From Digibase Knowledge Base
Revision as of 17:45, 27 June 2017

Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.

Digibase Security Advisory - Petya Ransomware

Keywords: Petya Ransomware Malware Infection WMIC PsExec SMB EternalBlue WannaCry

ATTENTION: This Advisory is regarding a still developing situation, information provided here may be terse and updated as the situation progresses

DBSA ID: 2017-062701

Regarding: Petya Ransomware

Writeup: Kradorex Xeron (talk) 17:31, 27 June 2017 (EDT)

Date: 2017 06 27

Last Modified: 20170627174531 by Kradorex Xeron

Who should take note: Everyone

Classification

Priority: HIGH

Rationale: Failure to take immediate action may result in loss of data

Severity: HIGH

Rationale: Failure to take immediate action may result in loss of data

Spread of Issue: SINGLE-PLATFORM HIGH

Rationale: All Windows systems are potentially impacted, even those patched against the "MS17-010 EternalBlue" exploit, since propagation does not rely solely on that exploit.

Description

Petya is a family of ransomware-class malware that is highly virulent, spreads quickly, and has impacted multiple major businesses.

Based on current research, its behaviour on an infected host appears to consist of the following (unconfirmed) steps:

  1. Initial execution via email (an attachment opened by the user).
  2. Uses an exploitation method, possibly pass-the-hash, to gain administrator access.
  3. The malware writes c:\windows\perfc.dat and executes it via rundll32.exe, a legitimate Windows component.
  4. Propagates across the local network via Windows Management Instrumentation (WMIC) and PsExec, infecting other systems on the LAN; the EternalBlue exploit may be used as well.
  5. Writes a custom boot loader and operating environment to the Master Boot Record.
  6. Transmits the encryption key to remote servers.
  7. Destabilizes the system and forces a STOP error/BSOD, causing a reboot.
  8. The custom boot environment starts and displays a fake text-mode CHKDSK, which is in fact the encryption process running.
  9. Once encryption completes, the system remains in text mode and displays the ransom message in orange text, demanding $300 in Bitcoin.
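Steps 3 and 4 above leave traces in process-creation telemetry: rundll32.exe loading perfc.dat locally, and WMIC or PsExec being driven at remote hosts. The following PowerShell is an added example, not part of the Digibase advisory or any published indicator set: it defines a matcher for those command-line shapes, runs it over constructed sample records (not real telemetry), and shows how to apply it to Security log Event ID 4688 on a live host. The regular expressions are assumptions derived from the advisory's description, and the `#1` entry-point argument in the samples is illustrative only.

```powershell
# Added example, not from the advisory. Flags process-creation command lines that match
# the local execution (rundll32 + perfc.dat) and lateral movement (WMIC / PsExec) the
# advisory describes. Patterns are assumptions based on that description.

function Test-PetyaLikeCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    $patterns = [ordered]@{
        'rundll32 loading perfc.dat'   = '(?i)rundll32(\.exe)?\s+.*perfc\.dat'
        'WMIC remote process creation' = '(?i)wmic(\.exe)?\s+.*/node:.*process\s+call\s+create'
        'PsExec remote execution'      = '(?i)psexec(\.exe)?\s+\\\\'
    }
    foreach ($name in $patterns.Keys) {
        if ($CommandLine -match $patterns[$name]) { return $name }
    }
    return $null
}

function Get-SuspiciousProcessCreations {
    # Live use: requires "Audit Process Creation" plus the "Include command line in process
    # creation events" policy, so that 4688 events carry a CommandLine field.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $cmd = ($xml.Event.EventData.Data | Where-Object Name -eq 'CommandLine').'#text'
            $hit = Test-PetyaLikeCommandLine -CommandLine "$cmd"
            if ($hit) {
                [pscustomobject]@{ Time = $_.TimeCreated; Indicator = $hit; CommandLine = $cmd }
            }
        }
}

# Constructed sample command lines (not captured from a real incident) to show the matcher.
$samples = @(
    'C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1',
    'wmic.exe /node:"10.0.0.15" /user:"CORP\admin" process call create "rundll32.exe C:\Windows\perfc.dat,#1"',
    'psexec.exe \\10.0.0.16 -accepteula -s rundll32.exe C:\Windows\perfc.dat,#1',
    'C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt'
)
foreach ($s in $samples) {
    $hit = Test-PetyaLikeCommandLine -CommandLine $s
    '{0,-30} {1}' -f ($(if ($hit) { $hit } else { 'no match' }), $s)
}

# On a live host, after the audit policy above is in place:
# Get-SuspiciousProcessCreations -Hours 48 | Format-Table -AutoSize
```

The first three samples match, the notepad line does not. Legitimate administrators also use WMIC and PsExec, so treat a WMIC or PsExec hit as a lead to correlate with the source account and host rather than as a verdict; the rundll32/perfc.dat pattern is far more specific to this advisory.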

Mitigation/Solution

Do not pay any ransoms.

It is strongly advised to maintain a current, up-to-date backup of your data that can be restored with ease.

It is strongly advised to treat all emails as suspicious unless you are expecting them, and never to open attachments you are not expecting, even if they appear to come from known sources, without first verifying by other means that the sender actually sent the file(s).

It is strongly advised to ensure your systems are patched against the "MS17-010 EternalBlue" exploit and, if you do not require the functionality, to disable SMBv1 (Server Message Block version 1) on all Windows systems. In home environments and some domainless small business environments it may also be advisable to enable a firewall that blocks TCP and UDP ports 137-139 and 445.
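The three actions in the paragraph above can be checked and applied from an elevated PowerShell prompt. The script below is an added example, not part of the Digibase advisory: it looks for the MS17-010 hotfix by KB number, turns off SMBv1, and adds inbound block rules for the listed ports. The KB numbers are those published in the MS17-010 bulletin; on Windows 10 later cumulative updates supersede them, so a "not found" result there means "check the cumulative update level", not "vulnerable". The firewall rule names are assumptions chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the advisory: MS17-010 hotfix check, SMBv1 disable,
# and inbound block of TCP/UDP 137-139 and 445 on the Windows host firewall.

$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 SP1 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012598',                           # XP / Vista / Server 2003 / Server 2008 (out-of-band)
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 (March 2017 cumulative)
)

function Test-Ms17010Hotfix {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $present = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    if ($present.Count -gt 0) {
        Write-Output "MS17-010 hotfix present: $($present -join ', ')"
        return $true
    }
    Write-Warning 'No MS17-010 KB found by number; confirm the patch level through Windows Update.'
    return $false
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: stop the server from offering SMBv1.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / Server 2008 R2: the documented registry switch for the SMB server.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Windows 8.1 / 10: also remove the SMBv1 optional component (effective after reboot).
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feature -and $feature.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }
}

function Block-SmbPorts {
    # Inbound block for the ports the advisory names. This also stops legitimate file and
    # print sharing *to* this host, which is why the advisory limits it to home and
    # domainless small-business networks. netsh is used so the same lines work on Windows 7.
    netsh advfirewall firewall add rule name=DBSA_Block_NetBIOS_SMB_TCP dir=in action=block protocol=TCP localport=137-139,445 | Out-Null
    netsh advfirewall firewall add rule name=DBSA_Block_NetBIOS_SMB_UDP dir=in action=block protocol=UDP localport=137-139,445 | Out-Null
}

Test-Ms17010Hotfix | Out-Null
Disable-Smb1
Block-SmbPorts

# Show the resulting state.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
}
netsh advfirewall firewall show rule name=DBSA_Block_NetBIOS_SMB_TCP
```

A reboot is needed for the registry and optional-feature changes to take full effect. If the host must keep serving SMB to the LAN, run only the first two functions and leave the port blocks out, as the advisory's "if you do not require the functionality" condition intends.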

In enterprise environments it may also be advisable to purge the locally stored credential cache (the "rundll32.exe keymgr.dll,KRShowKeyMgr" command opens the Stored User Names and Passwords dialog) and, after a domain administrator has logged on to a system, to use the local administrator account to remove domain administrator accounts from that system's local Administrators group.

If your system experiences a spontaneous reboot or STOP screen/BSOD followed by a CHKDSK prompt as noted in reference "2", disregard the on-screen message and power off the system immediately: the fake CHKDSK is the encryption process running, so cutting power halts it. The system is compromised. If no backup exists, perform data recovery from an alternate boot environment such as a Linux LiveCD paired with an external hard drive. Once this is complete, the system should be wiped and reinstalled from known-good media (e.g. DVD), not from an on-system recovery partition. If you are unable to do this, it may be advisable to turn the system over to a technical professional along with this advisory.

If you have the experience and your system exposes the file-permission "Security" tab, it may also be beneficial to create the file "c:\windows\perfc.dat" and deny write access to it for all accounts, including your own account, all administrators and SYSTEM. This has been shown to help immunize against infection.
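The same result as the "Security" tab procedure above can be scripted. The following is an added example and not the advisory's own instructions: it creates c:\windows\perfc.dat, adds a Deny ACE for Everyone covering Write and Delete (Deny entries are evaluated before Allow entries, and SYSTEM and administrators are members of Everyone), marks the file read-only, and prints the resulting ACL for verification. The choice to include Delete in the denied rights is an assumption made here so the file cannot simply be removed.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the advisory: create c:\windows\perfc.dat and deny write
# access to everyone, including Administrators and SYSTEM, as the advisory describes.

$path = Join-Path $env:SystemRoot 'perfc.dat'

if (-not (Test-Path $path)) {
    New-Item -Path $path -ItemType File | Out-Null
}

$acl = Get-Acl -Path $path

# Deny Write and Delete for Everyone. A Deny ACE takes precedence over any Allow ACE,
# so this covers the current user, local administrators and SYSTEM in one entry.
$rights = [System.Security.AccessControl.FileSystemRights]::Write -bor `
          [System.Security.AccessControl.FileSystemRights]::Delete
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Everyone', $rights, [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($deny)
Set-Acl -Path $path -AclObject $acl

# Belt and braces: the read-only attribute blocks casual overwrites as well.
Set-ItemProperty -Path $path -Name IsReadOnly -Value $true

# Verify: the Deny entry should be listed for Everyone.
(Get-Acl -Path $path).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

This is a speed bump, not a guarantee: an account with administrative rights can still take ownership and rewrite the ACL, so it complements, rather than replaces, the patching and SMBv1 measures above. To undo it later, load the ACL with Get-Acl, call RemoveAccessRule with the same Deny rule, apply it with Set-Acl, clear IsReadOnly and delete the file.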

References