{"id":3176,"date":"2017-06-28T10:19:05","date_gmt":"2017-06-28T08:19:05","guid":{"rendered":"http:\/\/borncity.com\/win\/?p=3176"},"modified":"2017-06-28T12:02:29","modified_gmt":"2017-06-28T10:02:29","slug":"news-about-notpetya-ransomware-killswitch-found","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2017\/06\/28\/news-about-notpetya-ransomware-killswitch-found\/","title":{"rendered":"News about (Not)Petya ransomware &ndash; Killswitch\/vaccine found?"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" height=\"47\" align=\"left\" \/>Currently a new variant of the Petya ransomware (aka PetyaWrap, aka NotPetya) is infecting companies and organisations (see <a href=\"https:\/\/borncity.com\/win\/2017\/06\/27\/petya-ransomware-is-back-using-wannacry-vulnerabilties\/\">Petya ransomware is back \u2013 using WannaCry vulnerabilities<\/a>). First analyses indicate that this ransomware does more than break infected systems. There are indications that the malware also steals user credentials. There are also hints that the malware's spread through networks is not limited to the unpatched SMBv1 vulnerability. 
And there is hope that a kind of kill switch\/vaccine has been found which protects a machine from encryption.<\/p>\n<p><!--more--><\/p>\n<h2>Talos analysis of 'Nyetya' malware<\/h2>\n<p>Security experts from Talos (Cisco) call the new Petya ransomware Nyetya (for Not Petya) and have published a <a href=\"http:\/\/blog.talosintelligence.com\/2017\/06\/worldwide-ransomware-variant.html\" target=\"_blank\" rel=\"noopener\">first analysis<\/a>.<\/p>\n<ul>\n<li>The assumption that the primary infection vector of this malware was an e-mail attachment hasn't been confirmed.<\/li>\n<li>Talos found indications that the infection started via the compromised update system of the Ukrainian tax software M.E.Doc.<\/li>\n<\/ul>\n<p>Kaspersky has published a chart showing that the majority of infections (60%) affect systems within Ukraine.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.bleepstatic.com\/images\/news\/u\/986406\/Ransomware\/NotPetya\/Petya-chart.jpg\" width=\"617\" height=\"333\" \/><br \/>\n(Source: Kaspersky\/BleepingComputer)<\/p>\n<p>In a <a href=\"https:\/\/twitter.com\/GossiTheDog\/status\/879780972991885316\" target=\"_blank\" rel=\"noopener\">tweet<\/a> GossiTheDog says a forged digital signature is responsible for the compromised update system.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"de\">\n<p dir=\"ltr\" lang=\"en\">The payload appears to specifically reference the update process and uses a forged digital signature. It may be unconnected of course still. <a href=\"https:\/\/t.co\/o7pFzuNQXx\">https:\/\/t.co\/o7pFzuNQXx<\/a><\/p>\n<p>\u2014 Kevin Beaumont (@GossiTheDog) <a href=\"https:\/\/twitter.com\/GossiTheDog\/status\/879780972991885316\">27. 
June 2017<\/a><\/p><\/blockquote>\n<p>At Bleeping Computer <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/petya-ransomware-outbreak-originated-in-ukraine-via-tainted-accounting-software\/\" target=\"_blank\" rel=\"noopener\">this article<\/a> also addresses this topic: the owner of M.E.Doc confirmed a virus infection, but later denied that it is the source of the Petya attack.<\/p>\n<h2>Distribution via PsExec and WMIC in networks<\/h2>\n<p>If a Windows system is infected, a copy of the admin tool PsExec (from the Sysinternals tools) is stored as <em>dllhost.dat<\/em> within the Windows folder. Then the malware uses WMIC commands and other strategies to reach other machines within the network.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"de\">\n<p dir=\"ltr\" lang=\"en\">Just patching with EternalBlue (MS17-010) doesn't appear to save you &#8211; other techniques for lateral movement in play here it looks like.<\/p>\n<p>\u2014 Dave Kennedy (ReL1K) (@HackingDave) <a href=\"https:\/\/twitter.com\/HackingDave\/status\/879738542276186114\">27. June 2017<\/a><\/p><\/blockquote>\n<p>The <a href=\"https:\/\/twitter.com\/HackingDave\/status\/879738542276186114\" target=\"_blank\" rel=\"noopener\">tweet<\/a> above from Dave Kennedy says that patching the EternalBlue vulnerability (MS17-010) doesn't prevent the malware from spreading over a network. 
Talos has published an <a href=\"http:\/\/blog.talosintelligence.com\/2017\/06\/worldwide-ransomware-variant.html\" target=\"_blank\" rel=\"noopener\">article<\/a> containing the commands used to invoke PsExec and WMIC.<\/p>\n<pre>C:\\WINDOWS\\dllhost.dat \\\\w.x.y.z -accepteula -s -d C:\\Windows\\System32\\rundll32.exe C:\\Windows\\perfc.dat,#1<\/pre>\n<p>The command above references a file <em>perfc<\/em>, which is discussed below in the kill switch section. Then a WMIC command tries to reach shares using a user name and a password:<\/p>\n<pre>Wbem\\wmic.exe \/node:\"w.x.y.z\" \/user:\"username\" \/password:\"password\" \"process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\perfc.dat\\\" #1\"<\/pre>\n<p>Talos is currently analyzing how the malware is able to obtain user credentials.<\/p>\n<h2>Credential stealer integrated<\/h2>\n<p>From <a href=\"https:\/\/twitter.com\/hackingdave\/status\/879735897205460992\" target=\"_blank\" rel=\"noopener\">this tweet<\/a> I got the information that login data is used for spreading within a network. <a href=\"https:\/\/twitter.com\/hackingdave\/status\/879786970225967104\" target=\"_blank\" rel=\"noopener\">This tweet<\/a> contains similar information:<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"de\">\n<p dir=\"ltr\" lang=\"en\">Not sure on technique yet here, but crews being used for authentication to systems not just loggedin_user <a href=\"https:\/\/t.co\/fEumwgs4Ho\">https:\/\/t.co\/fEumwgs4Ho<\/a><\/p>\n<p>\u2014 Dave Kennedy (ReL1K) (@HackingDave) <a href=\"https:\/\/twitter.com\/HackingDave\/status\/879786970225967104\">27. 
June 2017<\/a><\/p><\/blockquote>\n<p>This <a href=\"https:\/\/arstechnica.com\/security\/2017\/06\/a-new-ransomware-outbreak-similar-to-wcry-is-shutting-down-computers-worldwide\/\" target=\"_blank\" rel=\"noopener\">Ars Technica article<\/a> cites security researchers saying that a second function within this ransomware tries to harvest user names and passwords and send them to servers controlled by the attackers. So the infected system is rendered inaccessible, while the attackers gain access to login data and may use it to infect more machines.<\/p>\n<h2>Killswitch found?<\/h2>\n<p>On Twitter <a href=\"https:\/\/twitter.com\/0xAmit\" target=\"_blank\" rel=\"noopener\">Amit Serper<\/a> posted <a href=\"https:\/\/twitter.com\/0xAmit\/status\/879778335286452224\" target=\"_blank\" rel=\"noopener\">this tweet<\/a>, indicating that a 'kill switch' has been found to stop an infection:<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"de\">\n<p dir=\"ltr\" lang=\"en\">98% sure that the name is perfc.dll Create a file in c:\\windows called perfc with no extension and <a href=\"https:\/\/twitter.com\/hashtag\/petya?src=hash\">#petya<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Nopetya?src=hash\">#Nopetya<\/a> won't run! SHARE!! <a href=\"https:\/\/t.co\/0l14uwb0p9\">https:\/\/t.co\/0l14uwb0p9<\/a><\/p>\n<p>\u2014 Amit Serper (@0xAmit) <a href=\"https:\/\/twitter.com\/0xAmit\/status\/879778335286452224\">27. June 2017<\/a><\/p><\/blockquote>\n<p>So a read-only file <em>perfc<\/em> (without extension) located within the Windows folder may stop the ransomware. 
<a href=\"https:\/\/twitter.com\/PTsecurity_UK\/status\/879779707075665922\" target=\"_blank\" rel=\"noopener\">Here<\/a> is a second source confirming that. So it's possible to copy a file and rename it. It seems that this file prevents the encryption routine on an infected machine \u2013 but that's far from a kill switch that stops other infections. At MalwareTech <a href=\"https:\/\/www.malwaretech.com\/2017\/06\/petya-ransomware-attack-whats-known.html\" target=\"_blank\" rel=\"noopener\">a blog post<\/a> also says it only stops the malware on the current machine. Bleeping Computer <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak\/\" target=\"_blank\" rel=\"noopener\">has this article<\/a> detailing how to create the file mentioned above.<\/p>\n<h2>Addendum: Microsoft has details and recommendations<\/h2>\n<p>Microsoft has published <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/06\/27\/new-ransomware-old-techniques-petya-adds-worm-capabilities\/\" target=\"_blank\" rel=\"noopener\">this blog post<\/a> with many details about Petya. 
Microsoft confirms some of the infection theories, says that Defender and other Microsoft AV products have been updated to recognise this ransomware, and also gives hints on how to avoid infections.<\/p>\n<p><strong>Similar articles:<\/strong><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2017\/06\/27\/petya-ransomware-is-back-using-wannacry-vulnerabilties\/\">Petya ransomware is back \u2013 using WannaCry vulnerabilities<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2017\/05\/25\/wannacry-co-eternalblue-vulnerability-checker-und-crysis-ransomware-decryptor\/\">WannaCry &amp; Co.: EternalBlue Vulnerability Checker and Crysis Ransomware Decryptor<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2017\/05\/13\/ransomware-wannacry-infected-worldwide-thousands-of-windows-systems\/\">Ransomware WannaCry infected worldwide thousands of Windows systems<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Currently a new variant of the Petya ransomware (aka PetyaWrap, aka NotPetya) is infecting companies and organisations (see Petya ransomware is back \u2013 using WannaCry vulnerabilities). First analyses indicate that this ransomware does more than break infected systems. 
There are indications that &hellip; <a href=\"https:\/\/borncity.com\/win\/2017\/06\/28\/news-about-notpetya-ransomware-killswitch-found\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[918,919,549,243,69,194],"class_list":["post-3176","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-notpetya","tag-nyetya","tag-petya","tag-ransomware","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/3176","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=3176"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/3176\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=3176"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=3176"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=3176"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}