[Update #5] Sin of neglect - (Not)Petya ransomware attacks public infrastructure of EU countries

Various media outlets, both technical and general, are reporting on the attack on the public infrastructure of Ukraine, Great Britain, Spain, the Netherlands, Sweden and several other countries, including many companies in Poland.

According to Kaspersky Lab (and not only them), the (Not)Petya worm most likely spreads by the same method as the WannaCry ransomware: through a vulnerability in the SMBv1 protocol, using the exploits developed by the NSA that were leaked and are publicly available on GitHub. However, it is possible that another exploit was used to break into Windows client systems. Some write about the vulnerability CVE-2017-0199 (affecting MS Office), which is exploited by malware delivered as a malicious attachment or downloaded by a botnet of which the infected computer is a part. Either way, the Lokibot dropper is responsible for spreading the ransomware (based on the Petya code, but, contrary to media reports, not Petya itself); after encryption, it infects other computers via PsExec and Windows Management Instrumentation Command-line (WMIC).

The ransomware, which strongly resembles Petya, encrypts, just like WannaCry, everything that is exposed "outside" (computers, terminals, ticket machines ...):

Computers in the store.

WannaCry itself made headlines quite recently; thankfully, a decryptor was developed for it. In the case of a Petya-like threat, the matter is more complicated.

Kaspersky Lab has already commented on the attacks:

Preliminary results of the study indicate that behind the attacks is not Petya, as reported by the media, but a new ransomware which analysts had not seen before.

At the moment, Kaspersky Lab telemetry data indicate about 2,000 attacked users. Most attacks were recorded in Russia and Ukraine, but there were also attempts to infect in Poland, Italy, Germany and several other countries. The attack vector at the moment is not known.

Researchers from Kaspersky Lab recommend that all companies update their Windows systems immediately, check that the antivirus software is up-to-date and works properly, and back up critical data in the event of a ransomware infection.

We, for our part, recommend applying the same tips as for WannaCry, i.e. patching your systems and protecting them against possible infection with reputable anti-virus software.

It just so happens that we have carried out a test of protection against encrypting viruses, in which we used several different ransomware variants, including Petya, which not only encrypts files but also overwrites the Master Boot Record (MBR) and the boot loader while pretending to be the CHKDSK tool.

So far, 20 ransom payments have been made. This number will grow; in addition, other BTC wallet addresses may appear.

The sin of neglect makes itself felt. Once again.

[Update #2], 28.06.2017

One way to stop the "NotPetya" ransomware (the malware uses the Petya code, but it is not Petya) is to create files named "perfc", "perfc.dat" and "perfc.dll" in "C:\Windows\" and set their attribute to "read only". You can use this executable file, which will do it for you (it must be run with administrator privileges).

These files are needed to start the encryption procedure; they contain the necessary instructions. If their contents are unreadable to the virus (and cannot be overwritten, which is why we set them as "read only"), encryption will not occur.
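The same vaccine as a script, added here as an example; it is not the executable linked above. It assumes the system drive is the one in `$env:SystemRoot` (normally `C:\Windows`) and must be run from an elevated PowerShell.

```powershell
# Added example (not the article's executable): create the three "vaccine"
# files described above in C:\Windows and mark them read-only.
$isAdmin = ([Security.Principal.WindowsPrincipal] `
            [Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw "Run this script from an elevated (Administrator) PowerShell." }

$names = 'perfc', 'perfc.dat', 'perfc.dll'
foreach ($name in $names) {
    # $env:SystemRoot is normally C:\Windows (assumption: default install path)
    $path = Join-Path $env:SystemRoot $name

    # Create an empty placeholder if nothing occupies the name yet.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path -ItemType File | Out-Null
    }

    # Add the read-only attribute so the placeholder cannot simply be overwritten.
    $item = Get-Item -LiteralPath $path -Force
    $item.Attributes = $item.Attributes -bor [System.IO.FileAttributes]::ReadOnly

    # Verify the attribute actually stuck and report it.
    $readOnly = [bool]((Get-Item -LiteralPath $path -Force).Attributes -band `
                       [System.IO.FileAttributes]::ReadOnly)
    "{0}: exists, read-only = {1}" -f $path, $readOnly
}
```

Re-running the script is harmless: existing files are left in place and only the attribute is re-applied.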

The number of paid ransoms increased from 20 to 40.

[Update #3], 28.06.2017

ESET researchers have found the spark that started the fire: the M.E.Doc accounting software used by Ukrainian companies and by entities cooperating with them, including financial institutions. This program downloaded its update together with the Trojan, which enabled the attackers to launch a massive ransomware campaign that spread to many EU countries. The probable scenario includes a phase before the ransomware began to spread: the hacking of the server that stores the updates.

The Ukrainian company M.E.Doc published a statement yesterday evening, which has already been removed. It looks like the company is questioning earlier announcements that its servers were spreading malware.

[Update #4], 28.06.2017

If any of you are willing to pay the ransom, do not do it. The account "[email protected]" has been blocked, so there is no way to obtain a decryption key. In addition, the first technical analyses are already appearing. CERT Polska did a great job. Here are the most important details:

  • Propagation also occurs on computers with up-to-date Windows systems in domain environments.
  • Creating the file C:\Windows\perfc blocks the attack vector via WMIC.
  • If the fake CHKDSK tool appears on screen after a restart, shut the computer down immediately; files are being encrypted at that moment.
  • The ransomware targeted only local hard drives; network shares and removable drives were not targeted (or at least the sample analysed by CERT Polska did not touch such shares).
  • The ransomware encrypted files with the following extensions:
.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip
  • The MBR overwrite mechanism has not changed significantly since last year's campaign. After infection, the system event logs (Setup, System, Security, Application) are cleared.
  • A task that restarts the computer one hour after infection is added to the Task Scheduler.
  • Prime Minister Beata Szydło convened the Government Crisis Management Team. For now, they are debating without computers:
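Three of the CERT Polska findings above (the perfc vaccine, the scheduled reboot, the cleared event logs) can be checked on a single host. The script below is an added example, not CERT Polska's or the article's code; the Security 1102 and System 104 event IDs are the standard Windows "log cleared" records, while matching the reboot task on `shutdown` with `/r` is an assumption about how the task is written.

```powershell
# Added example: triage checks for the indicators described in Update #4.
# Requires Windows 8 / Server 2012 or newer for Get-ScheduledTask.
$findings = @()

# 1. Vaccine files from Update #2 present in C:\Windows (assumes default SystemRoot)?
foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
    $p = Join-Path $env:SystemRoot $name
    if (-not (Test-Path -LiteralPath $p)) { $findings += "vaccine file missing: $p" }
}

# 2. Any scheduled task whose action is a reboot (shutdown.exe with /r)?
#    The pattern is an assumption; review every hit by hand.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if ($action.Execute -match 'shutdown' -and $action.Arguments -match '/r') {
            $findings += "reboot task '$($task.TaskName)': $($action.Execute) $($action.Arguments)"
        }
    }
}

# 3. Event logs cleared? Windows writes Security 1102 / System 104 as the first
#    record after a log wipe, so those records survive the wipe itself.
$clearEvents = @(
    Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 1102} -MaxEvents 5 -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{LogName = 'System';   Id = 104 } -MaxEvents 5 -ErrorAction SilentlyContinue
)
foreach ($e in $clearEvents) {
    $findings += "log cleared: $($e.LogName) at $($e.TimeCreated)"
}

if ($findings.Count -eq 0) { "No indicators found." } else { $findings }
```

A "log cleared" hit is only meaningful when nobody on the team cleared the log deliberately around that time, so correlate the timestamp with change records before treating it as evidence.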

[Update #5], 29.06.2017

The meeting of the Government Crisis Management Team did not produce anything significant. We only learned what was already known:

The recommendations may seem obvious, but we are talking about extremely important issues: the issue of backups, the issue of system updates, the issue of cooperation with CERTs, the issue of employee training, said Mariusz Błaszczak, head of the Ministry of Interior and Administration.

On the second day after the ransomware attack using the Petya code, we know much more about this malware:

  • As mentioned, and contrary to various media reports, the malware the whole world is writing about is not Petya but a modification of it, called NotPetya or ExPetr.
  • The main purpose of this cyber attack was not money. Circumstantial evidence points to this:
    • The construction of the NotPetya ransom note revealed to researchers that it does not carry an identifier unique to the infected Windows station. In other words, the purpose of NotPetya was to destroy, not to extort a ransom (which could not have succeeded anyway, because the attacker's email account was blocked by the BTC exchange).
    • Some sources indicate that there was more to NotPetya: something that required covering of tracks.
    • In most ransomware attacks, the authors set up at least several BTC addresses, in case one is blocked and to make it easier for victims to pay. NotPetya made this difficult.

In the original version of Petya, the generated unique installation ID carries key information needed for decryption. Once the victim sends this information to the attacker, the attacker can extract the decryption key using a private key.

NotPetya generates its ID using the CryptGenRandom function. The data is encoded in Base58, and if we compare the generated data for both versions of the ransomware, they should be the same. Unfortunately they are not: NotPetya displays only a random, ordinary string. This means that the attacker cannot extract any information needed for decryption from the randomly generated string shown on the victim machine, so the victim is unable to decrypt any of the encrypted files using the installation ID.


We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.