
Epidemic of the Petya blackmailer virus: what you need to know

Following last month's massive WannaCry attacks, a major incident involving a ransomware program called NotPetya is currently unfolding. This morning researchers assumed it was a variant of the Petya ransomware, but Kaspersky Lab and other companies reported that, despite the similarity, it is in fact #NotPetya. Regardless of its name, here is what you should know.

This malware not only encrypts data to demand a ransom, but also takes over the computer and blocks access to it entirely by encrypting the master boot record.

Petya is another fast-spreading attack that, like WannaCry, exploits the vulnerability targeted by the NSA's EternalBlue exploit. Unlike WannaCry, Petya can also spread through Windows Management Instrumentation (WMI) and PsExec (more on this below). Some frightening facts about this new malware:


Several well-known organizations and companies have already been seriously affected, including the Ukrainian government, which has shown a healthy sense of humor about it.
Infections have been reported around the world: metro systems, national utilities, banks and international corporations have been hit. The full scope is still unknown, but reports of infected computers and locked-up IT systems in various industries keep coming in.

How does the Petya virus spread?


Initially it was thought that Petya gained its foothold in corporate networks through e-mail messages carrying an infected Word document that exploits the CVE-2017-0199 vulnerability. (If you have installed the Microsoft Office patches, you should be protected against this vector.)

Although phishing is a common attack vector, in this case MeDoc, a financial software vendor based in Ukraine, turned out to be one of the main sources. The MeDoc software update mechanism was compromised, and the attackers used it to distribute the Petya ransomware (source). This explains why Ukraine was hit hardest.

Once one computer is infected, Petya spreads peer-to-peer to other Windows computers and servers on which the MS17-010 vulnerability has not been patched (this is the SMB vulnerability that everyone was advised to patch during the WannaCry attack). It can also spread through PsExec to admin$ shares, even on computers that have the patch installed. We recently wrote a detailed tutorial about PsExec and about disabling PowerShell; it will be useful here.

The positive point, at least for now, is that the peer-to-peer infection does not seem to go beyond the local network: Petya moves effectively across an entire local network but can hardly move to other networks. According to @MalwareTechBlog, the pizza-loving Internet user who became famous for finding the WannaCry kill switch:

The current Petya attack is different in that its exploits are used only to spread on the local network and not on the Internet (that is, you are very unlikely to become infected if your computer is not on the same network as an infected computer). Assuming the networks are finite and can be scanned quickly enough, the malware should stop spreading once the local network has been scanned. So there is no danger here of the kind posed by WannaCry, which still keeps spreading (although I have already stopped it with the kill switch).

How to detect PsExec with DatAlert

If you have DatAlert version 6.3.150 or later, you can detect the PsExec.exe file on Windows file servers as follows:

1. Select Tools -> DatAlert -> DatAlert.
2. Search for the string "system admin".
3. For each rule found (expand the groups to see them), click Edit Rule and check the Enabled box.
If PsExec is detected, DatAlert will raise alerts for system administrator tools in the Reconnaissance alert category, for example "System administration tool created or modified" or "Operation failed on a tool usually used by system administrators".

This should help you detect whether Petya is using PsExec to spread to file servers. Read on, because these are not all the actions that help prevent the initial infection and stop Petya from spreading to your endpoints.

What does the Petya virus do?


Once NotPetya lands on a computer, it waits about an hour and a half before starting the attack; most likely this time is used to infect other machines and to make the entry point harder to find.

At the end of the waiting period, the following occurs:

1. It encrypts the master file table (MFT) on local NTFS volumes.
2. It copies itself to the master boot record of the infected workstation or server.
3. It forces the computer to reboot, locking users out.
4. At boot, it displays a lock screen with a ransom demand (shown below).

None of the computers in the office are working. Global attack #Ransomware. I heard that several other companies were also attacked. Make backups and take care of yourselves. pic.twitter.com/YNctmvdW2I

- Mihir (@mihirmodi) June 27, 2017

Because the master file table is encrypted, the computer is out of action until the ransom is paid. This can do far more damage to an organization than encrypting some files on a server. In most cases IT staff have to deal with each computer individually; the standard response to ransomware, "we will just restore the files from backup", is ineffective.

If you have no processes for remote boot or imaging and the infected computers cannot be recovered, you may have to rebuild the workstations manually to set things right. Although in most cases this is possible, for companies with many remote sites it will be very difficult and time-consuming. For a shipping company with 600 or more cargo ships at sea at any one time, it is almost impossible.

As Microsoft notes: "Only if it has maximum rights (for example, with SeDebugPrivilege enabled) does the malware try to overwrite the master boot record code." If the infected user does not have administrator rights on the computer, the malware instead tries to encrypt user data files matching a fixed list of file extensions.
It does not add a unique extension to encrypted files (for example, .locky) - it encrypts the contents and preserves the original file name and extension.

What to do?


Preventing a Petya infection is very similar to the actions that could have been taken earlier against the WannaCry attack:
Local kill switch

There is also something resembling a local kill switch. If the file %WINDIR%\perfc (with no extension) exists on the computer, the ransomware will not run. You can be creative about how you deploy this file to every workstation in your environment.
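As an added example (not from the original article, nor Varonis code), here is a PowerShell function that creates the %WINDIR%\perfc kill-switch file as an empty read-only file and reports what it did; the function name, the read-only choice, and the remote-deployment call are assumptions of this example, not something the article prescribes.

```powershell
# Added example: deploy the local NotPetya kill-switch file %WINDIR%\perfc.
# Assumptions: runs as an administrator; the read-only attribute is an extra
# precaution chosen here, not a requirement stated in the article.

function Install-PerfcKillSwitch {
    [CmdletBinding()]
    param(
        # The article names only "perfc" with no extension.
        [string]$FileName = 'perfc'
    )

    $path = Join-Path -Path $env:WINDIR -ChildPath $FileName

    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        if (-not $item.IsReadOnly) {
            # Harden an existing file so it cannot be silently replaced.
            $item.IsReadOnly = $true
        }
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Path = $path; Status = 'AlreadyPresent'
        }
    }

    try {
        # Create an empty file, then mark it read-only.
        $null = New-Item -Path $path -ItemType File -Force -ErrorAction Stop
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Path = $path; Status = 'Created'
        }
    }
    catch {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Path = $path
            Status   = "Failed: $($_.Exception.Message)"
        }
    }
}

# Run locally and show the result. For remote deployment (assumption: a list of
# hostnames in $computers and WinRM enabled), the same function can be pushed with:
#   Invoke-Command -ComputerName $computers -ScriptBlock ${function:Install-PerfcKillSwitch}
Install-PerfcKillSwitch | Format-Table -AutoSize
```

Running it twice is safe: the second run reports AlreadyPresent instead of recreating the file, so it can be scheduled as a GPO startup script.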

In addition, you can see which antivirus products for endpoints can detect the Petya virus in the VirusTotal scan results.

A sample of the Petya virus, obtained by the researchers, was compiled on June 18th.



Should I pay?


The ransom note specified an account at Posteo (an e-mail service provider). Posteo's abuse and security department posted the following update.

They did the following.

1. Blocked this account.
2. Confirmed that no decryption keys were sent from the account.
3. Contacted the authorities and offered all possible assistance.

All this leads to the conclusion that you should not pay the ransom, because you will not receive the decryption keys you need.

The story continues to evolve, and we will update this note as new information becomes available.

Source: https://habr.com/ru/post/337186/
