Ransomware: It’s happened again…

Posted by Elliot Dacosta on 28 June, 2017

Today we woke up to the news of yet another ransomware attack targeting businesses around the globe. Ukraine seems to have felt the brunt of the Petya attack, which renders you unable to log into your machine – even if you pay the ransom – but countries across the world have also been hit, including France, Denmark and the USA.

The ransomware encrypts files on the machine and demands that the user send the equivalent of $300 in bitcoin, with contact via an email address. That address has since been shut down, so paying cannot help, but the attack had already done its damage.

This ransomware is spread by a worm: it automatically replicates and infects other machines. The worm functionality appears to make use of several software vulnerabilities, as well as system utilities such as psexec and WMI, which can be used to execute code on remote systems. Infection may also occur independently of the worm capability, for example when the malware is delivered directly through malicious email attachments.

Specialist Countercept teams are still investigating this, and additional work streams are under way to correlate the activity being seen globally and identify which activity is and is not related to this ransomware.

Ransomware attacks are a daily occurrence; however, large-scale attacks are becoming increasingly common as attackers find new ways to evade the defences in place to stop them.

Here at Solar we pride ourselves on maintaining the highest levels of security possible, as evidenced by our ISO27001 accreditation, which demonstrates our commitment to complying with regulatory and contractual requirements on data security, privacy and IT governance for sensitive and confidential information.

Our initial advice based on what we have learned so far is summarised below; please be aware that it may change as more is learned.

In order to reduce the likelihood of becoming infected, the following steps are recommended:

  • Patch the following vulnerabilities, which the malware may use:
    o   CVE-2017-0199
    o   CVE-2017-8543
    o   MS17-010 (the so-called EternalBlue exploit)
  • Ensure port 445 (SMB) is not accessible from the internet, and is blocked as far as feasible on internal networks
  • Block network access to the following:
    o   french-cooking.com
    o   84.200.16.242
    o   185.165.29.78
    o   111.90.139.247
    o   95.141.115.108
  • Create the following file and set it to be read-only: C:\Windows\perfc.dat
  • Consider powering down non-critical systems
  • Be especially careful opening Office documents from unknown or suspicious sources

You may be able to detect if a host has been affected, and possibly catch it before the actual encryption of files begins, by looking for the following:

  • The following scheduled task, set to execute an hour after infection, which will reboot the system to begin the encryption process: schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST <TIME>
  • The existence of the following file (which is in fact a copy of the psexec utility): %PROGRAMDATA%\dllhost.dat
  • The existence of the file C:\Windows\perfc.dat

You may be able to stop the ransomware on a host after it is infected if you catch it quickly enough.

  • A scheduled task reboots the system 1 hour after initial infection; it is only then that files are encrypted
  • After the reboot, a modified Master Boot Record (MBR) runs code which encrypts files
  • Remove the scheduled task, and fix the MBR using the Repair utility on Windows installation media
  • The scheduled task looks like: schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST <TIME>
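As an added example (not code from the original post or from Solar), the following PowerShell script checks a single host for the indicators listed in the two sections above and optionally applies the perfc.dat vaccine, removes a matched reboot task, and blocks the listed IP addresses. It assumes an elevated session on Windows 8 / Server 2012 or later (for the ScheduledTasks module); the switch names and the firewall rule name are this script's own choices.

```powershell
# Added triage script for the host indicators in the advisory above; not Solar's code.
# Assumes an elevated session on Windows 8 / Server 2012+. Switch names are this script's own.
param(
    [switch]$RemoveRebootTask,   # unregister any task matched in step 1
    [switch]$Vaccinate,          # create the read-only C:\Windows\perfc.dat from the post
    [switch]$BlockHosts          # outbound firewall rule for the IPs listed in the post
)
$findings = @()
# 1. Scheduled task whose action is a forced reboot (shutdown.exe /r /f).
#    Match on the action, not the name: the post's schtasks line uses /TN "".
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        if ($action.Execute -match 'shutdown' -and
            $action.Arguments -match '/r' -and $action.Arguments -match '/f') {
            $findings += "Reboot task '$($task.TaskName)' in $($task.TaskPath): " +
                         "$($action.Execute) $($action.Arguments)"
            if ($RemoveRebootTask) {
                $task | Unregister-ScheduledTask -Confirm:$false
                $findings += "  removed task '$($task.TaskName)'"
            }
        }
    }
}
# 2. Files named in the post. dllhost.dat is a copy of psexec per the post, so it should
#    carry PE version info; perfc.dat is also what the vaccine creates, so report its
#    read-only state and creation time rather than treating presence alone as proof.
foreach ($p in "$env:ProgramData\dllhost.dat", "$env:SystemRoot\perfc.dat") {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p
        $findings += "File present: $p (bytes=$($item.Length), readonly=$($item.IsReadOnly), " +
                     "created=$($item.CreationTime), company='$($item.VersionInfo.CompanyName)')"
    }
}
# 3. Vaccine from the post: an existing, read-only C:\Windows\perfc.dat.
if ($Vaccinate) {
    $v = "$env:SystemRoot\perfc.dat"
    if (-not (Test-Path -LiteralPath $v)) { New-Item -Path $v -ItemType File | Out-Null }
    Set-ItemProperty -LiteralPath $v -Name IsReadOnly -Value $true
    $findings += "Vaccine applied: $v is read-only"
}
# 4. Outbound block for the IPs in the post (the domain needs DNS-level blocking instead).
if ($BlockHosts) {
    New-NetFirewallRule -DisplayName 'Petya advisory block' -Direction Outbound -Action Block `
        -RemoteAddress '84.200.16.242','185.165.29.78','111.90.139.247','95.141.115.108' | Out-Null
    $findings += "Firewall rule 'Petya advisory block' created"
}
if ($findings.Count -eq 0) { "No advisory indicators found on $env:COMPUTERNAME" } else { $findings }
```

Run it without switches first and review the output; a perfc.dat you created yourself as a vaccine will be reported in step 2 as expected.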


For further in-depth information, please download the guide attached below:

Solar Petya Decryption Guide

For any further information, please contact us at info@solar.co.uk or call 0330 3333 999