DBSA:2017-062701
Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.
Contents
Digibase Security Advisory - Petya Ransomware
Keywords: Petya Ransomware Malware Infection WMIC PExec SMB Eternalblue Wannacry
ATTENTION: This Advisory is regarding a still developing situation, information provided here may be terse and updated as the situation progresses
DBSA ID: 2017-062701
Regarding: Petya Ransomware
Writeup: Kradorex Xeron (talk) 17:31, 27 June 2017 (EDT)
Date: 2017 06 27
Last Modified: 20170627180924 by Kradorex Xeron
Who should take note: Everyone
Classification
Priority: HIGH
Rationale: Immediate action may result in loss of data
Severity: HIGH
Rationale: Immediate action may result in loss of data
Spread of Issue: SINGLE-PLATFORM HIGH
Rationale: All Windows systems are impacted, even potentially those patched against the "ms17-010 EternalBlue" exploit.
Description
Petya is a family of ransomware class malware that is highly virulent and has high spread that has impacted multiple major businesses.
Its noted local process seems to consist of the following unconfirmed steps given current research:
- Executed by email.
- Utilizes an exploitation method, potentially via pass-the-hash to gain administrator access.
- Malware writes c:\windows\perfc.dat and executes via rundll32, a valid Windows component.
- Performs network propegation via the local network via Windows Management Instrumentation and PExec mechanisms which infects other systems on the LAN, the EternalBlue exploit may be utilized as well.
- Writes a custom boot loader and operating environment the Master Boot Record.
- Transmits the encryption key to remote servers.
- Destablizes the system and forces a STOP error/BSOD, which forces a reboot.
- The custom boot environment starts and displays a false CHKDSK in text mode which is the ransom encryption process proper that encrypts all files.
- Once the encryption process is completed, the system remains in text mode and displays the ransom message in orange text, prompting for $300 in Bitcoin and providing an email address.
The provider of the email address has elected to terminate service for the email address noted, which indicates that communications between victims and the Petya author and operator has been cut.[3]
Mitigation/Solution
Do not pay any ransoms.
It is strongly advised to maintain a current and up to date backup of your that can restored to with ease.
It is strongly advised to treat all emails as suspicious unless you are expecting them and to never open any attachments you are not expecting, even if they appear to be from known sources without first verifying by other means that they sent the file(s).
It is strongly advised to ensure your systems are patched against the "ms17-010 EternalBlue" exploit and if you do not require the functionality, to disable SMBv1 (Server Message Block version 1) on all Windows systems. It may also be advisable in home environments and some domainless small business environments to ensure you have a firewall enabled that blocks TCP and UDP ports 137-139 and 445.
It also may be advisable in enterprise environments to purge the local system credential cache with the "rundll32.exe keymgr.dll,KRShowKeyMgr" command and remove domain administrators via the local admin account after domain admin login.
If your system encounters a sponteneous reboot or STOP screen/BSOD followed by a prompt CHKDSK as noted in reference "2", immediately disregard the on-screen message and power off your system immediately. The system is compromised and should have data recovery performed by an alternate boot environment such as a Linux LiveCD paired with an external hard drive if there is no backup. Once this is complete, the system should be wiped and reinstalled from known good media (e.g. DVD) not including an on-system recovery partition. If you are unable, it may be advisable to turn the system over to a technical professional along with this advisory information.
If you have the experience and systems with the file permission "Security" tab enabled, it may also be beneficial to create the file "c:\windows\perfc.dat" and disable write all access to this file, even to your own account, all administrators and SYSTEM. This has been shown to help immunize against infection.
References
- [1] https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows
- [2] https://twitter.com/i/web/status/879793827267174400 (CHKDSK Message)
- [3] https://posteo.de/en/blog/info-on-the-petrwrappetya-ransomware-email-account-in-question-already-blocked-since-midday