Recommendation and information on Petya ransomware
Wommelgem 27/06/2017 UPDATE
- Do not pay the ransom: you will not get your files back, because the attackers' e-mail address has been blocked.
- Security experts have been testing whether creating certain files on a host blocks the damaging processes; results vary, and we are watching this space.
- The accounting software MeDoc is suspected as the initial infection vector, but there is no definitive evidence of this.
We are currently observing an ongoing ransomware campaign that is spreading quickly. The ransomware is reportedly spreading via two routes: the EternalBlue exploit, just as WannaCry ransomware did, and PsExec, which is dropped as dllhost.dat and used to spread to other hosts.
What we have observed the sample (a new variant of Petya ransomware, also known as Petwrap) doing:
- Clears the Windows event logs using wevtutil
- Encrypts the MFT (Master File Table) and renders the master boot record (MBR) inoperable, restricting access to the whole system by seizing the information about file names, sizes and locations on the physical disk
- Forces a reboot
- Then replaces the computer's MBR with its own malicious code, which displays the ransom note and leaves the computer unable to boot
Because the malware uses a known Windows vulnerability, we recommend checking whether the MS17-010 patch is installed; if not, install it immediately. If you have internal segmentation within your network, temporarily block TCP port 445 between segments where possible.
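A host-side triage script for the points above (the event-log clearing in the list, and the MS17-010 / TCP 445 advice), written here as an added example; it is not part of the SecureLink advisory. It assumes the KB list is the complete set of MS17-010 security updates for the host's OS (later cumulative updates supersede them, so a missing KB means "check update history", not "unpatched"), and the firewall rule name and 48-hour window are arbitrary choices; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the advisory. Triage one Windows host for the items the
# advisory raises: MS17-010 present, SMBv1 enabled, Security log cleared recently.

# MS17-010 security-update KB numbers (March 2017). Assumption: complete for this OS;
# later monthly rollups supersede them, so "not found" is a prompt to check update history.
$Ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216','KB4012214',
                'KB4012217','KB4013429','KB4012606','KB4013198','KB4012598')

function Test-Ms17010Installed {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{ Patched = ($found.Count -gt 0); Kb = ($found -join ', ') }
}

function Test-Smb1Enabled {
    # EternalBlue targets SMBv1. Get-SmbServerConfiguration exists on Windows 8/2012+.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older hosts: the SMB1 registry value; an absent value means SMBv1 is enabled.
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
         -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $p) -or ($p.SMB1 -ne 0)
}

function Get-RecentLogClears {
    # Event ID 1102 is written when the Security log is cleared (e.g. by "wevtutil cl").
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102;
                                     StartTime = (Get-Date).AddHours(-48) } -ErrorAction SilentlyContinue
}

function Block-Smb445Inbound {
    # Temporary containment as the advisory suggests; remove the rule once the host is patched.
    $name = 'TEMP block TCP 445 (Petya advisory)'   # arbitrary rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block | Out-Null
    }
}

$patch = Test-Ms17010Installed
$smb1  = Test-Smb1Enabled
"MS17-010 KB present : $($patch.Patched) $($patch.Kb)"
"SMBv1 enabled       : $smb1"
"Security log cleared: $(@(Get-RecentLogClears).Count) event(s) in the last 48h"
if (-not $patch.Patched -and $smb1) {
    Write-Warning 'No MS17-010 KB found and SMBv1 is enabled; blocking inbound TCP 445 until patched.'
    Block-Smb445Inbound
}
```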
We have tested detection using several technologies; there are no guarantees, however.
We have verified that:
- SecurePrevent Endpoint and Cylance are blocking this threat in online and offline mode
- Palo Alto Networks states that WildFire has been updated with the known hash
- For Palo Alto Traps customers we advise temporarily adding a rule that blocks "child processes" of rundll32
If you are already a victim, then the advice is to:
- Isolate the infected devices from the network as soon as possible
- Restore from backups, and make sure the Microsoft patch is installed before you reconnect the system to the network
External information can be found here:
Monitor our website for more information.
If you have any questions about this Security Alert, do not hesitate to contact our SecureLink Support Desk via [email protected].
If you are a SecureProtect customer, we will contact you with follow-up actions if necessary.
Example note: If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service. We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment and purchase the decryption key.
Please follow the instructions:
1. Send $300 worth of Bitcoin to the following address: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
2. Send your Bitcoin wallet ID and personal installation key to e-mail [email protected].