Introduction

The worldwide outbreak of one of the most destructive cyber-attacks yet seen against Microsoft Windows PCs appears to have been designed not to fill the pockets of its operators, but to spread chaos.

The malware, dubbed NotPetya because it masquerades as the Petya ransomware, spread across the world on 27 June 2017, taking down organizations ranging from transport and shipping to retail, finance and law firms. Its first victims appeared in Ukraine on June 27, among them the National Bank of Ukraine and Kiev's international airport; the Chernobyl radiation monitoring system was also reported infected, according to AFP. Once inside a corporate network, the malware works its way from PC to PC, encrypting each infected machine's files and file system.

[Image: Petya|NotPetya ransom screen. Image credit: Symantec]

Although it demands about $300 in Bitcoin to release the victim's data, the mechanism set up to collect that money broke down almost immediately: the single contact e-mail address named in the ransom note was suspended by its provider within hours, leaving victims with no way to send proof of payment or receive a key. For all the polish of the fast-spreading worm code, little effort or thought appears to have gone into actually collecting the money.

Outbreak summary

Some of the world's largest companies, including Rosneft, Maersk, WPP and Merck, have acknowledged being hit by the large-scale cyber-attack.

Early reports attributed the initial infection to spam e-mail carrying Office documents that exploit the CVE-2017-0199 RTF vulnerability to download and run the installer. Later analysis by Microsoft, ESET and others instead traced the initial infections to a compromised software update of the Ukrainian accounting package M.E.Doc, which is also why the outbreak began in Ukraine. Whatever the entry point, once the payload is running it behaves as a worm: it scans the local network and spreads to other Windows machines over SMB using the EternalBlue and EternalRomance exploits for the SMBv1 flaws patched in MS17-010, and in parallel harvests credentials from memory on the infected host and uses them to copy and launch itself on other machines through the ADMIN$ share with PsExec or via WMIC. The credential path means a fully patched host can still be infected from a neighbour where an administrator is logged on.

Like most ransomware strains, it locks infected PCs and encrypts files on them, but it does so in two stages. In user mode it first encrypts files with the extensions listed below, one by one, using an AES key that is then encrypted with an embedded RSA public key. Then, if it has obtained administrative privileges, it does what the original Petya did: it replaces the disk's master boot record (MBR) with its own boot code and schedules a reboot; on restart that code encrypts the master file table (MFT), the NTFS index of file names, sizes and locations on the disk, then displays the ransom note and leaves the machine unable to boot. The "personal installation key" shown in that note is random data unrelated to the disk encryption key, so the MFT cannot be decrypted even if the ransom is paid; this is why many analysts classify NotPetya as a wiper disguised as ransomware.

Targeted file extensions

.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb
.gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln
.sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip

Ransom Note: README.TXT

Ransom Note text:

Ooops, your important files are encrypted.

If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service.

We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment and purchase the decryption key.

Please follow the instructions:

Send $300 worth of Bitcoin to following address:

1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

Send your Bitcoin wallet ID and personal installation key to e-mail

C&C payment servers:

http://mischapuk6hyrn72.onion/

http://petya3jxfp2f7g3i.onion/

http://petya3sen7dyko2n.onion/

The situation isn't completely out of hand, though

Security researcher Amit Serper found, and other researchers confirmed, a way to prevent the ransomware from executing on a given machine. The malware checks for a file named after itself (without the extension) in C:\Windows and exits if that file already exists; creating the file by hand acts as a "vaccine". Note that this only stops the payload on the machine where the file exists, it does not stop the worm spreading to other, unvaccinated hosts, and it only works for samples that use this file name. The steps are simple:

"98% sure that the name is perfc.dll Create a file in c:\windows called perfc with no extension and #petya #NotPetya won't run! SHARE!!" https://t.co/0l14uwb0p9

— Amit Serper (@0xAmit) June 27, 2017
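The following script, added here as an example and not taken from the article or from the researcher's post, creates the vaccine file and verifies it. The malware only tests for the file's existence, so a zero-length file is enough; it is marked read-only so a later write does not silently replace it. Besides the extension-less `perfc` from the tweet, it also creates `perfc.dat` and `perfc.dll` as a harmless precaution (an assumption, not something the tweet asks for). The function names are this example's own. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): NotPetya "vaccine" file.
# Assumption: the sample's DLL was deployed as perfc.dat, so the extension-less
# name 'perfc' is the one that matters; the other two names are precautionary.

function Install-NotPetyaVaccine {
    param(
        [string]$WindowsDir = $env:SystemRoot,
        [string[]]$Names = @('perfc', 'perfc.dat', 'perfc.dll')
    )
    foreach ($n in $Names) {
        $path = Join-Path $WindowsDir $n
        if (-not (Test-Path -LiteralPath $path)) {
            # The malware only checks that the file exists; contents are irrelevant.
            New-Item -ItemType File -Path $path -Force | Out-Null
        }
        # Read-only so an ordinary overwrite fails instead of replacing the file.
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    }
}

function Test-NotPetyaVaccine {
    param(
        [string]$WindowsDir = $env:SystemRoot,
        [string[]]$Names = @('perfc', 'perfc.dat', 'perfc.dll')
    )
    foreach ($n in $Names) {
        $path = Join-Path $WindowsDir $n
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path     = $path
            Present  = [bool]$item
            ReadOnly = $(if ($item) { $item.IsReadOnly } else { $false })
        }
    }
}

Install-NotPetyaVaccine
# Every row should show Present=True and ReadOnly=True.
Test-NotPetyaVaccine | Format-Table -AutoSize
```

Deploy it through your management tooling (GPO startup script, SCCM, or `Invoke-Command` over WinRM) rather than by hand, because the protection is per host: a single unvaccinated machine on the same network can still be infected and can still spread the worm.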

Preventive Measures

  • Restrict execution of PowerShell and Windows Script Host (wscript/cscript) in the enterprise environment, and use the latest version of PowerShell (currently v5.0), which adds script block logging and constrained language mode.
  • Use an up-to-date antivirus.
  • Verify the integrity of stored data and keep tested backups that are offline or otherwise out of reach of an infected host.
  • Use firewalls to block all inbound connections from the Internet by default, allowing only explicitly required services; in particular, never expose SMB (TCP 445/139) to the Internet.
  • Apply the patches referenced in Microsoft security bulletin MS17-010 (the SMBv1 fixes for the exploits the worm component uses).
  • Apply the Microsoft Office patch for CVE-2017-0199.
  • If a network service is known to be vulnerable, disable it or block access to it until it is patched.
  • Ensure that programs requesting administrative privileges are legitimate.
  • Disable AutoPlay/AutoRun to prevent automatic launching of unknown executables from removable media.
  • Unnecessary services are attack surface: turn off or remove services that are not critical (SMBv1 in particular).
  • Keep HTTP, FTP, DNS and mail services patched.
  • Configure mail servers to block or strip attachments with extensions such as .vbs, .bat, .exe, .pif and .scr.
  • Isolate compromised machines immediately.
  • Verify the integrity of code and scripts deployed on database servers.
  • Implement Sender Policy Framework (SPF) for your domain.
  • Do not open suspicious links or documents sent by e-mail.
  • Block execution of binaries from %APPDATA%, %PROGRAMDATA% and %TEMP% with strictly enforced Software Restriction Policies (SRP) or AppLocker.
  • Segregate administrative networks from business networks using VLANs, physical separation and access controls.
  • Disable ActiveX content in MS Office applications.
  • Require administrative approval to install software or scripts, and do not give ordinary users local administrator rights (the worm's credential-theft path relies on admin credentials being present on infected hosts).
  • Enable the host firewall on workstations.
  • Consider host-level anti-exploitation tools such as Microsoft's Enhanced Mitigation Experience Toolkit (EMET).
  • Individuals and organisations are discouraged from paying the ransom, as payment does not guarantee data recovery; in NotPetya's case decryption is not possible at all. Report such incidents to law enforcement agencies.
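The script below, added as an example and not part of the original article, audits a Windows host for the locally checkable controls from the list above (SMBv1, MS17-010 hotfixes, host firewall, PowerShell and Windows Script Host restrictions, AutoRun, and the perfc vaccine file) and, when run with `-Enforce`, applies the ones that can be set on the host itself. It assumes PowerShell 5.x on Windows 8.1 / Server 2012 R2 or later (for the `*-SmbServerConfiguration` and `*-NetFirewall*` cmdlets), an elevated prompt, and that the host is a workstation where blocking all inbound SMB is acceptable; the rule name and the `Add-Finding` helper are this example's own.

```powershell
# Added example (not from the original article): NotPetya hardening audit.
[CmdletBinding()]
param([switch]$Enforce)   # without -Enforce the script only reports

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Control, [bool]$Ok, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Control = $Control; OK = $Ok; Detail = $Detail })
}

# 1. SMBv1: the worm's exploits target SMBv1, so turn the protocol off outright.
$smb = Get-SmbServerConfiguration
Add-Finding 'SMBv1 server disabled' (-not $smb.EnableSMB1Protocol) "EnableSMB1Protocol=$($smb.EnableSMB1Protocol)"
if ($Enforce -and $smb.EnableSMB1Protocol) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }

# 2. MS17-010 hotfixes as listed in the bulletin. Later cumulative updates
#    supersede these KBs, so "missing" is a prompt to confirm with an
#    authenticated vulnerability scan, not proof of exposure.
$ms17010 = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217',
           'KB4012598','KB4012606','KB4013198','KB4013429'
$installed = (Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }).HotFixID
Add-Finding 'MS17-010 hotfix present' ([bool]$installed) "Matched: $($installed -join ',')"

# 3. Host firewall on for every profile, and inbound SMB blocked. The ADMIN$
#    share over SMB is how the worm plants its copy once it has credentials,
#    so closing 445/139 inbound also blunts the credential-theft path.
foreach ($p in Get-NetFirewallProfile) {
    $on = ($p.Enabled -eq 'True')
    Add-Finding "Firewall enabled ($($p.Name))" $on "Enabled=$($p.Enabled)"
    if ($Enforce -and -not $on) { Set-NetFirewallProfile -Name $p.Name -Enabled True }
}
$ruleName = 'Block inbound SMB (NotPetya hardening)'   # example's own rule name
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
Add-Finding 'Inbound SMB block rule' ([bool]$rule) "Rule '$ruleName' present: $([bool]$rule)"
if ($Enforce -and -not $rule) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
        -Protocol TCP -LocalPort 445,139 -Profile Any | Out-Null
}

# 4. Script hosts: signed PowerShell only, script block logging on, WSH off.
$pol = Get-ExecutionPolicy -Scope LocalMachine
$polOk = $pol -in 'AllSigned','RemoteSigned','Restricted'
Add-Finding 'PowerShell execution policy restricted' $polOk "LocalMachine=$pol"
if ($Enforce -and -not $polOk) { Set-ExecutionPolicy -Scope LocalMachine AllSigned -Force }

$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$sblOn = (Get-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
Add-Finding 'PowerShell script block logging' $sblOn "EnableScriptBlockLogging=$([int]$sblOn)"
if ($Enforce -and -not $sblOn) {
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

$wsh = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$wshVal = (Get-ItemProperty -Path $wsh -Name Enabled -ErrorAction SilentlyContinue).Enabled
Add-Finding 'Windows Script Host disabled' ($wshVal -eq 0) "Enabled=$wshVal"
if ($Enforce -and $wshVal -ne 0) {
    New-Item -Path $wsh -Force | Out-Null
    Set-ItemProperty -Path $wsh -Name Enabled -Value 0 -Type DWord
}

# 5. AutoRun off for all drive types (NoDriveTypeAutoRun = 0xFF).
$ar = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$arVal = (Get-ItemProperty -Path $ar -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
Add-Finding 'AutoRun disabled' ($arVal -eq 0xFF) "NoDriveTypeAutoRun=$arVal"
if ($Enforce -and $arVal -ne 0xFF) {
    New-Item -Path $ar -Force | Out-Null
    Set-ItemProperty -Path $ar -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

# 6. The perfc vaccine file from the tweet above (report only; see that section).
$vaccine = Join-Path $env:SystemRoot 'perfc'
Add-Finding 'perfc vaccine file present' (Test-Path -LiteralPath $vaccine) $vaccine

$findings | Format-Table -AutoSize
$bad = @($findings | Where-Object { -not $_.OK }).Count
Write-Host "$bad control(s) need attention"
```

On file servers that must accept SMB, replace the blanket block rule with a scope restriction on the built-in "File and Printer Sharing (SMB-In)" rules (`Set-NetFirewallRule -RemoteAddress <admin/client subnets>`) so that only the networks that need the share can reach port 445. The audit deliberately does not try to prove MS17-010 is fixed from `Get-HotFix` alone; an authenticated scan or an SMB-level check of the patched `srv.sys` is the authoritative test.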

Are You Secured From Petya|NotPetya Ransomware?