CA Snigdha Nigam
Last month it was the “WannaCry” virus wreaking havoc over the internet, and now this week another ransomware exploit is rapidly expanding across Europe and the Ukraine especially. The new variant, dubbed “Petya,” uses the same SMBv1 exploit that WannaCry uses to rapidly replicate throughout network systems, but holds infected computers hostage in a significantly different way.
Anti Virus Security Labs has come across a new strain of Petya Ransomware that is affecting users globally. This clearly looks like early signs of a new ransomware attack that is spreading fast across the globe. Currently, we have seen multiple reports of this ransomware attack from several countries. Petya delivery mechanism is by scam emails or phishing emails. Once the email attachment is executed on the computer it shows the prompt of User Access Control.
Recommendations
1. Block smb & wmi port 135,445,1024-1035 TCP
2. Avoid reboot! shutdown –a
Mechanisms – similarly to WannaCry is uses MS17-010. Crypt logic – once activated it will reboot the system (delayed), the it runs fake chkdsk and victim gets the ransomware request. And system boot stops. It encrypts MBR as it was done with earlier Petya Ransomware.
Please be careful , watch your email/attachments..Keep your tools updated.
File Name : Order-20062017.doc : (actually RTF with CVE-2017- 0199)
MD5 Hash Identifier : 415FE69BF32634CA98FA07633F4118E1
SHA-1 Hash Identifier : 101CC1CB56C407D5B9149F2C3B8523350D23BA84
SHA-256 Hash Identifier
FE2E5D0543B4C8769E401EC216D78A5A3547DFD426FD47E097DF04A5F7D6D206
File Size : 6215 bytes
File Type : Rich Text Format data
However, after executing the program it encrypts the Master Boot Record (MBR) and replaces it with a custom boot loader with a code to encrypt the full disk starting with MFT (Master File Tree) and leaves a ransom note to users. Upon successfully encrypting the whole disk of the computer it shows below ransom prompt.
All Anti Virus users are protected from this ransomware infection where an exploit called EternalBlue targets the security vulnerability MS17-010. This is the same vulnerability which WannaCry Ransomware has been exploiting to spread. Anit Virus IDS successfully blocks Eternal Blue exploit attempts. Most of Anti Virus Behavior Based Detection (BDS) also blocks and warns user of a potential attack under way. Just make sure all the security mechanism of Anti Virus are switched ON. Please keep your Anti Virus up-to- date with all the current updates that are regularly released.
Petya ransomware – How to protect your PC/Laptop
- Avoid clicking on links in email received from unknown sender.
- Apply all Microsoft Windows patches including MS17-010 that patches the Eternal Blue Vulnerability
- Make sure your Anti Virus auto update is ON and is updated to latest.
- Ensure you take a backup of your data to some external disk regularly.
- Avoid login to computer with Administrative privileges.
- Work with user account that has standard user privileges and not administrative privileges.
Microsoft issued a series of patches for this type of exploit back in April, However the company also recommends removing the unused but vulnerable SMBv1 file sharing protocol from your systems.
- Open the Control Panel (search for it from the Start Menu)
- Click Programs and Features, and then on the left hand column
- Click Turn Windows Features on or off
- Scroll down to SMB 1.0/CIFS File Sharing support,
- Uncheck it, and reboot
If a threat is executed in my computer, can I still prevent my data?
If by mistake someone executes the threat on an unprotected computer by clicking on the link in the email and downloading the attachment, and if you see a BSOD (blue screen) that restarts your computer, you can still save your data by not restarting the computer. Just keep it switched off.
When you see the BSOD screen and the system re-starts only the MBR is replaced and your data on the disk is still intact and it can be accessed by mounting the hard disk on some other clean system. Make sure you do not boot the infected computer hard disk at that stage. Once mounted the data can be accessed and copied.
(This article is written by CA Snigdha Nigam {ACA, DISA, MBA – Finance}, She is a Practising Chartered Accountant with major exposure in bank Audits. She can be reached at snigdhanassociates@gmail.com)
