The dust from WannaCry hasn't completely settled and we already face another malicious attack in the form of ransomware. This time it goes by various names, including Petya, NotPetya and Nyetya. It is another fast-spreading attack that uses the same leaked NSA SMB exploit code that WannaCry used, with a few modifications; it appears to combine the two exploits for the MS17-010 vulnerability, EternalBlue and EternalRomance. You don't need to click on anything or take any action: it can reach your system over the network.
How is Petya spreading?
Initially, Petya was delivered through the update service of a Ukrainian company's (M.E.Doc) finance application. Once a machine is infected, Petya spreads peer-to-peer across the affected network to other Windows computers and servers that are still vulnerable to MS17-010. What's scary about Petya is that it also harvests credentials from the infected machine and uses them with PsExec (over the admin$ share) and WMIC to reach other hosts, so even fully patched computers can be infected if the worm obtains credentials that are valid on them.
Cisco’s Talos security group published an excellent blog post that provides a very clear account of how the initial ransomware infections started. It goes like this:
- The attacker modified the M.E.Doc accounting software to fetch commands from a hacked M.E.Doc update server.
- That software was distributed to clients.
- The hacked M.E.Doc NGINX server proxied those requests for commands to a hacked OVH server.
- The attacker sent commands back to the hacked NGINX server, which forwarded them to the compromised workstations running the M.E.Doc accounting package.
What happens after a PC is infected?
Once a PC is infected and has rebooted, the user loses access to the machine, which displays a black screen with red text that reads as follows:
If you see this text, then your files are no longer accessible because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste our time. Nobody can recover your files without our decryption service.
There are also instructions for paying $300 in Bitcoin and a field in which to enter the decryption key that is supposed to be sent back in return.
However, Petya doesn't just encrypt files for a ransom. Before the reboot it encrypts files of selected types on the disk; then it overwrites the Master Boot Record with its own boot code, forces a reboot, and encrypts the Master File Table behind a fake CHKDSK screen, which leaves the machine unable to boot. A system hit this way cannot be recovered in place; it has to be rebuilt. Paying is not a way to get individual files back either: the single e-mail address the note gives for contacting the attackers was shut down by its provider within hours of the outbreak, so there is no working channel through which a key could be obtained.
Is there a kill switch?
Unfortunately, it doesn't have a remote kill switch like WannaCry, but it does have something of a local one.
Before it does anything, the malware checks for a file named perfc (no extension) in %windir%, i.e. C:\Windows\perfc; if that file exists, Petya will not execute on that computer. Creating the file (ideally read-only) on every workstation in your environment, via GPO, a logon script or remote administration, therefore acts as a vaccine. Note that it is strictly per machine: it stops the payload from running on that host, it does nothing to stop already-infected hosts from trying.
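The vaccine described above, as an added PowerShell example that is not code from the original post. It creates the file locally and then on a list of remote hosts through their administrative share (the same admin$ share the worm abuses, which is why you need admin rights on the targets). The host names are placeholders; the extension-less perfc is the file the malware actually checks for, while perfc.dat and perfc.dll are a harmless extra that widely published guidance recommended.

```powershell
# Added example, not code from the original post: create the "vaccine" file that
# this Petya variant checks for before running, on this machine and on remote hosts.
# Assumptions: the host names below are placeholders, and you hold admin rights on
# the targets (the script writes through the admin$ share, which maps to %windir%).
$Computers = @('WS01', 'WS02', 'WS03')   # constructed placeholder host list

function Install-PerfcVaccine {
    param([string]$WindowsDir = $env:windir)

    # The malware's check is for %windir%\perfc with no extension. perfc.dat and
    # perfc.dll are added as a harmless extra, following widely published guidance.
    foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
        $path = Join-Path $WindowsDir $name
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -ItemType File -Path $path -Force | Out-Null
        }
        # Mark read-only so the file is not removed by accident.
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    }
}

# Vaccinate this machine.
Install-PerfcVaccine

# Vaccinate the remote machines through their administrative share.
foreach ($c in $Computers) {
    $remoteWindir = "\\$c\admin`$"
    if (Test-Path -LiteralPath $remoteWindir) {
        Install-PerfcVaccine -WindowsDir $remoteWindir
        Write-Host "vaccinated $c"
    } else {
        Write-Warning "cannot reach admin`$ on $c; vaccinate it by GPO or logon script instead"
    }
}

# Verify locally: all three files present and read-only.
Get-ChildItem -Path "$env:windir\perfc*" -Force | Select-Object FullName, IsReadOnly
```

Run it from an account that is a local administrator on the targets. Hosts that are not reachable over admin$ (the firewall block recommended below will make that the normal case) are reported rather than skipped silently, so you can push the file to them by Group Policy Preferences instead.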
What to do?
First things first: install the MS17-010 patch from Microsoft as soon as you can.
If you cannot patch immediately, disable SMBv1 in the meantime, and leave it disabled afterwards; nothing modern needs it.
Also consider adding a rule on your perimeter router or firewall to block inbound SMB on TCP port 445. If that isn't possible, block TCP ports 139 and 445 on the host firewall of each workstation. Further, consider disabling remote WMI and file sharing at the same time: the credential-based spread goes over WMIC and the admin$ share, and the SMB block alone does not cover WMI, which uses DCOM on port 135 and dynamic ports.
As of now, most anti-virus products should be able to pick up this attack, but moving forward:
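The patch check, SMBv1 shutdown and host-firewall containment from the steps above, as one added PowerShell example (not code from the original post, run elevated on one host). The KB numbers are the MS17-010 security updates for common builds as I know them; a later cumulative update supersedes them, so treat the list as an assumption to verify against Microsoft's bulletin, and read a miss as "confirm manually", not "vulnerable". The firewall rule name is mine.

```powershell
# Added example, not code from the original post: audit and harden one Windows host
# against the SMB propagation path. Run elevated.
# Assumption: these are the MS17-010 KBs for common builds; later cumulative updates
# supersede them, so a miss means "check the update level by hand", not "vulnerable".
$MS17010KBs = @(
    'KB4012598',                           # Vista / Server 2008 (and the XP / 2003 out-of-band fix)
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-MS17010 {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hits = @($installed | Where-Object { $MS17010KBs -contains $_ })
    $note = ''
    if ($hits.Count -eq 0) { $note = 'no MS17-010 KB found; confirm the cumulative update level manually' }
    [pscustomobject]@{ Patched = ($hits.Count -gt 0); MatchedKBs = ($hits -join ','); Note = $note }
}

function Disable-SMB1 {
    # Server side on Windows 8 / Server 2012 and later, where the SMB cmdlets exist.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # Registry value Microsoft documents for older builds (Windows 7 / Server 2008 R2).
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWord -Value 0
    # Remove the optional component entirely where it exists (Windows 8.1 / 10).
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat -and $feat.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Block-LateralMovementInbound {
    # Emergency containment on the host firewall: block inbound SMB (139/445) on all
    # profiles and disable the built-in allow rules for remote WMI and file sharing.
    # Remove these on file servers and management hosts that must offer the services.
    $name = 'Block inbound SMB (Petya containment)'   # rule name chosen for this example
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 139, 445 -Action Block -Profile Any | Out-Null
    }
    Disable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'
    Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
}

# Check first, contain now, patch as soon as the update is available to you.
Test-MS17010
Disable-SMB1
Block-LateralMovementInbound

# Verify what was applied.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
}
Get-NetFirewallRule -DisplayName 'Block inbound SMB (Petya containment)' |
    Select-Object DisplayName, Enabled, Direction, Action
```

Disabling the SMB1 optional feature needs a reboot to take full effect, and the firewall block will also cut off the admin$ share you may have just used to push the perfc file, so do the vaccine deployment before the containment step on the same hosts.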
How to fight ransomware in general?
Here are a few things to consider:
- Keep a good backup system that follows the 3-2-1 rule:
  - 3 copies of anything you want to keep.
  - 2 different storage media.
  - 1 copy stored offsite. Keep at least one copy offline or otherwise unreachable with the credentials a workstation uses; a worm that spreads over admin$ and writable shares will reach an always-mounted backup share too.
- Patch your systems in a timely manner.
- Choose a good anti-ransomware product.
Lastly, upgrade to Windows 10 when possible, as Windows 10 already ships with defenses that mitigate ransomware attacks like Petya. The upcoming Windows 10 Fall Creators Update also introduces an interesting new feature called Controlled Folder Access, which lets only applications you trust modify files in the folders you designate. Kudos to Microsoft for taking this ransomware business very seriously.
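Turning on Controlled Folder Access, as an added PowerShell example that is not code from the original post. It assumes a build that has the feature (the Fall Creators Update, 1709, or later) with Windows Defender as the active AV; the folder paths, the allowed application path and the use of audit mode before enforcement are my choices, not anything the original post prescribes.

```powershell
# Added example, not code from the original post: enable Controlled Folder Access
# (Windows 10 1709 and later, Windows Defender active), in audit mode first so you
# can see what it would block, then enforced. Paths below are placeholders.
function Set-ControlledFolderAccessPolicy {
    param(
        [ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Mode = 'AuditMode',
        [string[]]$ProtectedFolders = @('D:\Finance', 'D:\Shares\Backups'),                   # placeholders
        [string[]]$AllowedApps      = @('C:\Program Files\Acme\Backup\backup.exe')          # placeholder
    )
    Set-MpPreference -EnableControlledFolderAccess $Mode
    # User profile folders are protected by default; add the extra locations you care about.
    Add-MpPreference -ControlledFolderAccessProtectedFolders $ProtectedFolders
    # Anything not on the allow list (and not already trusted by Defender) is blocked from
    # writing to protected folders, so backup agents and line-of-business apps go here.
    Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApps
}

# Step 1: audit only, then run the business for a day or two.
Set-ControlledFolderAccessPolicy -Mode AuditMode

# Step 2: review what would have been blocked. Event 1123 = blocked, 1124 = audited,
# both in the Defender operational log.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# Step 3: enforce once the allow list covers every legitimate writer seen in the audit.
Set-ControlledFolderAccessPolicy -Mode Enabled

# Verify the effective setting.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications
```

Audit mode first matters in practice: the feature blocks any unlisted process that writes to a protected folder, so an enforced rollout without a reviewed allow list tends to break backup jobs and document-generating applications before it ever sees ransomware.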
- Update on Petya malware attacks – Microsoft
- Petya-Inspired Ransomware Outbreak: What You Need To Know – Varonis
- New ransomware, old techniques: Petya adds worm capabilities – Microsoft
- Petya Ransomware Outbreak – Sophos
- Petya Ransomware Affecting Critical Systems Globally: Here’s What to Do – Wordfence
- The MeDoc Connection – Cisco’s Talos Intelligence
- NGINX and PHP Malware Used in Petya/Nyetya Ransomware Attack – Wordfence
- M.E.Doc Software was backdoored 3 times – Bleeping Computer
After detecting another cyber-attack coming from M.E.Doc's infrastructure, Ukrainian police raided the company in force on Tuesday and seized all of M.E.Doc's server equipment. The Ukraine National Police posted a video showing the raid on the M.E.Doc servers.