A new Ransomware variant with worm like capabilities has infected many organizations around the world. The media is calling it "Petya" but it is not similar to the Petya variants seen before. In the propagation process, the malware enumerates all network adapters, all known server names via NetBIOS and also retrieves the list of current DHCP leases, if available. Each and every IP on the local network and each server found is checked for open TCP ports 445 and 139. Those machines that have these ports open are then attacked with one of the methods described above.
The malware has three mechanisms used to propagate once a device is infected:
- EternalBlue - the same exploit used by WannaCry.
- Psexec - a legitimate Windows administration tool.
- WMI - Windows Management Instrumentation, a legitimate Windows component.
If the computer is shut down before the reload, MBR can be reestablished with "bootrec /FixMbr" command. (in Vista+, for Windows XP "fixmbr" can be used).
In case the privileges are not high enough to rewrite MBR, the files are encrypted without a system reload. The list of file types that are encrypted:
The Malware also clears system logs.
Most Anti-Virus vendors now have signatures for this ransomware sample but other samples with similar characteristics may not have proper detection rates.
Microsoft has also advised on how to disable smbv1 which can be an additional mitigation.
A potential (unverified by TechCERT) kill switch has been found within the samples:
The creation of the file "C:\Windows\perfc".
Additional information shows that the killswitch requires the following:
"Simply, all that is needed are 3 files (perfc, perfc.dll, and perfc.dat) to already exist on the Windows machine, under C:\Windows, with READONLY permissions."
- Microsoft Security Bulletin MS17-010 - https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
- How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server - https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows
- PETYA KillSwitch - https://github.com/petermbenjamin/petya-killswitch
- Schroedinger’s Pet(ya) - https://securelist.com/schroedingers-petya/78870/