Petya Ransomware: Outbreak, detection and prevention

Systems affected

Microsoft Windows OS platform.

Summary

European government, financial, utilities, transportation and energy sectors have been hit by a large-scale ransomware campaign. The malware is a new strain built from the previously discovered “Petya” ransomware, bolstered by the EternalBlue exploit. It has had its greatest impact in Russia and Ukraine; however, the attack has spread widely in the wild across Europe and Asia, to countries such as the UK, Germany, France, Italy, the Netherlands, Spain, Denmark, Poland and India, as well as the US. Petya is malicious software created to shut down computer systems, encrypt system files and demand a $300 ransom in Bitcoin paid to a Bitcoin wallet; victims are then required to send a unique identifier to the e-mail address [wowsmith123456@posteo.net] to confirm the payment and receive the decryption key.

Technical Details

As this is a new strain borrowing code from the “Petya” ransomware, it leverages the well-known “EternalBlue” exploit, which targets Windows SMBv1, a file-sharing protocol; this is the same exploit the “WannaCry” ransomware used to spread its infection in May 2017. Petya encrypts the MFT (Master File Table) of NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer.

Detection

E-mail address:
wowsmith123456@posteo.net

IP addresses:
95.141.115.108
185.165.29.78
84.200.16.242
111.90.139.247

Domains:
hxxp://mischapuk6hyrn72.onion/
hxxp://petya3jxfp2f7g3i.onion/
hxxp://petya3sen7dyko2n.onion/
hxxp://mischa5xyix2mrhd.onion/MZ2MMJ
hxxp://mischapuk6hyrn72.onion/MZ2MMJ
hxxp://petya3jxfp2f7g3i.onion/MZ2MMJ
hxxp://petya3sen7dyko2n.onion/MZ2MMJ
hxxp://benkow.cc/71b6a493388e7d0b40c83ce903bc6b04.bin
COFFEINOFFICE.XYZ
hxxp://french-cooking.com/

Hashes (SHA1):
a809a63bc5e31670ff117d838522dec433f74bee
bec678164cedea578a7aff4589018fa41551c27f
d5bf3f100e7dbcc434d7c58ebf64052329a60fc2
aba7aa41057c8a6b184ba5776c20f7e8fc97c657
0ff07caedad54c9b65e5873ac2d81b3126754aac
51eafbb626103765d3aedfd098b94d0e77de1196
078de2dc59ce59f503c63bd61f1ef8353dc7cf5f
7ca37b86f4acc702f108449c391dd2485b5ca18c
2bc182f04b935c7e358ed9c9e6df09ae6af47168
1b83c00143a1bb2bf16b46c01f36d53fb66f82b5
82920a2ad0138a2a8efc744ae5849c6dde6b435d

Malicious files (filename, SHA256):
myguy.xls EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6
BCA9D6.exe 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD
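The indicators above are only useful once they are matched against something. The following is an added example, not code from the advisory or from any vendor: a small Python sweep that hashes files under a directory and compares them with the SHA1 and SHA256 indicators listed, and that scans proxy/DNS log lines for the listed IP addresses and domains (including sub-domains of them). The indicator sets are copied from the lists above; the function names and the three sample log lines are constructed for this example.

```python
import hashlib
import re
from pathlib import Path

# Indicators copied from the advisory above; hashes are compared in lower case.
SHA1_IOCS = {
    "a809a63bc5e31670ff117d838522dec433f74bee",
    "bec678164cedea578a7aff4589018fa41551c27f",
    "d5bf3f100e7dbcc434d7c58ebf64052329a60fc2",
    "aba7aa41057c8a6b184ba5776c20f7e8fc97c657",
    "0ff07caedad54c9b65e5873ac2d81b3126754aac",
    "51eafbb626103765d3aedfd098b94d0e77de1196",
    "078de2dc59ce59f503c63bd61f1ef8353dc7cf5f",
    "7ca37b86f4acc702f108449c391dd2485b5ca18c",
    "2bc182f04b935c7e358ed9c9e6df09ae6af47168",
    "1b83c00143a1bb2bf16b46c01f36d53fb66f82b5",
    "82920a2ad0138a2a8efc744ae5849c6dde6b435d",
}
SHA256_IOCS = {
    "ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6": "myguy.xls",
    "17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd": "BCA9D6.exe",
}
IP_IOCS = {"95.141.115.108", "185.165.29.78", "84.200.16.242", "111.90.139.247"}
DOMAIN_IOCS = {
    "mischapuk6hyrn72.onion", "petya3jxfp2f7g3i.onion", "petya3sen7dyko2n.onion",
    "mischa5xyix2mrhd.onion", "benkow.cc", "coffeinoffice.xyz", "french-cooking.com",
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def hash_bytes(data, algorithm):
    """Hex digest of an in-memory buffer (used for spot checks of the hashing itself)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm):
    """Hex digest of a file, read in 1 MiB chunks so large files do not load into memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_files(root):
    """Return (path, algorithm, digest) for every regular file under root whose hash is an IoC."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            sha1 = hash_file(path, "sha1")
            sha256 = hash_file(path, "sha256")
        except OSError:
            continue  # locked or unreadable file: skip it rather than abort the sweep
        if sha1 in SHA1_IOCS:
            hits.append((str(path), "sha1", sha1))
        elif sha256 in SHA256_IOCS:
            hits.append((str(path), "sha256", sha256))
    return hits


def matching_domain(host):
    """Return the indicator matched by host or any of its parent domains, else None."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD on its own
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_IOCS:
            return candidate
    return None


def scan_log_lines(lines):
    """Return (line_number, kind, indicator) for each IP or domain IoC seen in the lines."""
    hits = []
    for number, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in IP_IOCS:
                hits.append((number, "ip", ip))
        for host in HOST_RE.findall(line):
            matched = matching_domain(host)
            if matched:
                hits.append((number, "domain", matched))
    return hits


# Constructed sample proxy/DNS log lines (not from the advisory): lines 1 and 2
# reference indicators listed above, line 3 is benign traffic.
SAMPLE_LOG = [
    "2017-06-27 10:14:02 proxy ALLOW 10.0.0.15 -> 84.200.16.242:80 GET http://benkow.cc/71b6a493388e7d0b40c83ce903bc6b04.bin",
    "2017-06-27 10:14:05 dns query from 10.0.0.15 for www.french-cooking.com A",
    "2017-06-27 10:14:09 proxy ALLOW 10.0.0.22 -> 93.184.216.34:443 CONNECT example.com",
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print("log line %d: %s indicator %s" % hit)
    for hit in scan_files("."):  # sweep the current directory for the listed samples
        print("file %s matched %s %s" % hit)
```

Sub-domain matching matters because a lookup for a host under one of the listed domains would otherwise slip past an exact-match comparison; the file sweep skips unreadable files instead of stopping, so a single locked file does not end the scan.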

Alternate Solution

Researchers the world over raced to find a kill switch or loophole similar to the one found for WannaCry; however, a researcher from Cybereason discovered a vaccine for the outbreak. It is simply to create a file called perfc in the C:\Windows folder and make it read-only. For further reading, refer to this article: https://www.bleepingcomputer.com/news/security/vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak/
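As an added example (not code from the advisory or from Cybereason), the following Python script carries out the step just described and verifies it: it creates an empty file named perfc in the Windows folder and clears its write bits, which on Windows sets the READONLY attribute, then checks that the file is present and read-only. The directory is a parameter so the same functions can be exercised against a scratch directory, as `self_test` does; the function names are this example's own.

```python
import os
import stat
import tempfile
from pathlib import Path


def windows_dir(override=None):
    """Resolve the Windows folder: an explicit override, else %SystemRoot%, else C:\\Windows."""
    return Path(override or os.environ.get("SystemRoot", r"C:\Windows"))


def create_vaccine_file(directory=None, name="perfc"):
    """Create <directory>\\<name> as an empty, read-only file and return its Path.

    On Windows, chmod without the write bit sets the READONLY attribute; on POSIX it
    removes the owner/group/other write permissions. Writing into the real Windows
    folder requires an elevated (administrator) prompt."""
    target = windows_dir(directory) / name
    if target.is_dir():
        raise IsADirectoryError(f"{target} is a directory, not a file")
    if not target.exists():
        target.touch()  # the presence of the file is what matters, not its content
    target.chmod(stat.S_IREAD | stat.S_IRGRP | stat.S_IROTH)
    return target


def is_vaccinated(directory=None, name="perfc"):
    """True only if the file exists as a regular file and its write bit is clear."""
    target = windows_dir(directory) / name
    if not target.is_file():
        return False
    return (target.stat().st_mode & stat.S_IWRITE) == 0


def self_test():
    """Run both functions in a scratch directory instead of the real Windows folder.

    Returns (before, after): the vaccinated status before and after creating the file."""
    with tempfile.TemporaryDirectory() as scratch:
        before = is_vaccinated(scratch)
        path = create_vaccine_file(scratch)
        after = is_vaccinated(scratch)
        path.chmod(stat.S_IREAD | stat.S_IWRITE)  # let the scratch directory be removed
    return before, after


if __name__ == "__main__":
    print("scratch run (before, after):", self_test())
    # On a Windows host you administer, run from an elevated prompt:
    # print(create_vaccine_file(), is_vaccinated())
```

The check deliberately tests the mode bits rather than `os.access`, because `os.access` reports a read-only file as writable when run as an administrator or root, which would make the verification pass for the wrong reason.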
