Ransomware attack

A MacOS user, I've been somewhat amused to read:
What is the Petya ransomware spreading across Europe? WIRED explains | WIRED UK

Security companies are confident the Petya ransomware uses the same software exploit in Microsoft products that WannaCry was able to exploit. Symantec says it has confirmed the ransomware is using the Eternal Blue vulnerability that is believed to have been developed by the NSA.

Both Symantec and F-Secure say that although Petya does encrypt systems it is slightly different to other types of ransomware. "Petya is a new ransomware with an evil twist: instead of encrypting files on disk, it will lock the entire disk, rendering it pretty much useless," F-Secure says. "Specifically, it will encrypt the filesystem’s master file table (MFT), which means the operating system is not able to locate files."

Beek adds that Petya has not been disguised with a lot of sophistication. "It is using a fake certificate that is derived from Microsoft's Sysinternal tools," he says. "It's not heavily obfuscated I would say, so it is easy to read through the functionality of the ransomware."​

EternalBlue - Wikipedia

EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE-2017-0144[7][8] in the Common Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows accepts specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.[9]​

I'm a little confused by the term,". . . vulnerability that is believed to have been developed by the NSA." NSA did not define or write the SMB code in Windows. Writing a program to demonstrate the flaw is not what I would call "developed". I would have said ". . . vulnerability that is believed to have been demonstrated by the NSA."

One reason is when I was working as a network engineer, we got a 'hair on fire' notice of a problem, subsequently fixed, in Cisco IOS. So I wrote a program that verified the exploit if only to make sure we could test the fix when it came out. This was one of the old style, malformed packet overflow that crashed the Cisco IOS.

So I tend to think of "developed" as what some obscure MicroSoft coder did to create the vulnerability. Showing the exploit is more "demonstrate".

My understanding is this latest ransomware has no recovery. It demands payment but effectively wipes the disk. So even if the ransom is paid, there is no recovery.

Bob Wilson

 

Source: Nearly One in Four Windows Users Surveyed Plan to Switch to Mac Within Next Six Months - Mac Rumors



Perhaps there is a lesson here.

Bob Wilson