Alright, so let's talk about ransomware and the latest one, called Petya ransomware. This is essentially a stack, or a variation, on the WannaCry one that we had only a few weeks ago. WannaCry was thwarted fairly quickly because they found a kill switch in it, and you're probably wondering why there is a kill switch inside of ransomware. So let's go back to a little bit of explanation of how all that works.

What happened was EternalBlue was an exploit by a government agency that they were using, undoubtedly, for attacks; I believe it was the NSA. With the EternalBlue exploit, it got out in the wild, and when this gets out in the wild, the problem is it gets used for bad purposes. Not that I'm going to completely condone everything that the NSA does as good purposes, but they are a spy agency, so when they find a hole in a product they use it for their own gain and don't just close it responsibly so the vulnerability can be fixed. So there's non-disclosure and use of the tool, and then subsequent losing of the tool. The other side of that is, even if they didn't lose the tool, there are other people plugging away, and if they find it, well, we have what we have here.

So the security exploit of EternalBlue allows them to worm this, and what worming it means is once it infects one machine, it can infect the neighboring machines even though nobody clicked on anything. That's essentially how the EternalBlue exploit works: it's a file-sharing (SMB) vulnerability, so other computers on the shared network can be spread to, and of course misconfigured computers that shouldn't have sharing enabled to the outside world do, and it spreads that way as well.

Now, what stopped WannaCry with the kill switch was this: viruses don't like to be analyzed. Part of the protection mechanism to stop them from being analyzed is, when you refer them to a sandbox, or put them in their own little world so you can watch what they do, they reach out to the internet. And there's an ideal way to do it, not
that I'm trying to advise some hackers, but they know this. The ideal way to do it is you take a randomly generated website, a long string of gibberish, and you go, does this website exist? Well, no, it doesn't exist, so okay, I'm not in a sandbox. But if you have things in a sandbox, because it's technically disconnected from the internet and you're analyzing everything, you kind of have the sandbox answer yes, that exists, whatever you're asking for exists, what are you going to send there? And that's how you do post-analysis: you say yes to whatever website it requests and then you look at the analysis of it. If you say no, you may miss an opportunity to see what it tries to do.

Well, this was stopped by someone going out and registering this website, because instead of generating a random one, they had a static website they looked for each time. So by simply registering the website it stopped WannaCry, and we went from threat level red and everyone crying about it to not a big deal.

Well, here comes the Petya ransomware, and that's a little bit different. They took the same EternalBlue exploit, so it's EternalBlue part 2, and this is something that we know about and we have a patch for. But people don't load patches, people have old systems, and for a litany of reasons just have not upgraded or swapped things around to properly secure this. And because they weren't hit the first time and didn't get encrypted, they're ready for round two of not being patched or updated.
So this ransomware has a couple of other attack vectors in it. It does have EternalBlue as one of them; it also stacked in there a tool called LSADump, and what it can do is move laterally through your network. What that means is, let's say you get the email, and that email is often the source point of this, and one computer in your office gets it. You're like, oh no, that one computer. Fine. Well, LSADump looks for network computers and dumps administrator passwords, and if it gets the administrative password from your computer, it then gets the administrative password to your domain of computers. It uses a series of simple passwords it tries; I believe it's got a bunch of tables built in, so it looks at what they refer to as the password hashes, and then it can spread throughout the entire network.

So even though the other computers are all patched, that one computer that wasn't was the edge, and once they get in there it laterally moved through your entire network, infecting all the other machines on your network. So you're like, but these other machines were patched. Yep. It used a completely different attack; matter of fact, the attack it used wasn't really an attack. It dumped the password, had the password. So even a patched system can get it. This is a lot of the point of confusion, with people going, what, my system was patched? Yeah, it was, but there was a piece of your network that was not, and that was the edge point by which it came in. And this edge point could be, you know, an employee's laptop that you don't have as much control over in your domain. So there are a lot of different things to think about when you're talking about computer security, and it gets messy really, really quick.

Now, this spread pretty fast. They've kind of got their own kill switch, but it requires adding a file. It looks like if you add a file called perfc, I think it's perfc.dat, it stops.
There are some instructions; I'll leave links below in this if that helps you with stopping it. You can also look for the hashtag #StopPetya on Twitter, and you'll find a list of people who have different ways of mitigating this. The best way to mitigate it is to have a fully patched system, a locked-down secure firewall, good strong admin passwords, and a good backup in case none of that works. And a good backup is one that's tested, by the way, so you don't just have a backup; have a backup that you've tested. That's how you know it's a real backup.

So I'm going to cover a couple of little details real quick here. Here, on GitHub, is an entire Petya ransomware breakdown with a lot of details, if you care about the real technical details. FireEye also has some analysis on it, talking about how it spreads and some of the other details in it; a lot of this is reverse engineering, taking the virus apart. Microsoft has provided a guide for securing Windows systems against the EternalBlue exploit in the context of WannaCry, and because this uses exactly the same exploit, the same rules work. So as for WannaCry, patch your system and it's fixed; they have a fix for us. Microsoft even took the time to roll out a fix for older Windows XP machines that are no longer truly supported.
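The two kill switches described above (the domain lookup that stopped WannaCry, and the local file that stops Petya) come down to a few lines of decision logic each. The following is an added example written for this page, not code from the video or from any malware sample: it models the "does this website exist?" check with an injected resolver so it runs offline, contrasts the fixed-domain version (stoppable by registering one name) with the random-domain version (not stoppable that way, but still fooled by a say-yes-to-everything sandbox), and then shows the file-based check with a vaccine installer that writes the file names given in the video into a scratch directory. The domain name, the `Resolver` callable, the function names and the read-only attribute on the vaccine files are this example's own assumptions.

```python
from __future__ import annotations

import secrets
import stat
import string
import tempfile
from pathlib import Path
from typing import Callable

# A resolver answers "does this site exist?". It is injected so the example runs offline.
Resolver = Callable[[str], bool]

# Hypothetical placeholder for the hard-coded domain the video refers to.
STATIC_DOMAIN = "kill-switch-placeholder.example"


def random_domain(length: int = 32) -> str:
    """A fresh gibberish hostname; on the real internet nobody has registered it."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length)) + ".com"


def should_run_static(resolves: Resolver) -> bool:
    """WannaCry-style check: one fixed domain. If it resolves, assume a sandbox and stop.
    Registering that one domain therefore stops every copy at once."""
    return not resolves(STATIC_DOMAIN)


def should_run_random(resolves: Resolver) -> bool:
    """Random-domain check: a 'yes' for a name nobody registered means a sandbox.
    Nothing a defender registers changes the answer on the real internet."""
    return not resolves(random_domain())


def internet_resolver(registered: set[str]) -> Resolver:
    """Model of the real internet: only registered names exist."""
    return lambda domain: domain in registered


def sandbox_resolver(domain: str) -> bool:
    """Model of an analysis sandbox that says 'yes, that exists' to every lookup."""
    return True


def simulate_domain_checks() -> dict[str, bool]:
    """Whether the payload would run under each combination (True = runs)."""
    before = internet_resolver(set())
    after = internet_resolver({STATIC_DOMAIN})
    return {
        "static, domain unregistered": should_run_static(before),
        "static, domain registered": should_run_static(after),
        "static, in sandbox": should_run_static(sandbox_resolver),
        "random, domain registered": should_run_random(after),
        "random, in sandbox": should_run_random(sandbox_resolver),
    }


# The Petya-style variant gates on a local file instead of a domain. The names are the
# ones given in the video (perfc / perfc.dat); the directory is passed in so the example
# uses a scratch folder rather than a real C:\Windows.
VACCINE_NAMES = ("perfc", "perfc.dat")


def should_run_file_check(windows_dir: Path) -> bool:
    """File-based kill switch: abort if any vaccine file is already present."""
    return not any((windows_dir / name).exists() for name in VACCINE_NAMES)


def install_vaccine(windows_dir: Path) -> list[Path]:
    """Create the files the malware looks for. Making them read-only is this example's
    addition, so a later process cannot simply overwrite them."""
    created = []
    for name in VACCINE_NAMES:
        path = windows_dir / name
        path.touch(exist_ok=True)
        path.chmod(stat.S_IREAD)
        created.append(path)
    return created


def demo_vaccine() -> tuple[bool, bool]:
    """(would run before vaccine, would run after vaccine), in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_windows = Path(tmp)
        before = should_run_file_check(fake_windows)
        created = install_vaccine(fake_windows)
        after = should_run_file_check(fake_windows)
        for path in created:  # restore write permission so the scratch dir can be removed
            path.chmod(stat.S_IREAD | stat.S_IWRITE)
    return before, after


if __name__ == "__main__":
    for case, runs in simulate_domain_checks().items():
        print(f"{case:30} -> {'payload runs' if runs else 'aborts'}")
    print("vaccine (runs before, runs after):", demo_vaccine())
```

The point of the side-by-side is the asymmetry: a sandbox that answers "yes" to every lookup stops both variants, but only the fixed-domain variant hands defenders a switch they can flip for everyone by registering one name. The file check is the same shape of decision, which is why a single empty file on each machine works as a vaccine until the next version drops the check.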
That being said, I'll leave links for some of these other places here if you just want to go into all kinds of little details about it. But the one detail I did jump into, and we'll check this now, so maybe refresh the page. Yep, it moved; it was at 43, so now we're at 3.9 bitcoins given to these people. Now, one of the things they did was shut down the email address that the ransomware is going to, and it's kind of a controversial decision, because by shutting it down none of these people who got their files encrypted can get them back. That being said, it also means that if they were to keep the email working, you're supporting ransomware, because you're giving these guys a reward for their efforts. So far they have received, and of course it wants payment in bitcoin, which is pretty common, 3.9 bitcoins; that's what has been paid. So let's figure out what 3.9 bitcoins works out to: they've made about $10,000 off of this so far. The downside is, and it's sad to say, but with them shutting down the email address, people are not going to get their decryption keys back.
So even though they paid the ransom to get the keys back, the hackers have made $10,000 and don't even have to do the work for it. By shutting it down, I'm guessing they didn't make as much as they thought, but still, $10,000 to spread out a virus and send it out, and maybe they got a few people decrypted. Either way, they got $10,000.

And a real side note, if you're wondering how bitcoin works and why this doesn't give us direct access to who these people are: bitcoin is a cryptocurrency with a ledger system. You can take anyone's bitcoin ID and see how much value is in that bitcoin ID; you can track the transactions in that bitcoin ID. But you can't know who these people are, because bitcoin IDs are generated. So we know this is the bitcoin ID they want it sent to; the only way to trace someone would be to figure out how they got the money out of the bitcoin, and if we could trace that, then we would know who the people were that took the money out. So just a side note on that, in case you're wondering. But either way, they were able to get $10,000 out of people, and that's sad, because these people, I'm 99% sure, are not going to get any of their money back, or get their files back, despite paying the ransom.

So hopefully this was kind of a quick summary of what the Petya virus is. How to mitigate against it is simply patch, the same answer as it was for WannaCry, and be careful of lateral movement within your network, because a lot of people don't think to put good admin passwords together. But you should have a good admin password, even if you're like, oh, there's no external access to my systems. Well, if you have one person on your network who had a compromised machine, you end up infecting the rest of your network because you had some internal weak passwords. And this is what threat stacking looks like. You're only going to see more of it, because they take the WannaCry tool, they post-analyze everything that was
wrong with it, and they make a better version. And now we've found, you know, flaws and stuff; if you look for, like I said, the hashtag #StopPetya, there are a lot of people explaining how to stop it. Once again, all these things are going into the next person's mind, or maybe the same person's doing it, and they're simply going to make a better version again, and it won't have the shortcomings. So be prepared, have your backups ready. The best I can do for advice here: it's a very real threat, and everyone thinks it won't happen to them. It's very likely, if you're not doing everything you can, that you're really at risk. We trust our systems really well here, and I still have backups of our backups, just in case I'm wrong. Just in case, always have extra backups of everything; that way, in worst-case scenarios, you can go to a full restore.

So if you like the content here, like and subscribe. I just wanted to cover this real quick; it's a hot topic and I've had some people asking me. I'm sending this out to some of our customers as well to try and explain it to them, because they are asking. The good news is, anyone on our managed services we've kept fully patched, fully up to date, and we are watching this. I mean, we weathered WannaCry, we're weathering this. We really encourage, if we have a managed client, that we have everything: secure passwords, more complicated ones. It's really important; we preach this to people. I'm hoping to get some of the clients that I know are break-fix, that just have really poor security practices, they're the most at risk, to send this out to them as well. Hopefully I can get some attention on this and get to them before it turns into a real problem. Thanks again.
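The advice above that a backup only counts once you have tested it is easy to turn into a routine. The following is an added example for this page, not a script from the video or from any product: it takes a tar.gz backup of a folder, restores it into a scratch directory, and compares every restored file byte-for-byte against the source, reporting anything missing, changed or extra rather than trusting that the archive "succeeded". The folder layout, file names and contents are constructed sample data; the archive format and the helper names are this example's choices. It also refuses to extract archive members that would land outside the restore directory, which is the usual trap when restoring archives you did not create yourself.

```python
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_digests(root: Path) -> dict[str, str]:
    """SHA-256 of every regular file under root, keyed by relative POSIX path."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            key = path.relative_to(root).as_posix()
            digests[key] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def make_backup(source: Path, archive: Path) -> Path:
    """Write a compressed tar of source (directory contents rooted at '.')."""
    with tarfile.open(archive, "w:gz") as tf:
        tf.add(source, arcname=".")
    return archive


def _safe_extract(tf: tarfile.TarFile, dest: Path) -> None:
    """Extract only members that resolve inside dest (no '..' or absolute paths)."""
    dest = dest.resolve()
    for member in tf.getmembers():
        target = (dest / member.name).resolve()
        if target != dest and dest not in target.parents:
            raise ValueError(f"unsafe path in archive: {member.name}")
    tf.extractall(dest)


def verify_backup(source: Path, archive: Path) -> dict:
    """Restore into a scratch dir and diff against the live source tree."""
    expected = file_digests(source)
    with tempfile.TemporaryDirectory() as scratch:
        restore_dir = Path(scratch)
        with tarfile.open(archive, "r:gz") as tf:
            _safe_extract(tf, restore_dir)
        actual = file_digests(restore_dir)
    missing = sorted(set(expected) - set(actual))            # in source, not in backup
    extra = sorted(set(actual) - set(expected))              # in backup, not in source
    corrupt = sorted(k for k in expected if k in actual and expected[k] != actual[k])
    return {
        "ok": not (missing or extra or corrupt),
        "files": len(expected),
        "missing": missing,
        "extra": extra,
        "corrupt": corrupt,
    }


def demo() -> tuple[dict, dict]:
    """Returns (report for a good backup, report after the source drifted)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "share"                      # constructed sample share
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q2.xlsx").write_bytes(b"constructed sample data 1")
        (src / "readme.txt").write_text("constructed sample data 2")

        archive = make_backup(src, root / "share.tar.gz")
        good = verify_backup(src, archive)

        # Simulate the situation a stale backup leaves you in: one file changed
        # since the backup ran and one file was never captured at all.
        (src / "finance" / "q2.xlsx").write_bytes(b"constructed sample data 1, edited")
        (src / "budget.txt").write_text("constructed sample data 3")
        stale = verify_backup(src, archive)
    return good, stale


if __name__ == "__main__":
    good_report, stale_report = demo()
    print("fresh backup:", good_report)
    print("stale backup:", stale_report)
```

Run it on a schedule against the real share and the real archive, and treat anything other than `ok: True` as a failed backup rather than a warning; the restore step is the part most "we have backups" setups never actually exercise.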