28 June 2017

Petya or Petwrap ransomware (Update: Kill-switch)

The Kill-switch for Petya ransomware has already been found, the company Positive Technologies has published how to disable ransomware here.

To detect the Petya attack in the infrastructure, the following indicators can be used: 
   A task in Windows Scheduler with an empty name and action (reboot) "%WINDIR%\system32\shutdown.exe /r /f"

IDS/IPS rule triggers:

   msg: "[PT Open] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool"; sid: 10001254; rev: 2;
   msg: "[PT Open] ETERNALBLUE (WannaCry, Petya) SMB MS Windows RCE"; sid: 10001255; rev: 3;
   msg: "[PT Open] Trans2 Sub-Command 0x0E. Likely ETERNALBLUE (WannaCry, Petya) tool"; sid: 10001256; rev: 2;
   msg: "[PT Open] Petya ransomware perfc.dat component"; sid: 10001443; rev: 1
   msg:"[PT Open] SMB2 Create PSEXESVC.EXE"; sid: 10001444; rev:1


Petya use the TCP ports 135, 139, 445 atraves dos serviços SMB e WMI.

How to active the Kill-switch?

Petya checks if the perfc file exists in the "C:\Windows" the directory and the drive is hardcoded. The perfc file has no content is just an empty file without extension and only with read permissions.

Source: www.ptsecurity.com
Again it is not recommended to pay the ransom and so far there is still no way to recover the encrypted files.

No comments:

Post a Comment