What is a Petya Ransomware?

Though the name is similar to ransomware that first appeared in 2016, this is a completely new strain. Hence, researchers have named it NotPetya while others are classifying it as close to “GoldenEye” malware (Petya + Mischa). This ransomware spreads through a combined client-side attack (CVE-2017-0199) and network based threat (MS17-010). It spread rapidly using ETERNALBLUE (MS17-010), while it harvested password hashes and psexec as infection vectors from each infected machine.

Infection Process

1. Arrived via an update to an accounting system in Ukraine (ME Doc)
2. Spread like a worm from an infected machine
3. Exploited Windows SMB vulnerability (aka EternalBlue), fix by Microsoft was released (MS17-010)
4. Spreads into the local network using Eternal Blue, psexec , WMIC
5. Encrypts MFT (Master File Tree) tables for NTFS partitions
6. Overwrites the MBR (Master Boot Record) with a custom bootloader
7. Shows a ransom note demanding USD 300, same bitcoin wallet
8. Prevents victims from booting their computer.
9. Hard coded local kill switch

There is no guarantee of recovery of files as the email (wowsmith123456@posteo.net) is no longer valid. This is actually most likely NOT ransomware but instead it is most probably destructive wiper malware disguised as ransomware. Close reading of the code
shows there is no way for data to be recovered – only destroyed.

This is a sample template to send to your organization to keep them inform:

Dear Colleagues,

In last few days, a massive cyber attack has infected machines around the world and is demanding ransom to release files. This attack, called “NotPetya,” has so far has impacted critical infrastructure sectors like energy, banking, transportation, telecom and other businesses in many countries by infecting a large number of computers.

In this heightened situation, we request you stay vigilant while using your computers. While dealing with any emails from external unknown email addresses, do not click any link or execute any unknown attachments.

We request you to follow best practices while performing your daily operations as outlined below.

Phishing & Attachments:

• Do not open attachments in unsolicited e-mails, even if they come from people in your contact list.
• Do not click on a URL contained in an unsolicited e-mail.
• Use a browser to type URLs or navigate through a URL domain.
• Report any suspicious emails/attachments to the IT or IS team.

House Keeping:

• Adhere to the company computer usage policy.
• Do not download software, videos, MP3s, etc.
• Ensure your anti-virus is updated and running on your machine.
• Backup your critical data periodically.
• Set aside time for updating, patching, and anti-virus updates.
• Use the account with the lowest level of user privileges to complete each task and avoid using accounts with admin. Privileges unless necessary.

If Infected, immediately disconnect your machine from the network by pulling the LAN cable and call the information security team. Do not tamper with the machine or data. Do not try to restore your data on your own.

EM @QUE, Chief Information Security Officer (CISO)

Disclaimer:

This briefing is for informational purposes only and should not be utilized as a solution to the NOTPETYA attack. If you believe you have been affected or have questions on how to remediate, reach out to a security consulting company.

Source: EC-Council.org I received this information because I am an active Certified Ethical Hacker (CEH).