The results of the virus attack on Rosneft. Foreign media named Rosneft and Bashneft as the target of the Petya virus attack. Britain, the USA and Australia officially accused Russia of spreading NotPetya


The WannaCry ransomware has been succeeded by a similar encryptor with a less fanciful name. On June 27, Petya attacked about 80 organizations in Ukraine and Russia. Later, reports of hacker attacks came from Europe and India. Earlier, a similar ransomware virus infected computers in the Netherlands, France and Spain.

In Ukraine the government network was hit; in Russia, the companies Rosneft, Mars, Nivea and others. The Kremlin said the virus did not affect it. Meanwhile, Kyiv blamed the attack on the Russian special services, calling what is happening an element of hybrid warfare.

According to Group-IB, the Petya.A virus blocks the computer and prevents the operating system from starting. To resume operation and decrypt the files, it demands a ransom of 300 dollars in bitcoins. A large-scale attack on oil, telecommunications and financial companies in Russia and Ukraine was recorded around 14:00 Moscow time, TASS reports.

According to Kaspersky Lab, the encryptor uses a forged Microsoft digital signature. Code-signing technology is used to show users that a program was developed by a trusted author and to assure them that it will not cause harm. Kaspersky Lab believes that the virus was created on March 18, 2017.

To stop the spread of the virus, Group-IB recommends closing TCP ports 1024-1035, 135 and 445.
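One way to check a Windows host against this recommendation is sketched below as an added example (not code from the original article or from Group-IB). It assumes the column layout of `netstat -ano` output; the sample listing is constructed, and the function names are hypothetical.

```python
import ipaddress

# Ports named in the Group-IB recommendation quoted above.
FLAGGED_PORTS = {135, 445} | set(range(1024, 1036))

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       2210
  TCP    192.168.1.20:1025      0.0.0.0:0              LISTENING       612
  TCP    192.168.1.20:49712     203.0.113.7:443        ESTABLISHED     3100
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::1]:1031             [::]:0                 LISTENING       2210
  UDP    0.0.0.0:1027           *:*                                    1500
"""


def split_endpoint(endpoint):
    """Split 'host:port' or '[v6host]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def exposed_listeners(netstat_text, ports=FLAGGED_PORTS):
    """Return (address, port, pid) for TCP listeners on flagged ports
    that are reachable from the network (not bound to loopback)."""
    findings = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Only TCP rows in LISTENING state carry five columns we care about.
        if len(fields) < 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, port = split_endpoint(fields[1])
        if port not in ports:
            continue
        # Drop an IPv6 zone id such as '%12' before parsing the address.
        addr = ipaddress.ip_address(host.split("%")[0])
        if addr.is_loopback:
            continue
        findings.add((str(addr), port, int(fields[4])))
    return sorted(findings, key=lambda f: (f[1], f[0]))


def ports_by_pid(findings):
    """Group flagged ports by owning PID so the service can be identified."""
    grouped = {}
    for _addr, port, pid in findings:
        grouped.setdefault(pid, set()).add(port)
    return {pid: sorted(p) for pid, p in grouped.items()}


if __name__ == "__main__":
    for addr, port, pid in exposed_listeners(SAMPLE_NETSTAT):
        print(f"listener on {addr}:{port} (PID {pid}) should be filtered")
```

Listeners bound only to loopback are skipped because they are not reachable from other hosts on the network.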

The Petya virus has spread throughout the world

Experts have already reported that the new Petya ransomware has spread beyond the CIS and hit computer networks all over the world.

"The Petya virus with the contact address [email protected] is spreading around the world, a huge number of countries are affected," Costin Raiu, a researcher of the international research team of Kaspersky Lab, wrote on his Twitter page.

He specified that Petya uses a forged Microsoft digital signature. According to Raiu, the ransomware operators have already received at least a few payments as ransom for restoring access to computers attacked by the virus.

Journalists from Reuters report that the hacker attack has spread to European countries. The ransomware has penetrated, in particular, computer networks in Great Britain and Norway. In addition, traces of Petya were also found in India.

Deputy Prime Minister of Ukraine Pavlo Rozenko said on his Facebook page that the network in the government secretariat had stopped working for an unknown reason. "Ta-dam! If anything, our network has also 'gone down', it seems! This is the picture shown by the computers of the Cabinet of Ministers of Ukraine," he wrote.

The National Bank of Ukraine (NBU) has already warned banks and other financial sector participants about an external hacker attack using an unknown virus. The NBU also said that, in connection with the cyberattacks on Ukraine's financial sector, security measures and countermeasures against hacker attacks have been strengthened, according to the regulator's press release.

Ukrtelecom stated that the company provides Internet access and telephony services, but the computer systems that support the call center and customer service centers do not work.

Boryspil airport, in turn, warned that "due to the emergency situation, flight delays are possible." At this time, the online flight schedule is not available to passengers on the airport's official website.

The Kyiv Metro said that as a result of the attack, payment by bank card was blocked. "Contactless metro cards work in emergency mode," the city's metro announced.

Ukrenergo said that the company is already conducting an investigation into the cyberattack.

In addition, the hacker attack led to the shutdown of the computer system that monitors background radiation at the Chornobyl nuclear power plant. Computers running Windows had to be switched off temporarily, and radiation monitoring of the industrial site was switched to manual mode.

At the same time, the Bank of Russia's Center for Monitoring and Response to Computer Attacks in the Credit and Financial Sphere, jointly with credit organizations, is working to eliminate the consequences of the detected computer attacks, the Central Bank said.

The hacker attack presumably also hit the computers of the corporate server of the Moscow restaurant chain Tanuki - Yersh, TASS reports.

The press service of Rosenergoatom reported that all nuclear power plants in Russia are operating normally. The absence of traces of hacker attacks was also confirmed by Inter RAO, Enel Russia, Rosseti and System Operator UES. Rosseti added that appropriate measures had already been taken to prevent possible hacker attacks.

Virus Petya

The ransomware, which blocks access to data and demands 300 dollars in bitcoins for unlocking, has been known in various modifications since 2016.

The malicious program is distributed through spam email. The first versions of Petya were disguised as résumés. When the infected email was opened, a Windows prompt appeared on the screen requesting administrator rights.

If an inattentive user granted the program those rights, the virus overwrote the boot area of the hard disk and displayed a "blue screen of death" urging the user to restart the computer.

Before Petya there was WannaCry

The previous large-scale attack on organizations around the world, which used the WannaCry virus, took place on May 12. The encryption virus demanded a ransom for decrypting users' files. It was reported that Russia suffered the most from WannaCry. The cyberattack hit, in particular, MegaFon, the Ministry of Internal Affairs, Sberbank and the Ministry of Health. Russian Railways and the Central Bank reported infection attempts and stated that the attacks were unsuccessful.

Experts from the American company Flashpoint concluded that the creators of the WannaCry virus may come from China, Hong Kong, Taiwan or Singapore. Group-IB suspects hackers from the DPRK who, moreover, tried to pass themselves off as Russians.

The computers of the Rosneft oil company suffered a "powerful hacker attack" resembling a modification of the WannaCry encryption virus. The company has turned to law enforcement agencies, and an investigation is underway.

Rosneft stated that its servers had suffered a "powerful hacker attack". The company wrote about this on its Twitter. Rosneft press secretary Mikhail Leontiev told RBC that most of the company's servers are reliably protected and assured that the company is coping with the consequences of the hacker attack on its systems.

Materials at the editors' disposal make it possible to assert that Rosneft's computers were infected with an encryption virus similar to Petya. A source in law enforcement told RBC that Bashneft, which is controlled by Rosneft, suffered the same attack.

Sources of Vedomosti added that all computers at the Bashneft refinery, Bashneft-Dobycha and the Bashneft management "rebooted at once, after which they downloaded uninstalled software and displayed the Petya virus splash screen." The publication notes that users' screens showed a message proposing to transfer $300 in bitcoins to a specified address, after which a key to unlock the computers would be sent to users by e-mail. It is also emphasized that the virus encrypted all the data on users' computers.

Meanwhile, the Arbitration Court of Bashkiria concluded a hearing at which it considered the claim of Rosneft and its subsidiary Bashneft against AFK Sistema and Sistema-Invest for the recovery of 170.6 billion rubles, which, according to the oil company, Bashneft lost as a result of the reorganization in 2014. Rosneft spokesman Mikhail Leontiev said on Twitter that it was possible that the attack was in no way related to the company's court proceedings.

UPD: The malicious program (a new version of Ransom:Win32/Petya, according to Microsoft) began spreading on June 27 in Europe. The first incidents were registered in Ukraine, where 12.5 thousand computers were infected with the virus. Companies in 64 countries, including Belgium, Brazil, Germany, Russia, the United States and many others, suffered from the new encryptor.

The new Petya encryptor has the functionality of a network worm, which allows it to spread quickly across a network. To do so, it uses an exploit for the long-patched vulnerability in the SMB protocol, CVE-2017-0144 (known as EternalBlue), which was also exploited by the WannaCry ransomware. Additionally, Petya uses a second exploit, for the vulnerability CVE-2017-0145 (known as EternalRomance), also patched by Microsoft in the same bulletin.

Britain, the USA and Australia officially accused Russia of spreading NotPetya

On February 15, 2018, the UK Foreign Office issued an official statement accusing Russia of organizing the cyberattack that used the NotPetya encryption virus.


According to the British government, the attack showed further disregard for the sovereignty of Ukraine, and as a result of these reckless actions the work of numerous organizations throughout Europe was disrupted, which led to huge losses.


The ministry noted that the conclusion about the involvement of the Russian government and the Kremlin in the cyberattack was reached on the basis of the findings of the UK National Cyber Security Centre, which "is practically certain that the Russians are behind the NotPetya attack." The statement also says that its allies will not tolerate malicious cyber activity.

According to Australia's Minister for Law Enforcement and Cybersecurity, Angus Taylor, based on data from the Australian intelligence services as well as consultations with the United States and Great Britain, the Australian government concluded that responsibility for the incident lies with attackers backed by the Russian Federation. "The Australian government condemns Russia's behavior, which creates serious risks for the global economy, government operations and services, business activity, and the safety and well-being of individuals," the statement says.

The Kremlin, which has repeatedly denied any involvement of the Russian authorities in hacker attacks, called the British Foreign Office statement part of a "Russophobic campaign".

Monument "Here lies the Petya computer virus, defeated by people on 27/06/2017"

A monument to the Petya computer virus was erected in December 2017 at the Skolkovo Technopark. The two-meter monument, bearing the inscription "Here lies the Petya computer virus, defeated by people on 27/06/2017" and made in the shape of a bitten hard disk, was created with the support of INVITRO, among other companies that suffered from the consequences of the massive cyberattack. A robot named Nu, who works at Fiztekhpark (MTI), came specially to the ceremony to deliver a solemn speech.

Attack on the government of Sevastopol

Specialists of the Main Directorate of Informatization and Communications of Sevastopol successfully repelled an attack by the Petya encryption virus on the servers of the regional government. This was reported on 17 April 2017 by the head of the informatization department, Denis Timofeev, at a staff meeting of the Sevastopol government.

He stated that the Petya malware had no effect on the data stored on computers in Sevastopol's state institutions.


A focus on the use of free software is laid down in the concept of informatization of Sevastopol, approved in 2015. It states that when purchasing and developing basic software, as well as software for information systems for automation, it is advisable to analyze the possibility of using free products, which makes it possible to reduce budget expenditures and dependence on suppliers and developers.

Earlier, at the end of June, as part of a large-scale attack on the medical company Invitro, its branch located in Sevastopol also suffered. Because of the virus attack on the computer network, the branch temporarily suspended issuing test results until the causes were eliminated.

"Invitro" announced the suspension of test intake because of a cyberattack

The medical company Invitro suspended the collection of biomaterial and the issuing of patients' test results because of a hacker attack on the 27th of September. The company's director of corporate communications, Anton Bulanov, told RBC about this.

According to the company's statement, Invitro will soon return to normal operation. The results of tests carried out after this time will be delivered to patients once the technical failure is fixed. At the moment, the laboratory information system has been restored and is being configured. "We regret the force majeure situation that has arisen and thank our customers for their understanding," Invitro concluded.

The computer virus attack affected clinics in Russia, Belarus and Kazakhstan.

Attack on Gazprom and other oil and gas companies

On March 29, 2017, it became known about a global cyberattack on the computer systems of Gazprom. Thus, yet another Russian company suffered from the Petya ransomware.

As the Reuters news agency reported, citing a person who took part in the investigation, Gazprom suffered from the spread of the Petya malware, which attacked computers in more than 60 countries in total.

The agency's sources did not give details on how many and which systems were infected at Gazprom, or on the extent of the damage caused by the hackers. The company declined to comment at Reuters' request.

Meanwhile, a high-ranking RBC source at Gazprom said that the computers in the company's central office were working without interruption when the large-scale hacker attack began (on March 27, 2017) and continued to do so two days later. Two more RBC sources at Gazprom also assured that "everything is calm" at the company and there are no viruses.

In the oil and gas sector, Bashneft and Rosneft suffered from the Petya virus. The latter stated on June 28 that the company is operating normally and that "individual problems" are being promptly resolved.

Banks and industry

It became known that computers were infected at Evraz, at the Russian division of Royal Canin (a maker of pet food) and at the Russian division of Mondelez (the maker of Alpen Gold and Milka chocolate).

According to a statement from the Ministry of Internal Affairs of Ukraine, a man published on file-sharing sites and social networks a video with a detailed description of how to launch the ransomware on computers. In the comments to the video, the man posted a link to his social network page, to which he had uploaded the malicious program. During searches at the "hacker's" apartment, law enforcement officers seized computer equipment that had been used to distribute NotPetya. The police also found files with malicious software, and analysis confirmed its similarity to the NotPetya ransomware. As cyber police officers established, the ransomware linked by the Nikopol resident was downloaded by social network users 400 times.

Among those who downloaded NotPetya, law enforcement identified companies that deliberately infected their systems with the ransomware in order to conceal criminal activity and evade paying penalties to the state. It is worth noting that the police do not link the man's activities to the hacker attacks of June 27, so there is no question of any involvement with the authors of NotPetya. The acts imputed to him concern only actions committed in July of this year, after the wave of large-scale cyberattacks.

A criminal case has currently been opened against the man under part 1 of Art. 361 (unauthorized interference in the operation of computers) of the Criminal Code of Ukraine. The Nikopol resident faces up to 3 years in prison.

Spread around the world

The spread of the Petya ransomware has been recorded in Spain, Germany, Lithuania, China and India. For example, because of the malicious program, the cargo flow management technologies of the Jawaharlal Nehru container port in India, operated by A.P. Moller-Maersk, stopped recognizing the ownership of cargo.

The British advertising group WPP, the Spanish office of DLA Piper, one of the world's largest law firms, and the food giant Mondelez reported the cyberattack. The victims also include the French building materials manufacturer Cie. de Saint-Gobain and the pharmaceutical company Merck & Co.

Merck

The American pharmaceutical giant Merck, which was hit hard by the June attack with the NotPetya encryption virus, still cannot restore all systems and return to normal operation. This was reported in the company's Form 8-K report, submitted to the US Securities and Exchange Commission (SEC) in 2017.

Moller-Maersk and Rosneft

On April 3, 2017, it became known that the Danish shipping giant Moller-Maersk and Rosneft had restored their IT systems, infected with the Petya ransomware, only some time after the attack, which took place on June 27.


The shipping company Maersk, which accounts for one in seven cargo containers shipped worldwide, also added that all 1,500 applications affected by the cyberattack would return to normal operation by April 9, 2017 at the latest.

The IT systems of APM Terminals, a Maersk-owned company that operates dozens of cargo ports and container terminals in more than 40 countries, were hit hardest. More than 100 thousand cargo containers pass through APM Terminals' ports every day, and their work was completely paralyzed by the spread of the virus. The Maasvlakte II terminal near Rotterdam resumed deliveries on July 3.

On August 16, 2017, A.P. Moller-Maersk named the approximate amount of damage from the cyberattack that used the Petya virus, infection with which, as the European company noted, occurred through a Ukrainian program. According to Maersk's preliminary estimates, financial losses from the Petya encryptor in the second quarter of 2017 amounted to 200 to 300 million dollars.

Meanwhile, Rosneft also needed almost a week to restore its computer systems after the hacker attack, as the company's press service reported on July 3, according to Interfax.


A few days earlier, Rosneft stressed that it was not yet undertaking to assess the consequences of the cyberattack, but that production had not been affected.

How Petya works

Indeed, victims of the virus cannot unlock their files after infection. The point is that its creators did not provide for such a possibility at all. That is, an encrypted disk is a priori not recoverable. The malicious program's identifier does not contain the information required for decryption.

Initially, experts assigned the virus, which infected close to two thousand computers in Russia, Ukraine, Poland, Italy, Germany, France and other countries, to the already known Petya family of ransomware. However, it turned out to be a new family of malware. Kaspersky Lab named the new encryptor ExPetr.

How to fight it

The fight against cyber threats requires the combined efforts of banks, IT businesses and the state

The Positive Technologies data recovery method

On June 7, 2017, Positive Technologies expert Dmitry Sklyarov presented a method for recovering data encrypted by the NotPetya virus. According to the expert, the method is applicable if the NotPetya virus had administrative privileges and encrypted the entire disk.

Data recovery is possible because of errors in the implementation of the Salsa20 encryption algorithm that were made by the attackers themselves. The method's viability has been verified both on a test laptop and on one of the encrypted hard disks of a large company that was among the victims of the epidemic.

Companies and independent developers that specialize in data recovery can freely use and automate the presented decryption script.

The results of the investigation have already been confirmed by the Ukrainian police. Juscutum intends to use the findings of the investigation as key evidence in a future lawsuit against Intellect-Service.

The proceedings will be civil in nature. An independent investigation is being conducted by Ukrainian law enforcement agencies. Their representatives have previously stated that a case might be brought against Intellect-Service specialists.

The company M.E.Doc itself stated that what is happening is an attempt at a raider takeover of the company. The maker of the only popular Ukrainian accounting software believes that the investigation conducted by the Ukrainian cyber police is part of the implementation of this plan.

Initial infection vector of the Petya encoder

On May 17, an M.E.Doc update was released that did not contain the malicious backdoor module. This probably explains the relatively small number of XData infections, the company believes. The attackers did not expect the update to be released on May 17 and launched the encoder on January 18, when most users had already installed the safe update.

The backdoor makes it possible to download and execute other malicious software on the infected system; this is how the initial infection with the Petya and XData encoders was carried out. In addition, the program collects proxy server and e-mail settings, including logins and passwords from the M.E.Doc application, as well as the company's EDRPOU code (Unified State Register of Enterprises and Organizations of Ukraine), which makes it possible to identify victims.

"We have yet to answer a number of questions," said Anton Cherepanov, senior virus analyst at Eset. "How long has the backdoor been in use? What commands and malicious programs, other than Petya and XData, were sent through this channel? What other infrastructures have been compromised but not yet used by the cybergroup behind this attack?"

Based on a combination of indicators, including infrastructure, malicious tools, schemes and targets of attacks, Eset experts have established a link between the Diskcoder.C (Petya) epidemic and the Telebots cybergroup. It has not yet been possible to reliably identify who is behind this group's activity.

The press service of Group-IB, a company that investigates cybercrime, told RBC that the hacker attack on a number of companies using the Petya encryption virus is "very similar" to the attack that took place in mid-May using the WannaCry malware. Petya blocks computers and demands $300 in bitcoins in exchange.

"The attack took place at about 14:00. Judging by the photos, this is the Petya cryptolocker. The method of propagation in the local network is similar to the WannaCry virus," Group-IB's press service said.

At the same time, an employee of one of Rosneft's subsidiaries, which is engaged in offshore projects, says that computers kept running and screens with black text appeared, but not for all employees. Nevertheless, the company is in collapse and work has stopped. The sources also note that at the Bashneft office in Ufa all electricity was completely switched off.

As of 15:40 Moscow time, the official websites of Rosneft and Bashneft are unavailable. This can be confirmed using server status checking resources. The website of Rosneft's largest subsidiary, Yuganskneftegaz, is also not working.

The company later wrote on its Twitter that the hacker attack could have led to "serious consequences." Despite this, production processes, extraction and preparation of oil were not stopped thanks to the transition to a backup control system, the company explained.

At present, the Arbitration Court of Bashkiria has concluded a hearing at which it considered the claim of Rosneft and its subsidiary Bashneft against AFK Sistema and Sistema-Invest for the recovery of 170.6 billion rubles, which, according to the oil company, Bashneft lost as a result of the reorganization in 2014.

A representative of AFK Sistema asked the court to postpone the next hearing for a month so that the parties could familiarize themselves with all the motions. The judge scheduled the next hearing in two days, at 12 pm, noting that AFK has many representatives and they would manage within this time.

Based on media reports

On June 27 the world suffered another hacker attack: a virus with the mockingly frivolous name Petya blocked computers in many countries, demanding 300 dollars for restoring access to companies' databases. Having collected about 8 thousand, Petya calmed down, leaving behind, however, a mass of questions.

The most pressing, of course: who, and from where? According to Fortune magazine, a very authoritative publication, Petya came to us from Ukraine. The German cyber police lean towards the same view and, characteristically, so do the Ukrainian police. Petya went out into the wide world from the depths of the Ukrainian company Intellect-Service, a developer of a wide variety of software.

In particular, the company's largest client is the Ukrainian mobile operator Vodafone, better known as MTS Ukraine, as it was called until 2015. And MTS, in turn, is a key asset of the AFK Sistema corporation of Vladimir Yevtushenkov. Did the businessman not have a hand in the development and launch of Petya?

In the opinion of Versiya, this is more than likely. Petya set out on its "great road" just before the hearing of the Arbitration Court of Bashkiria at which the claims of Rosneft against AFK Sistema, the former owner of Bashneft, which passed into the hands of the largest national oil company, were considered. In Rosneft's view, through their management Yevtushenkov and his top managers stripped Bashneft of 170 billion rubles, which it is demanding back in court.

The court, incidentally, is inclined to believe the new owner, having already seized 185 billion rubles belonging to the old one, including 31.76% of MTS shares. As a result, Yevtushenkov's fortune "lost weight" by half, and the businessman's own nerves began to fail more and more often. Take, for example, the fake settlement agreement that appeared in court from who knows where: as it turned out, the plaintiff had never set eyes on it, let alone signed it.

If it did not work out with forged letters, then the next logical step is to hide the evidence of the dubious actions of which the defendant is accused. And this evidence is stored in Bashneft's computers, which passed to Rosneft together with all its other property. So one should not laugh at Petya: its creators did not want to "make money the easy way", but to cover their tracks.

And, on the whole, the calculation was not a foolish one. The Ukrainian company was not chosen by chance either: where, if not in Ukraine, would official inquiries get bogged down and the collection of evidence run into a dead end? And Rosneft's computer system did shake under the hacker attack but, thanks to the backup system, still held, something the former owner could not have counted on; he probably expected it to be as it was at Bashneft in the days of AFK Sistema.

That is probably why the authors of the attack hurried to spread rumors that Rosneft had had to suspend production. No, production did not stop, but these rumors once again indicate that Petya's creators were very interested in this. And today, discrediting Rosneft is the first item on the agenda for Vladimir Yevtushenkov's structures.


© 2022 androidas.ru - All about Android