Aggregated notes on the Petya, Notpetya, Petwrap outbreak and defense

On June 27th around 15:00 CET, reports came in on ransomware attacks to European & Ukrainian targets, including banks, governments, enterprises, and transportation.

A quick summary aggregated from resources on the web, and our Cyber Defense Centers.

What is it?

Initially thought to be Petya, then described as “inspired” by Petya or called Petwrap, the malware “looks like” ransomware and does the following:

  • Petya clears the Windows event log using Wevtutil
  • Encrypts the MFT (Master File Table) and renders the master boot record (MBR) inoperable, restricting access to the full system by taking control of the information about file names, sizes and locations on the physical disk.
  • Forces a reboot
  • Then replaces the computer’s MBR with its own malicious code, which displays the ransom note and leaves the computer unable to boot.

Screenshot courtesy of Avast.

What’s the impact?

Many more types of files are encrypted than usual, and Petya effectively renders the system unusable. It seems the purpose of this malware is destruction rather than money. Because it uses multiple infection vectors, including one that works on patched PCs, Petya spreads very fast.

Should I pay?

Standard advice is to never pay. Petya especially should not be paid: the e-mail address wowsmith123456@posteo.net has been blocked, so you will not get your files back anyway.

How do I protect myself?

Petya has several infection methods:

  • The MS17-010 vulnerability, as with WannaCry
  • Privilege escalation and psexec, using CVE-2017-0199
  • Ukrainian accounting software called MeDoc is thought to be (one of the) initial infection vectors.

An e-mail campaign is also suggested as an infection vector (including by US-CERT).

Patch the vulnerabilities above and refrain from using MeDoc. We are compiling a list of 3rd party security software that protects against Petya too – please see below.

Is there a kill switch like with Wannacry?

There is not. However, sources mention that if you create a specific file and block access to it, it might stop (part of) Petya’s operation.

It looks like blocking C:\Windows\perfc.dat from being written or executed works (https://twitter.com/HackingDave/status/879779361364357121).

Another mention of a local kill switch: create the file “C:\Windows\perfc”.
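As an added example (not part of the original post), a PowerShell script that creates the two files named above as read-only, adds an explicit deny ACE for write and execute, and reports the resulting state so the check can be collected across a fleet; the file names come from the post, while the deny-ACL approach and the function names are this example's own.

```powershell
# Added example, not from the original post: create the "kill switch" files named
# above as read-only and deny Write/Execute on them to Everyone (well-known SID S-1-1-0).
# Run from an elevated PowerShell prompt; the function names are this example's own.
$KillSwitchFiles = @('C:\Windows\perfc', 'C:\Windows\perfc.dat')

function New-PerfcKillSwitch {
    param([string[]]$Paths = $KillSwitchFiles)
    $Everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
    foreach ($Path in $Paths) {
        # Create an empty placeholder if it does not already exist
        if (-not (Test-Path -LiteralPath $Path)) {
            New-Item -ItemType File -Path $Path -Force | Out-Null
        }
        # Mark it read-only so it cannot simply be overwritten with a new copy
        Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true
        # Add an explicit deny ACE for Write and Execute on top of the attribute
        $Acl  = Get-Acl -LiteralPath $Path
        $Rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $Everyone, 'Write, ExecuteFile', 'Deny')
        $Acl.AddAccessRule($Rule)
        Set-Acl -LiteralPath $Path -AclObject $Acl
    }
}

function Test-PerfcKillSwitch {
    # Returns one object per path so the state can be collected fleet-wide
    param([string[]]$Paths = $KillSwitchFiles)
    foreach ($Path in $Paths) {
        $Exists = Test-Path -LiteralPath $Path
        $ReadOnly = $false; $DenyAce = $false
        if ($Exists) {
            $ReadOnly = (Get-Item -LiteralPath $Path).IsReadOnly
            # True when a Deny entry for Everyone is present in the DACL
            $DenyAce = [bool]((Get-Acl -LiteralPath $Path).Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                $_.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
            })
        }
        [pscustomobject]@{ Path = $Path; Exists = $Exists; ReadOnly = $ReadOnly; DenyAce = $DenyAce }
    }
}

New-PerfcKillSwitch
Test-PerfcKillSwitch | Format-Table -AutoSize
```

Test-PerfcKillSwitch can be run on its own (for example through a remoting session) to confirm that every host still has both files in place with the deny entry intact.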

Who’s behind this?

These are early days. Ground zero seems to be in Ukraine through the MeDoc infrastructure. Some suspect Russia for this reason. Since the actual bitcoin ransom process was created so shoddily, many suspect ulterior motivations.

How much money did they make?

As with WannaCry, they created a single bitcoin address that can be tracked. At this time, around 40 payments of about 0.12 BTC each have been made (around 12,000 dollars in total). Track Petya earnings here.

3rd party software that will detect Petya

Reportedly these 3rd party solutions will stop Petya even if you’re vulnerable:

  • Cylance
  • Palo Alto Traps
  • Juniper Sky ATP

June 28th, 2017 | SecureLink