Petya Ransomware Attack

The #Wannacry attacks caused major losses in crucial sectors like health, finance, and energy in numerous countries.

As predicted in our prior post titled “New Risks in Corporate Firms towards WannaCry Attacks,” the information saved in the original wave may be irreversibly deleted if the self-renewed subsequent version attacks are not taken seriously and the appropriate precautions are not done.

A new pandemic malicious virus known as Petya ransomware was released on June 27, 2017, threatening many institutions and causing significant damage to businesses across Europe and the United States. Even if businesses pay the ransom, victims will no longer be able to access their machines.

Petya ransomware is more dangerous and more professional than WannaCry. Analysts are continuing to seek solutions and protect against attacks, especially attacks that are effective in Russia and Ukraine.

1. What is Petya (# petrWrap)? How Does It damage Systems?

In April, the hacking group “TheShadowBrokers” published the National Security Agency (NSA) exploit kit FUZZBUNCH. This leaking kit contained numerous exploits. When the EternalBlue exploit from the relevant exploits is combined with the DOUBLEPULSAR payload in the exploit kit, it is possible to execute commands with administrator privileges in Windows operating systems by exploiting a vulnerability in the SMB service.

This vulnerability, named MS17-010 (CVE- 2017-0144), has been used by a ransom software called Petya(Win32 / Diskcoder.Petya.C) on June 27, 2017.

This ransomware also scans systems that use the same username and password information in the infected network without requiring any user interaction and affects the systems.

2. How did #Petya Ransomware Spread?

The Petya worm is transmitted primarily over the Windows SMB (v1) protocol. When the NSA’s exploit for infiltrating systems with this vulnerability surfaced, it began to run on the Internet. Based on the papers and information revealed, ransomware exploiting this vulnerability has been built and distributed over the internet.

Many security experts’ analyses have also indicated that this malicious software can be propagated via local networks utilizing Windows login and password credentials.

It has been also revealed by the analysis of many security experts that this malicious software can be spread over local networks using windows username and password information.

If you are using a SIEM solution supported by Cyber Threat Intelligence, you can check back in the past to see if you have access to the following IP addresses.

IP addresses are known to be used by Petya Ransomware

185.165.29.78

84.200.16.242

111.90.139.247

95.141.115.108

If you use an intrusion detection and prevention system such as Snort or Suricata, or an intrusion detection and prevention system that supports their rule set (IDS / IPS), you can download Positive Tech signatures to your system.

Whether your system has not yet been affected by Petya Ransomware, you can scan your internet IP addresses (against SMBv1) to see if there is a vulnerability. You may need to isolate and check the required systems from the network if you are using MEDOC software.

3. What Should We Do, If We Detect Some Systems Are Contaminated by Petya Ransomware?

The network connection of an infected system should be immediately deactivated and isolated from the network. In this way, it can be prevented to spread to other systems.

You can restore the machine to its original, uninfected state using backups. Passwords for local admin and privileged accounts at the system’s highest level must be reset.

Computer users should be approved using the concept of least authority. Tools that can propagate to other systems, such as psexec and we over GPOs, should be prohibited.

Additionally, the establishment of the directory “C: Windows ideal” on uninfected systems limit the scope of this malware.

4. Is it possible to retrieve the files in case the ransom is paid?

Ransom payments are collected via bitcoin using an email account at wowsmith123456@posteo.net. Poster, the provider of hacking e-mail, announced that the crook’s e-mail account spreading Petya ransomware has been closed: wowsmith123456@posteo.net

It has been recommended not to pay the ransom, as all means of communication are closed. Also, It would be beneficial to take alternative solutions from security consulting companies.

5. What should a Corporate Employee do and how can they take action?

It is necessary to check the updates of the Microsoft Windows operating systems and make sure that the MS17-010 code patch released on March 14, 2017, is loaded.

If the 445 / TCP ports are open from the systems serving the Internet, they should be turned off. Strengthen your anti spam service against phishing attacks, and check SPF, DMARC, and DKIM. Keep track of user authority and make sure they follow the idea of least authority. Instead of using a single account, create one for each system.

Check file-sharing access and edit rights on business networks, and don’t let users write files if they simply need to read them. Implement a training program to increase employee understanding of cyber threats. Make sure to perform penetration testing to uncover security flaws in your network and take precautions as soon as possible. Remember to keep regular backups.

Ensure that the network’s local admin passwords are unique to each system. If you’re utilizing MEDOC software, make sure associated systems are isolated and examined away from the network. Updated enterprise software should be checked one by one, and system access to the internet should be disclosed in control with expert advice on dubious scenarios.

6. Which Operating Systems Are Affected by Petya Ransomware?

All active Microsoft Windows operating systems are affected by Petya ransomware.

Windows XP

Microsoft Windows Vista SP2

Windows 7

Windows 8.1

Windows RT 8.1

Windows 10

Windows Server 2008 SP2 and R2 SP1

Windows Server 2012 and R2

Windows Server 2016

7. How Can We Test Systems Against Email-Related Threats?

Cyber attacks using e-mail take advantage of the e-mail server’s missing/incorrect settings and users’ lack of information security knowledge.

Keepnet Labs offers a free ETS service that may be used to test whether your email server has been compromised by malware or hosted mail and to correct any errors. The ETS service is an efficient service that reports the state of your email service as well as enhancements against current cyber assaults.

8. What should we do to stay informed about Petya Ransomware, Wannacry, and other harmful malware and to protect ourselves in the long run?

One can be aware of cyber threats that can target any organization by using software that provides open source or corporate cyber threat intelligence.

Increase awareness of your users by regularly doing social engineering experiments. Using NormShield Threat Intel’s free service, one can be aware of and block Wannacry, Petya, or similar cyber threats that may be directed to systems.

References

[1] Keepnet Labs, (May 2017), New Risks in Corporate Firms towards WannaCry Attacks. Available at https://keepnetlabs.com/

[2] This cyber attack first “started circulating in 2016, the current attack now appears to be a Petya offshoot, with added refinements such as stronger encryption”. For more details look at https://www.wired.com/story/petya-ransomware-wannacry-mistakes/

[3] The Guardian, (June 2017), ‘Petya’ ransomware attack strikes companies across Europe and US, Available at http://bit.ly/2uec6t0

[4] Those who want to examine the malware can find sample files at the following address.https://yadi.sk/d/QT0l_AYg3KXCqc. Note: The password of the files is “virus”.

[5] https://reputation.normshield.com