DBSA:2017-062701

From Digibase Knowledge Base
Revision as of 18:55, 27 June 2017 by Kradorex Xeron (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.

Digibase Security Advisory - Petya Ransomware

Keywords: Petya Ransomware Malware Infection WMIC PExec SMB Eternalblue Wannacry

ATTENTION: This Advisory is regarding a still developing situation, information provided here may be terse and updated as the situation progresses

DBSA ID: 2017-062701

Regarding: Petya Ransomware

Writeup: Kradorex Xeron (talk) 17:31, 27 June 2017 (EDT)

Date: 2017 06 27

Last Modified: 20170627185523 by Kradorex Xeron

Who should take note: Everyone

Classification

Priority: HIGH

Rationale: Not engaging in immediate action may result in loss of data

Severity: HIGH

Rationale: Not engaging in immediate action may result in loss of data

Spread of Issue: SINGLE-PLATFORM HIGH

Rationale: All Windows systems are impacted, even potentially those patched against the "ms17-010 EternalBlue" exploit.

Description

Petya is a family of ransomware class malware that is highly virulent and has high spread that has impacted multiple major businesses, governments and other organizations. It is noted that it is somewhat like the previously renowned Wannacry ransomware but is quite different in behavior and method.

Its noted local process seems to consist of the following unconfirmed steps given current research:

  1. Executed by email.
  2. Utilizes an exploitation method, potentially via pass-the-hash to gain administrator access.
  3. Malware writes c:\windows\perfc.dat and executes via rundll32, a valid Windows component.
  4. Performs network propegation via the local network via Windows Management Instrumentation and PExec mechanisms which infects other systems on the LAN, the EternalBlue exploit may be utilized as well.
  5. Writes a custom boot loader and operating environment the Master Boot Record.
  6. Transmits the encryption key to remote servers.
  7. Destablizes the system and forces a STOP error/BSOD, which forces a reboot.
  8. The custom boot environment starts and displays a false CHKDSK in text mode which is the ransom encryption process proper that encrypts all files.
  9. Once the encryption process is completed, the system remains in text mode and displays the ransom message in orange text, prompting for $300 in Bitcoin and providing an email address.

The provider of the email address has elected to terminate service for the email address noted, which indicates that communications between victims and the Petya author and operator has been cut.[3]

Mitigation/Solution

Do not pay any ransoms.

It is strongly advised to maintain a current and up to date backup of your that can restored to with ease.

It is strongly advised to treat all emails as suspicious unless you are expecting them and to never open any attachments you are not expecting, even if they appear to be from known sources without first verifying by other means that they sent the file(s).

It is strongly advised to ensure your systems are patched against the "ms17-010 EternalBlue" exploit and if you do not require the functionality, to disable SMBv1 (Server Message Block version 1) on all Windows systems. It may also be advisable in home environments and some domainless small business environments to ensure you have a firewall enabled that blocks TCP and UDP ports 137-139 and 445.

It also may be advisable in enterprise environments to purge the local system credential cache with the "rundll32.exe keymgr.dll,KRShowKeyMgr" command and remove domain administrators via the local admin account after domain admin login.

If your system encounters a sponteneous reboot or STOP screen/BSOD followed by a prompt CHKDSK as noted in reference "2", immediately disregard the on-screen message and power off your system immediately. The system is compromised and should have data recovery performed by an alternate boot environment such as a Linux LiveCD paired with an external hard drive if there is no backup. Once this is complete, the system should be wiped and reinstalled from known good media (e.g. DVD) not including an on-system recovery partition. If you are unable, it may be advisable to turn the system over to a technical professional along with this advisory information.

If you have the experience and systems with the file permission "Security" tab enabled, it may also be beneficial to create the file "c:\windows\perfc.dat" and disable write all access to this file, even to your own account, all administrators and SYSTEM. This has been shown to help immunize against infection.

References