On June 27th, a ransomware campaign affected organizations in several countries, including Russia, Ukraine, India, Spain, France and the United Kingdom, among other European countries. This new Petya variant demands $300 in Bitcoin for the recovery of the information.
The main attack vector appears to be phishing emails with Word and Excel documents attached; the CVE-2017-0199 vulnerability is then used to install the malicious macros. The malware itself is a “.dll” file executed through rundll32.exe. It can infect publicly exposed systems as well as internal ones by exploiting the CVE-2017-0143 and CVE-2017-0144 (ETERNALBLUE) vulnerabilities. After execution, Petya uses the ETERNALBLUE exploit, as well as Windows Management Instrumentation Command-line (WMIC) and PsExec, to move laterally and affect internal systems.
This variant appears to operate differently from other ransomware: instead of encrypting the files of the affected system, it encrypts the Master Boot Record (MBR), thereby blocking access to both the system and its files. The MBR is replaced by the malware’s own code, which prevents the computer from booting and displays a recovery message on the screen. Apparently, the encryption phase only starts after the reboot.
Recommendations:
- Disable WMIC and the SMBv1 protocol.
- Apply the security patches for MS17-010 and CVE-2017-0199.
- Filter ports 445 and 139 for all untrusted networks.
- Update the anti-virus software and apply signatures to your network protection systems.
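As an added example (not part of the original advisory), the following PowerShell applies the SMBv1 and port-filtering recommendations above on a single Windows host. It assumes Windows 8.1 / Server 2012 R2 or later (SmbShare and NetSecurity modules available) and an elevated session; the firewall rule name is an arbitrary choice.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original advisory.
# Assumes Windows 8.1 / Server 2012 R2 or later, run from an elevated session.

# 1. Report whether SMBv1 is still enabled on the server side, then disable it.
$before = Get-SmbServerConfiguration
Write-Host "SMB1 enabled before: $($before.EnableSMB1Protocol)"
if ($before.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# Also remove the SMB1 optional feature so the driver is no longer loaded
# (takes effect after a reboot). On Server SKUs use:
#   Remove-WindowsFeature FS-SMB1
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# 2. Block inbound SMB / NetBIOS session traffic (TCP 445 and 139) on the
#    Public profile only, i.e. untrusted networks. Domain and Private profiles
#    are left untouched so internal file sharing keeps working.
$ruleName = 'Block inbound SMB from untrusted networks'   # assumed name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445,139 -Profile Public -Action Block | Out-Null
}

# 3. Show the resulting state so the change can be verified.
$after = Get-SmbServerConfiguration
Write-Host "SMB1 enabled after : $($after.EnableSMB1Protocol)"
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

Disabling WMIC itself has no single switch; restricting wmic.exe through AppLocker or Software Restriction Policies is the usual route and is outside the scope of this script.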
Links that provide relevant information in relation to the recent occurrence:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0199
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
https://www.blocktrail.com/BTC/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX/transactions
https://virustotal.com/en/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/
https://virustotal.com/fr/ip-address/185.165.29.78/information/
https://www.bleepingcomputer.com/news/security/wannacry-d-j-vu-petya-ransomware-outbreak-wreaking-havoc-across-the-globe/
https://twitter.com/PayloadSecurity/status/879701663040319493
https://www.infosecurity-magazine.com/news/ukraine-businesses-petya-ransomware/
http://thehackernews.com/2017/06/petya-ransomware-attack.html
If the machine reboots and you see this message, power off immediately! This is the encryption process. If you do not power on, files are fine. pic.twitter.com/IqwzWdlrX6
— Hacker Fantastic (@hackerfantastic) June 27, 2017
If you have encrypted data, regularly visit www.nomoreransom.org to check the latest tools and solutions available for data recovery.
Paulo Rosa
Security & Public Safety Business Unit Manager