In just one day, the “Petya.A” crypto virus became the largest cyber attack in the history of Ukraine. Read our analysis of its origin, consequences and methods of prevention.
In last year’s report, McAfee called 2016 the “year of ransomware”, but as recent events show, last year was only a warm-up: in the first half of 2017 alone, the IT infrastructures of Ukrainian and global companies came under attack from encrypting malware: WannaCry, XDATA, and, on June 27, a new version of the extortioner Petya.A.
In a single day of activity in Ukraine, the Petya.A cryptovirus did damage that exceeds the damage done earlier by WannaCry and XDATA. From open sources it is known that more than 80 of the largest Ukrainian companies in all sectors of the economy suffered from the attack. Among them: Oschadbank, Ukrgasbank, DTEK, Ukrenergo, Kyivenergo, Ukrtelecom, Vodafone, Lifecell, Aeroport “Borispol”, Ukrposhta, “Novaya Pochta”, Ukrzaliznytsya and many others; the publishing sites Korrespondent and football.ua also stopped working. The banks, government agencies and the media suffered the most, but since not all companies publish data on the consequences of the attack, the actual number of victims can only be estimated later.
Petya.A is a new modification of the encryption virus of the same name, which was distributed in the spring of 2016 and had several modifications. The distribution vector is standard: a targeted user receives an email with an attachment or a link to a malicious file. In addition, according to Microsoft data, a significant portion of the malware was distributed through an update for the reporting and workflow software “M.E.doc.” Inside the network it spreads via DoublePulsar and EternalBlue, similar to the methods of the WannaCry virus.
Immediately after the file is opened, the vulnerability CVE-2017-0199 is exploited and the file hxxp://18.104.22.168/myguy.xls is downloaded.
After the download, a PowerShell script is launched, which downloads the rest of the Petya functionality from the command server hxxp://coffeinoffice.xyz:80/cup/wish.php. The file C:\Windows\perfc.dat, which contains the basic encryption functionality, is then downloaded.
The encryptor spreads over the network in the same way that WannaCry did: by exploiting the SMB protocol vulnerability (MS17-010). In addition, a delayed reboot job is created in the task scheduler and the event logs (System, Security, Application) are cleared.
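The scheduled reboot combined with cleared event logs is a behaviour that can be hunted for. The following is an added example, not code from the original article: it correlates the two signals per host over constructed sample events. It assumes events are forwarded to a central collector (local copies are lost once the logs are cleared), that the field names match your export, and that the reboot task's action contains "shutdown"; event IDs 4698 (scheduled task created), 1102 (Security log cleared) and 104 (an event log was cleared) are the standard Windows ones.

```python
from datetime import datetime, timedelta

# Constructed sample events, shaped like Windows event records forwarded to a
# central collector (field names are assumptions, not a real export schema).
EVENTS = [
    {"host": "ws-017", "time": "2017-06-27T11:02:10", "id": 4698,
     "channel": "Security", "data": "shutdown.exe /r /f"},
    {"host": "ws-017", "time": "2017-06-27T11:03:41", "id": 104,
     "channel": "System", "data": "Application"},
    {"host": "ws-017", "time": "2017-06-27T11:03:42", "id": 1102,
     "channel": "Security", "data": "Security"},
    {"host": "ws-017", "time": "2017-06-27T11:03:43", "id": 104,
     "channel": "System", "data": "System"},
    {"host": "srv-db2", "time": "2017-06-27T09:00:00", "id": 4698,
     "channel": "Security", "data": "backup.cmd"},
    {"host": "ws-044", "time": "2017-06-27T08:15:00", "id": 104,
     "channel": "System", "data": "Application"},
]

WINDOW = timedelta(minutes=60)
LOG_CLEARED = {1102, 104}   # 1102: Security log cleared; 104: a log was cleared
TASK_CREATED = 4698         # a scheduled task was created


def suspicious_hosts(events, window=WINDOW):
    """Return {host: sorted cleared logs} for hosts where a reboot task was
    scheduled and at least two event logs were cleared within `window`."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    hits = {}
    for host, evs in by_host.items():
        # Times at which a task whose action mentions "shutdown" was created.
        reboot_tasks = [datetime.fromisoformat(e["time"]) for e in evs
                        if e["id"] == TASK_CREATED and "shutdown" in e["data"].lower()]
        cleared = set()
        for e in evs:
            if e["id"] not in LOG_CLEARED:
                continue
            t = datetime.fromisoformat(e["time"])
            if any(abs(t - rt) <= window for rt in reboot_tasks):
                cleared.add(e["data"])   # name of the log that was cleared
        if len(cleared) >= 2:
            hits[host] = sorted(cleared)
    return hits


if __name__ == "__main__":
    for host, logs in suspicious_hosts(EVENTS).items():
        print(f"{host}: reboot task scheduled and logs cleared: {logs}")
```

A single cleared log or a routine scheduled task on its own does not trigger the rule; only the combination on one host inside the time window does.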
A large number of file types are encrypted: .3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip.
The malware also modifies the MBR, after which a reboot occurs. On reboot the system goes to a BSOD, after which the user is shown an imitation of the CHKDSK utility, but during the so-called “validation” the data is actually being encrypted (this behavior was also observed in older versions of Petya). Upon completion, the PC reboots again and the ransom message is displayed in the modified boot screen. The ransom amount is $300 in bitcoins. After completing the transfer, the user is told to send the wallet ID and personal identification code to the attacker’s address (firstname.lastname@example.org) and receive the decryption key in return. At the moment, 42 transactions have been made and the attackers have earned about $10,000 in Bitcoin equivalent. Interestingly, a couple of hours after the start of the attack, it became known that the attackers did not send the decryption key even after payment.
Today, most antivirus vendors have released signatures to detect the threat.
During the surge in activity of the previous version of Petya, a user under the nickname leostone developed an algorithm that allows decrypting data. There is no decryption tool for this modification. Unlike WannaCry, Petya.A also has no killswitch site that would prevent further data encryption. For this encryptor, however, you can create a file C:\Windows\perfc (without extension) with read-only access rights, which will serve as a local “switch”.
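One way to apply the local “switch” consistently across machines, as an added example that is not part of the original article: the function below creates the read-only perfc file if it is missing and also reports whether perfc.dat, the encryptor file named earlier, is already present in the same directory. The function name and the returned dictionary are hypothetical; on a real host it has to run with administrator rights against the Windows directory.

```python
import os
import stat
import tempfile
from pathlib import Path


def apply_local_switch(windir):
    """Create <windir>/perfc as a read-only file (idempotent) and report
    whether the encryptor file perfc.dat is already on disk."""
    windir = Path(windir)
    marker = windir / "perfc"        # the local "switch" named in the article
    payload = windir / "perfc.dat"   # the encryptor file named in the article
    result = {"payload_present": payload.exists(), "created": False}
    if not marker.exists():
        marker.touch()
        result["created"] = True
    # Drop write permission; on Windows this sets the read-only attribute.
    os.chmod(marker, stat.S_IREAD)
    result["read_only"] = not (marker.stat().st_mode & stat.S_IWRITE)
    return result


if __name__ == "__main__":
    # Uses %WINDIR% on Windows; falls back to a scratch directory elsewhere
    # so the example can be tried without touching a real system.
    target = os.environ.get("WINDIR") or tempfile.mkdtemp()
    print(target, apply_local_switch(target))
```

A host where `payload_present` is true should be treated as already compromised and isolated rather than merely "vaccinated".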
To protect against this type of zero-day attack, Check Point offers one-stop perimeter and endpoint protection solutions: the Check Point SandBlast Zero-Day Protection products. A PoC video provided by Nick McKerall is available at the link:
IBM is leading a campaign to monitor and counter the incident, so users of IBM QRadar with an X-Force subscription can always track malware activity attempts in their IT infrastructure using the Threat Intelligence components.
Qualys has released, for its Vulnerability Manager module, signatures that detect the vulnerabilities exploited by the malware.
As you can see, Petya.A uses the most effective tools available at the moment, taking the attack techniques that were, from an attacker’s point of view, the most successful in the “classic” version of Petya, XDATA and WannaCry. This is not surprising: since the NSA toolkit was published in open access by the Shadow Brokers, attacks of this type will only intensify and become more sophisticated. It is likely that Petya.A is not the last version of the encryptor, and that it will cause trouble not only for Ukrainian companies but for global companies in general.
UPDATE from 29.06
According to information from IBM, the Petya.A encryption virus has moved into the wiper category (data shredder). The purpose of this malware is to destroy as much information as possible, not to obtain a ransom for decrypting files. Petya.A poses as an extortionist and duly takes money for “decryption”, but in fact it generates a unique ID using CryptGenRandom, a cryptographically secure random number generator function. That is, the generated ID does not give the attacker any useful information for decrypting the files. In addition, the mailing address specified in the extortionist’s message is blocked. Thus, it is impossible to contact the creator of the malware and get your files back!
Integrity Vision is the only Check Point Certified Partner in Ukraine for the SandBlast product, which is a universal tool for protection against zero-day attacks. Key features of Check Point SandBlast include:
Integrity Vision’s portfolio includes various information security solutions for any task and scope. We are ready to provide comprehensive protection of your business from financial, organizational and reputational losses. Contact us!