Hello! My name is Matt Suiche. I am an independent researcher, advisor, and investor. I previously served as the Head of Detection Engineering at Magnet Forensics. Our organization was passionately dedicated to justice and protecting the innocent, a mission we embarked on more intensely after the 2022 acquisition of my cybersecurity start-up, Comae Technologies.
My life-long fascination with learning and understanding complex systems first led me to cybersecurity. My teenage years were spent immersed in reverse engineering, which ignited a profound curiosity about technology that continues to this day. I’ve since explored various fields including operating systems architecture, programming languages, virtualization, modern web application development, and generative art. Furthermore, I’ve delved into numerous domains such as privacy, surveillance, forensics, blockchain, and community development among others.
What we know so far about Byata. 🔗Summary 🔗Yes, this is bad — real bad — this is another ransom-ware leveraging SMB network kernel vulnerabilities to spread on the local network. The exploit used is based on ETERNALBLUE NSA’s exploit leaked by TheShadowBrokers in April, 2017. Similar to WannaCry. No kill-switch this time. (& stop hoping for one)
Update: The initial infection vector seem to have been a rogue update pushed by the attackers via the Ukranian accounting software Me-Doc.
This week during the SSTIC2017 annual cyber security conference, a French conference running consecutively since 2004, the National Cybersecurity Agency of France (ANSSI) gave a presentation detailing their 2015 audit of their investigation and remediation of the intrusion which affected TV5Monde television network channel. This intrusion was allegedly conducted by the Fancy Bear/APT28 actor, and resulted into broadcasting and social media sabotage.
Although, this happened two years ago — hats off to both ANSSI and TV5Monde for sharing their experience, what they have learned and their methodology during the investigation.
Working Windows XP & 7 demos. #FRENCHMAFIA 🔗Read More: Part 1 — Part 2 — Part 3 — Part 4 — @msuiche (Twitter)
In Short 🔗DO NOT REBOOT your infected machines and TRY wanakiwi ASAP*!
*ASAP because prime numbers may be over written in memory after a while.
Frequently Asked Questions 🔗Here.
Usage 🔗You just need to download the tool and run it on the infected machine. Default settings should work.
