28 June 2017

Petya or Petwrap ransomware (Update: Kill-switch)

The kill-switch for the Petya ransomware has already been found; the company Positive Technologies has published how to disable the ransomware here.


To detect the Petya attack in the infrastructure, the following indicators can be used:
   The file C:\Windows\perfc
   A task in Windows Scheduler with an empty name and the action (reboot) "%WINDIR%\system32\shutdown.exe /r /f"

IDS/IPS rule triggers:

   msg: "[PT Open] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool"; sid: 10001254; rev: 2;
   msg: "[PT Open] ETERNALBLUE (WannaCry, Petya) SMB MS Windows RCE"; sid: 10001255; rev: 3;
   msg: "[PT Open] Trans2 Sub-Command 0x0E. Likely ETERNALBLUE (WannaCry, Petya) tool"; sid: 10001256; rev: 2;
   msg: "[PT Open] Petya ransomware perfc.dat component"; sid: 10001443; rev: 1;
   msg: "[PT Open] SMB2 Create PSEXESVC.EXE"; sid: 10001444; rev: 1;


Signatures:
https://github.com/ptresearch/AttackDetection/blob/master/eternalblue(WannaCry%2CPetya)/eternalblue(WannaCry%2CPetya).rules

Petya uses TCP ports 135, 139 and 445 through the SMB and WMI services.

How to activate the kill-switch?

Petya checks whether the perfc file exists in "C:\Windows"; both the directory and the drive are hardcoded. The perfc file has no content: it is just an empty file without an extension and with read-only permissions.

Source: www.ptsecurity.com
Again, it is not recommended to pay the ransom, and so far there is still no way to recover the encrypted files.

27 June 2017

Petya or Petwrap ransomware

There is one more ransomware that is taking advantage of the SMBv1 vulnerability and is spreading worldwide.

If you look at the hashtag #ransomware you can see that it has already claimed some victims.

This is why it is extremely important to update operating systems, not only Microsoft but also Linux and Apple. All systems have vulnerabilities, all systems have flaws, so all systems have ransomware. If you don't believe it, do a search.

But there's the following problem:

Petya uses NSA exploits: "Spreads in internal networks with WMIC and PSEXEC. That's why patched systems can get hit." Source: Mikko Hyppönen

All recommendations say not to pay the ransom!! The email address used is already blocked, and so far 28 victims have already made the payment. You can consult the transfers here.

How can you protect yourself?

The recommendations are:
  1. Disable SMB v1;
  2. Disable WMIC (Windows Management Instrumentation Command-line);
  3. Install all Microsoft patches.
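As an added example (not from the original post or from Positive Technologies), the following PowerShell script checks a host for the two indicators listed in the 28 June update, creates the empty read-only C:\Windows\perfc kill-switch file described there, and disables SMBv1 as per recommendation 1 above. It assumes an elevated prompt on Windows 8.1/Server 2012 R2 or later, where the SMB and ScheduledTasks cmdlets exist.

```powershell
# Added example: detect the Petya indicators named above and apply the
# host-side mitigations the post describes. Run as Administrator.

function Test-PetyaIndicators {
    $hits = @()
    # Indicator 1: the perfc marker file in %WINDIR% (no extension).
    # If you created it yourself as the kill-switch, this hit is expected.
    $perfc = Join-Path $env:WINDIR 'perfc'
    if (Test-Path -LiteralPath $perfc) { $hits += "File present: $perfc" }

    # Indicator 2: a scheduled task whose action is a forced reboot
    # ("%WINDIR%\system32\shutdown.exe /r /f"). The post says the task has an
    # empty name, so match on the action rather than the name.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if ($action.Execute -match 'shutdown\.exe$' -and $action.Arguments -match '/r\s+/f') {
                $hits += "Task '$($task.TaskName)' runs $($action.Execute) $($action.Arguments)"
            }
        }
    }
    return $hits
}

function Enable-PetyaKillSwitch {
    # Zero-byte file named exactly 'perfc' in C:\Windows, marked read-only.
    $perfc = Join-Path $env:WINDIR 'perfc'
    if (-not (Test-Path -LiteralPath $perfc)) {
        New-Item -ItemType File -Path $perfc | Out-Null
    }
    Set-ItemProperty -LiteralPath $perfc -Name IsReadOnly -Value $true
    return (Get-Item -LiteralPath $perfc).IsReadOnly
}

function Disable-SmbV1 {
    # Turn off the SMB1 server protocol and remove the optional feature.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    return (Get-SmbServerConfiguration).EnableSMB1Protocol   # expected: False
}

Test-PetyaIndicators
Enable-PetyaKillSwitch
Disable-SmbV1
```

Disabling the SMB1Protocol feature usually requires a reboot to take full effect; WMIC (recommendation 2) is not touched by this script.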