New Ransomware Variant – Petya

This is a security alert for all TruShield clients and the community at large. TruShield has learned of a new ransomware variant known as Petya, with a different strategy for restricting access to files.

Overview and Attack Vector

As the onslaught of ransomware continues in 2016, researchers at several security firms have documented countless strains that infect systems and encrypt individual files. Most of these have been delivered as malicious Office documents with macros, attached to emails that are often disguised as invoice-related. A new ransomware threat known as Petya takes two different approaches. First, it arrives by email disguised as being related to a job application; rather than carrying the file itself, the email contains a Dropbox link to a malicious ZIP file with two components. Second, it targets the low-level structures of file storage rather than individual files.

Operation

When the payload component inside the malicious ZIP file is executed, it requires administrator rights to do its intended damage. On execution it generates a unique value using elliptic-curve cryptography (ECC); this value is later shown to the victim, who must supply it at the time of payment. This step also encrypts the Master Boot Record (MBR) and forces a BSOD, or crash, of the system. The next step is a fake CHKDSK screen, displayed while the Master File Table (MFT) is being encrypted. A ransom note then falsely tells the user that the entire hard drive is encrypted, which is not the case. At this point the infected system is essentially useless beyond displaying the ransom note and the lengthy unique value, so the user would have to copy that value carefully and visit the ransom payment site from a separate device.
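Because Petya's damage is done to the MBR rather than to individual files, a host-side control that a network monitor cannot provide is to keep a trusted copy of the first disk sector and compare the live sector against it. The following is an added example, not TruShield's code and not tooling from any of the referenced write-ups: it parses a 512-byte MBR (boot code, four 16-byte partition entries, the 0x55AA signature) and reports what differs from a baseline. The sample sectors are constructed inline; reading the real sector from the boot disk (which needs administrator rights) is an assumption noted in the code.

```python
"""Baseline check for the Master Boot Record (MBR).

Added example for this advisory; hypothetical tooling, not TruShield's.
Assumption: the caller reads the first 512 bytes of the boot disk with
administrator rights, e.g. on Windows: open(r"\\.\PhysicalDrive0", "rb").read(512)
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 446
# Each 16-byte entry: status, CHS start (3 bytes), type, CHS end (3 bytes),
# LBA start (uint32 LE), sector count (uint32 LE).
PARTITION_ENTRY = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR sector into the pieces a defender wants to compare."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR sector must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, count = struct.unpack_from(PARTITION_ENTRY, sector, off)
        if ptype != 0:  # partition type 0 marks an unused slot
            partitions.append({
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": count,
            })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootcode_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def mbr_changed(baseline: bytes, current: bytes) -> list:
    """Return human-readable differences between a trusted baseline and the current MBR."""
    before, now = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not now["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if before["bootcode_sha256"] != now["bootcode_sha256"]:
        findings.append("boot code region (bytes 0-445) modified")
    if before["partitions"] != now["partitions"]:
        findings.append("partition table modified")
    return findings


def build_sample_mbr(bootcode_fill: int = 0x90) -> bytes:
    """Constructed sample sector: one bootable NTFS (type 0x07) partition at LBA 2048."""
    bootcode = bytes([bootcode_fill]) * PARTITION_TABLE_OFFSET
    entry = struct.pack(PARTITION_ENTRY, 0x80, 0x07, 2048, 2_000_000)
    table = entry + b"\x00" * (64 - len(entry))  # three unused entries
    return bootcode + table + BOOT_SIGNATURE


if __name__ == "__main__":
    baseline = build_sample_mbr()
    # Constructed "after" sector whose boot code no longer matches the baseline.
    altered = bytearray(baseline)
    altered[:PARTITION_TABLE_OFFSET] = b"\xeb" * PARTITION_TABLE_OFFSET
    print("clean:  ", mbr_changed(baseline, baseline))
    print("altered:", mbr_changed(baseline, bytes(altered)))
```

The baseline should be captured from a known-clean machine and stored off the host, since anything that can rewrite the MBR can also rewrite a baseline file kept on the same disk. A changed partition table or boot code is not proof of Petya, but on a fleet where nobody legitimately reinstalls bootloaders it is a cheap, network-independent signal that belongs in an endpoint check.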
 

Conclusion

With this new strategy, Petya presents both new challenges and new weaknesses. One challenge is that traditional network monitoring alone may fail to catch this ransomware, since the bulk of its execution happens without further network communication. Security controls such as email spam filtering, restriction of file-sharing sites, endpoint anti-malware, and proper use of UAC can make a major difference in detecting or even preventing the execution of Petya. Because the payload executes in two steps, it is possible even after infection to power down the system before the second step and recover the files by connecting the hard drive to a different computer and booting from another disk. It is critical for businesses to adopt proactive strategies against threats like Petya before further imitations and adaptations appear in the coming months.

 

Indicators of Compromise

File Hashes (MD5)
a92f13f3a1b3b39833d3cc336301b713
dfcced98585128312b62b42a2a250dd2
af2379cc4d607a45ac44d62135fb7015
7899d6090efae964024e11f6586a69ce
d80fc07cc293bcd36e630d45a34aca11

 

Mitigation and Prevention

  • Keep regular backups both on and off-site.
  • Filter inbound emails based on attachments and subject lines.
  • Use updated antimalware and antivirus products.
  • Do not open unknown files; compare file hashes against the known IOCs above.
  • Turn off automatic restart after system failure.
  • Power off any infected system prior to fake CHKDSK execution.
  • Use application control software with a base deny policy on executables.
  • Use administrative or elevated privileges carefully.
  • Isolate infected systems from the network and storage devices.
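A concrete form of "compare with known IOCs", using the MD5 hashes from the Indicators of Compromise section above. This is an added example, not TruShield's code: it walks a directory tree, hashes every readable file in chunks, and reports any file whose MD5 is on the advisory's list. The scan root is whatever path the operator passes on the command line, and the file used in the usage note is constructed.

```python
"""Match files on disk against the MD5 indicators published in this advisory.

Added example; hypothetical tooling, not TruShield's. The hashes below are
copied from the advisory's Indicators of Compromise section.
"""
import hashlib
import os
import sys

PETYA_MD5_IOCS = frozenset({
    "a92f13f3a1b3b39833d3cc336301b713",
    "dfcced98585128312b62b42a2a250dd2",
    "af2379cc4d607a45ac44d62135fb7015",
    "7899d6090efae964024e11f6586a69ce",
    "d80fc07cc293bcd36e630d45a34aca11",
})


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large archives need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: str, iocs=PETYA_MD5_IOCS) -> list:
    """Walk root and return (path, md5) for every readable file whose hash is an IOC."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the scan
            if digest.lower() in iocs:
                hits.append((path, digest))
    return hits


if __name__ == "__main__":
    # Usage: python scan_iocs.py <directory>   (defaults to the current directory)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in scan_tree(root):
        print(f"IOC MATCH {digest} {path}")
```

Run it against mail attachment folders, download directories and any share where the ZIP from the Dropbox link might have landed. MD5 is used here only because MD5 is the form in which the advisory publishes its indicators; a single byte change to the sample produces a different hash, so a clean scan rules out only these exact files, not the family, and the other controls in this list still apply.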

 

References

http://blog.trendmicro.com/trendlabs-security-intelligence/petya-crypto-ransomware-overwrites-mbr-lock-users-computers/

https://usblog.kaspersky.com/petya-ransomware/6941/

https://blog.malwarebytes.org/threat-analysis/2016/04/petya-ransomware/

 

Copyright © 2017