Petya Ransomware

 

Systems Affected


Windows Operating Systems

Threat Level


High


Overview


A new ransomware variant with worm-like capabilities has infected many companies in Europe and a couple in the United States. The media is calling it "Petya", but it is not similar to the Petya variants seen before. The malware is distributed via phishing e-mails. Once inside a network, the ransomware propagates through two main vectors:

- The MS17-010 vulnerability (EternalBlue).
- After infecting a machine vulnerable to MS17-010, user credentials are taken from memory and used to access other computers on the local network, which are then infected via remote access to WMI (Windows Management Instrumentation).


Description


The malware clears the system event logs to make subsequent analysis more difficult, using the following command: "wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:". It also writes its own code to the hard drive's Master Boot Record (MBR), initiates a system reboot, and adds reboot commands to the Windows task scheduler (via the "schtasks" and "at" commands). After the system reboots, the malware loads its code from the MBR and encrypts data on the hard drive (the file allocation table is encrypted; we are currently investigating what else is being encrypted). If the computer is shut down before the reboot, the MBR can be restored with the "bootrec /FixMbr" command (on Vista and later; on Windows XP, "fixmbr" can be used). If the malware's privileges are not high enough to rewrite the MBR, the files are encrypted without a system reboot.

The list of file types that are encrypted: 3ds, 7z, accdb, ai, asp, aspx, avhd, back, bak, c, cfg, conf, cpp, cs, ctl, dbf, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, kdbx, mail, mdb, msg, nrg, ora, ost, ova, ovf, pdf, php, pmf, ppt, pptx, pst, pvi, py, pyc, rar, rtf, sln, sql, tar, vbox, vbs, vcb, vdi, vfd, vmc, vmdk, vmsd, vmx, vsdx, vsv, work, xls, xlsx, xvd, zip.
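The log-clearing chain, the scheduled reboot and the extension list described above can be turned into simple detection logic for process-creation telemetry. The following Python is an added example written for this alert, not Sri Lanka CERT|CC tooling: the command lines it scans are constructed, and the schtasks/at-with-shutdown pattern is an assumption about how the scheduled reboot appears in logs.

```python
import re

# Extensions the advisory lists as encryption targets.
TARGET_EXTS = set("""3ds 7z accdb ai asp aspx avhd back bak c cfg conf cpp cs ctl dbf disk
djvu doc docx dwg eml fdb gz h hdd kdbx mail mdb msg nrg ora ost ova ovf pdf php pmf
ppt pptx pst pvi py pyc rar rtf sln sql tar vbox vbs vcb vdi vfd vmc vmdk vmsd vmx
vsdx vsv work xls xlsx xvd zip""".split())

# Each rule is (name, pattern), matched case-insensitively against a process command line.
# The schtasks/at-with-shutdown shape is an assumption about how the scheduled reboot appears.
RULES = [
    ("event_log_clear", re.compile(r"\bwevtutil(?:\.exe)?\s+cl\s+\w+", re.I)),
    ("usn_journal_delete", re.compile(r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.I)),
    ("scheduled_reboot", re.compile(
        r"\b(?:schtasks|at)(?:\.exe)?\b.*\bshutdown(?:\.exe)?\b.*\s/r\b", re.I)),
]

def cleared_logs(cmdline):
    """Return the lower-cased names of every event log the command line clears."""
    return {m.group(1).lower()
            for m in re.finditer(r"\bwevtutil(?:\.exe)?\s+cl\s+(\w+)", cmdline, re.I)}

def classify(cmdline):
    """Names of all rules triggered by one command line, in RULES order."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    if len(cleared_logs(cmdline)) >= 3:   # chained clearing of several logs is the strong signal
        hits.append("mass_log_clear")
    return hits

def scan(events):
    """Map event index -> triggered rules, for every event that matched at least one rule."""
    return {i: hits for i, cmd in enumerate(events) if (hits := classify(cmd))}

def is_targeted_file(path):
    """True if the file's extension is on the advisory's list of encrypted types."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return "." in name and name.rsplit(".", 1)[1].lower() in TARGET_EXTS

# Constructed 4688/Sysmon-style command lines, not real telemetry; the advisory's %c: is written as C:.
SAMPLE_EVENTS = [
    "wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application"
    " & fsutil usn deletejournal /D C:",
    'schtasks /Create /SC once /TN "" /TR "C:\\Windows\\system32\\shutdown.exe /r /f" /ST 14:35',
    "wevtutil qe Application /c:5",          # benign query, should not fire
    "fsutil fsinfo drives",                  # benign, should not fire
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
    print("report.docx targeted:", is_targeted_file(r"C:\Users\a\Documents\report.DOCX"))
```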


Impact



Solution / Workarounds


  ✻  Update to the latest version of Mozilla's Firefox on Windows, Linux and Mac.


References


https://krebsonsecurity.com/2017/06/petya-ransomware-outbreak-goes-global/
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.



© Copyright Sri Lanka CERT|CC. All Rights Reserved.