Wednesday, June 28, 2017

Petya / Nyetya; A new ransomware attack hit the world

What is it?

It wasn’t long since the massive WannaCry ransomware hit the cyber-world, and starting from yesterday, Tuesday June 27tha massive new attack of the ransomware variant has been identified, affecting organizations around the globe (wired article).

This ransomware is a new version Petya, also known as NotPetya (as it is a variant that borrows code from Petya but it’s different) and has other different names as Petrwarp, Nyetra, SortaPetya and Petna.

The attack first took place in Ukraine and started spreading quickly throughout the world. It is reported by Kaspersky that more than 2000 organizations globally are infected, including Maersk, Rosneft, and many others. The result of the attack is a large scale power-down of sites and services around the globe, with a major effect on daily business and logistics.

Why is it so dangerous?

This ransomware is more aggressive compared to WannaCry, as it encrypts the MFT (Master File Tree) tables for NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer. It’s also forcefully reboots systems and prevents them from working altogether.

This ransomware also contains advanced propagation techniques that makes it more dangerous than any ransomware before.

Why can the attack spread so fast?

After infecting a single machine the ransomware then propagates using several techniques, one of them is in a similar fashion as WannaCry; through exploitation EternalBlue.

Another propagation technique includes stealing of credentials and exploiting users’ permissions and using legitimate methods of connecting to other hosts.

This what makes the current ransomware more dangerous compared to WannaCry that uses only the EternalBlue exploit, as credentials harvesting results in very fast lateral movement. It spreads like an oil spill with a logarithmic character.

If only 1 computer is infected in the network and this computer stores login credentials of a network administrator, the entire network is compromised.

Technically speaking, the ransomware uses PsExec, WMI and SMB connections via ADMIN$ in order to propagate in the LAN.

It then tries to forcefully reboot the system and also creates a scheduled task to reboot the infected system one hour after the initial infection. The full encryption happens when the system reboots. It is not 100% clear if no encryption happens prior to the reboot.

Where does it come from?

At this point there are no clear indicators where the attack comes from. With information currently available, it is suggested that Petya was deployed onto potentially several millions of computers by hacking Ukrainian accounting software called “MeDoc”. It then used their automatic update feature to download the malware onto all computers using the software. 

Although MeDoc being the initial infection vector is unconfirmed (andeven denied by the company itself), current evidence points to them (source1source2source3).

Who are or can be affected?

It appears a Windows only variant so far. So Windows users are at risk.
Multiple large enterprises are hit: Maersk, TNT, and several Ukrainian entities are amongst them.
Any other Windows-based organization can be hit as well.

How can we protect our company?

We in Comsec recommend the following recommendations, prevention and mitigation measures:

  • It is recommended to make all employees aware of this event to make sure suspicious emails are not opened and any suspicious email or activity is reported to the relevant IT personnel. 
  • Obtain and patch systems to the latest version using the manufacturer security update, as it is likely to believe that Petya is actively exploiting known vulnerabilities inside networks. (TechNet Article)
  • For unsupported or unpatched systems, it is recommended to isolate them from the network and to consider shutting them down if possible. Alternatively, Microsoft released a security update for the SMB vulnerability also for Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003 (Technet Article. The system update is available here: KB4012598 
  • Disable SMBv1 in all unpatched machines, and in all machines where it does not impact their business purpose.
  • Isolate communication UDP ports 137 and 138 as well as TCP ports 139 and 445 in networks to avoid spreading or infection.
  • Update all AntiVirus and AntiMalware products signatures
  • Make sure all the organization’s critical data is backed up both in online and offline backup storage.
  • If possible, block the ADMIN$ share in the network. The worm uses this share with WMI to spread itself, thus disallowing access prevents the possible spread.
  • If you are infected, do not pay the 300$ asked ransom fee. The e-mail address referred to is no longer in service. The decryption key will not be received when you pay the fee.
  • The malware tries to reboot immediately and then again after 30-60 minutes. If infection is identified (pretends to be a windows CheckDisk scan) shut down the infected machine immediately.
  • In the recent hours it was found that a vaccine is available to prevent infection of a host. Create 3 read-only files named perfc, perfc.dll and perfc.dat in C:\Windows. This can be done by using the following script file (rename to vaccine.bat and execute in the entire domain using the GPO). It has to be noted that the vaccin works only if the executed / inject dll matches the exact name 'perfc'

@echo off

echo Administrative permissions required. Detecting permissions...
net session >nul 2>&1

if %errorLevel% == 0 (
       if exist C:\Windows\perfc (
              echo Computer already vaccinated .
       ) else (
              echo Vaccination file. > C:\Windows\perfc
                echo Vaccination file. > C:\Windows\perfc.dll
                echo Vaccination file. > C:\Windows\perfc.dat

              attrib +R C:\Windows\perfc
                attrib +R C:\Windows\perfc.dll
                attrib +R C:\Windows\perfc.dat

              echo Computer vaccinated.
) else (
       echo Failure: You must run this batch file as Administrator.

We can help you, just ask!

Comsec is constantly tracking the recent developments in the world and we update our blog accordingly. We are ready to assist with any questions or requests that you may have.

For further questions or help, please contact: or