Security Alert: From Ransomware to Wiper – the NotPetya Essential Facts [Updated]
A new ransomware strain similar to WannaCry is causing damage across the Internet
In the last few hours a new ransomware outbreak has started to propagate, hitting large companies all over the globe.
Security researchers from our team and from other vendors (Kaspersky, Palo Alto Networks, Malwarebytes, McAfee) report that this strain, suspected to be Petya (Petya.A, Petya.D or PetrWrap), is spreading fast and producing an outbreak on the scale of WannaCry. The resemblance goes beyond scale: like WannaCry, this strain uses the EternalBlue exploit to infect computers and replicates itself without any user action.
But there is also something different about this epidemic: it uses multiple attack vectors and drops a malware cocktail designed to encrypt the machine and then harvest and exfiltrate as much confidential data as possible.
How the attack happens
Petya ransomware first appeared in 2016 and, unlike typical ransomware, it does not just encrypt files: it overwrites the master boot record (MBR) with its own bootloader, which then encrypts the Master File Table (MFT), so the whole disk becomes unusable rather than individual files.
One of the distribution methods is exploitation of the SMBv1 vulnerability that Microsoft patched in MS17-010, using the EternalBlue exploit developed by the United States' National Security Agency and leaked earlier this year. No user interaction is needed: any Windows computer that exposes SMB on the network and has not installed the March 2017 patch can be infected directly.
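As an added example (not part of the original article, and not the malware's code), here is a PowerShell audit you can run on a Windows host to see whether it still offers what EternalBlue needs, and to close the gap. It assumes Windows 8.1/10 or Server 2012 R2 or later for the Smb* cmdlets; the KB numbers are the ones listed in the MS17-010 bulletin, and the firewall rule name is made up for this example.

```powershell
# Added example, not code from the original article: audit one Windows host for
# the conditions EternalBlue needs (SMBv1 reachable, MS17-010 not installed)
# and then close them. Run from an elevated PowerShell prompt.
# Assumptions: Windows 8.1/10 or Server 2012 R2+ (Get/Set-SmbServerConfiguration
# need the SmbShare module); the firewall rule name is made up for this example.

# 1. Is the SMBv1 server still enabled? EternalBlue targets SMBv1 only.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 is enabled: this is the protocol EternalBlue exploits.'
} else {
    Write-Host 'SMBv1 server support is already disabled.'
}

# 2. Look for the MS17-010 hotfixes by KB number (the KBs listed in the bulletin).
#    On Windows 10 later cumulative updates supersede these KBs, so an empty
#    result there is not proof of exposure; confirm with Windows Update instead.
$ms17010 = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217',
           'KB4012598','KB4012606','KB4013198','KB4013429'
$installed = Get-HotFix | Where-Object { $_.HotFixID -in $ms17010 }
if ($installed) {
    $installed | Format-Table HotFixID, InstalledOn -AutoSize
} else {
    Write-Warning 'No MS17-010 hotfix found by KB number; verify the patch level via Windows Update.'
}

# 3. Remediation: switch SMBv1 off on the server side. Older clients that still
#    need SMBv1 (some printers, NAS boxes) will lose access to shares on this host.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Windows 7 / Server 2008 R2 equivalent (SMB1 = 0 disables the SMBv1 server):
#   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Value 0 -Type DWord
# Optional, removes the SMBv1 component entirely (reboot required):
#   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# 4. Keep TCP 445 off untrusted networks: block inbound SMB on the Public profile.
$ruleName = 'Example: block inbound SMB (TCP 445) on public networks'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Profile Public -Action Block | Out-Null
}
```

Disabling SMBv1 removes the exploitable protocol even on a host that cannot be patched immediately, but it is not a substitute for the patch: the same SMB vulnerability is reachable from any machine on the local network that can talk to port 445, which is why the outbreak spreads so quickly once it is inside an office.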
This strain also reaches users through spam e-mail (spam still works; here's why) carrying a malicious zip archive that contains a file called "inmyguy.xls.hta": an HTML Application (HTA) given a double extension so that it looks like an Excel spreadsheet.
If the victim opens the attachment, Windows runs the HTA's script (through mshta.exe) without further prompting, and the script downloads the main component of the infection to %APPDATA%\10807.exe.
The binary is signed with a certificate whose signer name imitates Microsoft. The signer name alone proves nothing; what matters is whether the signature actually validates, and a forged signature like this one fails that check.
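As an added example (not from the article, and not malware code), this PowerShell snippet inspects the signature on the dropped binary the article names, and on any other executable under %APPDATA%, and reports the signature status next to the signer name. The function name and the decision to scan %APPDATA% are this example's own choices.

```powershell
# Added example, not from the original article. Report signer name AND signature
# status: a binary whose signer says "Microsoft" but whose status is not Valid
# is exactly the forged-signature case described above.
function Test-BinarySignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # SignerCertificate is $null for unsigned files; don't dereference it blindly
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    $issuer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { '(none)' }
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer  = $signer
        Issuer  = $issuer
        Trusted = ($sig.Status -eq 'Valid')   # the only outcome worth trusting
    }
}

# Candidates: the dropper path from the article, plus any other .exe under %APPDATA%
# (the scan of %APPDATA% is an assumption of this example, not the article's advice).
$candidates = @(Join-Path $env:APPDATA '10807.exe')
$candidates += Get-ChildItem -Path $env:APPDATA -Filter '*.exe' -Recurse -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty FullName

$candidates |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Sort-Object -Unique |
    ForEach-Object { Test-BinarySignature -Path $_ } |
    Format-Table Path, Status, Signer, Trusted -AutoSize
```

Look at the Status column, not the Signer column: a row whose signer reads like a Microsoft subject but whose status is HashMismatch, NotTrusted or UnknownError is a forged or tampered signature, which is precisely what this dropper relies on to look legitimate.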
A second spam wave uses a different malicious attachment, "Order-20062017.doc", which abuses CVE-2017-0199 (CVSS score: 9.3), a remote code execution flaw in the way Office handles OLE objects in RTF documents that needs no macros to be enabled. It downloads the payload from hxxp://84.200.16[.]242/myguy.xls (address defanged for your protection).
Once running, the malware injects itself into several system processes and starts the encryption stage locally. At the same time it spreads to other computers on the local network, so a single infected workstation can take down an entire office.
Unfortunately the ransomware does not come alone: the same host also serves LokiBot, which is dropped on infected computers. Here is what it does:
LokiBot is a commodity malware sold on underground forums. It is designed to steal private data from infected machines and submit it to a command and control host via HTTP POST. That private data includes stored passwords, login credentials saved in web browsers and a variety of cryptocurrency wallets.
Antivirus detection has increased steadily since yesterday afternoon, when the outbreak started, reaching 48 of 61 engines at the time this post was published.
Those already infected see a ransom message on their screens (see the image below) demanding $300 in Bitcoin.
Who’s been affected?
The bad news is that the outbreak, which began on June 27, 2017, has already caused a lot of damage: many important companies and organizations have had their computers and sensitive data encrypted.
The epicenter is in Europe and Ukraine is the most affected country, including the Government, banks, hospitals, the metro system and Kiev's airport. The malware also took down the radiation monitoring system at Chernobyl and hit large firms such as Maersk, the Danish shipping giant, the Russian steel maker Evraz and the Russian oil company Rosneft.
Other victims include the advertising firm WPP, the food company Mondelez, the French construction materials company Saint-Gobain and many other private and public firms across Europe and the rest of the globe.
You can read more news on the “Petya Ransomware” topic on Twitter.
UPDATE July 13, 2017
The story behind the original "Petya ransomware" is close to its end.
The original author of Petya, known as Janus, has released a master decryption key. It works for all versions of the original Petya family (Red Petya, Green Petya/Mischa and GoldenEye), and victims of those strains can use it to recover their files. It does not help victims of the June 27 outbreak: that variant only borrowed Petya's code and does not keep the information needed to decrypt the disk (see the update below).
The announcement was made on Twitter on July 5, 2017, where Janus shared a link to the key file, hosted on the mega.nz service.
Anton Ivanov, Senior Malware Analyst at Kaspersky, tested the key and confirmed that it works for all versions of the original family, including GoldenEye.
Later edit [June 29, 1 pm EEST]:
Three things happened in the last 24 hours regarding the suspected Petya attack, also called GoldenEye. Here’s what you should know:
First, security researcher Amit Serper discovered a vaccine against the latest attacks. The malware checks for a particular file in the Windows directory before it starts and exits if the file is already there, so creating that file in advance stops it from running on that machine. You can apply it by following the steps outlined in this article.
This is a preventive measure only: it does nothing for a machine that is already encrypted, it protects only the machine it is applied to, and it is limited to users with a bit of technical know-how. If you want to apply the vaccine but are unsure whether you can do it correctly, ask for help from someone with more experience.
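For readers comfortable with PowerShell, here is the vaccine as an added example (not the article's own steps and not Serper's script): it creates the file the malware looks for, C:\Windows\perfc, and marks it read-only. The perfc.dat and perfc.dll names are included because some reports recommended creating them as well; that is this example's assumption, not a claim of the article.

```powershell
# Added example, not from the original article: the "perfc" vaccine.
# The malware checks for a file named after its own DLL (perfc, no extension)
# in the Windows directory and exits if it already exists. Creating it read-only
# beforehand makes this host refuse to run the payload. Run as Administrator.
# perfc.dat / perfc.dll are added defensively (assumption of this example).
$winDir = $env:windir
$names  = 'perfc', 'perfc.dat', 'perfc.dll'

foreach ($name in $names) {
    $path = Join-Path $winDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        # An empty file is enough; the check is for existence, not content
        New-Item -Path $path -ItemType File | Out-Null
    }
    # Read-only so the file is not casually overwritten or deleted
    (Get-Item -LiteralPath $path).IsReadOnly = $true
}

# Verify: each file should exist and carry the ReadOnly attribute
Get-ChildItem -Path $winDir -Filter 'perfc*' |
    Select-Object Name, @{n='ReadOnly'; e={ $_.IsReadOnly }}, LastWriteTime
```

Keep the limits in mind: this only stops the variant that performs this specific file check, only on the host where the file exists, and it does not patch anything. An attacker who renames the DLL, or a later variant that drops the check, walks straight past it, so it belongs alongside patching and SMBv1 removal rather than instead of them.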
Second, the e-mail provider that the attackers used suspended the mailbox to which victims were told to send proof of payment. As a consequence, even victims who pay the ransom (which we never recommend) have no way to receive a key and cannot get their data back. You can read more details in this post on BleepingComputer.
And third, security researchers found that this variant of Petya is not really ransomware but a wiper: the "installation key" shown on the ransom screen is random data unrelated to the encryption key, so the attackers could not produce a decryptor even if they wanted to.
As researcher Matt Suiche highlights:
The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative.
A second confirmation came in a post on Securelist.
You may wonder why this was not evident from the first analysis. The answer is that the malware was built to look like ransomware, with a ransom note, a Bitcoin address and an installation key, and that disguise confuses both victims and researchers while it spreads across the world.
It will not be the last threat of this kind, which brings us back to proactive security and its crucial role for the future.
What you can do right now
First of all, don’t panic! It might look like a nightmare scenario, but you need to stay calm, be proactive and take all the measures needed to stay safe and protect your important data.
Here’s what we recommend users to do:
- Don't store your sensitive data only on your PC. Keep at least two backups on external media such as a hard drive or in the cloud (Google Drive, Dropbox, etc.), and keep at least one of them disconnected: a drive that is always plugged in or a folder that syncs automatically gets encrypted along with everything else. Read this useful guide on how to do it.
- Update, update and update again! Install all the latest updates for all your apps, including the operating system. The patch that closes the EternalBlue hole (MS17-010) has been available since March 2017.
- Don't use an administrator account for day-to-day work, and disable macros in Microsoft Office.
- NEVER open attachments or download files from e-mail sent by unknown or untrusted sources, and don't click suspicious links. A double extension such as .xls.hta is a red flag: the file is not a spreadsheet.
- Make sure you have a paid, up-to-date antivirus product, or consider a proactive security product (you can check what Heimdal PRO can do for you).
- Learn how to detect cyber criminals' phishing attacks; our article can be really helpful on this topic.
- Remove risky plugins from the browsers you use: Adobe Flash, Adobe Reader, Java and Silverlight.
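As an added example for the "disable macros" advice (not from the article), the following PowerShell sets Office's macro policy for the current user. It assumes Office 2016/2019/365, whose settings live under version 16.0 in the registry; Office 2013 uses 15.0 and Office 2010 uses 14.0. The value names are Office's own; the choice of applications is this example's.

```powershell
# Added example, not from the original article: enforce "macros disabled" for the
# current user. Assumes Office 2016/2019/365 (registry version 16.0); change
# $officeVersion to 15.0 for Office 2013 or 14.0 for Office 2010.
# Per-user (HKCU) values, so no elevation is required.
$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'

foreach ($app in $apps) {
    # VBAWarnings: 1 = enable all, 2 = disable with notification (the default),
    # 3 = only digitally signed macros, 4 = disable all without notification.
    $key = "HKCU:\Software\Microsoft\Office\$officeVersion\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord

    # Policy behind "Block macros from running in Office files from the Internet":
    # refuses macros in files that carry the Mark-of-the-Web (e-mail attachments, downloads)
    $policy = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    Set-ItemProperty -Path $policy -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
}

# Read back the effective per-application setting
foreach ($app in $apps) {
    Get-ItemProperty "HKCU:\Software\Microsoft\Office\$officeVersion\$app\Security" |
        Select-Object @{n='App'; e={ $app }}, VBAWarnings
}
```

One caveat: the second spam wave described above abuses CVE-2017-0199, which executes through Office's OLE handling and needs no macros at all. Disabling macros blocks the HTA-style lure; only the April 2017 Office update closes the OLE path, which is another reason the "update" item comes first.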
Should you want to understand what ransomware is all about, this dedicated guide will help you do just that.
If you run a company, whether large or small, you know how important it is to keep sensitive data safe. Sadly, cyber attacks happen far too often these days, and being proactive about keeping your company safe on the Internet is vital.
So take all the security measures needed to protect your business. Top priorities: make sure your servers run an up-to-date antivirus program to limit the spread of an infection, and always keep your servers patched.
Two more important tips: back up your data regularly, and use separate, unique passwords for servers and for administrators' own devices, so that one stolen credential cannot be reused to reach the rest of the network. We strongly recommend reading our article on how to secure your business endpoints and keep important information safe.
Users and companies alike need to understand that cyber security is not only about the big threats that make the front pages, but about WHAT you can do to stay safe and be proactive right now.