Breaking News

US-CERT published an alert on the last variant of Petya ransomware, including countermeasures

The Department of Homeland Security’s (DHS) US Computer Emergency Readiness Team (US-CERT) published the Alert (TA17-181A) on the Petya Ransomware.

The US-CERT urges organizations of updating their software and avoiding use unsupported applications and OSs.

The US-CERT confirmed it has received multiple reports of Petya ransomware infections related the recent massive attack. The ransomware leverages the ETERNALBLUE Exploit M2 MS17-010 to exploit vulnerabilities in Server Message Block (SMB) and makes devices unusable.

“The NCCIC Code Analysis Team produced a Malware Initial Findings Report (MIFR) to provide in-depth technical analysis of the malware. In coordination with public and private sector partners, NCCIC is also providing additional IOCs in comma-separated-value form for information sharing purposes.

Available Files:

The scope of this Alert’s analysis is limited to the newest “Petya” variant that surfaced June 27, 2017, and this malware is referred to as “Petya” throughout this Alert.” states the alert.

“Based on initial reporting, this Petya campaign involves multiple methods of initial infection and propagation, including exploiting vulnerabilities in Server Message Block (SMB). “

The flaws exist in how the SMBv1 server handles certain requests, a remote attacker could execute code by sending specially crafted messages to [an SMBv1] server.

Experts at US-CERT that analyzed a sample of the last Petya ransomware discovered that this variant encrypts the victim’s files with a dynamically generated, 128-bit key and creates a unique ID of the victim. The experts haven’t found any link between the encryption key generation and the victim’s ID.

“However, there is no evidence of a relationship between the encryption key and the victim’s ID, which means it may not be possible for the attacker to decrypt the victim’s files even if the ransom is paid.” states the alerts.

“This Petya variant spreads using the SMB exploit as described in MS17-010 and by stealing the user’s Windows credentials. This variant of Petya is notable for installing a modified version of the Mimikatz tool, which can be used to obtain the user’s credentials. The stolen credentials can be used to access other systems on the network.”

The sample analyzed by the US-CERT will also attempt to identify other hosts on the network by checking the compromised system’s IP physical address mapping table.

The Petya variant writes a text file on the “C:\” drive containing the Bitcoin wallet address and the RSA keys for the ransom payment. The malicious code modifies the master boot record (MBR) to enable encryption of the master file table (MFT) and the original MBR, then it reboots the system to replace the MBR.

“Based on the encryption methods used, it appears unlikely that the files can be restored even if the attacker received the victim’s unique ID.”

The US-CERT suggests organizations following its best practices related to SMB, such as:

  • Disabling SMBv1
  • Blocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.

“US-CERT cautions users and administrators that disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices,” the agency states. “The benefits of mitigation should be weighed against potential disruptions to users.”

Below the complete list of recommended steps for prevention that was included in the alert:

  • Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.[5](link is external)
  • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate in-bound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching the end users.
  • Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
  • Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
  • Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
  • Disable macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office suite applications.
  • Develop, institute, and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
  • Run regular penetration tests against the network, no less than once a year. Ideally, run these as often as possible and practical.
  • Test your backups to ensure they work correctly upon use.
  • Utilize host-based firewalls and block workstation-to-workstation communications.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Petya, US-CERT)

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Turla APT used two new backdoors to infiltrate a European ministry of foreign affairs

Russia-linked Turla APT allegedly used two new backdoors, named Lunar malware and LunarMail, to target…

7 hours ago

City of Wichita disclosed a data breach after the recent ransomware attack

The City of Wichita disclosed a data breach after the ransomware attack that hit the…

15 hours ago

CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities catalog

CISA adds two D-Link DIR-600 and DIR-605 router vulnerabilities to its Known Exploited Vulnerabilities catalog. The…

18 hours ago

CISA adds Google Chrome zero-days to its Known Exploited Vulnerabilities catalog

CISA adds two Chrome zero-day vulnerabilities to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity…

19 hours ago

North Korea-linked Kimsuky APT attack targets victims via Messenger

North Korea-linked Kimsuky APT group employs rogue Facebook accounts to target victims via Messenger and deliver malware.…

21 hours ago

Electronic prescription provider MediSecure impacted by a ransomware attack

Electronic prescription provider MediSecure in Australia suffered a ransomware attack likely originate from a third-party…

1 day ago

This website uses cookies.