On the heels of the recent WannaCry attack, Europe has been hit with a new ransomware variant known as Petya. Ukraine reported ransom demands targeting the government and key infrastructure, and the Danish Maersk conglomerate said many of its systems were down.
This ransomware used a compromised software update and social engineering to deliver the malicious file, either as a ZIP or PDF attachment. It is reported to exploit a vulnerability in Microsoft Office's handling of RTF documents (CVE-2017-0199). It also uses the same SMBv1 file-sharing vulnerability as WannaCry (Microsoft security bulletin MS17-010) to spread laterally within an organization. Note that there is NO KILL SWITCH in this new ransomware, so it has clearly evolved since the WannaCry attack. However, researchers have found a way to vaccinate machines by creating read-only files on them, as described below.
This ransomware is an evolution of the original Petya malware from 2015, which modified the Master Boot Record (MBR). Unlike the original, this edition has been modified to exploit the SMBv1 vulnerability and encrypts all files rather than just the MBR.
Seed vector
The attack appears to have been seeded through the update mechanism of an accounting software package (MeDoc) that companies working with the Ukrainian government are required to use. This also explains why it spread so widely in Ukraine first. A second wave of infections was spread through email attachments, as described above, using classic phishing techniques.
Origin
According to many reports, this ransomware now looks more like a cyberattack than a money-making venture. The payment mechanism was so badly designed that every infected machine was directed to the same location. In addition, there was a single email address for victims to contact the attackers, and it has already been shut down. It now seems more likely that this was designed to cause significant damage, specifically to Ukraine.
Some researchers are now claiming that this was a state-sponsored attack against Ukraine. There is still no hard evidence pointing to which country is involved. The NSA previously determined that WannaCry originated in North Korea.
How to protect yourself
If you have not done so, you should install the MS17-010 patch from Microsoft.
Researchers have also found a way to vaccinate your computer against this ransomware by creating read-only files on your machine. The files must exist before the read-only attribute can be set, so first create them and then mark them read-only. Run the following commands from a command prompt opened as administrator:
type nul > C:\Windows\perfc
type nul > C:\Windows\perfc.dll
type nul > C:\Windows\perfc.dat
attrib +R C:\Windows\perfc
attrib +R C:\Windows\perfc.dll
attrib +R C:\Windows\perfc.dat
Once these files exist and are marked read-only, this variant's encryption routine will not run.
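The same vaccination, written as an added PowerShell example (this is not code from the original post or from BlackFog). It creates the three files named above if they are missing, sets them read-only, and then reports the state of each so you can verify the result across machines. The file names are the ones the post lists; the function names Install-PetyaVaccine and Test-PetyaVaccine are assumptions made for this example. It must be run from an elevated (Administrator) PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post: create the Petya "vaccine"
# files read-only and verify them.

# File names as listed in the post (assumption: no other names are needed).
$VaccineFiles = @(
    'C:\Windows\perfc',
    'C:\Windows\perfc.dll',
    'C:\Windows\perfc.dat'
)

function Install-PetyaVaccine {
    foreach ($path in $VaccineFiles) {
        if (-not (Test-Path -LiteralPath $path)) {
            # Create an empty file first: setting the read-only attribute on a
            # file that does not exist does nothing.
            New-Item -ItemType File -Path $path -Force | Out-Null
        }
        # Mark the file read-only (equivalent to "attrib +R").
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    }
}

function Test-PetyaVaccine {
    # Emit one object per expected file: does it exist, and is it read-only?
    foreach ($path in $VaccineFiles) {
        $exists   = Test-Path -LiteralPath $path
        $readOnly = $false
        if ($exists) {
            $readOnly = (Get-Item -LiteralPath $path).IsReadOnly
        }
        [PSCustomObject]@{
            Path     = $path
            Exists   = $exists
            ReadOnly = $readOnly
        }
    }
}

Install-PetyaVaccine
Test-PetyaVaccine | Format-Table -AutoSize
```

Test-PetyaVaccine can be run on its own (for example through remoting) to audit a fleet without changing anything; any row showing Exists or ReadOnly as False is a machine where the vaccine has not been applied or has been undone.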
More details of this attack will be updated as they are discovered.