Security Alert
Jonathan Crowe
Jun 2017

The Petya Ransomware Outbreak: What You Need to Know Now (Updated)

A new ransomware outbreak wreaking havoc across the globe is reportedly using the same SMB exploit WannaCry used — with a few added twists.

Key Details

  • Global outbreak originated in Ukraine and Russia: Tuesday morning another wave of ransomware infections was reported, purportedly originating via a hijacked update for the Ukrainian accounting software M.E.Doc and quickly spreading across Europe and into the US. The extent and nature of the outbreak instantly drew comparisons to the WannaCry ransomware attacks in May.
  • WannaCry all over again? The attack uses EternalBlue, the same exploit WannaCry used, which targets the SMBv1 vulnerability CVE-2017-0144. Microsoft patched the vulnerability in March with MS17-010.
  • But wait... there's more than one way it's spreading: Researchers have also indicated the attack is spreading via the EternalRomance exploit (targeting Windows XP through Windows Server 2008 systems over TCP port 445, and also fixed by MS17-010) and within internal networks by abusing WMI and the legitimate command-line utility PsExec. The latter two are administration channels, not exploits, so even fully patched machines are at risk once the attacker holds valid credentials.
  • Petya is different from other ransomware: The ransomware deployed in this outbreak is a variant of Petya, a strain that encrypts the hard drive's Master File Table (MFT) rather than individual files. As a result, it not only locks victims out of their files, but out of their entire system.
  • The email account used for decryption requests was shut down: There is currently no way to unlock encrypted systems or recover encrypted files, even for victims who consider paying. The email provider hosting the inbox the attacker used to field decryption requests has shut down the account, so paying will not get victims their data back.
  • Possible temporary fix found: According to researchers, preventing C:\Windows\perfc.dat from being written or executed may stop this variant from running. Treat it as a kill switch for this specific sample, not as a fix for the underlying SMB vulnerability.
  • Patching and other precautions still advised: If you haven't already, apply critical Microsoft update MS17-010, which renders both SMB exploits ineffective. Microsoft has also released the fix for older operating systems that are no longer officially supported, such as Windows XP, Windows 8, and Windows Server 2003. Limiting and securing the use of PsExec is also advised, as is restricting user permissions (in particular standing local-admin rights) to limit how far an infection can spread and how much damage it can do.
  • Barkly blocks attacks that leverage exploits: Barkly's runtime malware defense blocks the EternalBlue exploit, preventing the spread of Petya just as it blocked the spread of WannaCry.


Updated details on the attack

A second global ransomware outbreak is making headlines, just over a month after WannaCry infected an estimated 300,000 devices in more than 150 countries worldwide. Speculation and conflicting reports have been rampant. Here's what we know to be confirmed so far.

Ukraine hit hardest, attack spreading fast

Figure: Countries hit by the Petya ransomware outbreak. Source: Kaspersky

While early victims of the attacks included Ukraine's central bank, state telecom, municipal metro, utility providers, and Kiev's Boryspil Airport, infections have been reported in countries across Europe, as well as in India and the US.

According to Reuters, shipping giant Maersk, responsible for one out of every seven containers shipped globally, is suffering major outages due to the attack. The outbreak has even affected operations at the Chernobyl nuclear power plant, which had to switch to manual radiation monitoring.

How the infection is spreading (it's not just EternalBlue)

Early reports confirmed the attacks are utilizing EternalBlue, the same exploit WannaCry used in May to target SMB vulnerability CVE-2017-0144 (Microsoft issued patches for the vulnerability in March).

But in addition, researchers have confirmed there are two additional ways the attack appears to be spreading:

  1. Via the EternalRomance exploit, a remote code execution exploit targeting Windows XP through Windows Server 2008 systems over TCP port 445 (also fixed by MS17-010)
  2. Via abusing the otherwise legitimate command-line tools PsExec and WMIC (Windows Management Instrumentation Command-line), which need no vulnerability at all, only credentials that are valid on the target

The second technique is one we recently wrote about being used by Sorebrect ransomware; see our breakdown of Sorebrect for more details.

What makes this ransomware different

It doesn't just encrypt files, it encrypts hard drives.

While there have been conflicting reports around whether the ransomware involved in these attacks is Petya proper or a new family (hence the #NotPetya label), it clearly shares code and behaviour with that family.

Petya originally gained attention in 2016. It stood out from other ransomware because rather than simply encrypting victim files, it encrypts the hard drive's Master File Table (MFT), the NTFS index that records where every file lives. As a result, it not only locks victims out of their files, but out of their entire system.

According to researchers at Kaspersky, this ransomware takes a similar approach. Once a machine is infected, it overwrites the Master Boot Record (MBR) with a custom loader carrying the ransom note and schedules a reboot 10-60 minutes later; when the system comes back up, that loader encrypts the MFT and then displays the note.

Figure: The ransom screen displayed by the loader after reboot.

The ransom note reads:

Ooops, your important files are encrypted.

If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service.

We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment and purchase the decryption key.

Please follow the instructions:

1. Send $300 worth of Bitcoin to following address:
XXXXXXX

2. Send your Bitcoin wallet ID and personal installation key to e-mail wowsmith123456@posteo.net. Your personal installation key:
XXXXXXX

If you already purchased your key, please enter it below.
Key: __

No way to connect with attacker for the decryption keys

The criminals behind the attack are demanding $300 in Bitcoin in exchange for the decryption key. Unfortunately, even victims who want to pay now have no way to communicate with the attackers: Posteo, the email provider hosting the attacker's inbox, has shut down the account.

As of this writing, the ransom address had received 32 transactions totaling just over $8,000.

Researchers had been able to create decryption tools for previous versions of Petya, but unfortunately those tools do not appear to work for this updated variant. 

Spreading through local networks

Once on a compromised machine, this variant of Petya scans the local network for hosts with TCP ports 445 and 139 open and attacks those hosts with the EternalRomance exploit.

It also attempts to spread via PsExec or WMI, which let it execute the ransomware on any remote machine on the network for which it holds valid credentials.

Note: All it takes is one infected device on your network running with domain or admin credentials for the ransomware to spread throughout your network, even to fully patched machines, because PsExec and WMI are legitimate administration channels rather than exploits.

As outlined in our breakdown of Sorebrect ransomware, attackers can easily extract credentials from the lsass.exe process using tools like Mimikatz.
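The PsExec/WMIC lateral-movement pattern described above, turned into detection logic as an added example that is not part of the original post and not Barkly's code: a PowerShell script that scans process-creation records for remote process creation, PsExec use, and references to the perfc.dat file. The $events array is constructed sample data in the shape of Sysmon Event ID 1 / Security event 4688 fields, and the host names, addresses and indicator regexes in it are assumptions, not observed values.

```powershell
# Added example (not from the original post). $events is CONSTRUCTED sample telemetry;
# the indicators below are a starting point, not a complete signature.
$events = @(
    [pscustomobject]@{
        Time = '2017-06-27T10:02:11'; Computer = 'WS-017'; User = 'CORP\jdoe'
        Image = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c dir \\fs01\public'
    }
    [pscustomobject]@{
        Time = '2017-06-27T10:15:40'; Computer = 'WS-017'; User = 'CORP\svc-backup'
        Image = 'C:\Windows\System32\wbem\WMIC.exe'
        CommandLine = 'wmic /node:"10.0.5.23" /user:"CORP\svc-backup" /password:"***" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1 60"'
    }
    [pscustomobject]@{
        Time = '2017-06-27T10:15:41'; Computer = 'WS-017'; User = 'CORP\svc-backup'
        Image = 'C:\Windows\System32\wbem\WMIC.exe'
        CommandLine = 'wmic /node:"10.0.5.24" /user:"CORP\svc-backup" /password:"***" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1 60"'
    }
    [pscustomobject]@{
        Time = '2017-06-27T10:15:43'; Computer = 'WS-017'; User = 'CORP\svc-backup'
        Image = 'C:\Tools\PsExec.exe'
        CommandLine = 'PsExec.exe \\10.0.5.25 -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1 60'
    }
    [pscustomobject]@{
        Time = '2017-06-27T10:20:05'; Computer = 'WS-018'; User = 'CORP\asmith'
        Image = 'C:\Windows\System32\rundll32.exe'
        CommandLine = 'rundll32.exe shell32.dll,Control_RunDLL'   # benign, must not alert
    }
)

function Test-LateralMovement {
    param([Parameter(Mandatory)] $Event)
    $reasons = New-Object System.Collections.Generic.List[string]
    $cmd = [string]$Event.CommandLine
    $img = ([string]$Event.Image -split '[\\/]')[-1]          # file name only

    # WMIC creating a process on ANOTHER host: the WMI path the post describes.
    if ($img -ieq 'wmic.exe' -and $cmd -match '(?i)/node:' -and $cmd -match '(?i)process\s+call\s+create') {
        $reasons.Add('WMIC remote process creation (/node: ... process call create)')
    }
    # PsExec itself, or its service-side component on the target.
    if ($img -match '(?i)^psexe(c|svc)(64)?\.exe$' -or $cmd -match '(?i)\bpsexec(64)?\.exe\b') {
        $reasons.Add('PsExec invocation')
    }
    # The file name tied to this outbreak (see the perfc.dat stop-gap in the post).
    if ($cmd -match '(?i)\\windows\\perfc(\.dat|\.dll)?\b') {
        $reasons.Add('command line references Windows\perfc')
    }
    # rundll32 loading a .dat file: real DLLs are normally named .dll.
    if (($img -ieq 'rundll32.exe' -or $cmd -match '(?i)\brundll32(\.exe)?\b') -and $cmd -match '(?i)\.dat\b') {
        $reasons.Add('rundll32 loading a .dat payload')
    }
    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        Time = $Event.Time; Computer = $Event.Computer; User = $Event.User
        Indicators = ($reasons -join '; ')
    }
}

$hits = @($events | ForEach-Object { Test-LateralMovement $_ } | Where-Object { $_ })
$hits | Format-Table -AutoSize -Wrap

# Strongest signal: one source creating processes on several remote hosts in seconds.
$targets = foreach ($e in $events) {
    if ($e.CommandLine -match '(?i)(?:/node:|psexec(?:64)?\.exe\s+)"?\\{0,2}([\w.\-]+)"?') {
        [pscustomobject]@{ Source = $e.Computer; Target = $Matches[1] }
    }
}
$targets | Group-Object Source | ForEach-Object {
    $uniq = @($_.Group.Target | Sort-Object -Unique)
    if ($uniq.Count -ge 2) {
        '{0} created processes on {1} remote hosts ({2}): fan-out consistent with worm-style lateral movement' -f $_.Name, $uniq.Count, ($uniq -join ', ')
    }
}
```

This only works if process command lines are being logged (Security 4688 with command-line auditing enabled, or Sysmon). Two practical notes: a lone `wmic /node:` call is routine for administrators, so the fan-out count is the signal to alert on rather than the single event; and once `/password:` arguments land in your logs, the logs themselves hold that credential and need to be protected accordingly.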

Find out if your endpoints are vulnerable to credential theft with our free simulation tool, stackhackr, which simulates credential extraction from the lsass.exe process.

How to protect your company from this new Petya ransomware outbreak 

  • Make sure your endpoint security provides exploit protection. Barkly blocks exploits like EternalBlue that make attacks like these possible.
  • If you haven't already, apply critical Microsoft update MS17-010 as soon as possible; it closes the SMB vulnerabilities behind both EternalBlue and EternalRomance. If immediate patching isn't possible, two recommended stop-gaps may help reduce your risk:
      ◦ Limit and secure the use of PsExec, and make sure users don't have admin credentials. With an admin token in hand, the ransomware spreads over PsExec/WMI to fully patched machines, so this is the control that matters once a single host is compromised.
      ◦ According to researchers, preventing C:\Windows\perfc.dat from being written or executed may stop this variant from running. Treat it as a kill switch for this specific sample, not a substitute for patching.
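The stop-gaps in the list above as an added PowerShell example (not code from the original post or from Barkly): it checks for an MS17-010 package, creates the perfc kill-switch files, disables the SMBv1 server that both exploits depend on, and blocks inbound SMB from the workstation subnet, in audit mode unless -Apply is passed. The KB numbers, the subnet, and the firewall rule name are assumptions to adjust for your environment; the post names only C:\Windows\perfc.dat, and the extensionless perfc and perfc.dll variants are the additional names researchers recommended covering. Everything else uses built-in cmdlets.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not code from the original post or from Barkly. Applies the stop-gaps
  listed above on one Windows host. Audit mode by default; pass -Apply to make changes.
  Assumptions: PowerShell 5.1 on Windows 8.1 / Server 2012 R2 or later (SmbShare and
  NetSecurity modules present); $KbIds and $WorkstationSubnet are placeholders you
  must set for your own estate.
#>
param(
    [switch]$Apply,
    # MS17-010 ships as a different KB per OS. These two are the Windows 7 / 2008 R2
    # security-only and monthly-rollup packages; later cumulative updates supersede them,
    # so "not found" means "verify manually", not "unpatched".
    [string[]]$KbIds = @('KB4012212', 'KB4012215'),
    # Assumed address range of the workstation VLAN. Workstations have no reason to accept
    # SMB from each other, and that is exactly the hop this worm relies on.
    [string]$WorkstationSubnet = '10.0.0.0/16'
)

function Test-Ms17010 {
    param([string[]]$Ids)
    $found = @(Get-HotFix | Where-Object { $Ids -contains $_.HotFixID } |
               Select-Object -ExpandProperty HotFixID)
    if ($found.Count) { "MS17-010 package installed: $($found -join ', ')" }
    else { "no package from [$($Ids -join ', ')] found; check for a superseding cumulative update" }
}

function Set-PerfcVaccine {
    param([switch]$Apply)
    # A read-only zero-byte file at the path the dropper checks makes it believe it is
    # already installed. Stop-gap for this sample only; it is not a patch.
    foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
        $path = Join-Path $env:SystemRoot $name
        if (Test-Path -LiteralPath $path) { "exists: $path"; continue }
        if ($Apply) {
            New-Item -Path $path -ItemType File -Force | Out-Null
            Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
            "created read-only: $path"
        } else { "would create read-only: $path" }
    }
}

function Disable-Smb1Server {
    param([switch]$Apply)
    # EternalBlue and EternalRomance both exploit the SMBv1 server code path.
    $cfg = Get-SmbServerConfiguration
    if (-not $cfg.EnableSMB1Protocol) { "SMBv1 server already disabled"; return }
    if ($Apply) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        "SMBv1 server disabled"
    } else { "SMBv1 server is ENABLED; this host is exposed to the SMB exploits until patched" }
}

function Block-WorkstationSmb {
    param([switch]$Apply, [string]$Subnet)
    # Rule name is an assumed label; change it to match your naming convention.
    $name = 'Block inbound SMB from workstation subnet (Petya stop-gap)'
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { "rule exists: $name"; return }
    if ($Apply) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 139, 445 -RemoteAddress $Subnet -Action Block -Profile Any | Out-Null
        "created firewall rule: $name"
    } else { "would block TCP 139,445 inbound from $Subnet" }
}

Test-Ms17010 -Ids $KbIds
Set-PerfcVaccine -Apply:$Apply
Disable-Smb1Server -Apply:$Apply
Block-WorkstationSmb -Apply:$Apply -Subnet $WorkstationSubnet
```

Save it as a .ps1, run it once without arguments to audit, then with -Apply to enforce. Disabling the SMBv1 server can break old devices that still speak only SMBv1 (legacy scanners, NAS boxes), so test on a pilot group first. Nothing in this script stops the PsExec/WMI path once an admin credential has been stolen; that is why removing standing local-admin rights is on the list above.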
Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical point of view.
