National Authority for Electronic Certification and Cyber Security


WHAT IS PETYA RANSOMWARE?

A few weeks after the WannaCry ransomware attacks, another ransomware is spreading rapidly worldwide, affecting many organizations, including the Ukrainian Central Bank, Merck, and the Russian oil giant Rosneft. The campaign started in Ukraine and spread to Russia, Scandinavia and Western Europe, demanding $300 in bitcoin.

According to information sent by NATO, a new version of the Petya ransomware, known as Petwrap, which spreads rapidly using the same Windows SMBv1 vulnerability as WannaCry, infected over 300,000 systems and servers worldwide within 72 hours last month.

In most cases Petya does not encrypt files one by one. Instead it reboots the victim's computer and encrypts the hard disk's MFT (Master File Table). The Master Boot Record (MBR) then becomes inoperable, and access to the system is restricted because the ransomware has taken over the information about file names, sizes, and locations on the physical disk.

Petya replaces the computer's MBR with its own code, which displays a message and makes it impossible to boot the computer.

Another version, called "PetrWrap / Petya.A", targets individual files in case the reboot fails and may include other malware such as Loki Bot, a banking Trojan that steals credentials and personal data. This ransomware also tries to bypass Windows security by imitating Microsoft's digital signature (a fake certificate bearing the MS Corp. name). (Source: Microsoft)



PROTECTIVE MEASURES:

1. Make sure that your devices running a Windows operating system are up to date according to the MS17-010 security bulletin and that the updates are properly applied. SMB / RDP should be blocked on hosts that have internet access.

2. Disable old protocols including SMBv1, SMBv2, SMBv3.

3. Be vigilant when you open documents from unknown or untrusted sources, especially when you are connected to the Internet. Encrypted documents have extensions: (Source: Microsoft)


4. Block systems that do not have security support, if possible.

5. Any potential incident should be reported to AKCESK.

Security experts have discovered a "vaccine" for the cyberattack that hit organizations around the world yesterday.
Creating a single file can stop the attack only on the device where the file is created. However, no kill switch has yet been found that would stop the ransomware from spreading to other devices, and the origin and purpose of the attack have not yet been determined.
The solution is called perfc
Create a read-only file called perfc and put it in the folder "C:\Windows". The steps you need to follow to get your computer's vaccine are located here.
As mentioned above, this method protects only the computer on which the perfc file has been created, and no solution has yet been found to completely block the further spread of Petya ransomware.
Along with creating the perfc file, for most users simply updating the Windows operating system is an effective measure to stop the infection.
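
The perfc steps above, written as a PowerShell function for the local machine. This is an added example, not part of the original advisory; the function name Set-PerfcVaccine and its -Directory parameter are hypothetical, and it assumes an elevated PowerShell session (version 3.0 or later).

```powershell
#Requires -Version 3.0
# Added example: applies the "perfc" vaccine described above on the local machine.
# Assumption: run from an elevated (Administrator) PowerShell session.

function Set-PerfcVaccine {
    [CmdletBinding()]
    param(
        # Folder named in the advisory; overridable only so the function can be tried in a scratch folder.
        [string]$Directory = $env:windir
    )

    $path = Join-Path -Path $Directory -ChildPath 'perfc'

    # Writing into C:\Windows needs administrative rights; fail early with a clear message.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin -and $Directory -eq $env:windir) {
        throw "Run this from an elevated PowerShell session to write to $Directory."
    }

    # A folder named perfc is not the file the advisory asks for.
    if (Test-Path -LiteralPath $path -PathType Container) {
        throw "$path exists but is a directory, not a file."
    }

    $created = $false
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        New-Item -ItemType File -Path $path -ErrorAction Stop | Out-Null
        $created = $true
    }

    # Set the read-only attribute whether the file is new or was already present without it.
    $file = Get-Item -LiteralPath $path -Force
    $file.IsReadOnly = $true
    $file.Refresh()

    # Report the result so it can be collected when the function is run on many machines.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Path     = $file.FullName
        Created  = $created
        ReadOnly = $file.IsReadOnly
    }
}

Set-PerfcVaccine
```

The function is safe to run repeatedly: an existing perfc file is left in place and only its read-only attribute is enforced.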

 

Published on 28.06.2017