On the heels of the recent WannaCry attack, Europe has been hit with a new ransomware variant known as Petya. Ukraine reported ransom demands targeting the government and key infrastructure, and the Danish Maersk conglomerate said many of its systems were down.
This ransomware used a software update and social engineering to download the malicious file, either as a ZIP or PDF. It looks to exploit a vulnerability in Microsoft Office when handling RTF documents (CVE-2017-0199). It also looks to utilize the same vulnerability as WannaCry in the SMBv1 file sharing protocol (Microsoft security bulletin MS17-010) to spread laterally within an organization. Note there is NO KILL SWITCH implemented in this new ransomware, so it has clearly evolved since the WannaCry attack. However, researchers have discovered a way to vaccinate machines by creating readonly files on your machine as described below.
This ransomware is an evolution of the original Petya malware from 2015 which modifies the Master Boot Record (MBR). Unlike the original version this edition has been modified to exploit the new vulnerabilities in SMBv1 and encrypts all files rather than just the MBR in the original.
Seed vector
The attack looks like it was seeded through an accounting software (MeDoc) update mechanism required by companies working with the Ukrainian government. This also explains why it spread so widely in the Ukraine first. A second wave of infections were spread through email attachments as described earlier using classic phishing techniques.
Origin
According to many reports it is now looking like this ransomware was more like a cyberattack rather than a money making venture. The payment methodologies were so badly designed that each infected machine was directed to the same location. In addition, there was a single email account you can use to communicate with the attackers, which has already been shut down. It now seems more likely that this was designed for significant damage and specifically towards the Ukraine.
Some researchers are now claiming that this was a state sponsored attack against the Ukraine. There is still no hard evidence to suspect which country is involved. The NSA previously determined that WannaCry originated in North Korea.
How to protect yourself
If you have not done so, you should install the MS17-010 patch from Microsoft.
Researchers have also found a way to vaccinate your computer from the ransomware by creating a readonly directory and files on your machine. Use the following commands when running the command prompt as administrator:
attrib +R C:\Windows\perfc
attrib +R C:\Windows\perfc.dll
attrib +R C:\Windows\perfc.dat
Once these files have been created the encryption will no longer run.
More details of this attack will be updated as they are discovered.
Related Posts
BlackFog Strengthens Leadership Team with Strategic Appointments
BlackFog strengthens leadership and the next stage of growth with Brenda Robb as President, John Sarantakes as CRO, and Mark Griffith as VP of Strategic Sales.
The CrowdStrike Incident: A Global IT Meltdown
Discover how the recent CrowdStrike incident caused a global IT meltdown, affecting thousands of businesses. Learn about the event timeline, its impact, and how BlackFog's advanced practices can help prevent such risks. Stay informed and protect your business from future cybersecurity threats.
6 Essential Ransomware Prevention Steps Every Firm Must Take in 2024
What essential ransomware prevention steps must businesses take as the scale of this threat continues to rise?
Data Protection vs Data Security: The key Differences to Know
Are you aware of the difference between data protection and data security? Here's what you know to keep your data safe.
The State of Ransomware 2024
BlackFog's state of ransomware report measures publicly disclosed and non-disclosed attacks globally.
Understanding Data Privacy and Security: How do they Relate?
Data privacy and security are critical topics for any business to focus on in today's environment. The rising costs of cyberattacks and other threats mean a clear strategy for safeguarding sensitive data is more important than ever before.