Vin Ransomware Blog02


A Quick Overview of the NotPetya / Petya Ransomware

 

Just when the world was beginning to recover from the WannaCry ransomware attack of May 12, 2017, cyber criminals launched another devastating ransomware that causes damage on the same scale as WannaCry, if not greater.

The ransomware is known as NotPetya / Petya. It uses the same SMB exploit that WannaCry used, but researchers consider it considerably more robust and capable than WannaCry, primarily because of how it propagates inside a network once a single host is infected.

Ukraine took the heaviest hit, with further infections across Europe and in the US.

The initial distribution vector of Petya is yet to be confirmed. Some researchers suggest phishing email, as with other ransomware; others report that it was distributed through the software update mechanism built into an accounting program used mostly by the Ukrainian government and the organisations working with it (source: Ukrainian cyber police). That would explain why Ukraine was affected the most. The motive behind the attack is yet to be revealed.

Petya uses the EternalBlue exploit, a Windows SMBv1 exploit for which Microsoft has already released a patch (MS17-010). It also spreads inside the internal network with WMIC and PsExec, using credentials harvested from the infected host. This is why even fully patched systems can be infected: the patch closes the exploit, not lateral movement with valid credentials.

A Russian security group claims that the ransomware carries a credential-dumping tool (an LSADump / Mimikatz-style component) that harvests Windows passwords and credential data from memory on the infected Windows computer, including domain accounts that have logged on to it. Those credentials are then reused against other machines on the network, domain controllers included.
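The lateral movement described above leaves footprints that a defender can hunt for. The following PowerShell is an added example, not code from the original post or from any vendor tool: it flags a PsExec-style service installation (System log event 7045 with the service name PSEXESVC, which is the Sysinternals PsExec default even when the binary is renamed) and wmic.exe launched against a remote /node: target (Security log event 4688, which only carries the command line when process-creation auditing with command-line logging is enabled). The sample event messages at the bottom are constructed for the example; the function and parameter names are the author's own.

```powershell
# Added example: hunting for the PsExec / WMIC lateral movement described above.
# Not from the original post. Assumptions: PSEXESVC is the default Sysinternals
# PsExec service name; 4688 events only include the command line when
# "Include command line in process creation events" auditing is turned on.

function Test-PsExecServiceInstall {
    # $Message is the text of a System log event 7045 ("A service was installed").
    param([Parameter(Mandatory)][string]$Message)
    # Default service name, or the service binary PsExec drops into %SystemRoot%.
    return [bool]($Message -match 'Service Name:\s*PSEXESVC' -or
                  $Message -match 'PSEXESVC\.exe')
}

function Test-RemoteWmicProcessCreate {
    # $Message is the text of a Security log event 4688 ("A new process has been created").
    param([Parameter(Mandatory)][string]$Message)
    # wmic.exe /node:<remote host> ... process call create launches a process elsewhere.
    return [bool]($Message -match 'wmic\.exe' -and
                  $Message -match '/node:' -and
                  $Message -match 'process\s+call\s+create')
}

function Find-LateralMovementEvents {
    # Queries the live event logs of this host for the last $Days days.
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    $hits = @()
    $hits += Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=$since} -ErrorAction SilentlyContinue |
        Where-Object { Test-PsExecServiceInstall $_.Message } |
        ForEach-Object { [pscustomobject]@{ Time=$_.TimeCreated; Kind='PsExec service'; Detail=$_.Message } }
    $hits += Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$since} -ErrorAction SilentlyContinue |
        Where-Object { Test-RemoteWmicProcessCreate $_.Message } |
        ForEach-Object { [pscustomobject]@{ Time=$_.TimeCreated; Kind='Remote WMIC'; Detail=$_.Message } }
    return $hits
}

# Constructed sample messages (not real log data) for trying the matchers offline.
$sample7045 = @"
A service was installed in the system.
Service Name:  PSEXESVC
Service File Name:  %SystemRoot%\PSEXESVC.exe
"@
$sample4688 = 'A new process has been created. New Process Name: C:\Windows\System32\wbem\wmic.exe Process Command Line: wmic.exe /node:"10.0.0.5" /user:"CORP\admin" process call create "C:\Windows\Temp\payload.exe"'
$benign4688 = 'A new process has been created. New Process Name: C:\Windows\System32\wbem\wmic.exe Process Command Line: wmic.exe os get caption'

Test-PsExecServiceInstall $sample7045
Test-RemoteWmicProcessCreate $sample4688
Test-RemoteWmicProcessCreate $benign4688
```

The three calls at the end exercise the matchers on the constructed samples: the PsExec service install and the remote WMIC launch match, the local `wmic.exe os get caption` does not. `Find-LateralMovementEvents` runs the same matchers over the host's real logs and needs an elevated prompt to read the Security log. Legitimate administrators also use PsExec and WMIC, so treat a hit as a lead to confirm against change records, not as proof of infection.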


Ransom demanded: $300 in Bitcoin

Victims are instructed to contact the criminals at the email address given in the ransom note once the ransom is paid. Victims are advised not to pay: the email provider has blocked and shut down the attacker's address, so there is no way to send proof of payment or to receive a decryption key.

The encryption process differs from most ransomware. Encrypting files with the extensions listed below, while Windows is still running, is only the first stage. The malware also schedules a reboot roughly one hour after infection; when the victim's device restarts, the malicious boot code encrypts the hard drive's Master File Table (MFT), which renders the whole file system unusable. The ransomware has already replaced the victim's Master Boot Record (MBR) with code of its own that displays the ransom note on the screen, so the device can no longer boot into Windows. Access to the victim's device is blocked completely.

The destructive capability of the ransomware is expert level, but the ransom demand and the payment process look amateur by comparison.

Certain points to be noted are:

A single Bitcoin address is used for all victims, whereas other ransomware families generate a custom Bitcoin address per victim or per group of victims. Likewise, the same contact email address is given to every infected victim.

Victims are told to contact the attacker at that email address, but the email provider has blocked it. Even if the ransom is paid there is no way to reach the attacker, so the files cannot be decrypted at any cost. Victims are therefore advised not to pay the ransom.

 

Affected Vulnerabilities

  • CVE-2017-0144 - Microsoft CVE-2017-0144: Windows SMB Remote Code Execution Vulnerability (SMBv1, fixed in MS17-010)
  • CVE-2017-0199 - Microsoft CVE-2017-0199: Microsoft Office OLE Arbitrary Code Execution Vulnerability

Targeted File Extensions

.3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip

 

Afraid of becoming a victim? Follow these general guidelines so you don't fall prey:

Actions to be taken:

1. Block the attacker's source e-mail address, as given in the ransom note.

2. Block the following domains and URLs (the .onion addresses are only reachable over Tor):

http://mischapuk6hyrn72.onion/
http://petya3jxfp2f7g3i.onion/
http://petya3sen7dyko2n.onion/
http://mischa5xyix2mrhd.onion/MZ2MMJ
http://mischapuk6hyrn72.onion/MZ2MMJ
http://petya3jxfp2f7g3i.onion/MZ2MMJ
http://petya3sen7dyko2n.onion/MZ2MMJ
http://benkow.cc/71b6a493388e7d0b40c83ce903bc6b04.bin
COFFEINOFFICE.XYZ
http://french-cooking.com/

3. Block the following IPs:

95.141.115.108
185.165.29.78
84.200.16.242
111.90.139.247

4. Apply patches. Reference (in Russian): https://habrahabr.ru/post/331762/

5. Disable SMBv1 (EternalBlue targets the SMBv1 protocol, so turning it off removes the remote exploitation path even before patching).

Read our blog: How to Disable SMB on Windows Machines

6. Update anti-virus signatures and block or alert on the following SHA-256 hashes of known samples:

ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6
ab5fefc760c08889d7aca80639f180048a8de5884712118f68c96f9a4a7fec0e
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5
7f081859ae2b9b59f014669233473921f1cac755f6c6bbd5dcdd3fafbe710000
3e896599851231d11c06ee3f5f9677436850d3e7d745530f0a46f712e37ce082
fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206

7. If the MS17-010 patch is not installed, install it immediately:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

8. Install the patch for CVE-2017-0199 as well:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199

9. Update anti-virus definitions immediately and scan all devices thoroughly.

10. If an unpatched device is in use and cannot be patched due to restrictions, consider shutting it down if feasible, and leave it off and disconnected from the network until a solution is found.

11. Researchers have found a way to vaccinate a host against this ransomware: create a file named perfc (no extension) in C:\Windows and mark it read-only. The malware checks for this file before it runs and exits if the file exists. Note that this protects only the host that carries the file; it does not stop the malware from spreading from other infected machines, so it is a stopgap, not a substitute for patching.

 

The following batch file, courtesy of BleepingComputer, will create the file for you:

https://download.bleepingcomputer.com/bats/nopetyavac.bat
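Steps 5, 6, 7 and 11 above can be applied together from one script. The following PowerShell is an added example, not the original post's instructions and not BleepingComputer's batch file. It assumes an elevated Windows PowerShell 5.x prompt; the function names and the default paths it scans are the author's own, the extra vaccine file names perfc.dat and perfc.dll are a precaution beyond the single perfc file the post names, and the KB numbers used to check for MS17-010 are an assumption to verify against the bulletin for your exact OS build.

```powershell
# Added example, not from the original post or BleepingComputer's bat file.
# Run from an elevated PowerShell prompt; a reboot is needed for the SMBv1
# change to take effect.

#Requires -RunAsAdministrator

# Step 5: disable the SMBv1 server. EternalBlue / MS17-010 is an SMBv1 bug.
function Disable-SmbV1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later expose the SMB server cmdlets.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # Registry setting that also covers Windows 7 / Server 2008 R2.
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
    # $true when the registry now says the SMBv1 server is off.
    return ((Get-ItemProperty -Path $lanman -Name SMB1).SMB1 -eq 0)
}

# Step 11: the local vaccine. The post names C:\Windows\perfc; perfc.dat and
# perfc.dll are added here as a precaution (an assumption, harmless if unneeded).
function New-PerfcVaccine {
    $paths = foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
        $p = Join-Path $env:SystemRoot $name
        if (-not (Test-Path -LiteralPath $p)) {
            New-Item -Path $p -ItemType File | Out-Null
        }
        # Read-only, as the post instructs.
        Set-ItemProperty -LiteralPath $p -Name IsReadOnly -Value $true
        $p
    }
    return $paths
}

# Step 6: compare files on disk with the SHA-256 indicators listed above.
$NotPetyaSha256 = @(
    'ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6',
    'ab5fefc760c08889d7aca80639f180048a8de5884712118f68c96f9a4a7fec0e',
    '027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745',
    'e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5',
    '7f081859ae2b9b59f014669233473921f1cac755f6c6bbd5dcdd3fafbe710000',
    '3e896599851231d11c06ee3f5f9677436850d3e7d745530f0a46f712e37ce082',
    'fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206'
)
function Find-NotPetyaSamples {
    # Default scan roots are an assumption; widen them for a full-disk sweep.
    param([string[]]$Path = @($env:SystemRoot, $env:TEMP))
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($h -and ($NotPetyaSha256 -contains $h.ToLower())) { $_.FullName }
        }
}

# Step 7: MS17-010 ships under an OS-specific KB. The defaults are the
# Windows 7 SP1 / Server 2008 R2 security-only and monthly rollup updates
# (an assumption to verify); pass the KBs for your own build.
function Test-Ms17010Installed {
    param([string[]]$KbIds = @('KB4012212', 'KB4012215'))
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    return [bool]($KbIds | Where-Object { $installed -contains $_ })
}

Disable-SmbV1Server
New-PerfcVaccine
Test-Ms17010Installed
Find-NotPetyaSamples
```

The four calls at the end run the steps in order and print their results: whether SMBv1 is now off in the registry, the vaccine files created, whether one of the listed KBs is present, and any file whose hash matches an indicator. `Find-NotPetyaSamples` can take a while on %SystemRoot%. On Windows 10 the monthly cumulative updates supersede the March 2017 KBs, so a negative result from `Test-Ms17010Installed` there means "check the bulletin", not "unpatched"; step 5 removes the exploit path in either case.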

 

