Thursday 29 June 2017

Petya ransomware



The Petya ransomware attack that crippled computers in 64 countries worldwide was spread by accounting software, according to Microsoft, highlighting the dangers posed by compromised third-party apps.
The outbreak started in Ukraine, where more than 12,500 machines were infected, and there is now evidence this new Petya malware variant was initially spread via an updater for the tax accounting software MEDoc.

 A large number of organizations were infected, many in Ukraine, including Danish transport company Maersk, Russian oil firm Rosneft, the Kiev metro system, National Bank of Ukraine, the law firm DLA Piper, US pharmaceutical company Merck and many others.

petya-ransom-note.png

How to protect yourself

Once the ransomware infects a machine, it then attempts to spread itself to other PCs on the network. To propagate itself, it will try to steal credentials to gain local admin privileges, attempt to use file-shares to transfer the malicious file between PCs, and then remotely execute the file. The ransomware encrypts entire hard drives and demands a Bitcoin payment of $300 to release them.
The malware can also spread itself using the EternalBlue exploit for an SMB vulnerability, which was used by WannaCry to spread between machines. The vulnerability was patched by Microsoft in March this year.
Microsoft recommends applying this security update, but for those who aren't able to, it suggests firms "disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547" and "consider adding a rule on your router or firewall to block incoming SMB traffic on port 445".
Another workaround for blocking infection by Petya is to create an extensionless, read-only file called perfc in the C:\Windows folder, using the steps outlined here.
Microsoft also provides a detailed a breakdown of commands and network activity that indicate a Petya infection.


Other reports say that the provider of the email address shown to receive the ransom closed it down, deactivated it so there's no way to pay or ask decryption of your data from the attacker.

While steps were taken to be able to block the attack in your pc, so far there's no 'kill switch' to stop the virus from spreading.

Ofcourse the known story still comes up: "keep you windows machine" updated with security updates and also have a good antivirus solution to protect yourself like the one we offer.

Source: Techrepublic

Saturday 10 June 2017

installing Ubuntu 17.04 with encrypted home makes boot delays

the problem is when installing Ubuntu with encrypted home, 17.04 creates a swapfile instead of a swap partition like previous versions, then the installer writes a faulty config file.

In particular, ecryptfs-setup-swap puts in /etc/crypttab a line like this:

cryptswap1 UID=XXXXXXXX /dev/urandom swap,offset=1024,cipher=aes-xts-plain64


(like there were a swap partition with UID=XXXXXXXX) while with a swapfile it should put the following line:
 
cryptswap1 /swapfile /dev/urandom swap,offset=1024,cipher=aes-xts-plain64

If you manually change that line and reboot, you get rid of the problem - before rebooting, check also that your /etc/fstab file ends with:
 
/swapfile               none  swap  sw  0  0
/dev/mapper/cryptswap1  none  swap  sw  0  0
 


Because of this error Ubuntu spends a long time waiting for the swap.