    To stop the spread of the virus, it is necessary to immediately close TCP ports 1024–1035, 135 and 445, Group-IB emphasized<...>

    “Among the victims of the cyber attack were the networks of Bashneft, Rosneft, and the Ukrainian companies Zaporozhyeoblenergo, Dneproenergo and the Dnieper Electric Power System; Mondelēz International, Oschadbank, Mars, Novaya Poshta, Nivea, TESA and others were also blocked by the virus attack. The Kiev metro was also subject to a hacker attack. Government computers of Ukraine, Auchan stores, Ukrainian operators (Kyivstar, LifeCell, UkrTeleCom) and PrivatBank were attacked. Boryspil Airport was also allegedly subject to a hacker attack,” Group-IB points out.

    Group-IB specialists also found that the Petya.A ransomware was recently used by the Cobalt group to hide traces of a targeted attack on financial institutions.