Originally identified as Petya, a ransomware family that first circulated in 2016, the current attack now appears to be a Petya offshoot with added refinements such as stronger encryption. Some researchers call this new iteration “NotPetya” or “GoldenEye,” while others still refer to it as Petya. Regardless of the name, it has already hit 2,000 targets. The latest sweeping ransomware assault bears some similarity to the WannaCry crisis that struck seven weeks ago. But while WannaCry's many design flaws caused it to flame out after a few days, this latest ransomware threat doesn't make the same mistakes. If you are affected by the new ransomware, your screen will look like this:
How does the ransomware spread?
To capture credentials for spreading, the ransomware uses custom tools similar to Mimikatz, which extract credentials from the lsass.exe process. After extraction, the credentials are passed to PsExec or WMIC for distribution inside the network. Other observed infection vectors include:
* A modified EternalBlue exploit, also used by WannaCry.
* The EternalRomance exploit – a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP port 445 (Note: patched with MS17-010).
* An attack against the update mechanism of a third-party Ukrainian software product called MeDoc.

IMPORTANT: A single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers through WMI or PsExec.
What does the ransomware do?
The malware waits 10-60 minutes after infection before rebooting the system. The reboot is scheduled using system facilities: the “at” or “schtasks” tools together with “shutdown.exe”. Once it reboots, it starts encrypting the MFT of the NTFS partitions, and the MBR is overwritten with a customized loader that displays the ransom note.
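The two behaviours described above (credential harvesting from lsass.exe followed by WMIC/PsExec lateral movement, and a delayed reboot scheduled with at/schtasks plus shutdown.exe) are exactly the kind of host telemetry a SOC can alert on. The following detection logic is an added example, not code from the original post; the log records are constructed in the shape of Sysmon process-creation (event 1) and process-access (event 10) events, and the field names, hostnames, paths and the lsass allowlist are assumptions for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Tools the post names for lateral movement and for scheduling the reboot.
REMOTE_EXEC_TOOLS = {"wmic.exe", "psexec.exe", "psexec64.exe"}
SCHEDULER_TOOLS = {"schtasks.exe", "at.exe"}
# Processes that routinely open lsass.exe: an assumed allowlist that must be
# tuned per environment, otherwise the lsass rule is noisy.
LSASS_ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

WMIC_REMOTE = re.compile(r"/node:", re.IGNORECASE)       # wmic aimed at another host
WMIC_CREDS = re.compile(r"/user:", re.IGNORECASE)        # explicit credentials supplied
PSEXEC_REMOTE = re.compile(r"\\\\[\w.-]+")               # psexec \\host
PSEXEC_CREDS = re.compile(r"(^|\s)-u\s", re.IGNORECASE)  # psexec -u user

# Constructed telemetry (not from any real incident), Sysmon-like shape.
SAMPLE_EVENTS = [
    {"host": "ws01", "event": 10, "source": "C:\\Users\\Public\\credtool.exe",
     "target": "C:\\Windows\\System32\\lsass.exe"},
    {"host": "ws01", "event": 1, "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": 'wmic /node:"ws02" /user:"CORP\\admin" /password:"REDACTED" '
                'process call create "C:\\Users\\Public\\payload.exe"'},
    {"host": "ws01", "event": 1, "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": 'schtasks /Create /SC once /TN "" '
                '/TR "C:\\Windows\\system32\\shutdown.exe /r /f" /ST 14:35'},
    {"host": "ws02", "event": 1, "image": "C:\\Users\\Public\\PsExec.exe",
     "cmdline": "PsExec.exe \\\\ws03 -accepteula -s -d C:\\Users\\Public\\payload.exe"},
    # Benign activity on ws05: a system process touching lsass, local wmic, a task query.
    {"host": "ws05", "event": 10, "source": "C:\\Windows\\System32\\csrss.exe",
     "target": "C:\\Windows\\System32\\lsass.exe"},
    {"host": "ws05", "event": 1, "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic os get caption"},
    {"host": "ws05", "event": 1, "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /Query /FO LIST"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\x\\WMIC.exe' -> 'wmic.exe')."""
    return PureWindowsPath(path).name.lower()


def classify(ev: dict) -> list:
    """Return the indicator tags that a single event matches (empty if benign)."""
    tags = []
    if ev["event"] == 10:
        # Non-system process reading lsass.exe: credential-dumping behaviour.
        if (basename(ev["target"]) == "lsass.exe"
                and basename(ev["source"]) not in LSASS_ALLOWED_SOURCES):
            tags.append("credential_theft_lsass")
        return tags
    image, cmd = basename(ev["image"]), ev["cmdline"]
    if image in REMOTE_EXEC_TOOLS:
        remote = WMIC_REMOTE.search(cmd) or PSEXEC_REMOTE.search(cmd)
        creds = WMIC_CREDS.search(cmd) or PSEXEC_CREDS.search(cmd)
        if remote and creds:
            tags.append("lateral_movement_explicit_creds")  # harvested creds reused
        elif remote:
            tags.append("remote_execution")
    if image in SCHEDULER_TOOLS and "shutdown" in cmd.lower():
        tags.append("scheduled_reboot")  # at/schtasks arming shutdown.exe
    return tags


def scan(events: list) -> dict:
    """Map each host to the sorted set of indicator tags seen on it."""
    findings = defaultdict(set)
    for ev in events:
        for tag in classify(ev):
            findings[ev["host"]].add(tag)
    return {host: sorted(tags) for host, tags in findings.items()}


def high_risk_hosts(findings: dict, min_tags: int = 2) -> list:
    """Hosts showing several distinct stages of the chain, which deserve isolation first."""
    return sorted(h for h, tags in findings.items() if len(tags) >= min_tags)


if __name__ == "__main__":
    result = scan(SAMPLE_EVENTS)
    for host, tags in sorted(result.items()):
        print(f"{host}: {', '.join(tags)}")
    print("isolate first:", high_risk_hosts(result))
```

The single-event rules are deliberately simple; the useful signal is the combination. A host that both reads lsass.exe from an unusual binary and then launches WMIC or PsExec at another host with explicit credentials is the "one infected admin box spreads to everything" case from the IMPORTANT note above, and a scheduled shutdown.exe on the same host gives a short window to pull the network cable before the MBR loader takes over at reboot.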
File Decryption
Are there any hopes of decrypting files for victims who are already infected? Unfortunately, the ransomware uses a standard, solid encryption scheme, so this appears unlikely unless a subtle implementation mistake has been made. Keys are securely generated. The criminals behind this attack are asking for $300 in Bitcoin to deliver the key that decrypts the ransomed data, payable to a single Bitcoin account. Unlike WannaCry, this scheme could work because the attackers ask victims to send their wallet numbers by e-mail to “wowsmith123456@posteo.net”, thus confirming the transactions. So far the Bitcoin wallet has accrued 24 transactions totalling 2.54 BTC, or just under $6,000 USD.
What can we do?
1. Run a robust anti-malware suite with embedded anti-ransomware protection.
2. Make sure you update Microsoft Windows and all third-party software.
3. Do not open or run attachments from untrusted sources.
4. Back up sensitive data to external storage and keep it offline.
Early reports suggest that, like WannaCry, Petya is using the leaked NSA exploit known as EternalBlue to spread. Everything about this situation indicates that plenty of governments and companies around the world didn’t take WannaCry seriously, failed to patch their systems, and are now paying the price.