On 27 June 2017, a new ransomware variant, called the new "Petya" (aka "NotPetya"), was discovered and broke out on a global scale. Many organizations and critical industries worldwide, including the National Bank of Ukraine (NBU), Kiev's main airport, the shipping companies TNT and Maersk, and even the Chernobyl nuclear power plant, were infected.
At the time of writing, the threat has already spread to Ukraine, Russia, India, Spain, France, the UK and many other European countries.
This new Petya ransomware (named after the earlier Petya because the two share traits) was initially reported to reach its targets mainly through phishing email; later analysis traced the main initial vector to a compromised software update of the Ukrainian accounting package M.E.Doc. In its spreading process, Petya exploits two important Windows vulnerabilities, described below:
- RTF vulnerability: CVE-2017-0199
A flaw in the way Microsoft Office (and WordPad) handle embedded OLE objects in RTF documents lets an attacker execute arbitrary code on the user's system and take control of it. In short, the attacker embeds a malicious object in a Word or other Office document; merely opening the document, with no macros involved, is enough to execute the code and infect the user.
- EternalBlue vulnerability: MS17-010
Petya uses the same vulnerability as WannaCry: a remote code execution (RCE) flaw in SMBv1, the version 1 implementation of Server Message Block (SMB), the Windows component that shares files and printers over the network. (NotPetya also carried the related EternalRomance exploit for the same bulletin.)
The exploit, known as "EternalBlue", was developed by the NSA and published by the Shadow Brokers leak. It lets an attacker who can reach TCP port 445 on an unpatched Windows system execute code with SYSTEM privileges without any credentials. Port 445 carries SMB (LAN file and printer sharing) on every Windows version, client and server alike, so any host that exposes it to an infected machine is at risk.
The other main difference from WannaCry is that Petya's credential-based spreading (described below) does not depend on MS17-010 at all, so it can reach hosts running any Windows version, including Windows 10, even when the SMB patch has been applied.
New Spreading Methods
Even when MS17-010 is patched everywhere, Petya can still spread across the network once ONE server or machine has been infected. On that machine it harvests credentials from memory (with an embedded credential-stealing tool similar to Mimikatz) and then uses the Windows Sysinternals utility PsExec and the Windows Management Instrumentation Command-line (WMIC) with those credentials to connect to other hosts on the local network and execute itself on them. Because both are legitimate administration tools, this traffic looks like normal remote administration, and a fully patched host is infected as soon as an account that is valid on it has been captured on an already-infected host.
What is PSEXEC?
PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software.
What is WMIC?
The Windows Management Instrumentation Command-line (WMIC) is a command-line and scripting interface that simplifies the use of Windows Management Instrumentation (WMI) and systems managed through WMI.
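Because both tools are legitimate, the practical question for a defender is how to spot their use for lateral movement. The following PowerShell hunt is an added example, not code from the original advisory or from Sangfor: it queries the local event logs for PsExec's service-install footprint and for WMIC remote process creation. It assumes that process-creation auditing (Security log, Event ID 4688) with command-line logging is enabled, that the host is Windows 10 / Server 2016 or later (for the "Creator Process Name" field), and that rundll32 started by the WMI provider host is worth flagging (public analyses reported NotPetya's DLL payload being launched this way). The time window, field names and output format are my choices.

```powershell
# Added example: hunt for PsExec / WMIC lateral movement in local Windows event logs.
# Assumptions: Security auditing of process creation (4688) with command line included,
# Windows 10 / Server 2016 or later (Creator Process Name field), script run elevated.
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

function Get-EventsSafe {
    param([hashtable]$Filter)
    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    try { Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop } catch { @() }
}

function Get-Field {
    # Pull one "Name: value" line out of an event message.
    param([string]$Message, [string]$Name)
    if ($Message -match ([regex]::Escape($Name) + '\s*:\s*(.+)')) { $Matches[1].Trim() } else { '' }
}

# 1. PsExec, target side: the PSEXESVC service gets installed (System log, Event ID 7045).
$psexec = Get-EventsSafe @{ LogName = 'System'; Id = 7045; StartTime = $since } |
    Where-Object { $_.Message -match 'PSEXESVC' } |
    ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Technique = 'PsExec service install'
                           Detail = Get-Field $_.Message 'Service File Name' }
    }

# 2. Process-creation events (Security log, Event ID 4688), fetched once and reused.
$procs = Get-EventsSafe @{ LogName = 'Security'; Id = 4688; StartTime = $since }

# 2a. WMIC, source side: "wmic /node:<host> ... process call create <command>".
$wmicRemote = $procs | Where-Object {
    $_.Message -match '(?i)wmic\.exe' -and $_.Message -match '(?i)/node:' -and
    $_.Message -match '(?i)process\s+call\s+create'
} | ForEach-Object {
    [pscustomobject]@{ Time = $_.TimeCreated; Technique = 'WMIC remote process create'
                       Detail = Get-Field $_.Message 'Process Command Line' }
}

# 2b. WMI, target side: the created process is a child of WmiPrvSE.exe.
#     Matching rundll32 here is an assumption taken from public NotPetya analyses.
$wmiChild = $procs | Where-Object {
    $_.Message -match '(?i)Creator Process Name:\s+\S*WmiPrvSE\.exe' -and
    $_.Message -match '(?i)New Process Name:\s+\S*rundll32\.exe'
} | ForEach-Object {
    [pscustomobject]@{ Time = $_.TimeCreated; Technique = 'rundll32 spawned by WMI provider host'
                       Detail = Get-Field $_.Message 'New Process Name' }
}

$findings = @(@($psexec) + @($wmicRemote) + @($wmiChild) | Sort-Object Time)
if ($findings.Count -eq 0) {
    Write-Host "No PsExec/WMIC lateral-movement indicators in the last $Hours hours."
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it on a suspected host or, with the log names adjusted, against a collector that receives forwarded events. A hit on 7045/PSEXESVC or on a WmiPrvSE child tells you the host was the target; a hit on a wmic /node: command line tells you it was the source, which is the machine to isolate first.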
As the above shows, Petya is a new form of ransomware. Files on infected computers and servers are encrypted, and the machine is left unable to boot its operating system properly.
Unlike traditional ransomware, Petya works at the disk level: it encrypts files of about 65 extension types in user mode, then overwrites the master boot record (MBR) with its own boot code, forces a reboot, and encrypts the master file table (MFT), so the operating system no longer loads. The ransom note demands USD 300 in bitcoin for a decryption key. Note that the "installation key" shown to victims is random and the contact mailbox was shut down by its provider soon after the outbreak, so paying does not recover the files.
How To Protect Your Organization
- Update all of your Windows systems to the latest patches.
- Patch the RTF vulnerability (CVE-2017-0199); the Microsoft advisory is at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2...
- Patch the EternalBlue vulnerability (MS17-010); the Microsoft bulletin is at https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
- Beware of phishing email: do not open mail from unknown senders, and especially not unidentified attachments.
- For urgent protection, temporarily block SMB (TCP ports 139 and 445) at the perimeter and between internal segments. This also cuts off the ADMIN$ share that PsExec relies on, but not WMIC, which uses RPC/DCOM on TCP 135 plus dynamic ports, so consider blocking those between workstations as well.
- Because the lateral movement runs on harvested credentials, avoid a shared local administrator password across hosts and do not log on to workstations with domain administrator accounts; a captured credential should be valid on as few other machines as possible.
- Sangfor NGAF users have been automatically protected against the above vulnerabilities for several weeks (always update the vulnerability database to its latest version). Note that NONE of Sangfor's NGAF users were infected by the WannaCry ransomware.
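The protection steps above, as an added PowerShell script rather than code from the original advisory or from Sangfor: it audits one Windows host for the SMBv1 exposure EternalBlue needs, checks for the MS17-010 updates, and applies the emergency SMB block. Assumptions: Windows 8.1 / Server 2012 R2 or later (for the Smb* and NetFirewall* cmdlets), run as administrator, and the KB list is the set of March 2017 update IDs published in the MS17-010 bulletin, so a host on a later cumulative update may legitimately show none of them. The "perfc" vaccine file is a step reported by analysts of the outbreak (the sample exited when that file already existed in the Windows directory), not something the advisory mentions; its file name is tied to that specific sample and is an assumption here.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and harden one Windows host against the NotPetya spreading paths.
# Without -Enforce the script only reports; with it, the fixes are applied.
param(
    [switch]$Enforce,
    # March 2017 update IDs from the MS17-010 bulletin (Win7/2008R2, 8.1/2012R2, 2012, Win10).
    [string[]]$Ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216',
                              'KB4012214','KB4012217','KB4012606','KB4013198','KB4013429')
)

$report = [ordered]@{}

# 1. SMBv1 is the protocol EternalBlue exploits; disable it unless something still needs it.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
$report['SMBv1 server enabled'] = $smb1
if ($smb1 -and $Enforce) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $report['SMBv1 server enabled'] = 'disabled by this script'
}

# 2. MS17-010: look for any of the bulletin's update IDs among installed hotfixes.
#    Absence means "verify", not "vulnerable": later cumulative updates supersede these.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$found = $Ms17010Kbs | Where-Object { $installed -contains $_ }
$report['MS17-010 KB present'] = if ($found) { $found -join ',' } else { 'none of the listed IDs' }

# 3. Emergency block of inbound SMB (TCP 139/445). This also stops PsExec, which relies on
#    the ADMIN$ share; WMIC uses DCOM/RPC on TCP 135 plus dynamic ports, so add 135 to the
#    port list if remote WMI is not needed. File/print sharing to this host will stop working.
$ruleName = 'Emergency block inbound SMB (NotPetya)'
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
$report['Inbound SMB block rule'] = [bool]$rule
if (-not $rule -and $Enforce) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 139,445 -Action Block -Profile Any | Out-Null
    $report['Inbound SMB block rule'] = 'created by this script'
}

# 4. Vaccine file (assumption: the publicly analysed sample exited when C:\Windows\perfc
#    already existed). A zero-byte, read-only file is enough for that check.
$vaccine = Join-Path $env:SystemRoot 'perfc'
$report['perfc vaccine file'] = Test-Path $vaccine
if (-not (Test-Path $vaccine) -and $Enforce) {
    New-Item -Path $vaccine -ItemType File | Out-Null
    Set-ItemProperty -Path $vaccine -Name IsReadOnly -Value $true
    $report['perfc vaccine file'] = 'created by this script'
}

[pscustomobject]$report | Format-List
```

Run it once without -Enforce to see the state of a host, then with -Enforce on hosts where the SMB block is acceptable. None of these steps replaces installing the MS17-010 and CVE-2017-0199 updates; the firewall rule and the vaccine file only buy time until patching is complete.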
How can we help you
Send out alerts on suspicious emails that could bring in Ransomware.
Clear out known Ransomware using over 1 million signatures in the SANGFOR database.
Detect and block emerging and new Ransomware by cloud-based threat analysis.
Damage remediation - keep Ransomware from spreading via corporate network and even block the encryption process.
Threats are continuously emerging and evolving.
Make sure that your organization is safe by requesting a FREE security assessment of your Network.