Petya Ransomware - Petware
28 June 2017
On June 27th 2017, reports of a new ransomware outbreak (Petya/Petware) began to spread across Ukraine, with approximately 12,500 infected machines, and thereafter quickly expanded to Russia and European countries such as Denmark, the Netherlands, Spain, France, the United Kingdom and Belgium, later spreading worldwide to, for example, Brazil and the United States.
The new ransomware, Petya or Petware, is reportedly spreading via two known vulnerabilities, among them the SMB exploit (EternalBlue, together with the DoublePulsar backdoor) that the WannaCry (WannaCrypt0r 2.0) ransomware used as well. It also shares code with the known "Ransom:Win32/Petya" family, hence its name, but is more sophisticated than its predecessor. Among other things, the ransomware has lateral movement capabilities, meaning that a single infected machine or device is enough to affect a larger network. It spreads itself via the built-in Windows management tool WMIC and via the Sysinternals remote-execution tool PsExec, so it does not depend on the SMB exploit alone.
Petware is capable of, among other things:
- stealing credentials or re-using existing active sessions;
- using file shares to transfer the malicious file to other machines on the same network;
- using existing legitimate functionality (WMIC, PsExec) to execute the payload, or abusing the SMB vulnerabilities on unpatched machines.
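To make the lateral-movement indicators above concrete, here is an added example (not part of the original advisory) of detection logic that flags remote WMIC process creation and PsExec use in flattened Windows event records. The event lines are constructed for illustration; the `key=value|...` layout and the field names (EventID, Host, SubjectUserName, NewProcessName, CommandLine, ServiceName, ImagePath) are assumptions modelled on Security event 4688 (process creation) and System event 7045 (service installed), not a real forwarder's format.

```python
"""Flag WMIC / PsExec lateral movement in flattened Windows events.

Added example. The records below are CONSTRUCTED sample events; the
field layout is an assumption modelled on Security 4688 and System 7045.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events: one event per line, key=value pairs joined by '|'.
# (The toy splitter assumes values themselves contain no '|'.)
SAMPLE_EVENTS = [
    "EventID=4688|Host=WS01|SubjectUserName=jdoe"
    "|NewProcessName=C:\\Windows\\System32\\wbem\\WMIC.exe"
    "|CommandLine=wmic /node:\"10.0.0.7\" /user:\"CORP\\admin\" /password:\"x\" "
    "process call create \"C:\\Windows\\stage.exe\"",
    "EventID=4688|Host=WS01|SubjectUserName=jdoe"
    "|NewProcessName=C:\\Windows\\System32\\wbem\\WMIC.exe"
    "|CommandLine=wmic os get caption",
    "EventID=4688|Host=WS01|SubjectUserName=jdoe"
    "|NewProcessName=C:\\Tools\\psexec.exe"
    "|CommandLine=psexec.exe \\\\10.0.0.8 -accepteula -s -d C:\\Windows\\stage.exe",
    "EventID=7045|Host=SRV02|ServiceName=PSEXESVC|ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "EventID=7045|Host=SRV02|ServiceName=Spooler|ImagePath=%SystemRoot%\\System32\\spoolsv.exe",
    "EventID=4688|Host=WS03|SubjectUserName=svc_backup"
    "|NewProcessName=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe",
]

# wmic ... /node:<target> ... process call create <binary>  -> remote execution
WMIC_REMOTE = re.compile(r"/node:", re.IGNORECASE)
WMIC_CREATE = re.compile(r"\bprocess\s+call\s+create\b", re.IGNORECASE)
# psexec \\<host> ...  -> remote execution (PsExec drops PSEXESVC on the target)
PSEXEC_TARGET = re.compile(r"\\\\[\w.\-]+")


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict; only the first '=' of each pair separates key and value."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return an indicator tag for a lateral-movement pattern, or None."""
    eid = event.get("EventID")
    if eid == "4688":
        image = event.get("NewProcessName", "").lower()
        cmd = event.get("CommandLine", "")
        if image.endswith("\\wmic.exe") and WMIC_REMOTE.search(cmd) and WMIC_CREATE.search(cmd):
            return "wmic-remote-process-create"
        if image.endswith("\\psexec.exe") and PSEXEC_TARGET.search(cmd):
            return "psexec-remote-exec"
    elif eid == "7045":
        # Seen on the *target* side: PsExec installs its service under this name.
        if event.get("ServiceName", "").upper() == "PSEXESVC":
            return "psexesvc-service-installed"
    return None


def find_lateral_movement(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, indicator, actor) for every event that matches a pattern."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        tag = classify(ev)
        if tag:
            actor = ev.get("SubjectUserName") or ev.get("ServiceName", "")
            hits.append((ev.get("Host", ""), tag, actor))
    return hits


if __name__ == "__main__":
    for host, tag, actor in find_lateral_movement(SAMPLE_EVENTS):
        print(f"{host}: {tag} ({actor})")
```

Benign administrative use of WMIC (the local `wmic os get caption` line) is deliberately not flagged; the remote `/node:` plus `process call create` combination is the discriminator. On the receiving host, the 7045 PSEXESVC service installation is the matching indicator, so the two sides of one PsExec hop can be correlated.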
Ransomware in general propagates via different channels, e.g. infected email attachments, unpatched software, free software downloads and compromised websites. The initial attack vector of Petware is currently unknown; early reports point to an Excel document carrying a fake Windows signature (associated with LokiBot), but this has not been confirmed.
Once activated, the ransomware encrypts certain types of files stored on the device and/or on reachable network shares. Petware is known to target the following extensions: .3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip. Note that this list includes virtual-disk formats (.vmdk, .vdi, .avhd, .hdd) and backup files (.bak, .back), so backups and VM images that are reachable from an infected machine are themselves at risk. Once encryption is complete, the ransomware displays a message offering to decrypt the data if a payment is made by a stated deadline.
Current information indicates that systems which are patched against the SMB vulnerability used by WannaCry (MS17-010) remain vulnerable to Petware, because it also spreads with stolen credentials via WMIC and PsExec. We are currently aware of infections on multiple Windows versions (XP, 7 and 10).
What can we as an organization do against these types of ransomware?
- Do not pay, especially not for Petware: the email address through which the decryption key was to be provided is offline, so paying cannot lead to recovery. There are other methods to recover from a ransomware attack.
- Take adequate backups, kept offline or otherwise out of reach of infected machines, so that you can restore with as little impact as possible.
- Update and patch your systems (servers, workstations, ...) in a timely manner.
- Update antivirus and Intrusion Detection/Prevention Systems (IDS/IPS) and consider Advanced Endpoint Protection (AEP).
- Do not grant employees local administrator rights; the lateral movement described above relies on harvested credentials and sessions.
- Look for a scheduled task that runs "C:\Windows\system32\shutdown.exe /r /f" and delete it. Petware schedules a forced reboot and performs its disk-level encryption after the machine restarts, so removing the task (and not rebooting) buys time to take the machine offline and recover files.
- Make employees aware of cyber security threats via awareness campaigns and training.
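The scheduled-task check from the list above, as an added example that is not part of the original advisory: it parses the output of `schtasks /query /fo CSV /v`, reports every task whose action is a forced reboot via shutdown.exe with both /r and /f, and builds the matching `schtasks /delete` command. The CSV below is constructed sample output with an abbreviated column set; the task names in it are made up, and the column names "TaskName" and "Task To Run" are those of the English-locale output (other locales use translated headers).

```python
"""Hunt and remove scheduled tasks that force a reboot (shutdown.exe /r /f).

Added example. SAMPLE_SCHTASKS_CSV is CONSTRUCTED to mimic English-locale
`schtasks /query /fo CSV /v` output with only a subset of its columns;
the task names in it are invented.
"""
import csv
import io
import re
import subprocess
import sys
from typing import List, Tuple

SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In","Comment"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","Interactive/Background","N/A","0","Microsoft","%windir%\system32\defrag.exe -c -h -o -$","N/A","N/A"
"WS01","\7d3f","28/06/2017 14:05:00","Ready","Interactive only","N/A","267011","CORP\jdoe","C:\Windows\system32\shutdown.exe /r /f","N/A","N/A"
"WS01","\MyReboot","N/A","Ready","Interactive only","N/A","0","CORP\admin","C:\Windows\system32\shutdown.exe /s /t 0","N/A","N/A"
'''

# Match "shutdown" or "shutdown.exe" as the program, wherever it lives on disk.
SHUTDOWN_RE = re.compile(r"shutdown(\.exe)?(\s|$)", re.IGNORECASE)


def is_forced_reboot(task_to_run: str) -> bool:
    """True if the action runs shutdown with both /r (reboot) and /f (force), in any order."""
    if not SHUTDOWN_RE.search(task_to_run):
        return False
    flags = {tok.lower() for tok in task_to_run.split()}
    return "/r" in flags and "/f" in flags


def find_forced_reboot_tasks(csv_text: str) -> List[Tuple[str, str]]:
    """Return (task name, action) for every task whose action is a forced reboot."""
    found = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # schtasks repeats the header line per task folder on some Windows
        # versions; such rows show up with TaskName == "TaskName".
        if row.get("TaskName") == "TaskName":
            continue
        action = row.get("Task To Run", "") or ""
        if is_forced_reboot(action):
            found.append((row["TaskName"], action))
    return found


def delete_command(task_name: str) -> List[str]:
    """argv for removing a task without a confirmation prompt."""
    return ["schtasks", "/Delete", "/TN", task_name, "/F"]


def main() -> None:
    if sys.platform != "win32":
        print("schtasks is Windows-only; showing results for the constructed sample instead.")
        csv_text = SAMPLE_SCHTASKS_CSV
    else:
        csv_text = subprocess.run(
            ["schtasks", "/Query", "/FO", "CSV", "/V"],
            capture_output=True, text=True, check=True,
        ).stdout
    for name, action in find_forced_reboot_tasks(csv_text):
        print(f"forced-reboot task {name!r}: {action}")
        if sys.platform == "win32":
            subprocess.run(delete_command(name), check=False)


if __name__ == "__main__":
    main()
```

The match is on the action, not on the task name, because the task name is attacker-chosen and can be anything. A plain `shutdown /s` task (the third sample row) is a legitimate maintenance action and is left alone; only the reboot-plus-force combination is removed.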