A new strain of the Petya ransomware has been spreading rapidly over the last 24 hours. The new variant has attacked critical infrastructure, airports, pharmaceutical companies, and public transit companies throughout Europe, Asia, and North America. This post gives a brief overview of the old and new tactics used by the new Petya, followed by a comprehensive list of recommendations.
[this post was updated on 6/29/2017 with new tips and IOCs]
Although its propagation method is the one WannaCry used, Petya is a much more violent form of ransomware. Unlike WannaCry, which encrypts the user's hard drive, Petya attacks the MBR (the low-level Master Boot Record) and installs its own boot loader.
Petya implements new killer features for lateral movement:
- Using the remote administration tool "psexec", which executes it on the remote host:
psexec -accepteula -s -d c:\windows\system32\rundll32.exe "C:\Windows\<filename>",#1
- Using the Windows Management Instrumentation (WMI) command-line tool:
c:\windows\system32\wbem\wmic.exe /node:"<node>" /user:"<user>" /password:"<password>" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\<file>\" #1"
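Both lateral-movement commands above leave the same footprint in process-creation telemetry: rundll32.exe loading a DLL by export ordinal (#1), launched through PsExec's service or a remote WMI call. The following Python is an added detection example written for this post; it is not Cyberbit's code and not part of the original article. It scans process-creation records in the shape Sysmon Event ID 1 or Security Event 4688 provide (the event layout, the host names, and the DLL name sample.dat are constructed assumptions) and reports which indicators each event matches.

```python
import re

# Constructed sample events for this example (not real telemetry). Each record
# carries the parent image, the created image and its command line, which is
# what Sysmon Event ID 1 / Security Event 4688 give a detection engineer.
SAMPLE_EVENTS = [
    # rundll32 spawned by the PsExec service with an ordinal export (#1)
    {"host": "WS01", "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'C:\Windows\System32\rundll32.exe "C:\Windows\sample.dat",#1'},
    # same payload launched through the WMI provider host (remote WMIC call)
    {"host": "WS02", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" "C:\Windows\sample.dat" #1'},
    # the originating side: wmic.exe creating a process on another node
    {"host": "ADMIN01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": r'wmic.exe /node:"WS03" /user:"corp\admin" /password:"<redacted>" '
                r'process call create "C:\Windows\System32\rundll32.exe C:\Windows\sample.dat #1"'},
    # the originating side: psexec client pushing rundll32 to a remote host
    {"host": "ADMIN01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Tools\psexec.exe",
     "cmdline": r'psexec.exe \\WS06 -accepteula -s -d C:\Windows\System32\rundll32.exe "C:\Windows\sample.dat",#1'},
    # benign rundll32 use: named export, launched from explorer
    {"host": "WS04", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll"},
    # unrelated service host
    {"host": "WS05", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs"},
]

# "<dll>,#1" or "<dll> #1": a DLL entry point referenced by ordinal rather than
# by name. Legitimate rundll32 use almost always names the export.
ORDINAL_RE = re.compile(r"[,\s]#\d+(?=\s|[\"']|$)")

# Parents that indicate the process was created by PsExec or a remote WMI call.
SUSPICIOUS_PARENTS = {
    "psexesvc.exe": "psexec_service_parent",
    "wmiprvse.exe": "wmi_provider_parent",
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the indicator names an event matches (empty list if none)."""
    reasons = []
    cmd = event["cmdline"]
    lowered = cmd.lower()
    image = basename(event["image"])
    parent = basename(event["parent"])

    if "rundll32" in lowered and ORDINAL_RE.search(cmd):
        reasons.append("rundll32_ordinal_export")
    if image == "wmic.exe" and "/node:" in lowered and "process call create" in lowered:
        reasons.append("wmic_remote_process_create")
    if image == "psexec.exe" and "rundll32" in lowered:
        reasons.append("psexec_client_launch")
    if image == "rundll32.exe" and parent in SUSPICIOUS_PARENTS:
        reasons.append(SUSPICIOUS_PARENTS[parent])
    return reasons


def scan(events) -> list:
    """Return (host, reasons) for every event that matches at least one indicator."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["host"], reasons))
    return hits


if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(reasons)}")
```

The ordinal-export check is the strongest single signal here because it fires on both the PsExec and the WMIC path and on both the source and the target host; the parent-process checks confirm how the process arrived. Feed the function real Sysmon or 4688 records (mapped to the same three fields) and alert on any event with two or more reasons, reviewing single-reason hits for legitimate administrative use of the same tools.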
Another notable difference between Petya and WannaCry is that Petya initially infects via a malicious Word document. The document is sent as an attachment to a phishing email and exploits a known Office vulnerability, CVE-2017-0199, which enables remote code execution. Once the attachment is opened, the malware is downloaded through an embedded link.
Cyberbit EDR and Petya
Customers using Cyberbit Endpoint Detection and Response are protected against Petya. The attack is detected immediately during infection by the EDR's behavioral analysis, as well as during encryption and propagation. According to VirusTotal, only 13 vendors identify the new Petya ransomware strain. It is therefore essential to complement antivirus with an endpoint detection and response solution that uses behavioral analysis in addition to signature lists and detects attacks that antivirus systems do not identify.
What you should do
- Patch Microsoft Office to prevent infection via Microsoft Word attachments: install the CVE-2017-0199 update, which patches the Microsoft Office/WordPad Remote Code Execution Vulnerability.
- Patch Windows workstations: if you have not done so after the WannaCry attack, install the SMBv1 patch now to prevent the attack from spreading.
- Disable shutdown via command line: disable the option to use cmd /k shutdown -a. The malware uses this command to shut down the computer, after which the computer boots from the new malware boot loader.
- Don't pay: we do not advise paying the ransom, as files are unlikely to be decrypted after you pay.
- Shut down: when you suspect that you have been infected, shut down your computer immediately, DO NOT REBOOT, and ask an IT expert for help.
- Remove admin rights for standard users.
- Vaccinate: use this vaccination script, but use it with caution, as vaccines may be detected by security software and blocked.
Search for these IOCs:
- email@example.com // by WhiteWolfCyber
- firstname.lastname@example.org // by WhiteWolfCyber
- email@example.com // by WhiteWolfCyber
Who Was Infected:
As of today, these organizations are known to be infected:
- The Ukrainian Government: https://twitter.com/RozenkoPavlo/status/879677026256510976
- Russian oil giant Rosneft: https://twitter.com/RosneftRu/status/879665160012673024
- Rotterdam Port: https://twitter.com/OpiniePaultje/status/879680984219779072
- Targets in Spain: http://www.elconfidencial.com/tecnologia/2017-06-27/ataque-ransomware-dla-piper-wannacry_1405839/
- Maersk: https://twitter.com/campuscodi/status/879712143133872132
- Retailer in Kharkov, Ukraine: https://twitter.com/golub/status/879707965179088896
- Ukraine ATM: https://twitter.com/mikko/status/879735944907296768
- WPP: https://twitter.com/WPP/status/879706256612761600
- Pharma giant Merck: https://twitter.com/JackPosobiec/status/879734999196602369
- Kiev Metro Station: https://ain.ua/2017/06/27/kievenergo-i-ukrainskie-banki-podverglis-xakerskoj-atake
- Saint-Gobain: https://twitter.com/AnimalDubz/status/879684389860454402
- Mars, Nivea, and Auchan offices in the Ukraine: https://www.buro247.ru/technology/news/27-jun-2017-petya-wannacry.html
- Chernobyl's Nuclear Plant Radiation Monitoring: http://www.independent.co.uk/news/world/europe/chernobyl-ukraine-petya-cyber-attack-hack-nuclear-power-plant-danger-latest-a7810941.html
For more information on how to remain protected, contact firstname.lastname@example.org