Petya or NotPetya: the next day. How the ransomware works and spreads

A new, massive wave of ransomware attacks is under way, causing chaos in airports, banks, businesses and many other governmental and non-governmental organisations across Europe. The cause is Petya (or NotPetya), a new form of ransomware that, like WannaCry, uses EternalBlue to penetrate Windows computers.

The main difference?

WannaCry was disastrous, but it was a bug-ridden tool created by amateurs. Petya, according to experts, is no amateur tool but powerful ransomware that can infect any version of Windows, including Windows 10.

Petya or NotPetya

Let's see how it spreads and how this destructive ransomware works.

According to Kaspersky's security team, the ransomware spreads with the help of a customised build of the Mimikatz tool. This extracts the credentials needed for propagation from the lsass.exe process. LSASS, the Local Security Authority Subsystem Service, is one of the most critical system processes in Windows.

"Malware uses a variety of tools to spread across a network, infecting computers in the process. It uses a tweaked build of the Mimikatz open source tool to extract the network administrator credentials from the machine's memory. It then uses these credentials to connect to other machines and execute commands on them using PsExec and WMIC, infecting them."
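One way to look, from the defender's side, for the PsExec and WMIC traces that the quote describes, as an added example that is not part of the article or of Kaspersky's report. It assumes an elevated PowerShell on a Windows host, and that the Security log has process-creation auditing (event 4688 with command-line logging) enabled; the function names are this example's own.

```powershell
# Added example, not from the article: hunt for the PsExec / WMIC lateral
# movement the quote describes, using the host's own event logs.
# Assumptions: elevated PowerShell; for Find-WmicRemoteProcessCreate the
# "Audit Process Creation" policy with command-line logging must be on.

function Find-PsExecServiceInstall {
    param([int]$Days = 7)
    # PsExec registers a temporary service named PSEXESVC on the machine it
    # connects to; the System log records each new service as event ID 7045,
    # so this finds hosts that were *targeted* with PsExec.
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'PSEXESVC' } |
        Select-Object TimeCreated, MachineName, @{ n = 'Account'; e = { $_.UserId } }, Message
}

function Find-WmicRemoteProcessCreate {
    param([int]$Days = 7)
    # Security event 4688 = process creation. wmic.exe with "/node:" and
    # "process call create" is the remote-execution form quoted above; it is
    # logged on the host that *issued* the command, i.e. an infected source.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Message -match 'wmic\.exe' -and $_.Message -match '/node:' -and
            $_.Message -match 'process\s+call\s+create'
        } |
        Select-Object TimeCreated, Message
}

function Find-LateralMovementTraces {
    param([int]$Days = 7)
    $svc  = @(Find-PsExecServiceInstall -Days $Days)
    $wmic = @(Find-WmicRemoteProcessCreate -Days $Days)
    [pscustomobject]@{
        PsExecServiceInstalls = $svc.Count
        WmicRemoteCreates     = $wmic.Count
        FirstSeen             = ($svc + $wmic | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
    }
}

# Summary for the last week; call the two Find-* functions directly for the raw events.
Find-LateralMovementTraces -Days 7 | Format-List
```

Legitimate administrators also use PsExec and WMIC, so treat a hit as a lead to correlate with the timing of the outbreak rather than as proof of infection on its own.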

The attack is believed to have started through a compromised update of the Ukrainian MeDoc accounting software, which is used by many governmental organisations in the country. According to reports, this is why Ukraine was hit harder than any other country.

Kaspersky reports that over 60 percent of the attacks took place in Ukraine, with Russia second on the list at 30 percent. And these are only the initial findings of the company's ongoing research.

How does Petya work?

Once the malware infects a computer, it stays idle for about an hour and then restarts the system. After the reboot the files are encrypted and the victims see a ransom note on their screen. During the reboot, victims are warned not to switch off the system or they may lose their files.

How many ransoms have been paid so far?

As already mentioned, ransom payments are made in Bitcoin, and all transactions to the attacker's wallet address can be seen at the following link:

https://bitref.com/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

So far 42 payments have been made, totalling about 4 BTC (~$10,000).

Petya or NotPetya?

Symantec, as well as several other security companies and analysts, believes that the new ransomware belongs to the Petya family. The "Petya" ransomware was first detected in 2016, according to Symantec researchers.

"Petya is from 2016. It differs from standard ransomware because it does not only encrypt files but also replaces and encrypts the master boot record (MBR)," the company said.

However, Kaspersky Lab appears to disagree, noting that this is a new form of ransomware that belongs to its own classification and is appearing for the first time, and naming it "NotPetya".

In any case, one thing is certain: Petya or NotPetya is still intact, and this time there does not seem to be a kill switch to stop its frantic course. All that remains is to see how this will develop.

UPDATE 28/06/2017
To prevent a possible infection, users and administrators should make sure their systems have the latest security update released by Microsoft to address the SMB exploits in Windows. The patch, "MS17-010", can be found at the following link: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx. In addition, SMBv1 should be disabled and inbound access to ports 137, 138, 139 and 445 should be blocked.
UPDATE 29/06/2017
According to a Microsoft announcement, Windows Defender detects the new ransomware as 'Ransom:Win32/Petya', so make sure you are running definition version 1.247.197.0 so that the antivirus can block the threat.
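An added example (not from the article or from Microsoft) that audits a Windows host against the three recommendations in the 28/06 update and, optionally, applies the SMBv1 and firewall ones. It assumes an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later; the MS17-010 KB numbers differ per Windows version and are not given in the article, so `$Ms17010Kbs` is a placeholder to fill from the bulletin.

```powershell
# Added example, not from the article: check a host for the MS17-010 patch,
# SMBv1 status and inbound NetBIOS/SMB port blocking, then optionally harden.
# Assumptions: elevated PowerShell, Windows 8.1/Server 2012 R2 or newer.

$Ms17010Kbs = @('KB0000000')   # PLACEHOLDER: this OS's MS17-010 KB id(s) from the bulletin
$SmbPorts   = @(137, 138, 139, 445)

function Test-Ms17010Installed {
    $installed = (Get-HotFix).HotFixID
    $found = $Ms17010Kbs | Where-Object { $installed -contains $_ }
    [pscustomobject]@{ Check = 'MS17-010 patch'; Ok = [bool]$found; Detail = ($found -join ', ') }
}

function Test-Smb1Disabled {
    # SMBv1 has two switches: the optional Windows feature and the SMB server setting.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $server  = Get-SmbServerConfiguration
    $ok = ($feature.State -ne 'Enabled') -and (-not $server.EnableSMB1Protocol)
    [pscustomobject]@{ Check = 'SMBv1 disabled'; Ok = $ok
                       Detail = "feature=$($feature.State) server=$($server.EnableSMB1Protocol)" }
}

function Test-SmbPortsBlocked {
    # Collect the local ports covered by enabled inbound Block rules. Port ranges
    # such as "137-139" are not expanded, so a range-based rule shows as missing.
    $blocked = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
        Get-NetFirewallPortFilter | ForEach-Object { $_.LocalPort } | ForEach-Object { "$_" }
    $missing = $SmbPorts | Where-Object { $blocked -notcontains "$_" -and $blocked -notcontains 'Any' }
    [pscustomobject]@{ Check = 'Ports 137/138/139/445 blocked'; Ok = ($missing.Count -eq 0)
                       Detail = "missing: $($missing -join ', ')" }
}

function Invoke-SmbHardening {
    # Apply the update's SMBv1 and firewall recommendations (reboot to finish SMBv1 removal).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    New-NetFirewallRule -DisplayName 'Block inbound NetBIOS (UDP 137,138)' -Direction Inbound `
        -Action Block -Protocol UDP -LocalPort 137,138 | Out-Null
    New-NetFirewallRule -DisplayName 'Block inbound NetBIOS/SMB (TCP 139,445)' -Direction Inbound `
        -Action Block -Protocol TCP -LocalPort 139,445 | Out-Null
}

# Report first; run Invoke-SmbHardening only where the host does not serve SMB shares.
& { Test-Ms17010Installed; Test-Smb1Disabled; Test-SmbPortsBlocked } | Format-Table -AutoSize
```

Blocking inbound 445 on a file server or domain controller breaks legitimate SMB, so apply the firewall rules to workstations and scope them with `-RemoteAddress` where servers need selective access.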
