Recommendations and information: Petya ransomware
Aggregated notes on the Petya, Notpetya, Petwrap outbreak and defense
On June 27th, at around 15:00 CET, reports came in of ransomware attacks on European and Ukrainian targets, including banks, governments, enterprises, and transportation.
A quick summary, aggregated from resources on the web and from our Cyber Defense Centers.
What is it?
Initially thought to be Petya, then “inspired” by Petya or called Petwrap, the malware “looks like” ransomware and does the following:
- Petya clears the Windows event log using Wevtutil
- Encrypts the MFT (Master File Table) and renders the master boot record (MBR) inoperable, restricting access to the full system by seizing the information about file names, sizes, and locations on the physical disk.
- Forces a reboot
- Then it replaces the computer’s MBR with its own malicious code that displays the ransom note and leaves computers unable to boot.
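The first item in the list above, clearing the event logs, leaves its own trace on the host, because Windows records the clearing itself. As an added example (not part of the original advisory), this PowerShell snippet looks for those records: Event ID 1102 in the Security log ("The audit log was cleared") and Event ID 104 in the System log (another log was cleared). It assumes local administrator rights on the host, or a reachable remote host via -ComputerName.

```powershell
# Added example: detect event-log clearing, the behaviour attributed above to
# Petya running wevtutil. Windows writes Event ID 1102 to the Security log and
# Event ID 104 to the System log when a log is cleared; those records survive
# the wipe of the other logs.
# Assumption: run elevated, locally or against a host you administer.

param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$LookbackHours = 24
)

$since = (Get-Date).AddHours(-$LookbackHours)

$filters = @(
    @{ LogName = 'Security'; Id = 1102; StartTime = $since },
    @{ LogName = 'System';   Id = 104;  StartTime = $since }
)

$hits = foreach ($f in $filters) {
    # Get-WinEvent throws when nothing matches; treat "no events" as a normal result
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $f -ErrorAction SilentlyContinue
}

if (-not $hits) {
    Write-Output "No log-clearing events on $ComputerName in the last $LookbackHours hours."
    return
}

$hits |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id,
        @{ Name = 'ClearedBy'; Expression = { $_.UserId } },
        @{ Name = 'Summary';   Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# A cleared log followed shortly by an unexpected reboot matches the sequence
# described above; treat it as a trigger to isolate the host before it is
# allowed to boot again.
```

Forward these two event IDs to your central log collector: once the malware has run, the local copy of the other logs is gone, but the collector still holds whatever was shipped before the clear.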
What’s the impact?
Many more types of files are encrypted than usual, and Petya effectively renders the system unusable. The purpose of this malware seems to be destruction rather than money. Because it uses multiple infection vectors, including one that works on patched PCs, Petya spread very fast.
Should I pay?
Common advice is to never pay. Petya especially should not be paid: the e-mail address [email protected] has been blocked, so you will not get your files back anyway.
How do I protect myself?
Petya has several infection methods:
- MS17-010 vulnerability like Wannacry;
- Privilege escalation and psexec, using CVE-2017-0199;
- Ukrainian accounting software called MeDoc is thought to be (one of the) initial infection vectors.
An e-mail campaign infection vector is also suggested (including by US-CERT).
Patch against the above and refrain from using MeDoc. We are compiling a list of 3rd party security software that protects against Petya too; please see below.
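As an added example (not part of the original advisory), the script below audits a single Windows host for the two network-side items in the list above: whether the MS17-010 update is installed and whether SMBv1, the protocol MS17-010 patches, is still enabled on the server side, plus whether the PSEXESVC service that PsExec installs is present. It assumes an elevated PowerShell on Windows 8.1 / Server 2012 R2 or newer (where Get-SmbServerConfiguration exists); the KB number for your OS build is not given on this page, so it is a placeholder to fill in from the Microsoft bulletin.

```powershell
# Added example: audit (and optionally close) the lateral-movement paths listed
# above on one host. Not the advisory's own tooling.
# Assumptions: elevated shell; Windows 8.1 / Server 2012 R2 or newer;
# the MS17-010 KB number for this OS build is supplied by the caller.

param(
    [string]$Ms17010Kb = 'KB<fill-in-from-MS17-010-bulletin>',   # placeholder
    [switch]$Remediate
)

$findings = @()

# 1. MS17-010 update present?
$hotfix = Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue
if (-not $hotfix) {
    $findings += "MS17-010 update $Ms17010Kb is not installed"
}

# 2. SMBv1 server protocol still enabled? (MS17-010 is an SMBv1 server bug;
#    disabling SMBv1 removes the attack surface even on an unpatched host)
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is enabled'
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $findings += '  -> SMBv1 server protocol disabled (reboot not required)'
    }
}

# 3. PsExec leftover? PsExec installs a service named PSEXESVC on the target;
#    its presence on a workstation that nobody administers remotely is worth a look.
$psexec = Get-Service -Name 'PSEXESVC' -ErrorAction SilentlyContinue
if ($psexec) {
    $findings += "PSEXESVC service present (status: $($psexec.Status))"
}

if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: no findings"
} else {
    Write-Output "$env:COMPUTERNAME:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it without -Remediate first to collect the state of a fleet; disabling SMBv1 breaks clients that still depend on it (old printers and NAS boxes), so confirm nothing legitimate uses it before turning the switch on everywhere.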
Is there a kill switch like with Wannacry?
There’s no kill switch like the one in Wannacry; however, sources mention that creating a specific file and blocking access to it might stop (part of) Petya’s operation.
It looks like blocking C:\Windows\perfc.dat from being written to or executed works (https://twitter.com/HackingDave/status/879779361364357121).
Another mention of a local kill switch: create the file “C:\Windows\perfc”.
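The two file names above are easy to get wrong by hand, and a file that exists but is writable does not meet the condition described. As an added example (not part of the original advisory), the following PowerShell creates both files, marks them read-only and adds a Deny ACE for Write and Execute, then reports what it verified. It assumes an elevated PowerShell on the host; the file paths are exactly the ones quoted in the text.

```powershell
# Added example: create the read-only "vaccine" files mentioned above and deny
# write/execute on them. This only covers the reported local kill switch and is
# no substitute for patching MS17-010.
# Assumption: run elevated; paths are the ones quoted in the text.

$paths = @('C:\Windows\perfc', 'C:\Windows\perfc.dat')

$rights = [System.Security.AccessControl.FileSystemRights]::Write -bor
          [System.Security.AccessControl.FileSystemRights]::ExecuteFile

foreach ($path in $paths) {
    if (-not (Test-Path -LiteralPath $path)) {
        # Zero-byte file; contents do not matter, existence and permissions do
        New-Item -ItemType File -Path $path -Force | Out-Null
    }

    # Read-only attribute
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true

    # Explicit Deny for Write and Execute to Everyone, on top of the attribute
    $acl  = Get-Acl -LiteralPath $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', $rights, 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl
}

# Verify and report, one row per file
foreach ($path in $paths) {
    $item = Get-Item -LiteralPath $path
    $deny = (Get-Acl -LiteralPath $path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference -eq 'Everyone'
        }
    [pscustomobject]@{
        Path     = $path
        Exists   = $true
        ReadOnly = $item.IsReadOnly
        DenyRule = [bool]$deny
    }
}
```

Push this through your management tooling rather than by hand, and keep the verification output: if a later update or cleanup tool removes the files, the Deny row flips to False and you know the mitigation is gone.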
Who’s behind this?
This is early days. Ground zero seems to be in Ukraine through the MeDoc infrastructure. Some suspect Russia for this reason. Since the actual bitcoin ransom process was created so shoddily, many suspect ulterior motivations.
How much money did they make?
Like in Wannacry, they created a single bitcoin address that can be tracked. At this time, around 40 payments have been made, for around 0.12 BTC (around 12,000 dollars). Track Petya earnings here
3rd party software that will detect Petya
Reportedly these 3rd party solutions will stop Petya even if you’re vulnerable: