Several transportation organizations in Ukraine and as well as some governmental organizations have suffered a cyberattack, resulting in some computers becoming encrypted, according to media reports.
Public sources have confirmed that computer systems in the Kiev Metro, Odessa airport, Ukrainian ministries of infrastructure and finance, and also a number of organizations in Russia are affected.
ESET discovered that in the case of the Kiev Metro, the malware used for the cyberattack was Diskcoder.D, — a new variant of ransomware known also as Petya. The previous variant of Diskcoder was used in a damaging cyberattack on a global scale in June, 2017.
The Diskcoder.D ransom note
ESET’s telemetry has detected hundreds of occurrences of Diskcoder.D. Most of the detections are in Russia and Ukraine, however, also there are reports of computers in Turkey, Bulgaria and other countries are affected.
ESET security researchers are working on a comprehensive analysis of the Diskcoder.D malware. According to their preliminary findings, Diskcoder.D uses the Mimikatz tool to extract credentials from the affected systems. Apart from this, it has also a hardcoded list of credentials.
The analysis is ongoing and we will update this article as more details are revealed.
IoCs
afeee8b4acff87bc469a6f0364a81ae5d60a2add
de5c8d858e6e41da715dca1c019df0bfb92d32c0 (install_flash_player.exe)
hxxp://1dnscontrol.com/flash_install.php
Source:https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.
