• Variant of Petya ransomware is spreading fast



    From http://www.cbsnews.com/news/cyberattack-ransomware-ukraine-websites-hackers-similar-wannacry-malware/:

    ‘A new and highly virulent outbreak of malicious data-scrambling software appears to be causing mass disruption across Europe, hitting Ukraine especially hard.


    “There have been indications of late that Petya is in circulation again, exploiting the SMB (Server Message Block) vulnerability,” the Swiss Reporting and Analysis Center for Information Assurance (MELANI) told the Reuters news agency in an e-mail. Reuters said the Petya virus was behind a widespread attack in 2016.’

    There is a claim that this ransomware also exploits CVE-2017-0199.

    Note: the SMB vulnerability was fixed by Microsoft in March 2017, while CVE-2017-0199 was fixed in April 2017.

    2 users thanked author for this post.
    • #122285

      From https://twitter.com/dellcam/status/879743802675793921:

      “Multiple researchers saying no evidence of #Petya leveraging CVE-2017-0199; likely confusion due to a simultaneous attack in Ukraine.”

      From https://twitter.com/GossiTheDog/status/879746962509225985:

      “I am on a train analysing Petya. I think this will be bigger than WannaCry. It’s much better designed. Has automated lateral movement.”

    • #122290
      • #122294

        Was reading through the comment section there and it seems ALL Windows OSes are vulnerable, even those that are fully patched. That means Windows 7, 8.1, 10 and everything in between. The patches Microsoft released for EternalBlue apparently don’t stop this one.

        1 user thanked author for this post.
    • #122334

      Any home users hit?

      And is it still spreading?

    • #122352

      From https://twitter.com/MalwareTechBlog/status/879824261459972096:

      “Petya is basically normal malware with some lateral movement capabilities, it’s not like WannaCry at all.”

      1 user thanked author for this post.
    • #122355

      There seems to be a total lack of what the layman needs to watch out for in all the hype being posted around the web. I presume this must be because most of the news is veiled advertising for anti-malware software.

      Can we find out:

      • Is it yet another case where you need to not run suspicious attachments?
      • A malware payload packaged in popular downloads?
      • Drive by infection from web page ActiveX or scripting?
      • Infection through an exposed SMB1 protocol layer?
      • Does it require Windows systems to be out of date patch-wise?
      • Some combination or all of these?

      If we can answer at least some of these the information that’s now merely disturbing news will be made a lot more useful.


      1 user thanked author for this post.
      • #122388

        From the grugq on medium.com:

        The worm uses three different infection vectors:
        Harvested password hashes

        The code is well written, obfuscated to protect against AV detection using at least two techniques:
        Fake Microsoft signature (apparently fools some AV)
        XOR encrypted shellcode payload (to bypass signature checks)

    • #122367

      My hypothesis is that this malware was intended to harm as many Ukrainian organizations as possible, using ransomware as a cover story. The initial infections seem to be from a malicious update to Ukrainian accounting software MeDoc. The malware seems to spread only within an infected company’s network.



    • #122386

      From Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide:

      “Analysis It is now increasingly clear that the global outbreak of a file-scrambling software nasty targeting Microsoft Windows PCs was designed not to line the pockets of criminals, but spread merry mayhem.”

      1 user thanked author for this post.
    • #122394

      From https://blog.kryptoslogic.com/malware/2017/06/28/petya.html:

      “However, based on what we currently see, the current droppers or initial attack vectors are all but at a standstill.”

    • #122407

      Calling the experts….. CT? ch100? Noel? Anyone and all are welcome to comment 🙂

      Just curious….
      Can ransomware/worm/virus affect the BIOS?
      Can it possibly wipe out the BIOS and render the hardware ‘useless’ (say if one doesn’t pay up and the time runs out)?
      And if positive, is there any way to guard against it?

      My understanding is prob over 10 yrs old…
      Just curious what’s the latest from the best of the best here 🙂

      back to fishing for better dreams

    • #122410

      Multiple Petya Ransomware Infections Reported

      Original release date: June 27, 2017

      US-CERT has received multiple reports of Petya ransomware infections in many countries around the world. Ransomware is a type of malicious software that infects a computer and restricts users’ access to the infected machine until a ransom is paid to unlock it. Individuals and organizations are discouraged from paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.

      Petya ransomware encrypts the master boot records of infected Windows computers, making affected machines unusable. Open-source reports indicate that the ransomware exploits vulnerabilities in Server Message Block (SMB). US-CERT encourages users and administrators to review the US-CERT article on the Microsoft SMBv1 Vulnerability and the Microsoft Security Bulletin MS17-010 (link is external). For general advice on how to best protect against ransomware, review US-CERT Alert TA16-091A. Please report any ransomware incidents to the Internet Crime Complaint Center (IC3).

      2 users thanked author for this post.
    • #122413

      This Technet article reads like an ad for Windows Defender Advanced Threat Protection, but contains technical details and recommends disabling SMBv1 and to “consider adding a rule on your router or firewall to block incoming SMB traffic on port 445”:

      New ransomware, old techniques: Petya adds worm capabilities

      msft-mmpc | June 27, 2017

      5 users thanked author for this post.
      • #122433

        It might be an ad, but it is good advice for most, although I am not in favour of disabling SMB1. Port 445 must be blocked for access from outside of the local network (except for corporate or individual VPNs which once established, become the local network).
        I tried and found issues with disabling SMB1, however my setup may not be relevant for most end-users and their configurations. Most end-users would be able to disable the Server service completely without any negative side-effects.

        2 users thanked author for this post.
    • #122473

      From Petya.2017 is a wiper not a ransomware:

      “TL;DR: The ransomware was a lure for the media, this version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon.”

      1 user thanked author for this post.
    • #122562

      From ExPetr/Petya/NotPetya is a Wiper, Not Ransomware:

      “After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have thought that the threat actor cannot decrypt victims’ disk, even if a payment was made.

      This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware.”

    • #122623

      Chart “Top 20 countries based on numbers of affected organizations” is found at Petya ransomware outbreak: Here’s what you need to know.

      1 user thanked author for this post.
    • #122625

      From NotPetya ransomware: Attack analysis:

      ‘Avecto’s initial analysis shows that “patient zero”, the first user targeted, must be an admin user for the attack to succeed. Without admin rights, the malware is unable to overwrite the critical system areas, capture credentials or embed itself in the operating system. Much of the functionality, including clearing event logs and overwriting boot records, is reliant on admin privileges.

      Once an infection has occurred, the attackers’ primary method of spreading is using LSADump, a modified version of the Mimikatz tool used to perform Pass the Hash attacks by exploiting admin accounts and credentials stored in memory. This explains how organisations who believe they were patched with MS17-010 were still impacted. Removal of admin rights is key to preventing this type of credential theft and lateral movement, which is often used by malware and hackers.’

      2 users thanked author for this post.
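      The Avecto analysis quoted above comes down to two conditions on the first victim: an interactively logged-on account with administrative rights, and credentials sitting in LSASS memory for a Mimikatz-style tool to harvest. The following PowerShell script is an added example (not code from Avecto, US-CERT, or any post in this thread) that checks both on a workstation: whether the current session is elevated, who is in the local Administrators group, and whether the WDigest provider is configured to keep plaintext credentials in memory. The registry path and value name are the documented `UseLogonCredential` setting that Microsoft introduced with KB2871997; they are not taken from this page. It assumes PowerShell 5.1 or later on Windows 10 / Server 2016 or newer, where `Get-LocalGroupMember` is available.

```powershell
# Added example (not from Avecto or from any post in this thread): audit the
# two preconditions the Avecto analysis names, local admin rights and
# credentials cached in LSASS. Read-only; the remediation commands are in
# comments at the bottom so nothing is changed by accident.

function Test-IsElevated {
    # True when the current token is a member of the built-in Administrators
    # role, i.e. the session runs with the rights the malware needed.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminReport {
    # Members of the local Administrators group, with type (User/Group) and
    # source (Local/ActiveDirectory) so nested domain groups are visible too.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-WDigestSetting {
    # UseLogonCredential = 1 makes WDigest keep plaintext passwords in LSASS;
    # 0 or absent (the default on Windows 8.1/2012 R2 and later) turns that off.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $item = Get-ItemProperty -Path $key -Name UseLogonCredential -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'absent (defaults to 0: plaintext caching off)' }
    return $item.UseLogonCredential
}

Write-Host ("Current session elevated   : {0}" -f (Test-IsElevated))
Write-Host ("WDigest UseLogonCredential : {0}" -f (Get-WDigestSetting))
Write-Host 'Local Administrators group :'
Get-LocalAdminReport | Format-Table -AutoSize

# Remediation, to be applied deliberately rather than scripted blindly:
#   Remove-LocalGroupMember -Group 'Administrators' -Member '<day-to-day user>'
#   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
#       -Name UseLogonCredential -Value 0
```

      Run it as the user whose day-to-day account you are assessing: if `Test-IsElevated` returns True for that account, it is exactly the “patient zero” profile described above. The group listing is the more useful output in practice, since nested domain groups (helpdesk, software deployment) often grant local admin without anyone noticing.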
    • #122768

      From Windows 10 platform resilience against the Petya ransomware attack:

      “The attack started in Ukraine; when the dust settled, more than 70% of the machines that encountered Petya were in Ukraine.”

      Update on Petya malware attacks.


    • #122854

      US-CERT Alert (TA17-181A)
      Petya Ransomware


      Original release date: July 01, 2017

      Systems Affected
      Microsoft Windows operating systems

      On June 27, 2017, NCCIC was notified of Petya ransomware events occurring in multiple countries and affecting multiple sectors. Petya ransomware encrypts the master boot records of infected Windows computers, making affected machines unusable.

      The NCCIC Code Analysis Team produced a Malware Initial Findings Report (MIFR) to provide in-depth technical analysis of the malware. In coordination with public and private sector partners, NCCIC is also providing additional IOCs in comma-separated-value form for information sharing purposes.

      Available Files:


      The scope of this Alert’s analysis is limited to the newest “Petya” variant that surfaced June 27, 2017, and this malware is referred to as “Petya” throughout this Alert.

      Based on initial reporting, this Petya campaign involves multiple methods of initial infection and propagation, including exploiting vulnerabilities in Server Message Block (SMB). Microsoft released a security update for the MS17-010 (link is external) vulnerability on March 14, 2017. Background information on ransomware infections is provided in US-CERT Alert TA16-091A.

      Recommended Steps for Prevention

      • Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.[5] (link is external)
      • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate in-bound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
      • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching the end users.
      • Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
      • Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
      • Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
      • Disable macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office suite applications.
      • Develop, institute, and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
      • Run regular penetration tests against the network, no less than once a year. Ideally, run these as often as possible and practical.
      • Test your backups to ensure they work correctly upon use.
      • Utilize host-based firewalls and block workstation-to-workstation communications.

      Recommendations for Network Protection

      • Disable SMBv1 and
      • Block all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.

      Note: disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. The benefits of mitigation should be weighed against potential disruptions to users.

      Review US-CERT’s Alert on The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations [6] and consider implementing the following best practices:

      • Segregate networks and functions.
      • Limit unnecessary lateral communications.
      • Harden network devices.
      • Secure access to infrastructure devices.
      • Perform out-of-band network management.
      • Validate integrity of hardware and software.

      Recommended Steps for Remediation

      • Contact law enforcement. We strongly encourage you to contact a local FBI field office upon discovery to report an intrusion and request assistance. Maintain and provide relevant logs.
      • Implement your security incident response and business continuity plan. Ideally, organizations should ensure they have appropriate backups so their response is simply to restore the data from a known clean backup.

      General Advice for Defending Against Ransomware

      Precautionary measures to mitigate ransomware threats include:

      • Ensure anti-virus software is up-to-date.
      • Implement a data backup and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
      • Scrutinize links contained in emails, and do not open attachments included in unsolicited emails.
      • Only download software—especially free software—from sites you know and trust.
      • Enable automated patches for your operating system and Web browser.

      Use the link above to read the full release

      2 users thanked author for this post.
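      The US-CERT alert above and the earlier Technet/#122433 exchange make the same host-level recommendations: disable SMBv1, block TCP 445 together with TCP 139 and UDP 137-138, and use the host firewall to stop workstation-to-workstation traffic. The script below is an added example (not code from US-CERT, Microsoft, or any poster in this thread) that audits a Windows workstation against those points and applies them only when run with `-Enforce`. It assumes an elevated PowerShell 5.1 or later session on Windows 8.1/10 or Server 2012 R2 or newer, where the `SmbShare` and `NetSecurity` modules provide `Get-SmbServerConfiguration` and `New-NetFirewallRule`; the firewall rule names are constructed for this example.

```powershell
# Added example (not from US-CERT or any post in this thread): audit, and with
# -Enforce apply, the SMB hardening steps recommended in TA17-181A.
# Requires an elevated session; review the alert's caveat about legacy devices
# (old NAS boxes, printers) that still speak only SMBv1 before enforcing.
param([switch]$Enforce)

$prefix = 'Block inbound SMB/NetBIOS'   # constructed rule-name prefix for this example

# --- Audit ------------------------------------------------------------------
$srv = Get-SmbServerConfiguration
Write-Host ("SMBv1 server-side enabled : {0}" -f $srv.EnableSMB1Protocol)

# The optional feature covers the SMB1 client and server binaries together.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { Write-Host ("SMB1Protocol feature      : {0}" -f $feature.State) }

$rules = @(Get-NetFirewallRule -DisplayName "$prefix*" -ErrorAction SilentlyContinue)
Write-Host ("Inbound SMB block rules   : {0}" -f $rules.Count)

# Show which process owns the SMB/NetBIOS listeners (normally PID 4, System).
# If nothing listens, the Server service is already off and no rule is needed.
Get-NetTCPConnection -State Listen -LocalPort 445,139 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize

if (-not $Enforce) { Write-Host 'Audit only. Re-run with -Enforce to apply.'; return }

# --- Enforce ----------------------------------------------------------------
# 1. Disable SMBv1 on the server side.
if ($srv.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host 'SMBv1 server protocol disabled.'
}

# 2. Block inbound SMB and NetBIOS on every profile. A workstation has no need
#    to accept SMB from other workstations; its own outbound connections to file
#    servers keep working because the Windows firewall is stateful. Block rules
#    win over allow rules, so do not expect a later allow rule to punch through.
$blocks = @(
    @{ Name = "$prefix (TCP 445)";     Protocol = 'TCP'; Port = 445       },
    @{ Name = "$prefix (TCP 139)";     Protocol = 'TCP'; Port = 139       },
    @{ Name = "$prefix (UDP 137-138)"; Protocol = 'UDP'; Port = '137-138' }
)
foreach ($b in $blocks) {
    if (-not (Get-NetFirewallRule -DisplayName $b.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $b.Name -Direction Inbound `
            -Protocol $b.Protocol -LocalPort $b.Port -Action Block `
            -Profile Domain,Private,Public | Out-Null
        Write-Host ("Created rule: {0}" -f $b.Name)
    }
}
```

      Run it once without `-Enforce` to see the current state and the listener table; on a host that must still serve files (the situation #122433 describes), keep SMBv1 off but scope the block rules with `-RemoteAddress` to the addresses that may reach it, rather than blocking inbound 445 outright.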
    • #123257

      From https://apnews.com/8b02768224de485eb4e7b33ae55b02f2:

      “The small Ukrainian tax software company that is accused of being the patient zero of a damaging global cyberepidemic is under investigation and will face charges, the head of Ukraine’s CyberPolice suggested Monday.

      Col. Serhiy Demydiuk, the head of Ukraine’s national Cyberpolice unit, said in an interview with The Associated Press that Kiev-based M.E. Doc’s employees had blown off repeated warnings about the security of their information technology infrastructure.”

      1 user thanked author for this post.
    • #123334

      Family firm in Ukraine says it was not responsible for cyber attack
      Cyber Risk | Mon Jul 3, 2017

      Ukrainian company Intellect Service was not responsible for last week’s international cyber attack that brought down the computer systems of several major companies, the father and daughter team told Reuters on Monday.

      Cyber security investigators are still trying to establish who was behind the attack.

      Read the full article here

    • #123582

      From The MeDoc Connection (July 5, 2017):

      “The Nyetya attack was a destructive ransomware variant that affected many organizations inside of Ukraine and multinational corporations with operations in Ukraine. In cooperation with Cisco Advanced Services Incident Response, Talos identified several key aspects of the attack. The investigation found a supply chain-focused attack at M.E.Doc software that delivered a destructive payload disguised as ransomware. By utilizing stolen credentials, the actor was able to manipulate the update server for M.E.Doc to proxy connections to an actor-controlled server. Based on the findings, Talos remains confident that the attack was destructive in nature. The effects were broad reaching, with Ukraine Cyber police confirming over 2000 affected companies in Ukraine alone.”

      1 user thanked author for this post.
    • #123584

      From Hackers Linked to NotPetya Ransomware Decrypted a File for Us:

      “Hackers linked to the crippling NotPetya ransomware attack, which encrypts files on infected machines, have proved to Motherboard they have the ability to decrypt some locked files.”

      2 users thanked author for this post.
    • #123941

      From Recovering data from a disk encrypted by #NotPetya with Salsa20:

      “However, certain peculiarities of how the Salsa20 algorithm was applied allow recovering data, no key necessary.”
