Petya Ass It's Ransomware Again!

FrgMstr

Update 2: While not confirmed, it looks as if Petya / Petwrap is a fake MS certification to run PSEXEC with stolen/blackmarket SMB logins.

Update: Our in-house security expert is telling me that Petya / Petwrap looks to be a worm with multiple propagation functionality. "The worst I have ever seen. Ever. This is going to be very bad." So far this is looking to affect all Windows OS variants. The latest patch from Microsoft for EternalBlue likely does nothing for Petya. There is no killswitch.

Twitter is alive and well this morning and it seems that a new strain of ransomware known as "Petya" is getting a lot of attention over in the Ukraine and elsewhere. This looks to possibly be a Zero Day exploit (meaning that there is likely no immediate patch for this) that is spinning up much like the Wannacry ransomworm that was just dealt with recently. And others are suggesting that it is simply another SMB protocol exploit. We are waiting for our in-house security expert to give us some insight from his own sandbox. Petya, also known as Petwrap, has already hit Russia Russia Russia, Spain, and France very hard, but is quickly spreading across Europe and Asia. This Ransomware gives a fake ChkDsk screen that appears to run but is actually encrypting your data. The Hacker News has some insight.

Petya is a nasty piece of ransomware and works very differently from any other ransomware malware. Unlike other traditional ransomware, Petya does not encrypt files on a targeted system one by one.

Instead, Petya reboots victims' computers and encrypts the hard drive's master file table (MFT), rendering the master boot record (MBR) inoperable and restricting access to the full system by seizing information about file names, sizes, and location on the physical disk.
 
I wonder why it is that the places in the U.S. don't get hit as hard. I know for certain that there are plenty that don't have any sort of patching in place. But yet it still seems to barely make a dent here compared to other countries.
 
Mmm if it's just the MFT and MBR wonder how difficult it would be to just pull files, not exactly something exotic to recover files from a corrupt mft, granted a pain.
 
So it uses the same exploit as the previous malware, which was patched weeks ago.... Any company that gets infected deserves it, there was plenty of warning and time to patch... Our whole company made sure patches were pushed to all workstations/servers to avoid this.
 
So it uses the same exploit as the previous malware, which was patched weeks ago.... Any company that gets infected deserves it, there was plenty of warning and time to patch... Our whole company made sure patches were pushed to all workstations/servers to avoid this.

Oh, did you miss this part?
This looks to possibly be a Zero Day exploit (meaning that there is likely no immediate patch for this) that is spinning up much like the Wannacry ransomworm that was just dealt with recently.

I guess we'll need to wait and see, but you might need to check your understanding of reading.
 
So it uses the same exploit as the previous malware, which was patched weeks ago.... Any company that gets infected deserves it, there was plenty of warning and time to patch... Our whole company made sure patches were pushed to all workstations/servers to avoid this.
Chances are that the companies not affected by it haven't even heard about it. At least at the executive level. And a few IT employees can't make enough noise from down below in a few weeks to get the attention of the business managers.
 
I guess we'll need to wait and see, but you might need to check your understanding of reading.
Read the full article it says this probably uses the same exploit as wannacry, but it's yet to be confirmed.
 
That pic gave me some serious flashbacks of the awesome Toshiba plasma screens from the 80's. Those things were awesome!

 
Update: Our in-house security expert is telling me that Petya / Petwrap looks to be a worm with multiple propagation functionality. "The worst I have ever seen. Ever. This is going to be very bad." So far this is looking to affect all Windows OS variants. The latest patch from Microsoft for EternalBlue does nothing for Petya. There is no killswitch.
 
The articles do not mention how it's initially contracted. Can we assume the usual email fail clicking?
 
I wonder why it is that the places in the U.S. don't get hit as hard. I know for certain that there are plenty that don't have any sort of patching in place. But yet it still seems to barely make a dent here compared to other countries.

Because most of us purchased a legitimate copy of Windows.
 
Update 2: While not confirmed, it looks as if Petya / Petwrap uses a fake MS certification to run PSEXEC with stolen/blackmarket SMB logins.
 
Recovery should not be too problematic as NTFS backs up the boot table and MFT. The utility required, Testdisk, is here.
 
Stupid people going to click on stupid things. How I do enjoy reading about it though.
 
Kaspersky just mentioned it's not a variant of Petya but something new. 2k infections so far, mostly in Russia/Ukraine.

Edit: Link:

hahaha, Kaspersky has named it NotPetya, lol.
 
Didn't [H] have an article about Wannacrypt showing that it was a currency manipulation job? I wonder if this is a repeat attempt?
 
Didn't [H] have an article about Wannacrypt showing that it was a currency manipulation job? I wonder if this is a repeat attempt?
Was a theory thrown out there, but not provable.
 
"UDS:DangerousObject.Multi.Generic" basically means: "We don't know if it's a virus or not but it seems to have a lot of system level activity so we better flag it for the users."
Kaspersky is really bad about using this classification on even good software (aka everything I release gets detected as this because it's system level software).

Hurray for heuristic scanners or something
 
"UDS:DangerousObject.Multi.Generic" basically means: "We don't know if it's a virus or not but it seems to have a lot of system level activity so we better flag it for the users."
Kaspersky is really bad about using this classification on even good software (aka everything I release gets detected as this because it's system level software).

Hurray for heuristic scanners or something
Symantec isn't much better. In 7 years here, Symantec has flagged our software about 6 times.
 
Oh, did you miss this part?


I guess we'll need to wait and see, but you might need to check your understanding of reading.


Something along the lines of an attack vector not being the same thing as the payload which is what does the damage, like wannacry's payload, using a different attack vector.
 
Didn't [H] have an article about Wannacrypt showing that it was a currency manipulation job? I wonder if this is a repeat attempt?

The last I remembered hearing was that this was a false flag and that the FBI was saying it's the North Koreans doing it just for the damage value. Something about no one actually cashing in much.
 
I am so glad the US government kept these exploits secret for their own use, oh wait, as always with exploits they get out in the wild.
 
Read the full article it says this probably uses the same exploit as wannacry, but it's yet to be confirmed.

No, but I read the linked article that says it's using the same exploit as wannacry....

Something along the lines of an attack vector not being the same thing as the payload which is what does the damage, like wannacry's payload, using a different attack vector.

Yes, thanks all for pointing out my first class ticket all aboard the fail train. :( Remind me to never post before coffee time. Apologies Biz.
 
Yes, thanks all for pointing out my first class ticket all aboard the fail train. :( Remind me to never post before coffee time. Apologies Biz.

The man is gracious and humble all at the same time.

Well I'm not going to throw him the salt. He carries the wound well enough as is ;)
 
So how does this spread? If your company was already infected, but you never turned on your computer today...would the payload already be there? This thing is brutal.

From what I've seen it seems to spread using a number of different vulnerabilities that so far have all been fixed including the SMB flaw WannaCry used, some years ago if the info I saw earlier was correct. Again this seems to mostly be about unpatched software though you could get the payload through email, that's one of the attack vectors.

If Microsoft was ever thinking about backing down more from its forced updates, it has to some degree with 10 Pro, I think the last two months are forcing their hand. Updates are not a panacea but this is kind of crazy if what I'm reading about this is correct. Years old flaws still being effective?
 
From what I've seen it seems to spread using a number of different vulnerabilities that so far have all been fixed including the SMB flaw WannaCry used, some years ago if the info I saw earlier was correct. Again this seems to mostly be about unpatched software though you could get the payload through email, that's one of the attack vectors.

If Microsoft was ever thinking about backing down more from its forced updates, it has to some degree with 10 Pro, I think the last two months are forcing their hand. Updates are a panacea but this is kind of crazy if what I'm reading about this is correct. Years old flaws still being effective?
I'm no fan of the NSA's part in this, but AFAICT, this is a case of negligence by IT or management. There's just no excuse for not applying patches that are almost 4 months old. People who don't apply patches are like parents who don't vaccinate their kids.
 
So how does this spread? If your company was already infected, but you never turned on your computer today...would the payload already be there? This thing is brutal.

Petya/NotPetya is introduced to a system via an RTF exploit in Microsoft Office (malicious Word doc). It is speculated that it is also introduced through a compromised software update to MeDoc accounting software used in Ukraine.
Once the malicious doc is activated it will serve as a Petya downloader. The ransomware will hit the target box and immediately shift into SMB scanning a la EternalBlue. If it can't find success with EB it will shift to an ARP scan, followed by attempting lateral movement via WMIC $Admin and PSEXEC rolled out with a fake MS Cert.

Infection will commence on each device after a schtask is started setting a Windows restart /r /f condition. A timer will then count down between 10 and 60 minutes before initiating that task. In the meantime the malware is scanning within a subnet with various tools looking for targets. It will also create a perfc.dat file in the C:/Windows directory (which is why the vaccination works with a read only file of that name). Rundll32.exe is used heavily.

Patching is only partially effective due to the "swiss army knife" nature of this malware's propagation mechanism including everything from EB to PSEXEC and WMIC. That being said, unpatched systems will get pwned extremely rapidly as EB is incredibly fast at prop.
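As an added illustration (not from the thread or any of its posters), a small Python detector that flags the chain the post above describes when run over process-creation events: a scheduled forced reboot via schtasks, rundll32 loading C:\Windows\perfc.dat, and psexec or wmic remote execution spawned from rundll32. The hostnames, IPs, user names, the rundll32 entry-point ordinal and the sample events themselves are constructed placeholders, not real telemetry.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (e.g. what Sysmon Event ID 1 exports)."""
    host: str
    parent: str
    image: str
    cmdline: str


# Constructed sample events; hosts, IPs, users and the ",#1" entry point are placeholders.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "WINWORD.EXE", "rundll32.exe",
              r'rundll32.exe C:\Windows\perfc.dat,#1 30'),
    ProcEvent("ws01", "rundll32.exe", "schtasks.exe",
              r'schtasks /Create /SC once /TN "" /TR "shutdown.exe /r /f" /ST 14:42'),
    ProcEvent("ws01", "rundll32.exe", "wmic.exe",
              r'wmic /node:"10.0.0.7" /user:"corp\svc" process call create "rundll32.exe C:\Windows\perfc.dat,#1"'),
    ProcEvent("ws01", "rundll32.exe", "psexec.exe",
              r'psexec.exe \\10.0.0.8 -accepteula -s -d rundll32.exe C:\Windows\perfc.dat,#1'),
    ProcEvent("ws02", "explorer.exe", "schtasks.exe",
              r'schtasks /Query /TN Backup'),  # benign: must not fire
]

# Each rule is (name, predicate). Patterns follow the behaviours the post lists;
# baseline against your own environment before alerting on them.
RULES = [
    ("scheduled_forced_reboot",
     lambda e: e.image.lower() == "schtasks.exe"
               and "/create" in e.cmdline.lower()
               and re.search(r"shutdown(\.exe)?\s+(/r\s+/f|/f\s+/r)", e.cmdline, re.I)),
    ("perfc_loaded_via_rundll32",
     lambda e: e.image.lower() == "rundll32.exe"
               and re.search(r"\\windows\\perfc(\.dat|\.dll)?\b", e.cmdline, re.I)),
    ("remote_exec_from_rundll32",
     lambda e: e.parent.lower() == "rundll32.exe"
               and (e.image.lower() == "psexec.exe"
                    or (e.image.lower() == "wmic.exe"
                        and "/node:" in e.cmdline.lower()
                        and "process call create" in e.cmdline.lower()))),
]


def detect(events):
    """Return (host, rule_name, cmdline) for every event that matches a rule."""
    return [(e.host, name, e.cmdline) for e in events for name, pred in RULES if pred(e)]


if __name__ == "__main__":
    for host, rule, cmd in detect(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {cmd}")
```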
 