About Petya/NotPetya

Petya/NotPetya, another ransomware following close on the heels of WannaCry is also based on the EternalBlue exploit. Ukraine and Russia has the most attacks reported, possibly due to the suspected initial vector via MeDoc(Tax software), commonly used in Ukraine. Notably Rosneft (One of the largest crude oil producers), A.P. Moller-Maersk (Shipping said to be affected worldwide), WPP (World’s largest advertising

QuanHeng LimBy: QuanHeng Lim, Dec 13, 2017
TwitterFacebookLinkedIn
 

Petya/NotPetya, another ransomware following close on the heels of WannaCry is also based on the EternalBlue exploit. Ukraine and Russia has the most attacks reported, possibly due to the suspected initial vector via MeDoc(Tax software), commonly used in Ukraine.

Notably Rosneft (One of the largest crude oil producers), A.P. Moller-Maersk (Shipping said to be affected worldwide), WPP (World’s largest advertising agency), Chernobyl radiation monitoring systems, Ukraine’s government network and the central bank have been affected. Additional victims have been reported in Europe and the US.

While organisations who have taken action to protect themselves against the WannaCry ransomware by patching their systems with Windows Update are safe, this version is more dangerous as the computers affected will not be able to boot and will not be responsive.

The ransomware has been poorly designed with a shared payment address and the payment acknowledgement email(wowsmith123456@posteo.net) has been shut down by the provider. There is no way for the criminals to identify who had made payments. Payment will not guarantee the release of your data and there is no way to get a decryption key.

If you think you are affected and see a “Repairing file system on C: screen” power off your PC. That is the encryption process and interrupting it might allow you to recover some files.

So far Petya is known to be spreading via 2 vectors:

  • Email with weaponised Microsoft Word and PDF documents. The malware is downloaded and run when the documents are opened, executing the EternalBlue(CVE-2017–0144) Server Message Block (SMB) worm. This will then be spread to other computers within the network. EternalRomance exploit is also known to be used.
  • A poisoned update for the MeDoc update common in Ukrainian organisations. FireEye has a detailed analysis at https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html. Ukraine police reports update server upd.me-doc.com.ua released a exe on June 27 containing the malware.

Who is Affected:

  • Windows Server 2016
  • Windows Server 2012 and Window Server 2012 R2
  • Window Server 2008 and Windows Server 2008 R2
  • Windows 10
  • Windows 8.1
  • Windows RT 8.1
  • Windows 7
  • Windows Vista
  • Windows XP

What Can I Do:

Details:

NotPetya uses the same EternalBlue SMB exploit as Wannacry and the Windows patch will block it. It uses a modified version of https://github.com/gentilkiwi/mimikatz to get network admin credentials from memory.

 
https://securelist.com/schroedingers-petya/78870/

It will attempt to infect other network computers via PsExec and WMIC. It is design to spread internally before activating in 10–60 min.

It rewrites the master boot record so windows will not start, and encrypts data via AES-128.

For all files, one AES-128 key is generated.

This AES key is encrypted with threat actors’ public RSA-2048 key.

Encrypted AES keys are saved to a README file.

Keys are securely generated.

 

References:

https://securelist.com/schroedingers-petya/78870/

https://researchcenter.paloaltonetworks.com/2017/06/unit42-threat-brief-petya-ransomware/

QuanHeng Lim
By: QuanHeng Lim, Dec 13, 2017

Quanheng “Q” Lim is Director of CyberOps at Horangi.

TwitterFacebookLinkedIn