This is a security alert for all TruShield clients and the community at large. TruShield has learned of a new ransomware variant known as Petya, with a different strategy for restricting access to files.
Overview and Attack Vector
As the onslaught of ransomware emerging in 2016 continues, researchers at several security firms have discovered countless strains that infect systems and encrypt individual files. The majority of such ransomware has been delivered as malicious Office documents with macros attached to emails, often disguised as invoice-related messages. However, a new ransomware threat known as Petya takes a few different approaches. First, it arrives by email disguised as correspondence related to an employment application. Rather than carrying the file itself, the email contains a Dropbox link to a malicious ZIP file with two components. Second, it targets the low-level structures of file storage rather than individual files.
When the payload component within the malicious ZIP file is executed, it requires administrator rights in order to do the intended damage. Execution generates a unique value using elliptic-curve cryptography (ECC), which is presented to the victim for use at the time of payment. This step also results in the encryption of the user’s MBR and a BSOD or crash of the system. The next step is a false CHKDSK screen, which is displayed while the user’s MFT is being encrypted. A ransom note later falsely informs users that their entire hard drive is now encrypted, but this is not the case. At this point the infected system is essentially useless beyond displaying the ransom note and the lengthy unique value, so users must carefully copy the unique value and navigate to the ransom payment site from a separate device.
With this new malicious strategy, Petya presents both new challenges and new flaws. One challenge is that traditional network monitoring alone may fail to catch this ransomware, since the bulk of execution happens without any additional network communication. Security controls such as email spam filters, restriction of file-sharing sites, endpoint anti-malware, and proper use of UAC can make a major difference in detecting or even preventing the execution of Petya. Because of the two-step nature of the payload execution, even after infection it is possible to power down the system before the second step begins and recover files from the hard drive by connecting it to a different computer and booting from a different hard drive. It is critical for businesses to adopt proactive strategies against threats like Petya before further imitations and adaptations appear in the coming months.
Indicators of Compromise
Mitigation and Prevention
- Keep regular backups both on and off-site.
- Filter inbound emails based on attachments and subject lines.
- Use updated antimalware and antivirus products.
- Do not open unknown files; compare suspicious files against known IOCs.
- Turn off automatic restart after system failure.
- Power off any infected system prior to fake CHKDSK execution.
- Use application control software with a base deny policy on executables.
- Use administrative or elevated privileges carefully.
- Isolate infected systems from the network and storage devices.
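The inbound email filtering recommended above can be expressed as a simple triage rule that flags the delivery pattern described in this alert: an employment-application lure whose body links to a ZIP file on a file-sharing host, or that carries a risky attachment. This is an added illustration, not TruShield's own tooling; the keyword list, the file-sharing host list, the attachment extensions and the sample message are constructed assumptions to be tuned for your own mail flow.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed indicators for this illustration; adjust to your environment.
SUBJECT_KEYWORDS = ("application", "applicant", "resume", "cv")
FILE_SHARING_HOSTS = ("dropbox.com", "dropboxusercontent.com")
RISKY_EXTENSIONS = (".zip", ".exe", ".js", ".docm")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _is_file_sharing_host(host: str) -> bool:
    """True if host is one of the listed sharing services or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS)


def triage_message(raw: bytes) -> list:
    """Return the reasons (possibly empty) a message should be held for review."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["subject"] or "").lower()
    if any(k in subject for k in SUBJECT_KEYWORDS):
        reasons.append("subject matches employment-application lure")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        # Petya's lure linked to a ZIP on Dropbox rather than attaching it.
        if _is_file_sharing_host(host) and parsed.path.lower().endswith(".zip"):
            reasons.append("link to ZIP archive on file-sharing host: " + url)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            reasons.append("risky attachment: " + name)
    return reasons


# Constructed sample message mimicking the lure described in the alert.
SAMPLE_EMAIL = b"""From: applicant@example.invalid
To: hr@example.invalid
Subject: Job application - please review my documents
Content-Type: text/plain; charset=utf-8

Hello, my application materials are available here:
https://www.dropbox.com/s/EXAMPLEID/application_portfolio.zip?dl=1
Kind regards
"""

if __name__ == "__main__":
    for reason in triage_message(SAMPLE_EMAIL):
        print("HOLD:", reason)
```

A message that trips any rule should be quarantined for analyst review rather than silently dropped, so that legitimate applicants are not lost.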