Online Support

Petya/Petwrap Ransomware information

As you may be aware, just under 24 hours ago a further global outbreak of Malware attack began similar to the Wannacry attack we reported on in May. Following further investigations and analysis by multiple parties, this is the latest intelligence available to us regarding the Petya/Petwrap/Notpetya/Petna ransomware attack:

How does it attack?
While the malware can potentially infect machines through phishing attacks, the main attack vector appears to have been a hacked software update procedure for the Accounting software 'MeDoc', while this has been denied at present by the company, all available analysis suggests this has been the main attack vector, and correlates with the pattern of infections we have seen.

Following infection, the malware waits for 10-60 minutes after the infection to reboot the system. Reboot is scheduled using system facilities with “at” or “schtasks” and “shutdown.exe” tools.

Upon reboot, files are then encrypted through a fake CHKDSK message. Once files are encrypted the ransom message is then displayed. If the infected machine is turned off during the CHKDSK message, before the ransom message is displayed, files appear to be recoverable using a live CD/USB.

The ransomware moves laterally through the network using a range of methods, including a modified ETERNALBLUE exploit (also used by WannaCry), ETERNALROMANCE (a remote code exploit patched by MS17-010), and through credential capture, using code previously seen in 'Mimikatz'. Once credentials are captured, the ransomware can then spread through the network via PsExec/WMIC.

Quickly after the nature of the attack was discovered, the email domain for manual encryption was quickly taken offline, so even upon paying the ransom, the chances of decryption are slim to none.

Advice
As before, we recommend that Windows machines are backed up and fully updated, especially with regards to MS17-010. Disabling SMBv1 is also recommended, especially on devices that cannot be patched.

Blocking "C:\Windows\perfc.dat" and "C:\Windows\perfc.dll" from running and writing will help prevent propagation via WMIC/PsExec, but does not replace MS17-010 patching as these are different propagation methods. Alternatively if you create file in %WINDIR% matching filename with no extension (perfc), this will prevent execution on the host.

Please ensure that AV and Anti-Malware software is running and up to date across all machines.

Ensure updates are applied promptly to both Windows and third-party applications.

Blocking remote use of local account credentials may also be prudent in preventing the ransomware using the LSADump exploit to capture credentials. More information here: https://blogs.technet.microsoft.com/secguide/2014/09/02/blocking-remote-use-of-local-accounts/

Latest Observation
The rate of infection appears to be slowing down at present, but we advise that you be wary of copycat attacks and the potential for other malware to use the same exploits. We will update as and when we gain new insights.

How can we help you?
If you have a Managed Windows based Server with us, the MS17-010 patch should already have been patched to your server assuming the default auto-update settings have not been changed. If you are unsure, please contact our support team immediately and we will be more than happy to check and apply for you if necessary. If you are not already a Storm Internet customer, feel free to call us on 0800 817 4727 or email us at solutions@storminternet.co.uk if you would like any further advice on how to protect yourselves from such attacks. Please also follow our Blog as we will place further updates here as we gain further news on the situation.