Malware News Petya Ransomware Attack – What’s Known

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,111
The jury is still out on whether the malware is Petya or something that just looks like it (it messes with the Master Boot Record in a way which is very similar to Petya and not commonly used in other ransomware).

Hasherezade, who is a researcher well known for her great work with the original Petya ransomware, among other things, tweeted a bindiff showing the current strain has very high similarity to the original.

…but internally, not much has changed (comparison with version 3 – Green): pic.twitter.com/c1eZqBySOr

— hasherezade (@hasherezade) June 27, 2017

Infection Propagation
Although people are calling this WannaCry v2 (or v3 depending on how much misinformation they read) there are some significant differences. WannaCry was spread entirely using the SMBv1 exploit nicknamed EternalBlue, which meant that infected systems would in turn scan and infect other systems which caused it to spread rapidly and exponentially. Had the WannaCry “kill switch” not been activated or not existed at all, the attack would continue to spread indefinitely across the entire internet. The current Petya attack is different in the sense that the exploits it uses are only used to spread across a local network rather than the internet (i.e. you are extremely unlikely to be infected if you’re not on the same network as someone who was already infected). Due to the fact that networks are of limited size and fairly quick to scan, the malware would cease spreading once it has finished scanning the local network and therefore is not anywhere near as infectious as WannaCry, which still continues to spread (though is prevented from activating via the “kill switch”).

The main reason people are saying Petya is bigger than WannaCry is due to the initial infection vector (how the malware started spreading). WannaCry would have likely been started by first infecting a few hundred computers which then scan and infect other computers, creating a snowball effect; however, current data suggests that Petya was deployed onto possibly millions or even tens of millions of computers by hacking popular Ukrainian accounting software “MeDoc”, then using the automatic update feature to download the malware onto all computers using the software. Although MeDoc being the initial infection vector is unconfirmed (and even denied by the company itself), current evidence points to them (source1, source2, source3, source4).

The important difference between WannaCry and Petya is WannaCry was likely deployed onto a small number of computers and then spread rapidly, whereas Petya seems to have been deployed onto a large number of computers and spread via the local network; therefore, in this instance there is low risk of new infections more than 1h after the attack (the malware shuts down the computer to encrypt it 1h after execution, by which time it will already have completed its local network scan).

As well as the use of EternalBlue, Petya also steals local credentials and then uses them to attempt to log in to other machines on the network via the Windows Management Instrumentation Commandline and deploy the ransomware, source: New Variant of Petya Ransomware Spreading Like Wildfire | McAfee Blogs

Again, it’s important to note that spreading appears to be limited to only devices on the local network...
 

ForgottenSeer 58943

Fortinet responded within 60 minutes of the attack; in addition, FortiSandbox blocked it automatically if an organization has it deployed.


Fortinet protections
AV Signature:
W32/Petya.EOB!tr
W32/Agent.YXH!tr

Other signatures are being investigated.

IPS Signature:
MS.Office.RTF.File.OLE.autolink.Code.Execution
MS.SMB.Server.SMB1.Trans2.Secondary.Handling.Code.Execution

In addition, Fortinet’s WannaCry IPS rules appear to protect against exploits targeting these vulnerabilities. Fortinet teams are verifying this claim.

Sandbox Detection:
Fortinet Sandbox (FSA) detects this attack.

TOR Communications:
Block TOR Outbound traffic via AppControl signatures.
 

Fel Grossi

Level 13
Verified
Top Poster
Well-known
Jan 17, 2014
627
COMODO's post on their FB:

We protect against the new WannaCry ransomware #Goldeneye #Petya.

Here is the video: CIS-NO-INFECTION_compressed.avi

The malicious document is detected by our fileless malware containment technology.

No Petya....No wannacry.....No Ransomware....
Zero Infection on over 85 Million Endpoints...
All Comodo customers were protected from Petya, Wannacry and ransomware..Not a single infection...
 

ForgottenSeer 58943

We got lucky with the 30K+ systems we manage. No infections.

Trend Micro didn't stop it, and didn't even have patches until late yesterday/today. Even with their machine learning.. <sigh> But Fortinet had pre-infection protection via FortiSandbox and released IPS and AV updates within 60 minutes of the outbreak. That's what saved us.
 

omidomi

Level 71
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Apr 5, 2014
6,008
New global encoder attack described by Doctor Web
Doctor Web specialists have examined Trojan.Encoder.12544, the new ransomware Trojan that is also known as Petya, Petya.A, ExPetya, and WannaCry-2 in some media sources. Based on its preliminary analysis of this malicious program, Doctor Web is offering recommendations on how to avoid infection and what to do if infection has already occurred. It is also providing technical details on this attack.

Trojan.Encoder.12544 poses a serious threat to Windows-running computers. Various sources call it a modification of the Trojan known as Petya (Trojan.Ransom.369); however, Trojan.Encoder.12544 only slightly resembles that Trojan. This malicious program has infected the information systems of government institutions, banks, and commercial organizations. It has also infected user computers in several countries.

At the moment, it is known that the Trojan has infected computers by exploiting the same vulnerabilities exploited by cybercriminals during the WannaCry attack. The spread of Trojan.Encoder.12544 started on the morning of June 27. Once launched on an attacked computer, the Trojan employs several methods to search for available computers in the local network. Then, the Trojan starts scanning ports 445 and 139. Once machines with open ports are found, Trojan.Encoder.12544 attempts to infect them via a widely known SMB protocol vulnerability (MS17-010).

In its body, the Trojan contains four compressed resources. Two of these resources are 32-bit and 64-bit versions of the Mimikatz tool, which is designed to intercept passwords of open Windows sessions. Depending on an operating system’s capacity, the Trojan unpacks the necessary version of the Mimikatz tool, saves it to a temporary folder, and runs the Mimikatz tool. Using Mimikatz and some other methods, Trojan.Encoder.12544 obtains the list of local and domain users authorized on the infected computer. The Trojan then looks for network folders available for writing, attempts to open them using the received data, and saves its copy in these folders. To infect the computers to which it has received access, Trojan.Encoder.12544 uses the PsExec tool, which is designed for remote computer management, or a standard console tool to call the Wmic.exe objects.

The encoder checks its second launch using a file it saved to the C:\Windows\ folder. The file name matches the Trojan’s name, without the extension. Since the worm sample spreading at the moment is named perfc.dat, the file preventing its launch is C:\Windows\perfc. However, if cybercriminals change the original Trojan’s name, creating the file C:\Windows\perfc (as many anti-virus developers advise) will not save a computer from infection. In addition, the Trojan checks the existence of the file only if it has enough privileges to do so.

Once launched, the Trojan sets its privileges, loads its copy to the memory, and grants the copy control. Then, the encoder overwrites its own file with trash data and removes the file. First, Trojan.Encoder.12544 damages the VBR (Volume Boot Record) of the C drive, and the first drive sector is filled with trash data. Then, the encoder copies the original Windows boot record encrypted with the XOR algorithm to another part of the drive and overwrites the original record with its own boot record. Then it creates a task to reboot the computer and starts encrypting all the files with the following extensions: .3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, and .zip.

The Trojan encrypts files only on the fixed drives. The data on each drive is encrypted in a separate thread. The files are encrypted using the AES-128-CBC algorithm; a separate key is created for each drive (a characteristic feature of the Trojan that has not been noted by other specialists). This key is encrypted with the RSA-2048 algorithm (other researchers say that an 800-bit key is used) and is saved to the file named README.TXT to the root folder of the system drive. An additional extension is not added to the encrypted files.

After the computer is rebooted according to the created task, control is granted to the Trojan boot record. On the screen of the infected computer, it displays a text similar to the CHKDSK standard tool’s text.

Meanwhile, Trojan.Encoder.12544 encrypts the MFT (Master File Table). Once Trojan.Encoder.12544 completes the encryption, it displays a ransom demand on the screen.

Power down your computer immediately if you see the CHKDSK text at system startup. In this case, the boot records will be damaged, but they can be repaired using the Windows recovery tool or Recovery Console if you boot the computer using the distribution disk. Normally, recovery of the boot record is possible in Windows 7 and later operating systems if the hidden portion containing the critical data backup copy is present on the drive. You can also use Dr.Web LiveDisk; create a boot disk or a boot USB, start the operating system from this boot removable media, run the Dr.Web scanner, check the infected drive, and choose the Neutralize action for the detected threats.

According to some sources, the only email address used by the cybercriminals behind Trojan.Encoder.12544 is blocked. That’s why the cybercriminals cannot communicate with their victims (to offer to decrypt files, for example).

To avoid infection by Trojan.Encoder.12544, Doctor Web recommends that you create backup copies of all of your critical data on independent, removable media and use the Data Loss Prevention feature of Dr.Web Security Space. In addition, it is recommended that you install all the security updates for your operating system. Meanwhile, Doctor Web specialists will continue examining Trojan.Encoder.12544.

Link : New global encoder attack described by Doctor Web
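The propagation behaviour described in silversurfer's post above (stolen local credentials reused through the Windows Management Instrumentation command line) and in the Doctor Web write-up (the 445/139 scan of the local network, PsExec or Wmic.exe for remote execution, the perfc.dat sample name, the scheduled reboot) is exactly what endpoint telemetry rules can key on. The following is an added example, not code from the thread, McAfee or Doctor Web: it runs a small set of detections over constructed Sysmon-style JSON events. Field names follow Sysmon (EventID 1 = process creation, EventID 3 = network connection); the hostnames, addresses, account name and command lines are constructed for the demo.

```python
"""Detection logic for the lateral-movement behaviour described in the thread, run over
constructed Sysmon-style events (one JSON object per line).

Added example, not code from the forum posts, McAfee or Doctor Web. Field names follow
Sysmon; the events, hostnames and addresses are constructed.
"""
import json
import re
from collections import defaultdict

# Remote process creation through WMIC with an explicit /node: target (credential reuse).
WMIC_REMOTE = re.compile(r"\bwmic(?:\.exe)?\b.*?/node:.*?process\s+call\s+create", re.I)
# Scheduled task whose action is a forced reboot (the encoder reboots into its boot code).
SCHED_REBOOT = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b.*?shutdown(?:\.exe)?\s+/r\b", re.I)
# Sample name given in the Doctor Web write-up; a renamed sample will not hit this rule.
PERFC = re.compile(r"\bperfc(?:\.dat)?\b", re.I)
# PsExec client or its service-side binary appearing as a process image.
PSEXEC = re.compile(r"(?:^|\\)psexe(?:c|svc)(?:64)?\.exe$", re.I)

SMB_PORTS = {445, 139}
FANOUT_THRESHOLD = 10  # distinct SMB destinations from one process before we call it a sweep


def load_events(jsonl: str) -> list:
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect(events: list) -> list:
    """Return (host, rule_name, evidence) tuples for every rule that fires."""
    alerts = []
    # (host, image) -> distinct SMB destination addresses. A production rule would
    # bucket this by time window; the sample covers one short window.
    smb_targets = defaultdict(set)
    for ev in events:
        host = ev.get("Computer", "?")
        image = ev.get("Image", "")
        if ev.get("EventID") == 1:
            cmd = ev.get("CommandLine", "")
            if WMIC_REMOTE.search(cmd):
                alerts.append((host, "wmic_remote_process_create", cmd))
            if SCHED_REBOOT.search(cmd):
                alerts.append((host, "scheduled_forced_reboot", cmd))
            if PERFC.search(cmd) or PERFC.search(image):
                alerts.append((host, "perfc_reference", cmd or image))
            if PSEXEC.search(image):
                alerts.append((host, "psexec_binary", image))
        elif ev.get("EventID") == 3 and int(ev.get("DestinationPort", 0)) in SMB_PORTS:
            smb_targets[(host, image)].add(ev.get("DestinationIp"))
    for (host, image), dests in smb_targets.items():
        if len(dests) >= FANOUT_THRESHOLD:
            alerts.append((host, "smb_scan_fanout", f"{image} -> {len(dests)} distinct hosts"))
    return alerts


# Constructed events. Backslashes are JSON-escaped, so C:\\Windows decodes to C:\Windows.
# WS01 and WS02 show the behaviours from the thread; WS03 is ordinary activity.
PROCESS_LINES = r"""
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic /node:\"10.0.0.7\" /user:\"CORP\\svc_backup\" /password:\"[REDACTED]\" process call create \"C:\\Windows\\perfc.dat\""}
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /Create /SC once /TN \"\" /TR \"C:\\Windows\\system32\\shutdown.exe /r /f\" /ST 14:35"}
{"EventID": 1, "Computer": "WS02", "Image": "C:\\Windows\\PSEXESVC.exe", "CommandLine": "C:\\Windows\\PSEXESVC.exe"}
{"EventID": 1, "Computer": "WS03", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"}
{"EventID": 3, "Computer": "WS03", "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationIp": "10.0.0.50", "DestinationPort": 445}
"""

# Twelve SMB connection attempts from one process on WS01 to consecutive neighbours: the sweep.
SCAN_LINES = "\n".join(
    json.dumps({"EventID": 3, "Computer": "WS01", "Image": r"C:\Windows\System32\rundll32.exe",
                "DestinationIp": f"10.0.0.{i}", "DestinationPort": 445})
    for i in range(2, 14)
)

SAMPLE_JSONL = PROCESS_LINES + "\n" + SCAN_LINES


def run_demo() -> list:
    """Run every rule over the constructed sample and return the alerts."""
    return detect(load_events(SAMPLE_JSONL))


if __name__ == "__main__":
    for host, rule, evidence in run_demo():
        print(f"{host:5} {rule:28} {evidence}")
```

The single-process fan-out rule is the one that does not depend on the sample's name or on a specific remote-execution tool, which matters because the thread itself notes that a renamed sample defeats name-based checks; the WMIC and PsExec rules need tuning against legitimate administration in a given estate.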
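The file-based check in the Doctor Web text (the encoder looks for C:\Windows\perfc, its own filename minus extension) is the "vaccine" many advised at the time, and the same paragraph gives the two reasons it is fragile. The following added example (not code from the thread or from Doctor Web) models that check so both caveats can be exercised in a scratch directory: the Windows directory is a parameter, and "updater.dat" is a constructed stand-in for a renamed sample.

```python
"""Model of the filename-keyed marker the encoder checks before running, as described
in the Doctor Web write-up, together with the two caveats that write-up gives: the
marker is the sample's own name without extension, and the check only happens when
the process has the privileges to perform it.

Added example, not code from the forum thread or Doctor Web. The sample name perfc.dat
and the marker C:\Windows\perfc come from the page; the Windows directory is a
parameter so the logic can run against a scratch directory on any OS.
"""
import stat
import tempfile
from pathlib import Path


def marker_path(sample_filename: str, windows_dir) -> Path:
    """Marker the encoder looks for: its own filename minus extension, in the Windows folder."""
    return Path(windows_dir) / Path(sample_filename).stem  # 'perfc.dat' -> 'perfc'


def plant_marker(sample_filename: str, windows_dir) -> Path:
    """Create the empty marker and clear write permission (the read-only attribute on Windows)."""
    marker = marker_path(sample_filename, windows_dir)
    marker.touch(exist_ok=True)
    marker.chmod(stat.S_IREAD)
    return marker


def would_launch(sample_filename: str, windows_dir, has_privileges: bool = True) -> bool:
    """The described check: launch is skipped only if the process is privileged enough
    to look and the marker for *its own* name exists."""
    if not has_privileges:
        return True  # the check is never performed
    return not marker_path(sample_filename, windows_dir).exists()


def demo() -> dict:
    """Plant the commonly advised marker for perfc.dat and test it against three cases."""
    with tempfile.TemporaryDirectory() as scratch:
        win = Path(scratch)
        marker = plant_marker("perfc.dat", win)
        return {
            "marker_name": marker.name,
            # the case the advice covers
            "blocks_perfc": not would_launch("perfc.dat", win),
            # caveat 1: a renamed sample ('updater.dat' is a constructed name) looks for a different marker
            "blocks_renamed_sample": not would_launch("updater.dat", win),
            # caveat 2: without privileges the check is skipped entirely
            "blocks_unprivileged_run": not would_launch("perfc.dat", win, has_privileges=False),
        }


if __name__ == "__main__":
    print(demo())
```

The model makes the Doctor Web caveat concrete: the marker only stops a sample that still carries the name perfc.dat, so it is a stopgap beside patching MS17-010 and blocking SMB lateral movement, not a substitute for them.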
 
