
What kind of virus attacked Rosneft. Virus Petya: the battlefield is Rosneft.


The ransomware virus attacked the computers of dozens of companies in Russia and Ukraine, paralyzing the work of government agencies, and began to spread around the world

In Russia, Bashneft and Rosneft became victims of the Petya virus, a clone of the WannaCry ransomware that hit computers around the world in May.

All computers in Bashneft are infected with the virus, a source in the company told Vedomosti. The virus encrypts files and demands a ransom of $300, payable to a bitcoin wallet.

"The virus first disabled access to the portal, to the internal Skype for Business messenger, to MS Exchange; they thought it was just a network failure, then the computer rebooted with an error. The hard drive died, and the next reboot already showed a red screen," the source said.

Almost simultaneously, Rosneft announced a "powerful hacker attack" on its servers. IT systems and production management have been transferred to standby capacities, the company is operating as usual, and "spreaders of false and panic messages will be held accountable together with the organizers of the hacker attack," company spokesman Mikhail Leontiev told TASS.

The websites of Rosneft and Bashneft do not work.

The attack was recorded around 14:00 Moscow time; about 80 companies have been named among its victims so far. In addition to the oil companies, the representative offices of Mars, Nivea and Mondelez International (the Alpen Gold chocolate manufacturer) were affected, said Group-IB, which investigates and prevents cybercrime.

Also, the metallurgical company Evraz and the Home Credit Bank, which was forced to suspend the work of all its branches, reported an attack on their resources. According to RBC, at least 10 Russian banks turned to cybersecurity specialists on Tuesday in connection with the attack.

In Ukraine, the virus attacked government computers, Auchan stores, Privatbank, Kyivstar, LifeCell and Ukrtelecom telecom operators.

Boryspil Airport, Kiev Metro, Zaporizhzhyaoblenergo, Dneproenergo and Dnipro Electric Power System were under attack.

The Chernobyl nuclear power plant switched to manual radiation monitoring of the industrial site due to a cyber attack and a temporary shutdown of the Windows system, Interfax was told in the press service of the State Agency for the Management of the Exclusion Zone.

The ransomware virus has affected a large number of countries around the world, Costin Raiu, head of the international research division of Kaspersky Lab, said on his Twitter account.

According to him, the new version of the virus, which appeared on June 18 this year, has a fake Microsoft digital signature.

At 18:05 Moscow time, the Danish shipping company A.P. Moller Maersk announced an attack on its servers. In addition to Russia and Ukraine, users in the UK, India and Spain were affected, Reuters reported, citing the Swiss government's Information Technology Agency.

InfoWatch CEO Natalia Kasperskaya explained to TASS that the encryption virus itself appeared more than a year ago. It is distributed mainly through phishing messages and is a modified version of a previously known malware. "It teamed up with some other Misha ransomware virus that had administrator rights. It was an improved version, a backup ransomware," Kasperskaya said.

According to her, it was possible to quickly overcome the May attack of the WannaCry ransomware because of the vulnerability in the virus. "If a virus does not contain such a vulnerability, then it is difficult to fight it," she added.

A large-scale cyberattack using the WannaCry ransomware virus that infected more than 200,000 computers in 150 countries occurred on May 12, 2017.

WannaCry encrypts the user's files and requires a payment in bitcoins equivalent to $300 to decrypt them.

In Russia, the computer systems of the Ministry of Internal Affairs, the Ministry of Health, the Investigative Committee, Russian Railways, banks and mobile operators were attacked, in particular.

North Korean hackers from the government-linked Lazarus group were behind the attack, according to the UK Cyber Security Center (NCSC), which is leading the international investigation into the May 12 attack.

The main target of the Petya virus attack, which recently infected thousands of computers around the world, was computer systems and. A number of foreign media came to this conclusion.

According to the publications, the hacker attack was aimed at destroying important evidence that is critical to the current trial of Rosneft and Bashneft with, which is owned by a Russian oligarch.

"Petya is not a ransomware virus, but a program that destroys data on infected computers. It seems that it should not be called Petya, but Petrovich - after the patronymic of the head of AFK Sistema, Vladimir Petrovich Yevtushenkov," writes Bostonmail.

The publication notes that a few hours after the attack, the authoritative American Fortune magazine, citing the conclusions of computer analysts, reported that the source of the cyber attack was located in Ukraine. The attack was launched by the Ukrainian company Intellect-Service, which develops MeDoc accounting software. Among the customers of Intellect-Service is one of the largest mobile operators in Ukraine - Vodafone. Until the fall of 2015, the company, now offering its services under the name Vodafone, was called MTS Ukraine. The owner of 100 percent of the company's shares is the Russian group MTS, which is the central asset of Sistema.

The cyber attack using Petya was launched at the moment when the Arbitration Court of Bashkortostan began hearings in the case of Rosneft against Sistema. According to the publication, such a combination of circumstances cannot be called a mere coincidence.

This was partly the reason that the businessman is in a state of shock, the publication believes. "Undoubtedly, he was ready to go all the way to save his reputation and fortune," according to the Bostonmail. Shortly before the cyber attack, the Arbitration Court of Bashkortostan received a motion stating that Rosneft was dropping its lawsuit against Sistema because the companies had reached a settlement. The document was signed by two vice-presidents of Rosneft. It was subsequently established that it was a fake, but it is still unclear who sent it to court.

A Rosneft spokesman shortly after the virus attack stated that the purpose of the cybercrime was to "kill" Bashneft's computers. The computers, he added, contained a large amount of information about Bashneft's operations during the period when it belonged to other owners.

The collateral damage suffered by Ukraine and other countries is not accidental: it was necessary in order to cover the real target of the attack, writes EU Reporter. By launching the attack specifically in Ukraine, the criminals ensured that even if the Ukrainian services could find out something, it was unlikely that they would share their findings with their Russian counterparts, since Ukraine does not trust the Russian authorities. "I think that the attack was aimed specifically at Rosneft. There are no other explanations," a Russian journalist told the publication.

In support of his theory that Yevtushenkov was the sponsor of the attack, he puts forward the fact that Sistema is Russia's largest telecommunications holding, employing the country's best IT professionals. They know how to handle viruses and hacks - and therefore how to organize them. Who else in the post-Soviet space can arrange such a powerful hacker attack?

At the end of June, the Petya virus hit computer systems in Ukraine, Russia, Italy, Israel, Serbia, the United States and other countries. The attackers blocked the victims' computers and demanded a ransom of $300 in bitcoins for the information on them. Later, experts found out that the hackers did not plan to restore access to the encrypted data, but intended to destroy it.


The WannaCry ransomware virus was replaced by the same kind of ransomware, but with a less intricate name - Petya. On the afternoon of June 27, "Petya" attacked about 80 organizations in Ukraine and Russia. Later, reports of hacker attacks came from Europe and India. According to preliminary data, computer networks in the Netherlands, France and Spain were infected with a similar ransomware virus.

In Ukraine, the government network was hit, in Russia, the companies Rosneft, Mars, Nivea and others. The Kremlin said that they were not affected by the virus. Meanwhile, Kiev blamed the attack on the Russian intelligence services, calling what is happening an element of a hybrid war.

According to Group-IB, the Petya.A virus blocks computers and prevents them from starting the operating system. To resume work and decrypt files, it demands a ransom of $300 in bitcoins. A large-scale attack on oil, telecommunications and financial companies in Russia and Ukraine was recorded around 14:00 Moscow time, TASS reports.

According to Kaspersky Lab, the ransomware uses a fake Microsoft electronic signature. Electronic code signing technology is used to show users that the program was developed by a trusted author and guarantees that it will not cause harm. Kaspersky Lab believes that the virus was created on June 18, 2017.

To stop the spread of the virus, Group-IB recommends immediately closing TCP ports 1024-1035, 135 and 445.

The Petya virus has spread around the world

Experts have already reported that the new Petya ransomware virus has spread beyond the CIS and hit computer networks around the world.

"Petya virus with contact address [email protected] is spreading all over the world, a huge number of countries are affected," wrote Costin Raiu, head of the international research team at Kaspersky Lab, on his Twitter page.

He clarified that Petya uses a fake digital signature from Microsoft. Ransomware hackers have already received at least seven ransom payments to regain access to computers attacked by the virus, Raiu said.

Reuters journalists report that the hacker attack has spread to European countries. The ransomware virus penetrated, in particular, computer networks in the UK and Norway. In addition, traces of Petya have been found in India.

Deputy Prime Minister of Ukraine Pavlo Rozenko announced on his Facebook page that the network in the government secretariat had stopped working for an unknown reason. "Ta-dam! If anything, then our network has also 'fallen', like a campaign! All computers of the Cabinet of Ministers of Ukraine show such a picture," he wrote.

The National Bank of Ukraine (NBU) has already warned banks and other participants in the financial sector about an external hacker attack by an unknown virus. The NBU also noted that in connection with cyber attacks in the financial sector of Ukraine, security measures and counteraction to hacker attacks were strengthened, according to a press release from the regulator.

Ukrtelecom said that the company continues to provide Internet access and telephony services, but the computer systems supporting its call center and customer service centers are not working.

Boryspil airport, in turn, warned that "due to an emergency situation, flight delays are possible." Currently, the online flight schedule is not available to passengers on the official website of the airport.

The Kiev metro said that as a result of the attack, the function of paying with bank cards was blocked. "Contactless metro cards work as usual," the metro said.

Ukrenergo reported that the company is already investigating the cyber attack.

In addition, the hacker attack led to the shutdown of the computer system for monitoring the radiation background at the Chernobyl nuclear power plant. Computers running Windows had to be temporarily turned off, radiation monitoring of the industrial site was switched to manual mode.

Currently, the Center for Monitoring and Response to Computer Attacks in the Credit and Financial Sphere of the Bank of Russia, together with credit institutions, is working to eliminate the consequences of identified computer attacks, the Central Bank emphasized.

All computers on the corporate server of the Moscow restaurants of the Tanuki-Ruff chain were also reportedly hit by the hacker attack, TASS reports.

The press service of Rosenergoatom reported that all Russian nuclear power plants are operating normally. The absence of traces of hacker attacks was also confirmed by Inter RAO, Enel Russia, Rosseti and System Operator UES. Rosseti added that appropriate measures had already been taken to prevent possible hacker attacks.

Petya virus

A ransomware virus that blocks access to data and requires $300 in bitcoins to unlock it has been known in various modifications since 2016.

The malware is distributed via spam email. In particular, the first versions of Petya were disguised as resumes. When a user opened an infected email, a Windows prompt appeared asking to grant the program administrator rights.

If an inattentive user agreed to grant the program those rights, the virus overwrote the boot area of the hard disk and showed a "blue screen of death" prompting an immediate restart of the computer.

Before Petya was WannaCry

The previous large-scale attack on organizations around the world, the weapon of which was the WannaCry virus, occurred on May 12th. The ransomware virus massively disabled computers and demanded a ransom for decrypting user files. It was reported that Russia was the most affected country by WannaCry. The cyberattack, in particular, affected the MegaFon company, the Ministry of Internal Affairs, Sberbank, and the Ministry of Health. The attempted infection was reported by Russian Railways and the Central Bank, where they stressed that the attack was unsuccessful.

Experts from the American company Flashpoint came to the conclusion that the creators of the WannaCry ransomware virus may be from South China, Hong Kong, Taiwan or Singapore. Group-IB, for its part, pointed to hackers from the DPRK, who also tried to pass themselves off as Russians.


Based on media materials

On June 27, the world suffered from another hacker attack: a virus with the mockingly frivolous name Petya blocked computers in many countries, demanding $300 for the return of access to company databases. Having collected about 8 thousand, "Petya" calmed down, leaving, however, a lot of questions.

The most burning, of course - who, where? According to Fortune magazine - a very authoritative publication - "Petya" came to us from Ukraine. The German cyber police tends to the same point of view, and, characteristically, the Ukrainian one too. "Petya" entered the big world from the bowels of the Ukrainian company "Intellect-Service" - a developer of a wide variety of software to order.

In particular, the company's largest customer is the Ukrainian mobile operator Vodafone, better known as "MTS Ukraine" - that is what it was called until 2015. MTS, in turn, is a key asset of the AFK Sistema corporation, owned by the notorious Vladimir Yevtushenkov. Did the businessman have a hand in the development and launch of Petya?

According to "Version", this is more than likely. "Petya" set off on his "high road" just on the eve of the meeting of the Arbitration Court of Bashkiria, where Rosneft's claims against AFK Sistema, the former owner of Bashneft, which was taken over by the largest national oil company, were considered. According to Rosneft, Yevtushenkov and his top management inflicted 170 billion rubles in losses on Bashneft with their management, which they are demanding in court.

The court, by the way, is inclined to believe the new owner, since it has already seized 185 billion rubles belonging to the old one, including, incidentally, 31.76% of MTS shares. As a result, Yevtushenkov's fortune has shrunk by almost half, and the businessman's nerves have begun to fail more and more often. Consider the false settlement agreement that reached the court from nowhere - the plaintiff, as it turned out, had never laid eyes on it, let alone signed it.

If anonymous letters did not work, then the next logical step is to hide the evidence of the dubious acts the defendant is accused of. And that evidence is stored in the computers of Bashneft, which, along with all the rest of its property, were transferred to Rosneft. So do not laugh at "Petya" - its creators did not want to make easy money, but to cover their tracks.

And, in general, the calculation was not bad. And the Ukrainian company was not chosen by chance - where, if not in Ukraine, will all official requests get stuck, and the collection of evidence will come to a standstill? And the computer system of Rosneft was shaken under a hacker attack, but, thanks to the backup system, it still survived, which the former owner could not count on in any way - he probably expected that his opponent’s cyber defense system was full of holes, as it was in Bashneft of the times of AFK Sistema.

That is probably why the authors of the attack hurried to spread rumors that Rosneft had to suspend production. No, production did not stop, but these rumors once again indicate that the creators of "Petya" were very interested in this. And today, the discrediting of Rosneft is the first item on the agenda of Vladimir Yevtushenkov's structures.


So now a new virus has appeared.

What is a virus and should we be afraid of it

This is how it looks on an infected computer

A virus called mbr locker 256 (which on the monitor calls itself Petya) attacked the servers of Russian and Ukrainian companies.

It locks files on the computer and encrypts them. The hackers demand $300 in bitcoins to unlock it.

MBR is the master boot record, the code required for the subsequent boot of the OS. It is located in the first sector of the device.

After turning on the power of the computer, a POST procedure takes place, testing the hardware, and after it, the BIOS loads the MBR into RAM at 0x7C00 and transfers control to it.

That is the code the virus overwrites, so it gains control of the machine before the operating system starts. There are many modifications of the malware.
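An added example (not from the article or any vendor): a PowerShell check that parses a 512-byte MBR image as laid out above (boot code, four partition entries, the 0x55 0xAA signature) and compares the boot-code area against a known-good SHA-256 baseline, so a boot sector overwritten the way the "Petya" section describes is flagged even when the signature is intact. The sample sectors are constructed, and the baseline hash and the physical-drive read at the end are assumptions for a Windows host.

```powershell
# Added example (not from the original article): validate a 512-byte MBR image
# and compare its boot-code area against a known-good baseline hash.
# Layout: boot code at 0..445, four 16-byte partition entries at 446..509,
# signature 0x55 0xAA at 510..511.

function Get-MbrReport {
    param([Parameter(Mandatory)][byte[]]$Sector,
          [string]$BaselineBootCodeSha256)   # hash recorded from a clean machine (assumed)

    if ($Sector.Length -lt 512) {
        return [pscustomobject]@{ SignatureOk=$false; BootCodeMatchesBaseline=$null; Partitions=@(); Verdict='short read' }
    }
    $sigOk = ($Sector[510] -eq 0x55) -and ($Sector[511] -eq 0xAA)

    # Hash only the boot-code area: partition entries legitimately differ between hosts.
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = ($sha.ComputeHash($Sector, 0, 446) | ForEach-Object { $_.ToString('x2') }) -join ''
    $sha.Dispose()
    $baselineOk = if ($BaselineBootCodeSha256) { $hash -eq $BaselineBootCodeSha256.ToLower() } else { $null }

    $parts = foreach ($i in 0..3) {
        $o = 446 + 16 * $i
        if ($Sector[$o + 4] -ne 0) {   # partition type 0x00 = unused entry
            [pscustomobject]@{
                Index    = $i
                Bootable = ($Sector[$o] -eq 0x80)
                Type     = '0x{0:X2}' -f $Sector[$o + 4]
                LbaStart = [BitConverter]::ToUInt32($Sector, $o + 8)
                Sectors  = [BitConverter]::ToUInt32($Sector, $o + 12)
            }
        }
    }

    # Most severe finding wins.
    $verdict = 'ok'
    if (-not $parts)               { $verdict = 'no partitions: partition table wiped' }
    if ($baselineOk -eq $false)    { $verdict = 'boot code differs from baseline (possible bootkit/ransomware)' }
    if (-not $sigOk)               { $verdict = 'invalid MBR signature' }

    [pscustomobject]@{ SignatureOk=$sigOk; BootCodeSha256=$hash; BootCodeMatchesBaseline=$baselineOk
                       Partitions=@($parts); Verdict=$verdict }
}

# --- Constructed sample data (not a real disk image) ---
$clean = New-Object byte[] 512
$clean[0] = 0xFA; $clean[1] = 0x33; $clean[2] = 0xC0         # a few stand-in boot-code bytes
$clean[510] = 0x55; $clean[511] = 0xAA                        # boot signature
$clean[446] = 0x80; $clean[450] = 0x07                        # entry 0: active, type 0x07 (NTFS)
[BitConverter]::GetBytes([uint32]2048).CopyTo($clean, 454)    # starts at LBA 2048
[BitConverter]::GetBytes([uint32]204800).CopyTo($clean, 458)  # 100 MiB long
$baseline = (Get-MbrReport -Sector $clean).BootCodeSha256     # record this on a known-good host

# Tampered copy: boot code replaced, signature and partition table left intact,
# so a signature-only check would still pass.
$tampered = [byte[]]$clean.Clone()
$rng = [System.Random]::new(7)
for ($i = 0; $i -lt 446; $i++) { $tampered[$i] = [byte]$rng.Next(256) }

Get-MbrReport -Sector $clean    -BaselineBootCodeSha256 $baseline | Format-List Verdict, Partitions
Get-MbrReport -Sector $tampered -BaselineBootCodeSha256 $baseline | Format-List Verdict

# To check a live disk (Windows, elevated session; reads must be whole sectors):
# $fs  = [System.IO.FileStream]::new('\\.\PhysicalDrive0', 'Open', 'Read')
# $buf = New-Object byte[] 512; [void]$fs.Read($buf, 0, 512); $fs.Close()
# Get-MbrReport -Sector $buf -BaselineBootCodeSha256 $baseline
```

The first report comes back "ok" and the second "boot code differs from baseline", which is the detection a signature check alone cannot give.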

It runs under Windows, just like the previous malware.

Who has already suffered

Ukrainian and Russian companies. Here is part of the whole list:

  • Zaporozhyeoblenergo
  • DTEK
  • Dnipro Electric Power System
  • Kharkivgaz
  • Kyivenergo
  • Kyivvodokanal
  • Antonov
  • Kyiv Metro
  • Nova Poshta
  • Auchan
  • Epicenter
  • PrivatBank
  • OschadBank
  • National Bank of Ukraine
  • Nivea
  • three mobile operators: Kyivstar, LifeCell and UkrTeleCom
  • Boryspil Airport
  • Rosneft

Many companies quickly repelled the attack, but not all of them managed to. As a result, some of their servers are still down.

Because of Petya, banks cannot carry out a number of monetary transactions. Airports are postponing or delaying flights. The Kiev metro did not accept contactless payments until 15:00.

"As for office equipment, computers, they do not work. At the same time, there are no problems with the energy system, with energy supply. This affected only office computers (running on the Windows platform). We were given the command to turn off the computers." - Ukrenergo

Operators complain that they also suffered, but they are still trying to serve subscribers in normal mode.

How to protect yourself from Petya.A

To protect against it, close TCP ports 1024-1035, 135 and 445 on the computer. This is quite simple to do:

Step 1. Open Windows Firewall with Advanced Security.

Step 2. In the left pane, go to "Inbound Rules".

Step 3. Select "New Rule" -> "Port" -> "TCP" -> "Specific local ports".

Step 4. Enter "1024-1035, 135, 445", select all profiles, choose "Block the connection" and click "Next" everywhere.

Step 5. Repeat the steps for "Outbound Rules".

The second measure is to update your antivirus. Experts report that the necessary updates have already appeared in the anti-virus software databases.
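The same block rules as the manual firewall steps above, applied with the built-in NetSecurity cmdlets, as an added example that is not from the article. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, and for the outbound rule it blocks the remote ports (the direction a spreading infection uses) rather than local ports.

```powershell
# Added example (not from the original article): block the TCP ports named by
# Group-IB with New-NetFirewallRule instead of clicking through the wizard.
$ports = @('135', '445', '1024-1035')

# Inbound: block the listed local ports on all profiles (Domain/Private/Public).
New-NetFirewallRule -DisplayName 'Block Petya ports (inbound)' -Direction Inbound `
    -Protocol TCP -LocalPort $ports -Action Block -Profile Any -Enabled True

# Outbound: block connections *to* those ports on other hosts, which is what
# stops an already-compromised machine from reaching its neighbours over SMB/RPC.
New-NetFirewallRule -DisplayName 'Block Petya ports (outbound)' -Direction Outbound `
    -Protocol TCP -RemotePort $ports -Action Block -Profile Any -Enabled True

# Verify what was created: rule, direction, action and the port filter attached to it.
Get-NetFirewallRule -DisplayName 'Block Petya ports*' |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule       = $_.DisplayName
                           Direction  = $_.Direction
                           Action     = $_.Action
                           LocalPort  = ($pf.LocalPort  -join ',')
                           RemotePort = ($pf.RemotePort -join ',') }
    } | Format-Table -AutoSize

# Caveat: TCP 445 carries SMB file sharing and 135 is the RPC endpoint mapper.
# Blocking them outbound on a domain-joined workstation cuts off file shares,
# printers and Group Policy, so stage this on isolated hosts first.
# Undo with:
# Get-NetFirewallRule -DisplayName 'Block Petya ports*' | Remove-NetFirewallRule
```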

The Rosneft company complained about a powerful hacker attack on its servers. The company announced this in its
