A new Ransomware variant with worm like capabilities has infected many organizations around the world. The media is calling it “Petya” but it is not similar to the Petya variants seen before. In the propagation process, the malware enumerates all network adapters, all known server names via NetBIOS and also retrieves the list of current DHCP leases, if available. Each and every IP on the local network and each server found is checked for open TCP ports 445 and 139. Those machines that have these ports open are then attacked with one of the methods described above.
The malware has three mechanisms used to propagate once a device is infected:
Malware writes its code to Hard Drive MBR, initiates system reload and adds reload commands to Windows planner (“schtasks” and “at” commands). After the system is reloaded the malware downloads its code from MBR and encrypts data on the hard drive.
If the computer is shut down before the reload, MBR can be reestablished with “bootrec /FixMbr” command. (in Vista+, for Windows XP “fixmbr” can be used).
In case the privileges are not high enough to rewrite MBR, the files are encrypted without a system reload. The list of file types that are encrypted:
3ds,7z,accdb,ai,asp,aspx,avhd,back,bak,c,cfg,conf,cpp,cs,ctl,dbf,disk,djvu,doc,docx,dwg,eml,fdb,gz,h,hdd,kdbx,mail,mdb,msg,nrg,ora,ost,ova,ovf,pdf,php,pmf,ppt,pptx,pst,pvi,py,pyc,rar,rtf,sln,sql,tar,vbox,vbs,vcb,vdi,vfd,vmc,vmdk,vmsd,vmx,vsdx,vsv,work,xls,xlsx,xvd,zip.
The Malware also clears system logs.
Make sure to update Microsoft Windows and all third party software. It’s crucial to apply the MS17-010 bulletin immediately.
Most Anti-Virus vendors now have signatures for this ransomware sample but other samples with similar characteristics may not have proper detection rates.
Microsoft has also advised on how to disable smbv1 which can be an additional mitigation.
A potential (unverified by TechCERT) kill switch has been found within the samples:
The creation of the file “C:\Windows\perfc”.
Additional information shows that the killswitch requires the following:
Simply, all that is needed are 3 files (perfc, perfc.dll, and perfc.dat) to already exist on the Windows machine, under C:\Windows, with READONLY permissions.
