On June 27th, 2017, a new ransomware, a variant of the Petya malware, started spreading rapidly through organizations in Russia, Ukraine, other parts of Europe, and the United States. The Petya ransomware has already been linked to over 2,000 attacks, mostly in Russia and Ukraine. Companies known to have been compromised include Russian oil and gas giant Rosneft, Danish shipping firm Maersk, US-based pharmaceutical firm Merck, the Chernobyl radiation monitoring system, and many more.
Here is what we know:
UPDATE: The malware that began spreading through computers yesterday told users they could unlock their machines by paying a $300 ransom. However, it looks like the malware's authors had no intention of restoring the machines at all. A new analysis reveals they couldn't: the malware was designed to wipe computers outright. A cybersecurity firm writes today that, after analyzing the code, they determined it is a wiper, not ransomware.
The malware going around is a modified variant of Petya, and the original Petya was true ransomware. The main difference is that the code has been deliberately changed from a program that encrypts a disk and can decrypt it after payment into one that simply destroys the disk, with no way to recover it.
Like WannaCry, this Petya variant affects Microsoft Windows computers and is technically a computer worm, meaning that it replicates itself to spread to other machines. It does not rely on a user opening an attachment to infect a host, nor is it known to contact a command-and-control server for instructions. As with WannaCry, the ETERNALBLUE exploit is used against the SMBv1 vulnerability that MS17-010 fixes. Unlike WannaCry, however, this campaign also spreads with PsExec and WMI, so a single infected host can move laterally to other machines on the network, including ones that are fully patched.
Once a machine is compromised, the attack proceeds roughly as follows:
- Encrypts files matching a list of file extensions (including .3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, and .zip)
- Writes its own boot code and ransom message to the raw disk (the Master Boot Record), so the note is shown before Windows loads
- Clears the Windows event logs using wevtutil
- Leverages WMI or PsExec (and ETERNALBLUE over SMB) to spread to other hosts
- Schedules a restart of the machine
- After the reboot, presents a ransom note on screen demanding $300
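Each of those steps leaves an artifact on the host that a defender can look for. The following PowerShell script is an added example, not code from the original post: it hunts a single Windows machine for the Security and System "log cleared" events that wevtutil cl produces (IDs 1102 and 104), the PSEXESVC service that a remote PsExec run registers (System ID 7045), and process-creation events (Security ID 4688) whose command line invokes wevtutil cl, psexec, wmic ... process call create or shutdown /r. It assumes it is run as administrator and, for the 4688 check, that process-creation auditing with command-line logging is enabled; the function name Find-PetyaArtifacts and the 48-hour default lookback are my own choices.

```powershell
# Added example, not from the original post. Hunts one Windows host for the
# artifacts left by the steps described above. Run in an elevated PowerShell.
# Assumes command-line logging is enabled for Security event 4688
# (Audit Process Creation + "Include command line in process creation events").

function Get-EventDataValue {
    # Pull a named <Data> field out of an event's XML payload.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name -eq $Name) { return $d.'#text' }
    }
    return $null
}

function Find-PetyaArtifacts {
    param([int]$Hours = 48)   # lookback window; 48h default is an assumption
    $since    = (Get-Date).AddHours(-$Hours)
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Log clearing: "wevtutil cl" leaves 1102 in Security and 104 in System.
    foreach ($filter in @(@{LogName='Security'; Id=1102}, @{LogName='System'; Id=104})) {
        $filter['StartTime'] = $since
        foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
            $findings.Add([pscustomobject]@{
                Time = $e.TimeCreated; Indicator = 'Event log cleared'
                Detail = "$($e.LogName) event $($e.Id)" })
        }
    }

    # 2. PsExec: "psexec \\target ..." installs the PSEXESVC service on the target (7045).
    $svcFilter = @{LogName='System'; Id=7045; StartTime=$since}
    foreach ($e in (Get-WinEvent -FilterHashtable $svcFilter -ErrorAction SilentlyContinue)) {
        $svc = Get-EventDataValue -Event $e -Name 'ServiceName'
        $img = Get-EventDataValue -Event $e -Name 'ImagePath'
        if ("$svc $img" -match '(?i)psexesvc') {
            $findings.Add([pscustomobject]@{
                Time = $e.TimeCreated; Indicator = 'PsExec service installed'
                Detail = "$svc ($img)" })
        }
    }

    # 3. Process creation: log wiping, PsExec, WMI remote process creation, forced reboot.
    #    The shutdown pattern is noisy on its own; treat it as corroboration for the others.
    $pattern = '(?i)wevtutil(\.exe)?\s+cl\b|psexec|wmic(\.exe)?.*process\s+call\s+create|shutdown(\.exe)?\s+/r'
    $procFilter = @{LogName='Security'; Id=4688; StartTime=$since}
    foreach ($e in (Get-WinEvent -FilterHashtable $procFilter -ErrorAction SilentlyContinue)) {
        $exe = Get-EventDataValue -Event $e -Name 'NewProcessName'
        $cmd = Get-EventDataValue -Event $e -Name 'CommandLine'
        if ("$exe $cmd" -match $pattern) {
            $findings.Add([pscustomobject]@{
                Time = $e.TimeCreated; Indicator = 'Suspicious process'
                Detail = "$exe $cmd" })
        }
    }

    return $findings | Sort-Object Time
}

Find-PetyaArtifacts -Hours 48 | Format-Table -AutoSize
```

Run it on a suspected host and on its neighbours: a 7045 PSEXESVC install on one machine paired with a psexec 4688 on another shows the direction of lateral movement, and a 1102/104 pair with no matching 4688 usually means the log clearing happened before command-line auditing was switched on.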
To date, roughly $3,000 is understood to have been paid in ransom. Paying does not get data back: the email account the attackers used to issue decryption keys has been shut down, so there is no way to contact them.
As stated before, the ETERNALBLUE exploit (part of the toolkit the Shadow Brokers released in April) is suspected to be a major component of this campaign. Microsoft released the MS17-010 patch back in March to close the SMBv1 vulnerability it uses. However, there are likely millions of computers that still have not been updated. It is still unclear who is behind this cyber attack, and the extent of its impact is still being gauged. The initial infection has been linked to a malicious software update for a Ukrainian tax accounting package. The assault started as an attack on Ukrainian government and business computer systems and has since spread rapidly from there.
This outbreak is the latest and most sophisticated in a series of attacks using tools stolen from the National Security Agency and leaked online in April by a group called the Shadow Brokers.
Protecting Against Petya Ransomware:
NetServe365’s current security services clients (Patch Management, Anti-Virus Protection, Unified Security Management, Cisco FirePOWER, and Vulnerability Scanning) have been patched against MS17-010 since March, which closes the ETERNALBLUE vector. If you are not a current customer, you need to patch MS17-010 immediately to protect yourself from current and future threats. Note that patching alone does not stop this variant's spread over PsExec and WMI, which run under legitimate Windows credentials: limit local administrator rights and do not reuse the same administrator password across machines.
If you do not have these products and are unable to patch MS17-010, you MUST disable SMBv1 and block TCP/445 on affected systems, both at the host firewall and at the network perimeter. Be aware that blocking 445 also stops Windows file and printer sharing on those hosts.
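As an added example (not part of the original post), the following PowerShell script checks a single Windows host for the state this section describes and, with -Remediate, applies the fallback mitigations. The KB list defaults to the March 2017 packages for Windows 7 and Server 2008 R2 (KB4012212 security-only, KB4012215 monthly rollup); that default is an assumption, so substitute the numbers MS17-010 lists for your build. Later monthly rollups supersede those packages, which is why an empty hotfix result is reported as "verify" rather than "vulnerable". -BlockSmbPort is a separate switch because the 445 block also stops the host from serving files; the rule name is my own.

```powershell
# Added example, not from the original post. Checks one Windows host against the
# advice above and, with -Remediate, disables SMBv1 and optionally blocks TCP/445.
# Run in an elevated PowerShell. The $Ms17010Kbs default is an assumption (March
# 2017 packages for Windows 7 / Server 2008 R2); use the KBs MS17-010 lists for
# your build.
param(
    [string[]]$Ms17010Kbs = @('KB4012212', 'KB4012215'),
    [switch]$Remediate,
    [switch]$BlockSmbPort   # blocking 445 also stops this host from serving files
)

$smbKey        = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$hasSmbCmdlets = [bool](Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue)

# 1. MS17-010: is one of the listed packages installed? Later rollups supersede
#    them, so "not found" means "verify", not "vulnerable".
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    $ids = @($installed | Select-Object -ExpandProperty HotFixID) -join ', '
    Write-Output "MS17-010: installed ($ids)"
} else {
    Write-Warning "MS17-010: none of $($Ms17010Kbs -join ', ') found; confirm a superseding rollup or patch now"
}

# 2. SMBv1: Windows 8 / Server 2012 and later expose it through the SMB cmdlets;
#    older systems use the LanmanServer SMB1 registry value (absent = enabled).
if ($hasSmbCmdlets) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $value = (Get-ItemProperty -Path $smbKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $value) -or ($value -ne 0)
}
Write-Output "SMBv1 server: $(if ($smb1Enabled) { 'ENABLED' } else { 'disabled' })"

if ($Remediate -and $smb1Enabled) {
    if ($hasSmbCmdlets) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $smbKey -Name SMB1 -Type DWORD -Value 0 -Force
    }
    Write-Output "SMBv1 server disabled (reboot to be certain the driver is unloaded)"
}

# 3. TCP/445: block inbound SMB at the host firewall. netsh is used because it
#    exists on every supported Windows version, unlike the NetSecurity cmdlets.
$ruleName   = 'Block inbound SMB (TCP 445) - Petya mitigation'
$ruleExists = [bool]((netsh advfirewall firewall show rule name="$ruleName") -match 'Rule Name')
Write-Output "Inbound 445 block rule: $(if ($ruleExists) { 'present' } else { 'absent' })"

if ($Remediate -and $BlockSmbPort -and -not $ruleExists) {
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=445 | Out-Null
    Write-Output "Inbound TCP/445 now blocked at the host firewall"
}
```

Run it once without switches to get a report, then with -Remediate (and -BlockSmbPort on workstations and other hosts that do not need to serve SMB) to apply the changes. Disabling SMBv1 is the safer of the two because it removes only the protocol version ETERNALBLUE targets and leaves SMBv2/v3 file sharing working.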
Please note that the Petya ransomware threat is still under active investigation and the situation may change as more information is learned. NetServe365 will actively monitor and analyze this situation for new developments and respond accordingly.