[updated June 28 at 11:40 CEST]
On the 27th of June 2017, a new variant of the Petya ransomware started to cause havoc within various companies around the world. The first reports came from Ukraine, where at least two energy companies were hit.
This Petya variant comes only weeks after the WannaCry outbreak made headlines around the world, when hundreds of thousands of devices were infected.
This variant of Petya has more spreading methods than WannaCry (specifically PsExec and WMI) but shares at least one exploit with it, namely EternalBlue, an exploit leaked by ‘The Shadowbrokers’ and originally used by the NSA.
The Petya ransomware was in the news earlier this year for encrypting the entire hard disk rather than only the files on local and remote drives, which is the more common approach among other ransomware.
Cisco Talos reports that the infections started in Ukraine through the auto-update feature of software from the Ukrainian company Me-Doc. Attackers likely gained access to the Me-Doc update servers and used the software's update feature to infect all of its, mostly Ukrainian, customers. This explains the disruptions observed within various Ukrainian companies, including airports, hospitals and other vital infrastructure. It also supports what Fox-IT is observing: affected companies have business in Ukraine and saw the initial Petya activity coming from those networks.
Because of its various spreading mechanisms, the ransomware managed to reach companies in other countries, most likely via existing network connections between (branch) offices or suppliers.
When a computer is infected with this specific version of Petya, it starts to encrypt files on the local machine and also attempts to spread across the local network to other machines.
After a number of hours the infected client is rebooted and the user is faced with a ransom screen; at this point it is no longer possible to start the Windows operating system. The ransom screen shows a bitcoin address, a string of text that uniquely identifies this infection, and the email address to contact the authors once the payment has been made.
Where WannaCry scanned random IP addresses on the internet, and in that way infected other companies, this version of Petya only scans internal hosts. This means that there must be a different initial infection vector; what this vector exactly is remains unknown for the time being. If the ransomware is run on a so-called domain controller, one of the most important servers within a company, it will attempt to spread to all connected clients, which greatly increases the spreading speed within a network.
The ransom of $300 has to be paid in bitcoin, after which the authors have to be contacted via the email address shown on the ransom screen. This email address has however been blocked by the provider, making it impossible to confirm payments to the people behind Petya.
- Apply Windows update MS17-010
- Disable the outdated SMBv1 protocol
- Limit the use of accounts with ‘local administrator’ rights
- Make backups and verify that they can be restored
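As an added example (not part of the original advisory or of Fox-IT's tooling), the following PowerShell script audits a single Windows host against the first three points above: it looks for a known MS17-010 hotfix, reports and optionally disables SMBv1 on the server side, and lists the members of the local Administrators group. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later (for the SmbShare and LocalAccounts cmdlets) and that the KB list, which is an assumption taken from the MS17-010 bulletin and not from this page, is extended for the OS builds in your estate.

```powershell
# Added example: audit one host against the Petya mitigations above.
# Assumptions (not from the advisory): elevated PowerShell 5.1+ on Windows 8.1 /
# Server 2012 R2 or later. Run with -Fix to actually disable SMBv1.
param([switch]$Fix)

# 1. MS17-010: look for one of the March 2017 KBs that carried the fix.
#    This list is an assumption and is not exhaustive; later cumulative rollups
#    supersede these KBs, so "not found" means "verify", not "unpatched".
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',   # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    "MS17-010: patched ($($installed.HotFixID -join ', '))"
} else {
    "MS17-010: no known KB found - check the bulletin for this build and patch"
}

# 2. SMBv1: report the server-side setting; disable it only when -Fix is given.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    "SMBv1: ENABLED (EternalBlue target surface)"
    if ($Fix) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        "SMBv1: now disabled (a reboot may be needed for the feature removal)"
    }
} else {
    "SMBv1: disabled"
}

# 3. Local administrators: list members so that accounts which do not need
#    local admin rights (the ones PsExec/WMI spreading abuses) can be removed.
"Local Administrators group members:"
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize
```

Run it per host (for example through your existing management tooling) and treat any host reporting SMBv1 enabled or no MS17-010 KB as a priority for patching and isolation.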
The Fox-IT Network sensors currently detect a number of Petya's spreading methods, and work is being done to identify the remaining methods of spreading.