You may have heard that there is a new ransomware campaign leveraging the EternalBlue (MS17-010) exploit from the recent Vault 7 leaks. In less than 36 hours, Petya has had a global impact. Initial reports indicate Petya was targeted at banks and power companies in Ukraine. However, it has spread globally, affecting pharmaceutical companies in the UK, oil shipping companies in Russia, multiple companies across North America and Europe, and transport ships operating in international waters.
Revolutionary Security has been tracking this attack, and we feel that it is important that distilled and actionable information be disseminated immediately. It is easy to find more extended detail on this campaign, but in this article, you will find what you need to know now.
FIRST AN IMPORTANT WARNING: Petya implements whole disk encryption through a CHKDSK ploy during the Windows boot process. If your computer reboots and enters a CHKDSK screen, you should immediately power the computer off and seek assistance with recovery. If CHKDSK is allowed to continue your files will be encrypted, and your data may be difficult or impossible to recover despite promises to the contrary.
Do not pay the ransom. The cybercriminals responsible for this attack can no longer receive email on the address they provide, and if you pay them you will have nothing to show for it – your files will NOT be restored. To date they have received approximately $10,000 from this attack. Paying their ransom may also encourage a second variant by continuing to fund their efforts.
It is important to note that a fully patched and supported Windows system is the best way to prevent this attack. However, Petya spreads much like a self-propagating worm, so any unpatched system or server on your network is potentially vulnerable. Revolutionary Security recommends that you follow the steps below for immediate effect to mitigate the impact of Petya against your company:
Four Practical Steps
- Prevent MS17-010: Microsoft has released updates for all impacted versions of the Windows operating system. Updates addressing this security bulletin will protect you from the worm portion of this attack, but exposure through the email vector will remain.
Please review the Microsoft security bulletin for information on how to patch your systems (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx)
- Prevent CVE-2017-0199: Initial Petya infection appears to have been conducted via email phishing campaigns containing a Word document exploiting an HTA handler vulnerability.
Mitigation: Exercise proper cyber hygiene and do not open attachments that are unknown, from unknown sources, or unexpected.
Mitigation: Review the Microsoft security advisory for information on how to patch your systems (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199)
- Immunize Your Computers: If you have operational systems that are not or cannot be patched, and you have admin access to them, you can implement a best-effort “inoculation” that has been known to halt the spread of this variant of Petya. On installation, the current Petya variant checks for a file with a known name, and if that file is present the ransomware stops execution without infecting the machine further. This is not a complete fix. It will only stop infection on the PCs you have immunized, and only against the current variant of the ransomware.
Mitigation: Leverage your software distribution systems or Group Policy Objects to create the files “C:\Windows\perfc” and “C:\Windows\perfc.dat” to protect your systems prophylactically or for systems that cannot be patched against the exploits. Empty files will work.
Mitigation: If you are not in a corporate environment, you can run the following command in a Command Prompt opened with administrative permissions: echo PETYA FIX > C:\Windows\perfc && echo PETYA FIX > C:\Windows\perfc.dat
- Backup: A good backup process is its own mitigation for many potential issues. As a Petya compromise represents a real risk of permanent data loss, please ensure you know your backup policies and are ready to restore if it becomes necessary. If you do not have a backup strategy and were hit by Petya, there is a possibility that Revolutionary Security can help you recover your data from the Petya-encrypted disk.
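For the “Immunize Your Computers” step above, the following PowerShell script is an added example (not part of the original advisory) that creates the perfc and perfc.dat inoculation files idempotently, marks them read-only, and reports what it did, so the same script can be pushed through Group Policy or a software distribution system and re-run safely. It assumes an elevated session and that $env:SystemRoot points at C:\Windows.

```powershell
# Added example: create the Petya inoculation files described in the advisory.
# Assumes an elevated PowerShell session; $env:SystemRoot is normally C:\Windows.
function Invoke-PetyaInoculation {
    [CmdletBinding()]
    param(
        [string]$WindowsDir = $env:SystemRoot,
        # File names the current Petya variant checks for before running.
        [string[]]$FileNames = @('perfc', 'perfc.dat')
    )

    # Refuse to run without admin rights: writes under %SystemRoot% need them.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Run this from an elevated (Administrator) PowerShell session."
    }

    foreach ($name in $FileNames) {
        $path    = Join-Path $WindowsDir $name
        $existed = Test-Path -LiteralPath $path -PathType Leaf
        if (-not $existed) {
            # An empty file is enough; the ransomware only tests for presence.
            New-Item -Path $path -ItemType File -Force | Out-Null
        }
        # Read-only makes accidental deletion or overwrite slightly harder.
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true

        [PSCustomObject]@{
            Path     = $path
            Created  = -not $existed
            Present  = Test-Path -LiteralPath $path -PathType Leaf
            ReadOnly = (Get-Item -LiteralPath $path).IsReadOnly
        }
    }
}

# Run, show a per-file status table, and exit non-zero if any file is missing
# so a deployment tool can flag hosts that were not inoculated.
$results = Invoke-PetyaInoculation
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Present }) { exit 1 }
```

Re-running the script on an already inoculated host leaves existing files untouched and only reports their state.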
For those of you with the desire to dig deeper into the technical details of the attack, BinaryDefense has one of the best technical write-ups out currently.