The author of the original Petya ransomware going by the name of Janus Cybercrime Solutions, has released the master decryption key of all past Petya versions.
This key can decrypt all ransomware families part of the Petya family except NotPetya, which isn’t the work of Janus.
Janus released the master key on Wednesday in a tweet that linked to an encrypted and password-protected file uploaded on Mega.nz.
Malwarebytes security researcher Hasherezade cracked the file yesterday and shared its content:
Here is our secp192k1 privkey: 38dd46801ce61883433048d6d8c6ab8be18654a2695b4723
We used ECIES (with AES-256-ECB) Scheme to encrypt the decryption password into the “Personal Code” which is BASE58 encoded.
The malware requires administrator rights to the local computer. Standard users should not have this in permission. Consider restricting who has local admin rights to prevent execution of exploit code within organisations. Home users should also consider using a Standard User Account for day-to-day operations.
Educate end-users to remain vigilant when opening attachments or clicking on links from senders they do not know.
Ensure you have the latest updates installed for your anti-virus software.
Ensure you have backup copies of your files stored on local disks. Generally, user files on local drives are replicated from a network share
Prevent users from writing data outside of designated areas on the local hard disk to prevent data loss if attack occurs.
Operate a least privileged access model with employees. Restrict who has local administration access.
Petya does not encrypt files. it encrypts the Master File Table, which is the index of where all the files are stored on a hard disk drive.
“Petya uses the NSA Eternalblue exploit but also spreads in internal networks with WMIC and PSEXEC. That’s why patched systems can get hit.”
Mikko Hypponen confirms, Chief Research Officer at F-Secure.
PT Security, a UK-based cyber security company and Amit Serper from Cybereason, have discovered a Kill-Switch for Petya ransomware. According to a tweet, company has advised users to create a file i.e. “C:\Windows\perfc” to prevent ransomware infection.
For many years BIOS has been the industry standard for booting a PC. BIOS has served us well, but it is time to replace it with something better. UEFI is the replacement for BIOS, so it is important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment.
Introduction to UEFI
BIOS has been in use for approximately 30 years. Even though it clearly has proven to work, it has some limitations, including:
1 MB address space
Poor performance on ROM initialization
MBR maximum bootable disk size of 2.2 TB
As the replacement to BIOS, UEFI has many features that Windows can and will use.
With UEFI, you can benefit from:
Support for large disks. UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks.
Faster boot time. UEFI does not use INT 13, and that improves boot time, especially when it comes to resuming from hibernate.
Multicast deployment. UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start.
Compatibility with earlier BIOS. Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS.
CPU-independent architecture. Even if BIOS can run both 32- and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS.
CPU-independent drivers. On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That is not needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment.
Flexible pre-operating system environment. UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors.
Secure boot. Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware cannot switch the boot loader.
UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a small number of machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later.
Hardware support for UEFI
In regard to UEFI, hardware is divided into four device classes:
Class 0 devices. This is the UEFI definition for a BIOS, or non-UEFI, device.
Class 1 devices. These devices behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured.
Class 2 devices. These devices have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available.
Class 3 devices. These are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 is not supported on these class 3 devices. Class 3 devices do not have a CSM to emulate BIOS.
Windows support for UEFI
Microsoft started with support for EFI 1.10 on servers and then added support for UEFI on both clients and servers.
With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 supports both. However, UEFI does not support cross-platform boot. This means that a computer that has UEFI x64 can run only a 64-bit operating system, and a computer that has UEFI x86 can run only a 32-bit operating system.
How UEFI is changing operating system deployment
There are many things that affect operating system deployment as soon as you run on UEFI/EFI-based hardware. Here are considerations to keep in mind when working with UEFI devices:
Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS.
When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It is common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa.
When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4GB.
UEFI does not support cross-platform booting; therefore, you need to have the correct boot media (32- or 64-bit).
If you ever had to recover a Synology nas box in recovery-mode, pre DiskStation installation or after a failed DiskStation install….. Then you would need the “secret” telnet password for admin (or in some cases root)
In case you don’t want to contact Synology here is how it’s generated
1st character = month in hexadecimal, lower case (1=Jan, … , a=Oct, b=Nov, c=Dec)
2-3 = month in decimal, zero padded and starting in 1 (01, 02, 03, …, 11, 12)
4 = dash
5-6 = day of the month in hex (01, 02 .., 0A, .., 1F)
To make your next Windows experience even better – We have just released the next version of Access Director. Using Access Director you will be able to secure your desktop, simple and easy!
– Run your desktop in a non-elevated user context
– Elevate only needed applications with a single click
– Elevate in your current user-context without affecting other unsecured applications like IE or Office
What’s in Access Director 3.0 ?
– Updates to support the next Windows experience (10)
– Support for integration modules
– Minor bug fixes
A recent survey conducted by BeyondTrust (www.beyondtrust.com), a developer and marketer of least privilege management software, reveals that 92% of critical vulnerabilities reported by Microsoft could have been prevented simply by removing administrator rights from Windows users. Also, the survey points out, removing administrator rights helps companies protect themselves and their computers against 94% of Microsoft Office, 89% of Microsoft Internet Explorer, and 53% of Windows vulnerabilities. Given the prevalence of Microsoft software in today’s corporate environment, these numbers should give any administrator pause.
Get a head start removing Admin Rights – by using Access Director from Curago – its FREE
In the video we are logged on a workstation with the TestUser
TestUser is not member of the Local Administrators group
TestUser is member of the custom created local group AdminAccess
When requesting local administrators access using the tray icon, it will verify that we are a know user that is a member of the local group AdminAccess. If we are member of the local group we will be elevated for a predefined number of minutes (2 minutes in the example)
When elevated, we can click on any application and RunAs Administrator – we will as always be prompted for our logged on credentials, but this time the application is running with local administration privileges.
When the timer hits 2 minutes, our administration privileges are expired.
This will make it possbile ONLY to elevated, when needed and not having to load the full profile with administrative privileges
The tray icon does not require addtional rights to run
A local system service will handle all requests
All options are configurable through gpo and/or registry