{"id":8066,"date":"2017-06-27T13:10:01","date_gmt":"2017-06-27T21:10:01","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/06\/27\/news-1843\/"},"modified":"2017-06-27T13:10:01","modified_gmt":"2017-06-27T21:10:01","slug":"news-1843","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/06\/27\/news-1843\/","title":{"rendered":"Petya-esque ransomware is spreading across the world"},"content":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Tue, 27 Jun 2017 20:26:29 +0000<\/strong><\/p>\n<p>Ringing with echoes of WannaCry, a new strain of ransomware called Petya (or Petrwrap, or NotPetya) is impacting\u00a0users\u00a0around the world, shutting down firms in Ukraine, Britain, and Spain.<\/p>\n<h3>Background<\/h3>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/04\/petya-ransomware\/\" target=\"_blank\" rel=\"noopener noreferrer\">Petya<\/a>, created in July 2016, started off as one of the next-generation ransomware strains that utilizes an MBR (Master Boot Record) locker. In the early days of ransomware, strains that modified the startup of a system were popular, but they had died off for many years. Today, not long after its one year anniversary, Petya has come back with a vengeance and a nasty new distribution method.<\/p>\n<p>As to whether or not this malware is the same Petya that we have dealt with in the past, <a href=\"https:\/\/twitter.com\/HowellONeill\/status\/879743360906350592\/photo\/1\" target=\"_blank\" rel=\"noopener noreferrer\">many other researchers, including our own<\/a>, claim that the malware is heavily influenced and likely developed by the creators of Petya. 
This malware has indicators and code matching previous versions of Petya, but with additional functionality.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"550\">\n<p lang=\"en\" dir=\"ltr\">Kaspersky Lab analysts say new attacks are not a variant of Petya ransomware as publicly reported, but a new ransomware they call NotPetya <a href=\"https:\/\/t.co\/Uf8phx9Pkf\">pic.twitter.com\/Uf8phx9Pkf<\/a><\/p>\n<p>&mdash; Patrick O&#39;Neill (@HowellONeill) <a href=\"https:\/\/twitter.com\/HowellONeill\/status\/879743360906350592\">June 27, 2017<\/a><\/p>\n<\/blockquote>\n<p>We are not going to claim attribution or even confirm what family we are dealing with until more analysis has been completed and more evidence is available.\u00a0What we can say for sure is that this ransomware uses tactics rarely seen in the wild.<\/p>\n<h3>Infection vector<\/h3>\n<p>Taking a page out of WannaCry\u2019s book, this new ransomware\u00a0utilizes the same EternalBlue SMB exploit that was used in the outbreak that occurred more than a month ago. There are also currently reports that this attack uses email spam to distribute infected Office documents in an effort to rapidly spread the ransomware. This malware also includes the ability to use PSExec on a system it has administrative credentials on, allowing it to execute duplicates of the malware on any system on the network.<\/p>\n<p>However, not all of these\u00a0reports have been confirmed by Malwarebytes staff, so its true original infection vector beyond SMB exploitation is up in the air. 
But the combination of the PSExec method with the EternalBlue exploit gives this malware a lot of power in its ability to spread across a network.<\/p>\n<h3>Execution<\/h3>\n<p>After execution, the ransomware\u00a0infects the system at a low level, modifying the MBR and presenting the user with the following prompt:<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/shutdown.png\" target=\"_blank\" rel=\"noopener noreferrer\" data-rel=\"lightbox-0\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-18556 size-full\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/shutdown.png\" alt=\"\" width=\"372\" height=\"171\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/shutdown.png 372w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/shutdown-300x138.png 300w\" sizes=\"auto, (max-width: 372px) 100vw, 372px\" \/><\/a><\/p>\n<p>After a reboot, instead of loading\u00a0into the\u00a0operating system installed on the computer, the user is faced with a faux Check Disk operation that, instead of actually checking your hard disk for issues, is actually encrypting files! 
This is done to buy the ransomware\u00a0more time to encrypt all the relevant files on the system without being stopped by the user.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-18550 size-large\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/chkdsk-1-600x338.png\" alt=\"\" width=\"600\" height=\"338\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/chkdsk-1-600x338.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/chkdsk-1-300x169.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/chkdsk-1-400x225.png 400w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/chkdsk-1.png 725w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p>The MFT (Master File Tree) and the MBR are also encrypted. The MBR is overwritten to display the ransom note, which makes it impossible to boot the system without remediation\u2014meaning users must either pay the culprit or be unable to access their system. The computer will then display a menacing black screen with red lettering listing the ransomware&#8217;s purpose and its demands. 
The attack affects users by encrypting anywhere from a single file to the entire system.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-18546 size-large\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/screen1-600x336.png\" alt=\"\" width=\"600\" height=\"336\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/screen1-600x336.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/screen1-300x168.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/screen1-400x225.png 400w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/screen1.png 724w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p>While this situation could have been easily avoided by simply keeping all antivirus database and operating system updates current, the now-infected users must\u00a0pay $300 in Bitcoins to regain access to their files.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"550\">\n<p lang=\"en\" dir=\"ltr\">An interesting aspect of this attack is the targeted filetypes. The intended victims are rather different from Petya or &#39;normal&#39; ransomware. <a href=\"https:\/\/t.co\/mTRcPTHbpF\">pic.twitter.com\/mTRcPTHbpF<\/a><\/p>\n<p>&mdash; Yonathan Klijnsma (@ydklijnsma) <a href=\"https:\/\/twitter.com\/ydklijnsma\/status\/879751670355439617\">June 27, 2017<\/a><\/p>\n<\/blockquote>\n<p>As stated on Twitter by <a href=\"https:\/\/twitter.com\/ydklijnsma\" target=\"_blank\" rel=\"noopener noreferrer\">@ydklijnsma<\/a>, it would appear that the file types being targeted are aimed more toward the programs that developers would use, such as .vbs, .ova, .vbox, and so on. 
This suggests that the targets of these attacks are likely businesses, especially firms that specialize in software development.<\/p>\n<p>Unfortunately, unlike WannaCry, Petya does not have a &#8220;killswitch&#8221; readily available or known.<\/p>\n<h3>Remediation\/protection<\/h3>\n<p style=\"text-align: left;\">Malwarebytes detected this ransomware in the zero hour, meaning those that have <a href=\"http:\/\/www.malwarebytes.com\/premium\" target=\"_blank\" rel=\"noopener noreferrer\">Malwarebytes Premium<\/a> or our standalone\u00a0<a href=\"https:\/\/forums.malwarebytes.com\/forum\/172-anti-ransomware-beta\/\" target=\"_blank\" rel=\"noopener noreferrer\">anti-ransomware<\/a> technology have been protected from the instant this attack began.\u00a0Both Malwarebytes <a href=\"https:\/\/www.malwarebytes.com\/business\/\" target=\"_blank\" rel=\"noopener noreferrer\">business users<\/a> and consumer users are protected if they are using the latest version of the above products.<\/p>\n<p style=\"text-align: left;\">We detect this ransomware as either <strong>Ransom.Petya<\/strong> or <strong>Ransom.Petya.EB<\/strong>.<\/p>\n<p style=\"text-align: left;\">Full protection from this threat can also be achieved\u00a0by:<\/p>\n<ul>\n<li style=\"text-align: left;\">Updating and deploying security software with anti-ransomware capabilities<\/li>\n<li style=\"text-align: left;\">Updating and securing operating systems on your network, including checking for any open SMB ports on any Internet-facing systems<\/li>\n<li style=\"text-align: left;\">Preventing user accounts from having administrative powers, and possibly even removing or shutting down admin systems that might be used for the PSExec method of spreading the malware<\/li>\n<li style=\"text-align: left;\">If you are a business owner, making sure your users are aware of this current threat<\/li>\n<li style=\"text-align: left;\">Opening emails with a high degree of scrutiny in the near future<\/li>\n<\/ul>\n
<p style=\"text-align: left;\">We are going to regularly update this post to inform you about new developments with this attack, a deeper look at its spread, and possible motivations\/infection methods. In addition, we are currently working on a post that analyzes the malware binary to its core. Expect that shortly.<\/p>\n<p style=\"text-align: left;\">Thanks for reading and safe surfing!<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/06\/petya-esque-ransomware-is-spreading-across-the-world\/\">Petya-esque ransomware is spreading across the world<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Tue, 27 Jun 2017 20:26:29 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/06\/petya-esque-ransomware-is-spreading-across-the-world\/' title='Petya-esque ransomware is spreading across the world'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/shutterstock_641796844.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>Ringing in with echoes of WannaCry, Petya (or Petrwrap, NotPetya) is a new ransomware strain outbreak affecting many users around the world.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/\" rel=\"category tag\">Cybercrime<\/a><\/li>\n<li><a 
href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/malware\/\" rel=\"category tag\">Malware<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/eternalblue\/\" rel=\"tag\">EternalBlue<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/exploit\/\" rel=\"tag\">exploit<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/germany\/\" rel=\"tag\">germany<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malwarebytes-labs\/\" rel=\"tag\">malwarebytes labs<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/notpetya\/\" rel=\"tag\">NotPetya<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/petrwrap\/\" rel=\"tag\">Petrwrap<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/petya\/\" rel=\"tag\">petya<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ransomware\/\" rel=\"tag\">ransomware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/smb\/\" rel=\"tag\">SMB<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/spreading\/\" rel=\"tag\">spreading<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ukraine\/\" rel=\"tag\">ukraine<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/united-kingdom\/\" rel=\"tag\">United Kingdom<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/united-states\/\" rel=\"tag\">united states<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/wannacry\/\" rel=\"tag\">WannaCry<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/wannacrypt\/\" rel=\"tag\">WannaCrypt<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/wannacryptor\/\" rel=\"tag\">WannaCryptor<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/06\/petya-esque-ransomware-is-spreading-across-the-world\/' title='Petya-esque ransomware is spreading across the world'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" 
href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/06\/petya-esque-ransomware-is-spreading-across-the-world\/\">Petya-esque ransomware is spreading across the world<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[4503,12319,11638,1195,3764,11530,12830,12831,12823,3765,12321,12832,8642,1579,403,12252,12273,12323],"class_list":["post-8066","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-cybercrime","tag-eternalblue","tag-exploit","tag-germany","tag-malware","tag-malwarebytes-labs","tag-notpetya","tag-petrwrap","tag-petya","tag-ransomware","tag-smb","tag-spreading","tag-ukraine","tag-united-kingdom","tag-united-states","tag-wannacry","tag-wannacrypt","tag-wannacryptor"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8066","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8066"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8066\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8066"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8066"},{"taxonomy":"post
_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8066"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}