Monthly Archives: June 2017

Petya Ransomware: What It Is, Who’s Behind It, How to Stop It

How did this begin?

The Petya ransomware worm began spreading Tuesday morning with a fake software update that was pushed out to businesses and other enterprises in Ukraine. The software concerned, called MEDoc, is a financial-monitoring application that all businesses in Ukraine must have installed.

MEDoc isn’t itself at fault — someone apparently broke into its software-update servers to pull this off. (The thieves who attacked Target’s point-of-sale systems in December 2013 did something similar.)

Russian antivirus firm Kaspersky Lab said Wednesday that it had found the Petya malware hidden on a Ukrainian website, possibly in an attempt to infect visitors to the site via drive-by downloads.

 

How did Petya spread?

From its initial infection point in Ukraine, the Petya worm quickly spread to companies in other European countries through enterprise networks. It’s likely that foreign companies with operations or subsidiaries in Ukraine were infected as the worm traveled “upstream” through corporate VPNs to attack central servers, and from there, all Windows PCs on a company network.

There’s some evidence that Petya also spread via infected email attachments, but that theory is not quite as well established.

What does Petya do?

Petya is really four things. It’s a worm that uses Windows networking tools, and exploits used by the NSA, to spread through local networks. It’s a piece of ransomware that encrypts the Master Boot Record — the guts of a Windows hard drive — to prevent a computer from starting up properly.

There’s also a second piece of ransomware that encrypts various files on the machine if the Master Boot Record attack fails. And there’s a fourth component that steals usernames and passwords from infected machines, possibly only so it can infect more machines.

Who is at risk?

The silver lining is that properly patched Windows systems that are not connected to enterprise networks, such as home computers, are at little risk of being infected by the Petya worm — at least for now. If you use a home computer to connect to a corporate VPN, however, you greatly increase the chances of your home network becoming infected.

Does the Petya worm infect Macs, iPhones, Android devices or Linux boxes?

Only Windows machines appear to be at risk.

Does fully patching a Windows computer stop Petya?

Even fully updated Windows computers on an enterprise network can be infected by the Petya worm. That’s because once it establishes itself on even one machine inside an enterprise network, Petya will spread by stealing Windows administrative passwords and using standard Windows network-administration tools to install itself on every Windows machine it can.

Will antivirus software stop the Petya worm?

It should. All good antivirus software products should block the Petya worm from installing. That may change if the worm’s code or behavior drastically changes.

Is Petya related to WannaCry?

Petya also uses the ETERNALBLUE exploit, also used by the otherwise unrelated WannaCry ransomware worm in mid-May, to spread among Windows machines in an enterprise network. If an enterprise server, or even any Windows computer, has specific network ports — in this case, ports 139 and 445 — open to the internet, then Petya could use that opening to infect the entire local network.

Who’s behind Petya?

It’s not clear who created and released Petya, but a lot of circumstantial evidence points to “patriotic” Russian hackers. Petya tried to render computers completely unusable, doesn’t make it easy to pay the ransom or contact the ransom collectors, and takes sophisticated steps to evade detection by antivirus software.

Because of this, some software researchers think the Petya worm’s real aim is not to make money, but to disrupt the Ukrainian economy. Ukraine is fighting Russian-sponsored rebels in its eastern provinces, a few Ukrainian defense officials have been killed by car bombs in the past weeks, and the Petya worm shut down countless Ukrainian businesses on the day before a Ukrainian national holiday.

Why is it called Petya?

The ransomware component of this new worm bears at least superficial resemblance to the latest iterations of Petya, a ransomware strain first spotted in 2015. (Petya is Russian for “Pete.”) But some researchers think this worm is an entirely new piece of malware that’s just designed to look like the real Petya. The real Petya, for example, has a sophisticated ransom-collection and file-decrypting mechanism, and this new bug doesn’t.

Should I pay the Petya ransom?

If your computer is encrypted by Petya, there’s no point in paying the ransom. The email address that you have to contact to collect the decryption key, wowsmith123456@posteo.net, has been shut down by the email host. Unless new strains of the ransomware provide a different contact email address, there’s no way to recover your files.

Is there a Petya “kill switch”?

No. However, there are a couple of ways that you might be able to prevent or stop the encryption process. First, if your computer randomly begins to shut down, abort the shutdown process and keep it running. The Petya worm has to reboot the machine in order to encrypt the hard drive’s Master Boot Record, which is essential to the Windows startup process.

Second, you can try to “immunize” your machine by creating a read-only file called “perfc” and putting it in the Windows directory. In some instances, if the Petya worm sees that file, it won’t encrypt the machine — but it will continue to spread to other machines on the same network. However, we’ve seen reports that this method doesn’t work on Windows 7, and that new versions of the Petya code may not have this function.

Lawrence Abrams from Bleeping Computer has created a tool that will create the “perfc” file for you. You’ll need to have administrative permissions on the machine concerned, but once you do, just download the file and double-click it.
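
The “perfc” step described above, as an added PowerShell example (not from the original article and not Bleeping Computer’s tool): it creates the file in the Windows directory if it is absent, marks it read-only and reports what it found. The function name `Set-PerfcMarker` is hypothetical, and the script assumes an elevated PowerShell session on the machine concerned.

```powershell
# Added example: create the read-only "perfc" file in the Windows directory.
# Set-PerfcMarker is a hypothetical helper name, not part of any published tool.
$ErrorActionPreference = 'Stop'

function Set-PerfcMarker {
    param(
        # Defaults to the local Windows directory (usually C:\Windows).
        [string]$WindowsDirectory = $env:windir
    )

    # Writing into the Windows directory needs administrative rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (administrator) PowerShell session.'
    }

    $path = Join-Path $WindowsDirectory 'perfc'

    # Create the file only if nothing is there yet; never overwrite an existing one.
    $created = $false
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path | Out-Null
        $created = $true
    }

    $item = Get-Item -LiteralPath $path -Force
    if ($item.PSIsContainer) {
        throw "$path exists but is a directory, not a file."
    }

    # Mark the file read-only, then re-read it to confirm the attribute stuck.
    $item.IsReadOnly = $true
    $item = Get-Item -LiteralPath $path -Force

    [pscustomobject]@{
        Path     = $item.FullName
        Created  = $created
        ReadOnly = $item.IsReadOnly
    }
}

Set-PerfcMarker
```

As noted above, a machine with this file may still pass the worm on to others on the same network, so it does not replace patching or restoring from backup.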

Petya more vicious than WannaCry, but Singapore impact still uncertain

The latest Petya ransomware has been described as more vicious than its predecessor, but its impact in Singapore remains largely uncertain for now as there have been no reports of major disruptions.

 

Singapore Computer Emergency Response Team (SingCERT) issued an advisory Wednesday warning local businesses and users that Petya, though inspired by WannaCry, was “more dangerous and intrusive”.

“Its behaviour is to encrypt the Master File Tree (MFT) tables for NTFS partitions and overrides the Master Boot Record (MBR) with a custom boot-loader to display a ransom note and prevents victims from booting up,” SingCERT said.

In a nutshell, Petya not only encrypts targeted files, it also locks up the entire hard drive using some of the most advanced cryptographic algorithms to gain control of the master reboot sector. It stops the computer from loading the OS, rendering it inoperable. It is also called PetrWrap and is a variant of the Petya family.

Mike Sentonas, CrowdStrike’s vice president of technology strategy, explained that PetrWrap was “noteworthy” because it combined traditional ransomware behaviour with stealthy propagation techniques.

“PetrWrap has the ability to move laterally to encrypt other systems in the organisation by leveraging the same EternalBlue vulnerability that was popularised by WannaCry last month,” Sentonas said. “It then uses another propagation technique that starts by stealing credentials, then uses those legitimate credentials to infect other systems on the network via built-in Microsoft tools – WMI and PSEXEC – even if a machine has been patched.”

SingCERT added that the ransomware spread via email, masquerading as Microsoft Office documents, which would run the Petya installer when opened and execute the SMB worm. It said the versions of Microsoft Windows thought to be vulnerable included Windows 10, Windows 8.1, and Windows Server 2016.

SingCERT’s advisory echoed that of data protection and cybersecurity vendors, including Acronis which said banks, MNCs, and critical infrastructure owners in Singapore would be primary targets of the ransomware. When asked, however, it said it was unaware of any local organisation that had been affected by Petya.

Eugene Aseev, Acronis’ head of research and development in Singapore, explained: “The Petya ransomware is more dangerous than WannaCry primarily because it infects patched-up systems, whereas WannaCry targeted un-patched systems.

“Petya also impacts the MBR, which means the computer is compromised even before Windows can be loaded. It also attempts to steal the user’s credentials from the infected machines and uses these credentials to further infect other machines that share similar credentials,” Aseev said.

He said companies affected by the ransomware would be able to restore their systems if they had an image-level backup, but would need to reinstall their OSes if they only had file-level backup to retrieve their files. And because they would lose their configuration and software settings, their recovery time would be longer, he added.

Sentonas said there currently was no mechanism to decrypt files that had been encrypted by the ransomware. “If an endpoint is encrypted, the only fix at the moment is to wipe and rebuild the machine and restore data on the device,” he said.

Aamir Lakhani, Fortinet’s senior security strategist, said it also would initiate a system reboot on a one-hour cycle, which added a denial-of-service (DoS) element to the attack. And while WannaCry was not particularly successful in generating a financial payoff for the hackers, partly due to the kill-switch created for it, Lakhani noted that Petya’s payload would be “more sophisticated”. He added, though, that it was still premature to say if it would be more financially lucrative than WannaCry.

According to Ryan Flores, Trend Micro’s Asia-Pacific senior manager of forward-looking threat research, some US$7,500 had been paid into the Bitcoin address used by the attackers.

Flores urged those affected not to fork out the ransom, adding that several organisations in Europe and Asia had been affected by the ransomware.

Production at Cadbury’s famous chocolate factory in Tasmania, Australia, was forced to a stop late Tuesday after the company was hit by Petya. The site was owned by Spanish food operator, Mondelez, and produced some 50,000 tonnes of chocolate annually.

Global organisations reportedly affected by the ransomware included the National Bank of Ukraine, British advertising agency WPP, Danish transport company Maersk, and US pharmaceutical company Merck.

Naveen Bhat, Ixia’s Asia-Pacific managing director, noted that while it was not aware of any companies in Singapore hit by Petya, it would be “a safe assumption that machines have been affected in Singapore although none have been reported so far”. “Petya does not know national boundaries. Firms that have not upgraded the latest Windows patches are vulnerable,” Bhat said.

‘Petya’ ransomware attack strikes companies across Europe and US

Ukraine government, banks and electricity grid hit hardest, but companies in France, Denmark and Pittsburgh, Pennsylvania also attacked

Ukraine has blamed Russia for previous cyber-attacks, including one on its power grid at the end of 2015. Photograph: Ritchie B. Tongo/EPA

Victims of a major ransomware cyberattack that has spread through the US and Europe can no longer unlock their computers even if they pay the ransom.

The “Petya” ransomware has caused serious disruption at large firms including the advertising giant WPP, French construction materials company Saint-Gobain and Russian steel and oil firms Evraz and Rosneft.

Infected computers display a message demanding a Bitcoin ransom worth $300. Those who pay are asked to send confirmation of payment to an email address. However, that email address has been shut down by the email provider.

“We do not tolerate any misuse of our platform,” said the German email provider Posteo in a blog post.

This means that there is no longer any way for people who decide to pay the ransom to contact the attacker for a decryption key to unlock their computer.

“This is not an experienced ransomware operator,” said Ryan Kalember, senior vice-president of cybersecurity strategy at Proofpoint.

The attack was first reported in Ukraine, where the government, banks, state power utility and Kiev’s airport and metro system were all affected. The radiation monitoring system at Chernobyl was taken offline, forcing employees to use hand-held counters to measure levels at the former nuclear plant’s exclusion zone.

The food giant Mondelez, legal firm DLA Piper, Danish shipping and transport giant AP Moller-Maersk and Heritage Valley Health System, which runs hospitals and care facilities in Pittsburgh, also said their systems had been hit by the malware.

WPP said in a statement that the computer systems at several of its subsidiary companies had been affected, adding that it was “assessing the situation and taking appropriate measures”.

In an internal memo to staff, one WPP firm said it was the target of “a massive global malware attack, affecting all Windows servers, PCs and laptops”. It warned employees to turn off and disconnect all machines using Windows.

Some technology experts said the attack appeared consistent with an “updated variant” of a virus known as Petya or Petrwrap, a ransomware that locks computer files and forces users to pay a designated sum to regain access.

But analysts at cyber security firm Kaspersky Labs said they had traced the infections to “a new ransomware that has not been seen before”. The “NotPetya” attack had hit 2,000 users in Russia, Ukraine, Poland, France, Italy, the UK, Germany and the US, Kaspersky said.

Last month’s WannaCry or WannaCrypt ransomware attack affected more than 230,000 computers in over 150 countries, with the UK’s national health service, Spanish phone giant Telefónica and German state railways among those hardest hit.

Symantec cyber security experts said they had confirmed the ransomware in the current attack was using the same exploit – a program that takes advantage of a software vulnerability – as WannaCry.

The exploit – called EternalBlue – was leaked by the Shadow Brokers hacker group in April and is thought to have been developed by the US National Security Agency.

To spread within companies that installed the patch to protect themselves against WannaCry, the Petya ransomware appears to have two other ways of spreading rapidly within an organisation, by targeting the network’s administrator tools.

It’s not yet clear how computers became infected with the ransomware in the first place, but it doesn’t seem to be through email as happened with WannaCry, said Kalember.

Pictures circulating on social media on Tuesday of screens purportedly affected by the attack showed a message stating, “Your files are no longer accessible because they have been encrypted,” and demanding a $300 ransom in the Bitcoin digital currency.

The attack affected all business units at Maersk, including container shipping, port and tug boat operations, oil and gas production, drilling services, and oil tankers, the company said, as well as seventeen container terminals.

“We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyber-attack,” the Copenhagen-based firm said on Twitter. “We continue to assess the situation.”

The disruptions in Ukraine follow a rash of hacking attempts on state websites in late 2016 and a succession of attacks on the national electricity grid that prompted security chiefs to call for improved cyber defences.

The country’s prime minister, Volodymyr Groysman, said the attack was “unprecedented” but vital systems had not been affected. “Our IT experts are doing their job and protecting critical infrastructure,” he said. “The attack will be repelled and the perpetrators will be tracked down.”

In a bid to calm public fears about the attack, which temporarily shut down the country’s main airport and prevented travellers from using the Kiev metro, the authorities tweeted a GIF of a dog nonchalantly drinking tea in a room on fire.

The growing fight against cyber-attacks has seen protection spending surge around the world, with the global cyber security market estimated to be worth some £94bn ($120bn) this year – more than 30 times its size just over a decade ago.

Global businesses black out from latest cyber attack

A major cyber attack, believed to have first struck Ukraine, caused havoc around the world on Wednesday, crippling computers or halting operations at port operator Maersk, a Cadbury chocolate plant in Australia and the property arm of French bank BNP Paribas.

Russia’s biggest oil company, Ukrainian banks and multinational firms were among those hit on Tuesday by the cyber extortion campaign, which has underscored growing concerns that businesses have failed to secure their networks from increasingly aggressive hackers.

The rapidly spreading computer worm appeared to be a variant of an existing ransomware family known as Petya which also has borrowed key features from last month’s ransomware attack, named “WannaCry”.

ESET, an anti-virus vendor based in Bratislava, said 80 percent of all infections from the new attack detected among its global customer base were in Ukraine, with Italy second hardest hit at around 10 percent. Several of the international firms hit had operations in Ukraine.

Customers queue in ‘Rost’ supermarket in Kharkiv, Ukraine June 27, 2017 in this picture obtained from social media. MIKHAIL GOLUB via REUTERS

Shipping giant A.P. Moller-Maersk (MAERSKb.CO), which handles one in seven containers shipped worldwide and has a logistics unit in Ukraine, is not able to process new orders after being hit by the attack on Tuesday, it told Reuters.

“Right now, at this hour, we’re not able to take new orders,” Maersk Line Chief Commercial Officer Vincent Clerc said in a telephone interview on Wednesday.

BNP Paribas Real Estate (BNPP.PA), which provides property and investment management services, confirmed it had been hit but declined to specify how widely it had affected its business. It employed nearly 3,500 staff in 16 countries as of last year.

“The international cyber attack hit our non-bank subsidiary, Real Estate. The necessary measures have been taken to rapidly contain the attack,” the bank told Reuters on Wednesday, after a person familiar with the matter had said that some staff computers were blocked on Tuesday due to the incident.

Production at the Cadbury (MDLZ.O) factory on the island state of Tasmania ground to a halt late on Tuesday after computer systems went down, said Australian Manufacturing and Workers Union state secretary John Short.

 

Russia’s Rosneft (ROSN.MM), one of the world’s biggest crude producers by volume, said on Tuesday its systems had suffered “serious consequences” but said oil production had not been affected because it switched over to backup systems.

The virus crippled computers running Microsoft Corp’s (MSFT.O) Windows by encrypting hard drives and overwriting files, then demanded $300 in bitcoin payments to restore access.

Several security experts questioned whether the effort to extort victims with computers hit by the virus was the main goal, or whether the unknown hackers behind the attack could have other motives.

WannaCry: Why it’s ransomware that just won’t die

Over a month on from the initial outbreak WannaCry is still very much capable of infecting whole networks.

Image: Cisco Talos

The WannaCry ransomware epidemic hit hard: the malware infected over 300,000 victims around the globe, causing chaos.

Factories, the UK’s National Health Service, the Russian postal service and even Chinese government agencies were amongst the victims of the indiscriminate WannaCry attack before the outbreak was brought under control – although not before costing billions in damages and lost productivity.

Microsoft issued patches and, after the initial scramble to secure systems, the focus shifted towards working out who launched the attack, with both private cybersecurity firms and government agencies pointing towards North Korea as the culprit behind the incident.

But that wasn’t the end. Over a month on from the initial outbreak, WannaCry is still claiming victims. On Sunday 18 June, car manufacturer Honda was forced to shut down one of its production facilities because systems were infected with WannaCry.

The Japanese firm temporarily halted production at its Sayama plant after it was discovered that the malware worm had infected networks across Japan, North America, China and more.

Located North West of Tokyo, the Sayama plant was the only manufacturing facility to have production impacted by the outbreak after being shut down on Monday, halting production of around 1,000 cars – the daily output of the facility.

No other production facilities were impacted in this way and work at the plant resumed as normal on Tuesday, the company told ZDNet, adding it will “take every step to further strengthen the security of the systems”.

Just days later, WannaCry hit 55 speed cameras in Victoria, Australia, with the source of the infection thought to be human error, when an infected USB was inserted by someone carrying out maintenance. Fortunately the offline nature of the devices means the ransomware couldn’t spread to other networks.

So why is WannaCry still causing problems for organisations over a month on from the initial epidemic?

Much of it comes down to worm-like properties of the ransomware, which uses EternalBlue, a leaked NSA tool which leverages a version of Windows’ Server Message Block (SMB) networking protocol to spread itself.

And now the worm is out in the wild it is still attempting to find computers to infect – all while powered by some systems it infected in the first outbreak.

“This particular incarnation of WannaCry is a worm so it’s propagating at random around the internet. So any systems which were infected and hadn’t properly been cleaned still continued to propagate the worm,” says Rafe Pilling, Senior Security Researcher at SecureWorks Counter Threat Unit.

“That can potentially lead to new infections in networks and environments which haven’t applied the patch and let the worm in one way or the other”.

It isn’t even the first worm of this kind to remain a problem long after being first released; the Conficker worm – an SQL Slammer that carried out distributed denial of service (DDoS) attacks – first appeared in 2003 and 14 years later it’s still carrying out attacks, to such an extent that in December it was the most common form of malware attack.

“WannaCry is still out there similar to how worms like Conficker are still able to spread on the internet. Without regular patching, organisations are susceptible to different types of cyber attacks, including those like WannaCry,” says Ronnie Tokazowski, Senior Malware Analyst at Flashpoint.

It’s this failure to patch which is enabling the likes of WannaCry – and Conficker – to continue to be a purely opportunist threat when, in many instances, it could easily be stopped.

 

“Conficker has been around for years and there’s absolutely no reason on this earth why we should still see this infection,” says Mark James, Security Specialist at ESET.

Another reason why WannaCry still survives is that many companies still rely on older machines and bespoke applications which either are no longer supported by patches – or just can’t be patched in the first place. This sort of technology could still be vulnerable to the worm.

“It’s quite common for those sort of systems to run older versions of operating systems which go unpatched, run old applications, use shared logins, that sort of stuff, all of which creates an environment which is more susceptible to this sort of thing,” says Pilling.

“The problem with these older systems – Windows 7 mainly with WannaCry – is there may be instances where the actual SMB service is legitimately being used,” says James.

And while organisations try to do all they can to protect systems with patches, it’s simply hard to continually update old systems, especially when the manufacturers stop providing patches – but many organisations push on with this approach because the alternative involves spending large amounts of money on wholesale upgrades.

“The problem is if it’s embedded and part of your production line, who is going to be the person who’s going to say we need to discard this perfectly working £500,000 of machinery for another piece of system which has a new processor,” James says.

So what can be done to avoid falling victim to WannaCry now it’s out there and still looking for systems to infect?

“Network segregation plays a major role in defence,” says Pilling. “Ideally nobody should have the ports necessary for this worm to propagate accessible to the internet or with outbound access to the internet – it’s generally considered poor practice for the SMB port to be exposed to the internet, or to allow your systems to talk to that protocol”.

Even if WannaCry continues to propagate itself around the web, occasionally causing disruption to factories and other organisations, in a way we’re lucky that some of the code behind the ransomware was fairly amateur.

While prolific, as a ransomware attack, WannaCry can be deemed as unsuccessful as it failed to make much money from ransom payments, with just a tiny proportion of victims paying up, generating the attackers around $140,000 – and that figure is only that high due to a rise in the valuation of Bitcoin.

But there are lessons to be learned here, as the outbreak could’ve been much more disruptive if the ransomware was as advanced as the likes of Locky or Cerber, some of the ransomware variants most successful at exploiting payments from victims and helping the malware cost businesses over $1 billion during 2016.

Organisations which still find themselves at risk from worms using exploits to infect older operating systems must seriously consider the potential impact — and what could go wrong if something worse than WannaCry arrived — before it’s too late.

Hackers attacked 4 Florida school districts, allegedly hoped to hack voting systems

We’ve heard a lot about Russian attackers attempting to hack the US election, but another hacking group also allegedly wanted to interfere with the election; they attempted to pivot from compromised school districts to state voting systems.

The Miami Herald reported that MoRo, a group of hackers based in Morocco, penetrated “at least four Florida school district networks” and purportedly searched for a way “to slip into other sensitive government systems, including state voting systems.”

According to United Data Technologies (UDT), the firm which investigated the breaches “incidents,” the hackers successfully phished people working in the school districts, tricking them into clicking on an image in email which allowed malware into the system. The article does note that the hackers also targeted an unnamed Florida city network with a similar attack.

After the school district systems were infected with malware, the hacking group “turned off the logs recording who accessed the systems.” UDT analysts had a hard time figuring out for sure what all the hackers had done. Turning off the logs was called a “sophisticated maneuver” that UDT “had never seen before.” (Silly me, I thought disabling logging was fairly common if a hacker doesn’t want to get busted immediately.)

Despite the lack of logs, UDT determined the hackers were in the system for three months, “mapping them out and testing their defenses. At one point, they even posted photos of someone dressed as an ISIS fighter on two school district websites.”

At first, the hackers had purportedly hoped to steal the personal information of “hundreds of thousands of students.” Miami-Dade, which is the largest school district in Florida, was the only one of the four compromised school districts which was named.

Yet it wasn’t just sensitive student information the hackers could have accessed. The article points out that Miami-Dade, which is the fourth largest school district in the US, also “handles the personal information, including Social Security numbers, of hundreds of thousands of current and former students, along with data on thousands of employees and parents.”

Before you get worked up, the article claims the hacking group failed to steal student information or access voting systems. In fact, the hacking is referred to as “attempted” seven different times. Yet, if the hackers remained inside the systems for at least three months, that seems to be more than an “attempted” hack. Attempted, perhaps, pertains to stealing the personal information of hundreds of thousands of students and then selling the Social Security numbers on the dark web.

Even though the hackers put “ISIS-inspired photos on a school district website,” Miami-Dade “didn’t find any evidence of malware or access to its computer systems.” Paul Smith, Miami-Dade’s school district director of data security, said, “I would say if anything it was an attempted hack. But it was raised up to law enforcement and we did go through all the systems.”

The article says the attack started in the fall. In November, “a photo of someone who appeared to be one of the hackers dressed as an ISIS fighter went up on a school district website. It stayed there for about 24 hours. The following month, the same photo flickered onto another school district’s website.” There are no details about the type of malware or even how it was ascertained that the photo might be of one of the hackers.

UDT claimed that the hackers wanted more than kids’ names and Social Security numbers; mapping the network revealed that the school district systems had some connections to “different county and city systems.” The Moroccan hackers were allegedly searching for a backdoor to other government systems.

Michael Kaiser, the executive director of the National Cyber Security Alliance, told the Miami Herald that it is “very common” for a school district network to be “attached to other networks in the town or city or even the state, depending on how the network is set up.”

Attackers would love to steal the login for a system admin who has credentials to access other government networks, Kaiser explained, or to gain access to the admin’s email account and use it to phish government employees.

UDT claimed the hackers bragged about their exploits online, saying they were attempting “to get into voting systems hosted by Diebold voting platforms. They wanted to bring down what they thought were state voting systems.” This, however, happened in December – which is about a month too late to hack the vote.

Regarding the hack, or “attempted” hack as it is continually referred to by the Miami Herald, “UDT contacted the FBI and re-engineered the malware so it was no longer a threat. The analysts found no evidence that any data had been taken. The FBI declined to comment on the incidents or on cybercrimes in general.”

The point of the “hack attacks” article, it seems, was to raise awareness of how vulnerable Florida school districts are to cyber thugs. Raising overall security awareness for school districts seems like a wise thing, considering that another phishing scam in Florida resulted in compromising the financial information of more than 7,700 Manatee County School District employees. A school district employee received an email which appeared to be from the school superintendent and handed over the requested W2s of all the district’s employees.

OllyDbg – A 32-bit assembler level analysing debugger for Windows

OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable. OllyDbg is shareware, but you can download and use it for free. Special highlights are:

  • Intuitive user interface, no cryptical commands
  • Code analysis – traces registers, recognizes procedures, loops, API calls, switches, tables, constants and strings
  • Directly loads and debugs DLLs
  • Object file scanning – locates routines from object files and libraries
  • Allows for user-defined labels, comments and function descriptions
  • Understands debugging information in Borland® format
  • Saves patches between sessions, writes them back to executable file and updates fixups
  • Open architecture – many third-party plugins are available
  • No installation – no trash in registry or system directories
  • Debugs multithread applications
  • Attaches to running programs
  • Configurable disassembler, supports both MASM and IDEAL formats
  • MMX, 3DNow! and SSE data types and instructions, including Athlon extensions
  • Full UNICODE support
  • Dynamically recognizes ASCII and UNICODE strings – also in Delphi format!
  • Recognizes complex code constructs, like call to jump to procedure
  • Decodes calls to more than 1900 standard API and 400 C functions
  • Gives context-sensitive help on API functions from external help file
  • Sets conditional, logging, memory and hardware breakpoints
  • Traces program execution, logs arguments of known functions
  • Shows fixups
  • Dynamically traces stack frames
  • Searches for imprecise commands and masked binary sequences
  • Searches whole allocated memory
  • Finds references to constant or address range
  • Examines and modifies memory, sets breakpoints and pauses program on-the-fly
  • Assembles commands into the shortest binary form
  • Starts from the floppy disk

WannaCry ransomware code errors could give victims a chance to get files back

The code behind WannaCry, the ransomware which recently infected hundreds of thousands of victims around the globe, was full of mistakes and of very low quality, to such an extent that some victims may be able to regain access to their original files even after they’ve been encrypted.

Analysis of WannaCry by researchers at security company Kaspersky Lab has found that most of the mistakes meant files could be restored with publicly available software tools or even simple commands.

“If you were infected with WannaCry ransomware there is a good possibility that you will be able to restore a lot of the files on the affected computer”, the researchers at Kaspersky Lab said in a blog post. “The code quality is very low.”

In one instance, a mistake in the read-only file processing mechanism of WannaCry means it isn’t able to encrypt read-only files at all. Instead, the ransomware creates encrypted copies of the victims’ files, while the original files remain untouched but are set to ‘hidden’. That means it’s easy to get the files back by simply un-hiding them.
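The un-hiding step described above, as an added PowerShell example (not Kaspersky's tooling or code from the article). It assumes each encrypted copy is named after the original plus a suffix, which you supply as `-EncryptedSuffix`; the function name and its parameters are illustrative.

```powershell
# Added example. Assumption: the encrypted copy is "<original name><suffix>";
# pass the suffix actually seen on the affected machine.
function Find-HiddenOriginal {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        [Parameter(Mandatory = $true)][string]$EncryptedSuffix,
        [switch]$Unhide
    )

    # -Force is required for Get-ChildItem to return hidden files at all.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        ForEach-Object {
            $file = $_
            # Report only hidden files that sit next to an encrypted copy of themselves,
            # so ordinary hidden files (desktop.ini and the like) are left alone.
            $copy = $file.FullName + $EncryptedSuffix
            if (-not (Test-Path -LiteralPath $copy)) { return }

            if ($Unhide -and $PSCmdlet.ShouldProcess($file.FullName, 'Clear Hidden attribute')) {
                # The filter above guarantees the Hidden bit is set, so XOR clears
                # exactly that bit; ReadOnly and the other attributes stay as found.
                $file.Attributes = $file.Attributes -bxor [IO.FileAttributes]::Hidden
                $file.Refresh()
            }

            [pscustomobject]@{
                Original      = $file.FullName
                EncryptedCopy = $copy
                ReadOnly      = [bool]($file.Attributes -band [IO.FileAttributes]::ReadOnly)
                StillHidden   = [bool]($file.Attributes -band [IO.FileAttributes]::Hidden)
                Length        = $file.Length
            }
        }
}

# Dry run first, then repeat without -WhatIf once the list looks right:
# Find-HiddenOriginal -Root 'D:\Shares' -EncryptedSuffix '<suffix>' -Unhide -WhatIf
```

Run it against a forensic copy or after imaging the disk where possible, so the attribute change does not disturb evidence on the original volume.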

This isn’t the only example of poor coding within WannaCry. If the ransomware infiltrates a system and the files aren’t deemed important by the developers, the files are moved to a temporary folder.

Within these files is the original data, which isn’t overwritten, but merely deleted from the disk, meaning it’s possible to get them back using data recovery software. Unfortunately, if the files are in an ‘important’ folder, like Documents or Desktop, WannaCry will overwrite the original file with random data and it remains impossible to restore it in this case.

Nonetheless, the many mistakes in the code offer hope to those who become infected, as the amateurish nature of the ransomware leaves a lot of leeway for retrieving at least some files.

“If you were infected with WannaCry ransomware there is a good chance that you will be able to restore a lot of the files on your affected computer. We advise private users and organizations to use the file recovery utilities on affected machines in their network,” said Anton Ivanov, security researcher at Kaspersky Lab.

It isn’t the first time WannaCry has been described as something of an amateur form of ransomware – and the fact that only a tiny percentage of infected victims have paid a combined total of $120,000 in Bitcoin ransoms in the three weeks since the attack suggests that while it caused widespread disruption, it has failed to make money, which is the ultimate goal of ransomware.

And while WannaCry did infect many Windows XP systems, many failed attacks resulted in computers crashing and displaying the ‘blue-screen of death’, again suggesting that all might not be well with the code.

While the identity of those behind the WannaCry campaign remains unknown, police and cybersecurity firms continue to look for answers surrounding the origins of this ransomware.