petya ransomware home page and ransom demand

Update: following technical and legal investigations from TALOS, it is highly probable that the malware has been developed to infect Ukrainian companies. Indeed one of the main infection vectors used was a malicious update of an accountability software called M.E.Doc which is used mainly in Ukraine. This malicious update came out following an attack against the M.E.Doc company itself.

On June 27th, a new wave of ransomware attacks have been performed around the world. The malware that was used shares a lot of code with a known ransomware called Petya. As a consequence, security researchers refer to this new malware as Petya, Petna, NotPetya, EternalPetya, PetyaBlue, PetyaWrap, Petrwrap, SortaPetya, Nyetya or Expetr. Below, a video of an infection on a Windows Virtual Machine:

 

Petya is probably a RaaS (Ransomware as a Service) available on the blackmarket through the ToR network:

petya ransomware profit page

The first submission on VirusTotal has been performed at 2017-06-27 10:06:22 UTC and is available at:

https://virustotal.com/

In the source code below, information related to the Posteo email address is given to pay the ransom. This email address is not working anymore:

petya ransomware

Interestingly, the malware will reboot the system before ciphering the data:

petya ransomware functionalities

The magnitude of the infection is just impressive. A lot of victims has been detected in a really short time frame. Several companies and stores have been infected and had to stop their production or business:

petya ransomware an infected shopping mall

What does Petya Ransomware do?

Similarly to WannaCry, it ciphers the victim’s data and asks for a ransom. However, according to many security researchers, this could be just a façade. In depth code analysis shows that it may not be possible to reverse the encryption. This new malware could be using a ransomware cover to hide its true nature ; a fast-spreading wiper.

How does it spread?

Petya embeds different payloads to spread itself and infect victims. Basically, it embeds the same exploits as WannaCry (EternalBlue and a variation called EternalRomance). Windows published in March 2017 a patch called MS17-010 to fix the vulnerabilities.

I cannot install the patch, what can I do?

If you cannot deploy the Microsoft security patch, you can create a new file called “perfc” in C:\Windows folder and change it to read only mode. The malware creates different files called perfc. If the file already exists, it will raise an error and prevent additional code execution. This technique has been published by Amit Serper (see the Tweet below):

petya ransomware a tweet from Amit Serper

So why does it spread much faster than WannaCry?

Petya embeds additional payload to retrieve credentials such as some of Mimikatz’ functions. Mimikatz is a really amazing tool to assess Windows authentication environments. More precisely, Mimikatz’s goal is to retrieve credentials using different techniques like the well-known pass-the-hash attack. This gives you an idea of the impact, this function grabs a hash from the network and try to reuse it in order to authenticate without knowing the password.

Where do “profits” go?

A bitcoin wallet is used to receive all payment (more than 10k so far). Due to bitcoin usage, transaction monitoring can be performed with the wallet identifier:  https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

Even if lots of payment have been already performed, don’t do that. With ransomware in general (and particularly with this one), there is no insurance that you will recover your data.

I am infected, what should I do?

First of all, unplug the infected machine from the network, block TCP port 445 and deploy the Microsoft patch available at: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Secondly, format the infected computer and perform a data restoration from scratch.

Finally, monitor your network to detect any unseen infected computer to prevent it from spreading.

Who did it?

It is easy to say that the malware comes from Russia or Ukraine but the truth is it is not so trivial and no one can be affirmative on this point except the author or probably authorities.

The last word: do not believe anything on internet, there is a lot of fakes 😉

Below, a photoshopped picture of an airplane:

petya ransomware fake airplane picture

Source

http://cert.ssi.gouv.fr/site/CERTFR-2017-ALE-012/index.html

https://securelist.com/schroedingers-petya/78870/