Variant of Petya ransomware is spreading fast

Topic

New Reply

From http://www.cbsnews.com/news/cyberattack-ransomware-ukraine-websites-hackers-similar-wannacry-malware/:

‘A new and highly virulent outbreak of malicious data-scrambling software appears to be causing mass disruption across Europe, hitting Ukraine especially hard.

[…]

“There have been indications of late that Petya is in circulation again, exploiting the SMB (Server Message Block) vulnerability,” the Swiss Reporting and Analysis Center for Information Assurance (MELANI) told the Reuters news agency in an e-mail. Reuters said the Petya virus was behind a widespread attack in 2016.’

There is a claim that this ransomware also exploits CVE-2017-0199.

Note: the SMB vulnerability was fixed by Microsoft in March 2017, while CVE-2017-0199 was fixed in April 2017.

2 users thanked author for this post.

ch100, Elly

Reply | Quote

Replies

From https://twitter.com/dellcam/status/879743802675793921:

“Multiple researchers saying no evidence of #Petya leveraging CVE-2017-0199; likely confusion due to a simultaneous attack in Ukraine.”

From https://twitter.com/GossiTheDog/status/879746962509225985:

“I am on a train analysing Petya. I think this will be bigger than WannaCry. It’s much better designed. Has automated lateral movement.”

Reply | Quote

More info: A new ransomware outbreak similar to WCry is shutting down computers worldwide.

Reply | Quote

Was reading through the comment section there and it seems ALL windows OS’s are vulnerable even those that are fully patched. That means Windows 7, 8.1, 10 and everything in between. The patches Microsoft released for EternalBlue apparently don’t stop this one.

1 user thanked author for this post.

HiFlyer

Reply | Quote

Any home users hit?

And is it still spreading?

Reply | Quote

From https://twitter.com/MalwareTechBlog/status/879824261459972096:

“Petya is basically normal malware with some lateral movement capabilities, it’s not like WannaCry at all.”

1 user thanked author for this post.

HiFlyer

Reply | Quote

There seems to be a total lack of what the layman needs to watch out for in all the hype being posted around the web. I presume this must be because most of the news is veiled advertising for anti-malware software.

Can we find out:

• Is it yet another case where you need to not run suspicious attachments?
• A malware payload packaged in popular downloads?
• Drive by infection from web page ActiveX or scripting?
• Infection through an exposed SMB1 protocol layer?
• Does it require Windows systems to be out of date patch-wise?
• Some combination or all of these?

If we can answer at least some of these the information that’s now merely disturbing news will be made a lot more useful.

-Noel

1 user thanked author for this post.

HiFlyer

Reply | Quote

From the grugq on medium.com:

The worm uses three different infection vectors:
ETERNALBLUE
Harvested password hashes
psexec

The code is well written, obfuscated to protect against AV detection using at least two techniques:
Fake Microsoft signature (apparently fools some AV)
XOR encrypted shellcode payload (to bypass signature checks)

Reply | Quote

My hypothesis is that this malware was intended to harm as many Ukrainian organizations as possible, using ransomware as a cover story. The initial infections seem to be from a malicious update to Ukrainian accounting software MeDoc. The malware seems to spread only within an infected company’s network.

Sources:

https://www.malwaretech.com/2017/06/petya-ransomware-attack-whats-known.html
https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4
https://securelist.com/schroedingers-petya/78870/

Reply | Quote

MrBrian wrote:

My hypothesis is that this malware was intended to harm as many Ukrainian organizations as possible, using ransomware as a cover story. The initial infections seem to be from a malicious update to Ukrainian accounting software MeDoc. The malware seems to spread only within an infected company’s network.

Sources:

https://www.malwaretech.com/2017/06/petya-ransomware-attack-whats-known.html
https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4
https://securelist.com/schroedingers-petya/78870/

While this is certainly possible, it is known that organisations outside of Ukraine have been hit. Would that mean that we are currently dealing with multiple types of infection?

Reply | Quote

Possibly, but some multinational businesses that do business in Ukraine might use MeDoc also.

1 user thanked author for this post.

ch100

Reply | Quote

From Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide:

“Analysis It is now increasingly clear that the global outbreak of a file-scrambling software nasty targeting Microsoft Windows PCs was designed not to line the pockets of criminals, but spread merry mayhem.”

1 user thanked author for this post.

HiFlyer

Reply | Quote

From https://blog.kryptoslogic.com/malware/2017/06/28/petya.html:

“However, based on what we currently see, the current droppers or initial attack vectors are all but at a standstill.”

Reply | Quote

Calling the experts….. CT? ch100? Noel? anyone and all is wlecome to comment 🙂

Just curious….
can ransomeware/worm/virus affect the BIOS?
can it possibly wipe out the BIOS and render the hardware ‘useless’ (say if one dont pay up and the time run out)?
and if positive, is there any way to guard against it?

my understanding is prob over 10yrs old…
just curious whats the latest from the best of the best here 🙂

TIA
back to fishing for better dreams

Reply | Quote

Not according to what I know.
Your PC can be taken over from Windows in some conditions if the BIOS is not password protected or somehow the password is known to the attacker, but beyond that, once the hard-drive is reformatted and the control of the computer is taken back, normally the BIOS can be reset and start clean.
There is a possibility that an attacker installs a broken BIOS though…
We are moving in the realm of science-fiction now…
Fishing is easier than phishing 🙂

1 user thanked author for this post.

HiFlyer

Reply | Quote

Yes, yes, and yes, respectively.

Putting the spotlight on firmware malware

Can A Cyberattack Cause Physical Damage To Your Hardware?

Admin privileges are needed to alter BIOS, so setting User Account Control at max level (but see Method found that bypasses UAC even at maximum level for all versions of Windows) or using a standard account as your everyday account is one way to protect against this.

A program called Copernicus can be used to check for BIOS changes. If my memory is correct, Copernicus is not free anymore.

Reply | Quote

Homeland Security warns of ‘BrickerBot’ malware that destroys unsecured internet-connected devices

1 user thanked author for this post.

Elly

Reply | Quote

Hacking BIOS Chips Isn’t Just the NSA’s Domain Anymore

Reply | Quote

I just read a note at the end of the article, there is no more development of the program.

https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about

Reply | Quote

Multiple Petya Ransomware Infections Reported
https://www.us-cert.gov/ncas/current-activity/2017/06/27/Multiple-Petya-Ransomware-Infections-Reported

Original release date: June 27, 2017

 
US-CERT has received multiple reports of Petya ransomware infections in many countries around the world. Ransomware is a type of malicious software that infects a computer and restricts users’ access to the infected machine until a ransom is paid to unlock it. Individuals and organizations are discouraged from paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.

Petya ransomware encrypts the master boot records of infected Windows computers, making affected machines unusable. Open-source reports indicate that the ransomware exploits vulnerabilities in Server Message Block (SMB). US-CERT encourages users and administrators to review the US-CERT article on the Microsoft SMBv1 Vulnerability and the Microsoft Security Bulletin MS17-010 (link is external). For general advice on how to best protect against ransomware, review US-CERT Alert TA16-091A. Please report any ransomware incidents to the Internet Crime Complaint Center (IC3).

2 users thanked author for this post.

Elly, ch100

Reply | Quote

This Technet article reads like an ad for Windows Defender Advanced Threat Protection, but contains technical details and recommends disabling SMBv1 and to “consider adding a rule on your router or firewall to block incoming SMB traffic on port 445″:

New ransomware, old techniques: Petya adds worm capabilities
https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
msft-mmpc | June 27, 2017

5 users thanked author for this post.

Elly, HiFlyer, MrBrian, ch100, Noel Carboni

Reply | Quote

It might be an ad, but it is good advice for most, although I am not in favour of disabling SMB1. Port 445 must be blocked for access from outside of the local network (except for corporate or individual VPNs which once established, become the local network).
I tried and found issues with disabling SMB1, however my setup may not be relevant for most end-users and their configurations. Most end-users would be able to disable the Server service completely without any negative side-effects.

2 users thanked author for this post.

Elly, HiFlyer

Reply | Quote

From Petya.2017 is a wiper not a ransomware:

“TL;DR: The ransonware was a lure for the media, this version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon.”

1 user thanked author for this post.

Elly

Reply | Quote

From ExPetr/Petya/NotPetya is a Wiper, Not Ransomware:

“After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have thought that the threat actor cannot decrypt victims’ disk, even if a payment was made.

This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware.”

Reply | Quote

Chart “Top 20 countries based on numbers of affected organizations” is found at Petya ransomware outbreak: Here’s what you need to know.

1 user thanked author for this post.

SueW

Reply | Quote

From NotPetya ransomware: Attack analysis:

‘Avecto’s initial analysis shows that “patient zero”, the first user targeted, must be an admin user for the attack to succeed. Without admin rights, the malware is unable to overwrite the critical system areas, capture credentials or embed itself in the operating system. Much of the functionality, including clearing event logs and overwriting boot records, is reliant on admin privileges.

Once an infection has occurred, the attackers primary method of spreading is using LSADump a modified version of the Mimikatz tool used to perform Pass the Hash attacks by exploiting admin accounts and credentials stored in memory. This explains how organisations who believe they were patched with MS17-010 were still impacted. Removal of admin rights is key to preventing this type of credential theft and lateral movement, which is often used by malware and hackers.’

2 users thanked author for this post.

Elly, SueW

Reply | Quote

From Windows 10 platform resilience against the Petya ransomware attack:

“The attack started in Ukraine; when the dust settled, more than 70% of the machines that encountered Petya were in Ukraine.”

Update on Petya malware attacks.

 

Reply | Quote

US-CERT Alert (TA17-181A)
Petya Ransomware
https://www.us-cert.gov/ncas/alerts/TA17-181A

Original release date: July 01, 2017

 
Systems Affected
Microsoft Windows operating systems

Overview
On June 27, 2017, NCCIC was notified of Petya ransomware events occurring in multiple countries and affecting multiple sectors. Petya ransomware encrypts the master boot records of infected Windows computers, making affected machines unusable.

The NCCIC Code Analysis Team produced a Malware Initial Findings Report (MIFR) to provide in-depth technical analysis of the malware. In coordination with public and private sector partners, NCCIC is also providing additional IOCs in comma-separated-value form for information sharing purposes.

Available Files:

MIFR-10130295.pdf
TA-17-181A_IOCs.csv

The scope of this Alert’s analysis is limited to the newest “Petya” variant that surfaced June 27, 2017, and this malware is referred to as “Petya” throughout this Alert.
Description

Based on initial reporting, this Petya campaign involves multiple methods of initial infection and propagation, including exploiting vulnerabilities in Server Message Block (SMB). Microsoft released a security update for the MS17-010 (link is external) vulnerability on March 14, 2017. Background information on ransomware infections is provided in US-CERT Alert TA16-091A.
…
Recommended Steps for Prevention

Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.[5] (link is external)
Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate in-bound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
Scan all incoming and outgoing emails to detect threats and filter executable files from reaching the end users.
Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
Disable macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office suite applications.
Develop, institute, and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
Run regular penetration tests against the network, no less than once a year. Ideally, run these as often as possible and practical.
Test your backups to ensure they work correctly upon use.
Utilize host-based firewalls and block workstation-to-workstation communications.

Recommendations for Network Protection

Disable SMBv1 and
Block all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.

Note: disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. The benefits of mitigation should be weighed against potential disruptions to users.

Review US-CERT’s Alert on The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations [6] and consider implementing the following best practices:

Segregate networks and functions.
Limit unnecessary lateral communications.
Harden network devices.
Secure access to infrastructure devices.
Perform out-of-band network management.
Validate integrity of hardware and software.

Recommended Steps for Remediation

Contact law enforcement. We strongly encourage you to contact a local FBI field office upon discovery to report an intrusion and request assistance. Maintain and provide relevant logs.
Implement your security incident response and business continuity plan. Ideally, organizations should ensure they have appropriate backups so their response is simply to restore the data from a known clean backup.

General Advice for Defending Against Ransomware

Precautionary measures to mitigate ransomware threats include:

Ensure anti-virus software is up-to-date.
Implement a data backup and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
Scrutinize links contained in emails, and do not open attachments included in unsolicited emails.
Only download software—especially free software—from sites you know and trust.
Enable automated patches for your operating system and Web browser.

 
Use the link above to read the full release

2 users thanked author for this post.

woody, ch100

Reply | Quote

MrBrian wrote:

Possibly, but some multinational businesses that do business in Ukraine might use MeDoc also.

It looks like you were right. 🙂

2 users thanked author for this post.

woody, MrBrian

Reply | Quote

From https://apnews.com/8b02768224de485eb4e7b33ae55b02f2:

“The small Ukrainian tax software company that is accused of being the patient zero of a damaging global cyberepidemic is under investigation and will face charges, the head of Ukraine’s CyberPolice suggested Monday.

Col. Serhiy Demydiuk, the head of Ukraine’s national Cyberpolice unit, said in an interview with The Associated Press that Kiev-based M.E. Doc’s employees had blown off repeated warnings about the security of their information technology infrastructure.”

1 user thanked author for this post.

ch100

Reply | Quote

Family firm in Ukraine says it was not responsible for cyber attack
Cyber Risk | Mon Jul 3, 2017

Ukrainian company Intellect Service was not responsible for last week’s international cyber attack that brought down the computer systems of several major companies, the father and daughter team told Reuters on Monday.

Cyber security investigators are still trying to establish who was behind the attack.

 
Read the full article here

Reply | Quote

From The MeDoc Connection (July 5, 2017):

“The Nyetya attack was a destructive ransomware variant that affected many organizations inside of Ukraine and multinational corporations with operations in Ukraine. In cooperation with Cisco Advanced Services Incident Response, Talos identified several key aspects of the attack. The investigation found a supply chain-focused attack at M.E.Doc software that delivered a destructive payload disguised as ransomware. By utilizing stolen credentials, the actor was able to manipulate the update server for M.E.Doc to proxy connections to an actor-controlled server. Based on the findings, Talos remains confident that the attack was destructive in nature. The effects were broad reaching, with Ukraine Cyber police confirming over 2000 affected companies in Ukraine alone.”

1 user thanked author for this post.

Elly

Reply | Quote

From Hackers Linked to NotPetya Ransomware Decrypted a File for Us:

“Hackers linked to the crippling NotPetya ransomware attack, which encrypts files on infected machines, have proved to Motherboard they have the ability to decrypt some locked files.”

2 users thanked author for this post.

Elly, Kirsty

Reply | Quote

From Recovering data from a disk encrypted by #NotPetya with Salsa20:

“However, certain peculiarities of how the Salsa20 algorithm was applied allow recovering data, no key necessary.”

Reply | Quote