What happened to Rosneft's computers. Rosneft reported a powerful hacker attack on its servers


The ransomware virus attacked the computers of dozens of companies in Russia and Ukraine, paralyzing the work of government agencies, and began to spread around the world.

In Russia, Bashneft and Rosneft became victims of the Petya virus, a clone of the WannaCry ransomware that hit computers around the world in May.

All computers in Bashneft are infected with the virus, a source in the company told Vedomosti. The virus encrypts the files and demands a ransom of $300 to be sent to a bitcoin wallet.

"At first, the virus disabled access to the portal, to the internal Skype for Business messenger and to MS Exchange; they thought it was just a network failure, then the computer rebooted with an error. The hard drive 'died', and the next reboot already showed a red screen," the source said.

Almost simultaneously, Rosneft announced a "powerful hacker attack" on its servers. IT systems and production management have been transferred to reserve capacities, the company is operating as usual, and "distributors of false and panic messages will be held accountable together with the organizers of the hacker attack," company spokesman Mikhail Leontiev told TASS.

The websites of Rosneft and Bashneft do not work.

The attack was recorded around 14.00 Moscow time, and there are currently 80 companies among its victims. In addition to the oil companies, offices of Mars, Nivea and Mondelez International (Alpen Gold chocolate manufacturer) were affected, said Group-IB, which deals with the prevention and investigation of cybercrime.

Also, the metallurgical company Evraz and the Home Credit Bank, which was forced to suspend the work of all its branches, reported an attack on their resources. According to RBC, at least 10 Russian banks turned to cybersecurity specialists on Tuesday in connection with the attack.

In Ukraine, the virus attacked government computers, Auchan stores, Privatbank, Kyivstar, LifeCell and Ukrtelecom telecom operators.

Boryspil Airport, Kyiv Metro, Zaporizhzhyaoblenergo, Dneproenergo and Dnipro Electric Power System were under attack.

The Chernobyl nuclear power plant switched to manual radiation monitoring of the industrial site because of the cyber attack and a temporary shutdown of Windows systems, the press service of the State Agency for the Management of the Exclusion Zone told Interfax.

The ransomware virus affected a large number of countries around the world, said Costin Raiu, head of the international research division of Kaspersky Lab, on his Twitter account.

According to him, the new version of the virus, which appeared on June 18 this year, has a fake Microsoft digital signature.

At 18.05 Moscow time, the Danish shipping company A.P. Moller-Maersk announced an attack on its servers. In addition to Russia and Ukraine, users in the UK, India and Spain were affected, Reuters reported, citing the Swiss government's information technology agency.

InfoWatch CEO Natalia Kasperskaya explained to TASS that the encryption virus itself appeared more than a year ago. It is distributed mainly through phishing messages and is a modified version of previously known malware. "It teamed up with some other Misha ransomware virus that had administrator rights. It was an improved version, a backup ransomware," Kasperskaya said.

According to her, the May WannaCry ransomware attack was overcome quickly thanks to a vulnerability in the virus. "If a virus does not contain such a vulnerability, then it is difficult to fight it," she added.

A large-scale cyberattack using the WannaCry ransomware virus that infected more than 200,000 computers in 150 countries occurred on May 12, 2017.

WannaCry encrypts the user's files and requires a payment in bitcoins equivalent to $300 to decrypt them.

In Russia, the computer systems of the Ministry of Internal Affairs, the Ministry of Health, the Investigative Committee, Russian Railways, banks and mobile operators were attacked, in particular.

North Korean hackers from the government-linked group Lazarus were behind the attack, according to the British Cyber Security Center (NCSC), which is leading the international investigation into the May 12 attack.

The press service of Group-IB, which investigates cybercrime, told RBC that a hacker attack on a number of companies using the Petya encryption virus is “very similar” to the attack that occurred in mid-May using the WannaCry malware. Petya blocks computers and demands $300 in bitcoins in return.

“The attack took place around 2:00 pm. Judging by the photos, this is a Petya cryptolocker. The method of distribution in the local network is similar to that of the WannaCry virus,” the Group-IB press service said.

At the same time, an employee of one of Rosneft's subsidiaries, which is engaged in offshore projects, says that computers were not turned off and that screens with red text appeared, but not for all employees. Nevertheless, the company collapsed, work was stopped. The sources also note that all electricity was completely turned off at the Bashneft office in Ufa.

As of 15:40 Moscow time, the official websites of Rosneft and Bashneft are unavailable. The lack of response can be confirmed with server status checking services. The site of the largest subsidiary of Rosneft, Yuganskneftegaz, is also not working.

The company later wrote on its Twitter that the hacker attack could have led to "serious consequences." Despite this, oil production and oil treatment were not stopped, thanks to the switch to a backup control system, the company explained.

The Arbitration Court of Bashkiria has just completed a hearing at which it considered the claim of Rosneft and Bashneft, which it controls, against AFK Sistema and Sistema-Invest for the recovery of 170.6 billion rubles in losses which, according to the oil company, Bashneft suffered as a result of the reorganization in 2014.

The representative of AFK Sistema asked the court to postpone the next hearing for a month so that the parties could familiarize themselves with all the petitions. The judge scheduled the next hearing in two weeks, on July 12, noting that AFK has many representatives and that they will cope within this period.

Based on media materials

On June 27, the world suffered from another hacker attack: a virus with the mockingly frivolous name Petya blocked computers in many countries, demanding $300 for the return of access to company databases. Having collected about 8 thousand, "Petya" calmed down, leaving, however, a lot of questions.

The most burning question, of course, is who, and from where? According to Fortune magazine, a very authoritative publication, "Petya" came to us from Ukraine. The German cyber police leans toward the same point of view, and, characteristically, so does the Ukrainian one. "Petya" entered the big world from the bowels of the Ukrainian company "Intellect-Service", a developer of a wide variety of custom software.

In particular, the company's largest customer is the Ukrainian mobile operator Vodafone, better known as "MTS Ukraine", which is what it was called until 2015. In general, MTS is a key asset of the AFK Sistema corporation, owned by the notorious Vladimir Yevtushenkov. Did the businessman have a hand in the development and launch of Petya?

According to "Version", this is more than likely. "Petya" set off on its "high road" just on the eve of the hearing of the Arbitration Court of Bashkiria, where Rosneft's claims against AFK Sistema, the former owner of Bashneft, which was taken over by the largest national oil company, were considered. According to Rosneft, Yevtushenkov and his top management inflicted 170 billion rubles in losses on Bashneft with their management, which the company is seeking to recover in court.

The court, by the way, is inclined to believe the new owner, because it has already seized 185 billion rubles belonging to the old one, including, by the way, 31.76% of MTS shares. As a result, Yevtushenkov's fortune has "lost weight" by almost half, and the nerves of the businessman himself began to fail more and more often. Consider the false settlement agreement that came to the court from nowhere: the plaintiff, as it turned out, had never laid eyes on it, let alone signed it.

If it didn't work out with anonymous letters, then the next logical step is to hide the evidence of the dubious acts the defendant is accused of. And this evidence is stored in the computers of Bashneft, which, along with all the rest of its property, were transferred to Rosneft. So do not laugh at "Petya": its creators did not want to make easy money, but to cover their tracks.

And, in general, the calculation was not bad. And the Ukrainian company was not chosen by chance: where, if not in Ukraine, will all official requests get stuck, and the collection of evidence come to a standstill? And the Rosneft computer system staggered under the hacker attack but, thanks to its backup system, nevertheless survived, which the former owner could not have counted on in any way. He probably expected that his opponent's cyber defense system was full of holes, as was the case with Bashneft during the times of AFK Sistema.

That is probably why the authors of the attack hurried to spread rumors that Rosneft had to suspend production. No, production did not stop, but these rumors once again indicate that the creators of "Petya" were very interested in this. And today, the discrediting of Rosneft is the first item on the agenda of Vladimir Yevtushenkov's structures.


So now a new virus has appeared.

What is a virus and should we be afraid of it

This is how it looks on an infected computer

A virus called mbr locker 256 (which on the monitor calls itself Petya) attacked the servers of Russian and Ukrainian companies.

It locks files on the computer and encrypts them. The hackers demand $300 in bitcoins to unlock it.

The MBR is the master boot record, the code needed to subsequently boot the OS. It is located in the first sector of the device.

After the computer is powered on, it goes through the POST procedure, which tests the hardware; after that, the BIOS loads the MBR into RAM at address 0x7C00 and transfers control to it.

Thus, the virus enters the computer and infects the system. There are many modifications of the malware.

It runs under Windows, like the previous malware.
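A defensive check built on the layout described above, added here as an example and not taken from the article: it hashes the boot code of a 512-byte dump of sector 0, compares it with a hash recorded while the machine was clean, and lists the partition table. The function name, the sample sector and the baseline are constructed for illustration.

```powershell
# Added example, not from the article. Input is a 512-byte dump of sector 0,
# e.g. [System.IO.File]::ReadAllBytes('mbr.bin') (hypothetical file name).
function Get-MbrReport {
    param(
        [Parameter(Mandatory)][byte[]]$Sector,
        [string]$BaselineSha256   # boot-code hash recorded on a known-good host
    )
    if ($Sector.Length -lt 512) { throw "Need 512 bytes, got $($Sector.Length)" }

    # Bytes 0-439: the boot code the BIOS executes after loading the sector at 0x7C00.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hash = -join ($sha.ComputeHash($Sector, 0, 440) | ForEach-Object { $_.ToString('x2') })
    } finally { $sha.Dispose() }

    # Bytes 446-509: four 16-byte partition entries (type 0x00 means unused).
    $parts = foreach ($i in 0..3) {
        $o = 446 + 16 * $i
        if ($Sector[$o + 4] -ne 0) {
            [pscustomobject]@{
                Index    = $i
                Bootable = ($Sector[$o] -eq 0x80)
                Type     = '0x{0:X2}' -f $Sector[$o + 4]
                FirstLba = [BitConverter]::ToUInt32($Sector, $o + 8)
                Sectors  = [BitConverter]::ToUInt32($Sector, $o + 12)
            }
        }
    }

    [pscustomobject]@{
        # Bytes 510-511 must be 55 AA for the BIOS to treat the sector as bootable.
        SignatureOk     = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
        BootCodeSha256  = $hash
        BootCodeChanged = if ($BaselineSha256) { $hash -ne $BaselineSha256 } else { $null }
        Partitions      = @($parts)
    }
}

# Constructed sample sector: placeholder boot code, one active partition of type 0x07.
$sector = New-Object byte[] 512
$sector[0] = 0xEB; $sector[1] = 0x63; $sector[2] = 0x90
$sector[446] = 0x80; $sector[450] = 0x07
[BitConverter]::GetBytes([uint32]2048).CopyTo($sector, 454)
[BitConverter]::GetBytes([uint32]1024000).CopyTo($sector, 458)
$sector[510] = 0x55; $sector[511] = 0xAA

# Record the baseline, then simulate boot code being overwritten and re-check.
$baseline = (Get-MbrReport -Sector $sector).BootCodeSha256
$sector[0] = 0xFA
$report = Get-MbrReport -Sector $sector -BaselineSha256 $baseline
$report | Format-List SignatureOk, BootCodeSha256, BootCodeChanged
$report.Partitions | Format-Table -AutoSize
```

A valid 55 AA signature with `BootCodeChanged` set to `True` is the case to investigate: the sector still looks bootable, but the code that receives control at 0x7C00 is no longer the recorded one.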

Who has already suffered

Ukrainian and Russian companies. Here is part of the whole list:

  • "Zaporozhyeoblenergo"
  • DTEK
  • "Dnipro Electric Power System"
  • Kharkivgaz
  • Kyivenergo
  • "Kyivvodokanal"
  • "Antonov"
  • "Kyiv Metro"
  • "Nova Poshta"
  • Auchan
  • "Epicenter"
  • "PrivatBank"
  • OschadBank
  • "National Bank of Ukraine"
  • Nivea
  • three operators: Kyivstar, LifeCell and UkrTeleCom
  • Boryspil Airport
  • Rosneft

    Many companies quickly repelled the attack, but not all of them were able to do so. Because of it, some of the servers do not work.

    Banks cannot carry out a number of monetary transactions because of Petya. Airports are postponing or delaying flights. The metro in Ukraine did not accept contactless payments until 15:00.

    "As for office equipment and computers, they don't work. At the same time, there are no problems with the power system or with energy supply. This affected only office computers (running on the Windows platform). We were given the command to turn off the computers." - Ukrenergo

    Operators complain that they also suffered. But at the same time they try to work for subscribers in the regular mode.

    How to protect yourself from Petya.A

    To protect against it, you need to close TCP ports 1024-1035, 135 and 445 on the computer. This is quite simple to do:

    Step 1. We open the firewall.

    Step 2. On the left side of the screen, go to "Rules for incoming connections".

    Step 3. Select "Create Rule" -> "For Port" -> "TCP Protocol" -> "Specific Local Ports".

    Step 4. We write “1024-1035, 135, 445”, select all profiles, click “Block connection” and “Next” everywhere.

    Step 5. Repeat the steps for outgoing connections.
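The five steps above as a script, for hosts managed from PowerShell rather than the firewall console. This is an added example, not part of the original article; the rule and group names are made up, and the third rule (matching remote ports on outgoing connections) goes beyond the article's steps.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. The port list is the one the article
# gives; the group and display names are made up for this sketch.
$Ports  = '135', '445', '1024-1035'
$Group  = 'Petya.A port block (example)'
$common = @{ Group = $Group; Protocol = 'TCP'; Profile = 'Any'; Action = 'Block' }

# Remove rules left by an earlier run so the script can be re-applied safely.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Steps 1-4: inbound rule, TCP, specific local ports, all profiles, block.
New-NetFirewallRule @common -DisplayName 'Block TCP 135/445/1024-1035 (in)' `
    -Direction Inbound -LocalPort $Ports | Out-Null

# Step 5: the same rule for outgoing connections.
New-NetFirewallRule @common -DisplayName 'Block TCP 135/445/1024-1035 (out)' `
    -Direction Outbound -LocalPort $Ports | Out-Null

# Not in the article's steps: an outgoing connection uses an ephemeral local
# port, so connections *to* another host's 135/445 are matched by remote port.
New-NetFirewallRule @common -DisplayName 'Block TCP 135/445 to remote hosts' `
    -Direction Outbound -RemotePort '135', '445' | Out-Null

# Check what was created.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Direction  = $_.Direction
        Action     = $_.Action
        LocalPort  = $filter.LocalPort -join ','
        RemotePort = $filter.RemotePort -join ','
    }
} | Format-Table -AutoSize

# Services on this host that are still listening on the two well-known ports.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 135, 445 } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Blocking inbound TCP 445 also stops the host from serving file shares, so check which machines need SMB before rolling this out.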

    The second measure is to update the antivirus. Experts report that the necessary updates have already appeared in the anti-virus software databases.


    On the afternoon of June 27, Rosneft reported a hacker attack on its servers. At the same time, information appeared about a similar attack on the computers of Bashneft, Ukrenergo, Kievenergo and a number of other companies and enterprises.

    The virus blocks computers and extorts money from users, it looks like.



    A source close to one of the company's structures notes that all computers in the Bashneft refinery, Bashneft-dobycha and Bashneft management "rebooted at once, after which they downloaded an uninstalled software and displayed the splash screen of the WannaCry virus". On the screen, users were asked to transfer $300 in bitcoins to the specified address, after which users would be sent a key to unlock computers by e-mail. The virus, judging by the description, encrypted all data on user computers.

    "Vedomosti"


    "The National Bank of Ukraine has warned banks and other participants in the financial sector about an external hacker attack by an unknown virus on several Ukrainian banks, as well as on some enterprises in the commercial and public sectors, which is happening today.

    As a result of such cyberattacks, these banks face difficulties in customer service and banking operations."

    National Bank of Ukraine


    The computer systems of Kyivenergo, the capital's energy company, have been hacked, the company told Interfax-Ukraine.

    "We were attacked by a hacker. Two hours ago, we were forced to turn off all computers, we are waiting for permission to turn on from the security service," Kyivenergo said.

    In turn, NPC Ukrenergo told Interfax-Ukraine that the company also encountered problems in the operation of computer systems, but they are not critical.

    "There were some problems with the operation of computers. But in general, everything is stable and controlled. Conclusions on the incident can be drawn based on the results of an internal investigation," the company said.

    "Interfax-Ukraine"


    The networks of Ukrenergo and DTEK, Ukraine's largest energy companies, have been infected with a new form of encryption virus resembling WannaCry. TJ was told about this by a source inside one of the companies who directly encountered the attack of the virus.

    According to the source, on the afternoon of June 27, his computer at work rebooted, after which the system allegedly began checking the hard drive. After that, he saw that the same thing was happening on all computers in the office: “I realized that there was an attack, I turned off my computer, and when I turned it on, there was already a red inscription about bitcoin and money.”


    Computers on the network of logistics solutions company Damco are also affected. Both in European and Russian divisions. The scope of infection is very wide. It is known that in Tyumen, for example, everything is fucked up too.

    But back to the topic of Ukraine: almost all computers of Zaporizhzhyaoblenergo, Dneproenergo and the Dnieper Electric Power System were also blocked by the virus attack.

    To clarify, this is not WannaCry, but a malware similar in its behavior.

    Rosneft Ryazan Refinery - disconnected the network. Also an attack. In addition to Rosneft/Bashneft, other large companies were also attacked. Problems are reported at Mondelēz International, Oschadbank, Mars, Nova Poshta, Nivea, TESA and others.

    The virus has been identified - it's Petya.A. Petya.A eats hard drives. It encrypts the master file table (MFT) and extorts money for decryption.

    The Kyiv metro was also subjected to a hacker attack. Ukrainian government computers, Auchan stores, Ukrainian operators (Kyivstar, LifeCell, UkrTeleCom) and PrivatBank were attacked. There are reports of a similar attack on KharkivGas. According to the system administrator, the machines were running Windows 7 with the latest updates. Pavel Valerievich Rozenko, Deputy Prime Minister of Ukraine, was also attacked. Boryspil Airport is also believed to have been hacked.

    Telegram channel "Cybersecurity and Co."


    June 27, 16:27 At least 80 Russian and Ukrainian companies were affected by the Petya.A virus, said Valery Baulin, a representative of Group-IB, which specializes in the early detection of cyber threats.
    "According to our data, over 80 companies in Russia and Ukraine were affected by the Petya.A ransomware attack," he said. Baulin emphasized that the attack was not related to WannaCry.

    To stop the spread of the virus, you must immediately close TCP ports 1024-1035, 135 and 445, Group-IB stressed <...>

    "Among the victims of the cyber attack were the networks of Bashneft, Rosneft, the Ukrainian companies Zaporozhyeoblenergo, Dneproenergo and the Dnipro Electric Power System, Mondelēz International, Oschadbank, Mars, Novaya Pochta, Nivea, TESA and others were also blocked by the virus attack. The Kyiv metro was also hacked. Ukrainian government computers, Auchan stores, Ukrainian operators (Kyivstar, LifeCell, UkrTeleCom), Privat Bank were attacked. Boryspil Airport was also allegedly hacked," Group-IB points out.

    Group-IB experts also found that the Petya.A ransomware was recently used by the Cobalt group to hide traces of a targeted attack on financial institutions.

    RNS

    The Rosneft company complained about a powerful hacker attack on its servers. The company announced this in its Twitter. “A powerful hacker attack was carried out on the company's servers. We hope that this has nothing to do with the current judicial procedures,” the message says.

    “In connection with the cyber attack, the company turned to law enforcement agencies,” the message says. The company emphasized that a hacker attack could lead to serious consequences, however, "due to the fact that the company switched to a backup process control system, neither production nor oil preparation was stopped." A Vedomosti source close to one of the company's structures indicates that all computers at the Bashneft refinery, Bashneft-Dobycha and the Bashneft management "rebooted at once, after which they downloaded uninstalled software and displayed the WannaCry virus splash screen".

    On the screen, users were asked to transfer $300 in bitcoins to the specified address, after which users would supposedly be sent a key to unlock computers by e-mail. The virus, judging by the description, encrypted all data on user computers.

    Group-IB, which focuses on preventing and investigating cybercrime and fraud, has identified the virus that hit the oil company, the company told Forbes. It is the Petya encryption virus, which attacked not only Rosneft. Group-IB specialists found out that about 80 companies in Russia and Ukraine were attacked: the networks of Bashneft, Rosneft, the Ukrainian companies Zaporozhyeoblenergo, Dneproenergo and the Dnieper Electric Power System, Mondelēz International, Oschadbank, Mars, New Post, Nivea, TESA and others. The Kyiv metro was also subjected to a hacker attack. Ukrainian government computers, Auchan stores, Ukrainian operators (Kyivstar, LifeCell, UkrTeleCom) and PrivatBank were attacked. Boryspil Airport is also believed to have been hacked.

    The virus spreads either in the same way as WannaCry or through mailings: company employees opened malicious attachments in emails. As a result, the victim's computer was blocked and the MFT (NTFS file table) was securely encrypted, a Group-IB representative explains. At the same time, the name of the encryptor program is not indicated on the lock screen, which complicates the process of responding to the situation. It is also worth noting that Petya uses a strong encryption algorithm and there is no way to create a decryption tool. The ransomware demands $300 in bitcoins. The victims have already begun to transfer money to the attackers' wallet.

    Group-IB experts have determined that a recently modified version of the Petya ransomware, PetrWrap, was used by the Cobalt group to hide traces of a targeted attack on financial institutions. The criminal group Cobalt is known for having successfully attacked banks around the world - Russia, Great Britain, the Netherlands, Spain, Romania, Belarus, Poland, Estonia, Bulgaria, Georgia, Moldova, Kyrgyzstan, Armenia, Taiwan and Malaysia. This structure specializes in contactless (logical) attacks on ATMs. In addition to ATM management systems, cybercriminals are trying to gain access to interbank transfer systems (SWIFT), payment gateways and card processing.
