
New Ransomware Alert “Petya”

NYU IT has been notified by Homeland Security about an emerging ransomware email threat (a new strain of Petya) occurring in many countries around the world, and NYU’s Office of Information Security is actively monitoring for any impact at NYU. Ransomware is a type of malicious software that infects a computer and restricts users’ access to the infected machine, including any attached storage, until a ransom is paid to unlock it. Individuals and organizations are discouraged from paying the ransom, as payment does not guarantee that access will be restored. Using unpatched and unsupported software increases the risk that threats such as ransomware will spread.

Phishing Alert: Treat email from unknown senders with vigilance, and do not click on URLs in emails without checking the actual destination first (hover over the link and confirm that it points to the expected location).

Patching Alert: Please keep all systems up to date, with the latest security and software patches.

Anti-Virus Alert: Please update your Anti-Virus software to the latest version.

The following websites provide additional information:

https://www.us-cert.gov/ncas/current-activity/2017/06/27/Multiple-Petya-Ransomware-Infections-Reported

https://krebsonsecurity.com/2017/06/petya-ransomware-outbreak-goes-global/

If you require assistance or for urgent IT issues and security escalations, contact the IT Service Desk (24×7) at 212-998-3333 or email AskIT@nyu.edu.

This information will be available on the NYU IT Security News blog at: https://wp.nyu.edu/itsecurity/

For NYU IT Security information, see: https://www.nyu.edu/it/security


Additional Information:
This ransomware has been reportedly spreading globally via a malicious email attachment. Petya is spreading using the same propagation method (a hacking tool called “EternalBlue”) as the WannaCry ransomware attack last month. For more information on WannaCry, please click here and here. Petya does not encrypt individual files; rather, it targets the computer’s master boot record and is aimed at the computer’s entire file system. Data is being held hostage pending receipt of a Bitcoin payment of $300. Please be reminded that payment of a ransom does not guarantee receipt of the decryption key or the successful restoration of data.

The following is the message that displays on the screens of Microsoft Windows devices that have been infected with Petya:

Screenshot showing the ransomware message that appears once a user's files have been encrypted. The message begins with the text "Oops, your important files are encrypted" and provides instructions for a payment of $380 worth of bitcoin.

(Image courtesy of KrebsonSecurity)

Researchers report that this ransomware uses a modified version of EternalBlue to get inside the network once the ransomware has been activated, and the PsExec command-line tool to spread from machine to machine. It is not yet clear whether Petya mimics the worm capability of WannaCry and can spread between computers without user interaction.

For system administrators, it is recommended that the latest Microsoft patches be applied, especially MS17-010.

Please be reminded that if you suspect a ransomware attack:

  1. Disconnect from the network and any file shares.
  2. Contact the IT Service Desk (24×7) at 212-998-3333 or email AskIT@nyu.edu.
  3. Wipe your device.
  4. Recover files from a backup or sync performed prior to the encryption.
  5. Disconnect backups by disconnecting backup devices or disconnecting from file sharing services.

For more information, please see:
https://arstechnica.com/security/2017/06/a-new-ransomware-outbreak-similar-to-wcry-is-shutting-down-computers-worldwide/

https://researchcenter.paloaltonetworks.com/2017/06/unit42-threat-brief-petya-ransomware/

Mobile Phishing Attacks via SMS Text Messaging

There has been a recent uptick in the delivery of phishing via SMS text messages (a/k/a “SMiShing”) in the form of “URL padding”, or front loading: the web address of a malicious site is prefixed with a legitimate domain name. The goal of these attacks is credential theft, as users are prompted to enter their credentials on the phishing pages to which they are directed.

Specifically, the true site domain is concealed: the subdomain portion of the address is padded with enough hyphens to push the true link destination out of view on a phone screen. These attacks have also succeeded because, with SMS messages, it is not possible to confirm the legitimacy of a site before tapping the link, and upon arrival at the site the URL padding masks the true site address in the browser’s address bar.

Please see the following examples of URL padding:

Screenshot showing examples of URL padding using hyphens to mask the domain/destination URL

(Image courtesy of Ars Technica)

The phishing pages are hosted on sites with legitimate domain names that have been compromised.

It is recommended that, whenever possible, you avoid clicking links that have been transmitted by SMS message, and that you do not click links containing runs of hyphens (URL padding or front loading) as shown above. If you visit a web page whose URL appears to be front loaded, it is likely a phishing page; close the browser tab containing the page or exit the browser, since it is important to avoid clicking any elements on a possibly malicious web page or pop-up.
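The padding and front-loading described above can be checked mechanically, which is useful for a mail or SMS gateway filter or for a user-awareness demo. The following is an added example, not code from the original post or from NYU IT: it extracts each URL from a message, reports the registrable domain that actually receives the request, and flags a hostname that either contains a long run of hyphens or begins with a trusted name it does not belong to. The trusted domain `example.edu`, the hyphen-run threshold and the sample messages are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample texts (not taken from the post): one padded, front-loaded link and one legitimate link.
SAMPLE_SMS = [
    "Your account is locked, verify now: http://login.example.edu"
    + "-" * 40 + "validate.step1.attacker-site.test/signin",
    "Library notice: https://library.example.edu/renew?id=12345",
]
TRUSTED_DOMAINS = {"example.edu"}  # assumption: the names users expect to see in a link
MAX_HYPHEN_RUN = 3                 # assumption: longer runs of hyphens in a hostname are padding

URL_RE = re.compile(r"https?://[^\s<>]+")

def registrable_domain(host):
    # Assumption: the last two labels identify the owner; co.uk-style names would need a public-suffix list.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def longest_hyphen_run(host):
    return max((len(m) for m in re.findall(r"-+", host)), default=0)

def front_loaded_with(host, trusted_domains):
    """Return the trusted name that appears at a label boundary in a host it does not own, else None."""
    true_domain = registrable_domain(host)
    for trusted in trusted_domains:
        # trusted name at the start or after a dot, immediately followed by padding or more labels
        at_boundary = re.compile(r"(?:^|\.)" + re.escape(trusted) + r"(?=[-.])")
        if true_domain != trusted and at_boundary.search(host.lower()):
            return trusted
    return None

def analyse_url(url, trusted_domains=TRUSTED_DOMAINS):
    host = urlsplit(url).hostname or ""
    findings = []
    run = longest_hyphen_run(host)
    if run > MAX_HYPHEN_RUN:
        findings.append(f"hyphen run of {run} in hostname")
    spoofed = front_loaded_with(host, trusted_domains)
    if spoofed:
        findings.append(f"front-loaded with {spoofed}")
    return {"url": url, "true_domain": registrable_domain(host),
            "suspicious": bool(findings), "findings": findings}

def analyse_sms(text, trusted_domains=TRUSTED_DOMAINS):
    """Return one report per URL found in a message."""
    return [analyse_url(u, trusted_domains) for u in URL_RE.findall(text)]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        for report in analyse_sms(sms):
            print(report["true_domain"], report["suspicious"], report["findings"])
```

The report's `true_domain` is the value a user never sees on a phone screen, which is exactly why padded links succeed.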