A modified version of Petya Ransomware is spreading fast !

While WannaCry continue to make victims (Honda in Japan some days ago), NotPetya is spreading fast infecting computers from corporates, power supplies and bank. It started with Ukraine, then Russia, Spain, France, UK, India …

What is NotPetya :

This new variant of Petya Ransomware, know as Petrwrap or NotPetya use same SMBv1 vulnerability than WannaCry to propagate fast (Thanks to NSA Hack tools that was leaked …).

But it exploit also WMIC (Windows Management Instrumentation Command-line) and PSEXEC  (a replacement of Telnet on Windows Systems), 2 remote command tools from Microsoft to propagate. So it can infect PC previously patched against SMBv1 exploit (used for WannaCry).

Petya is more vicious because it didn’t just encrypt your files one per one, but encrypt the file system : This mean that your PC will stop to boot your OS but ask you $300 for the ransom key. Once you see the ransom message you will not even be able to mount and read your disk from a safe PC.

NotPetya in its variation is even worst because it really replace the MBT (Master Boot Table), so you can not recover even if you pay the ransom. Moreover the email address used for the ransom was disabled. So don’t loose time and money paying the ransom : it will not work !

So NotPetya is not an ransomware, it destroy your datas. It’s not made to make money.

 

Once your computer is infected, it start infecting other Windows PC in the same local network. Then one hour later it shutdown your PC, then write on MBR (Master boot record) and MBT (Master boot table), then encrypt your file system. And your screen will look like that :

So if your PC shutdown and you think you was targeted by this malware : keep it OFF. Then remove the hard disk and try to read and backup your important datas from a safe running PC  (use an SATA->USB adapter to hotplug the disk).

Recommendations :

• Update your PC : make sure you have last Windows update and Anti-virus update.
• Do a backup of all your important datas, then keep the backup in safe place and disconnected from your PC.
• Be really prudent about fishing (mail, web), and download software only from official web site.
• If you using accounting software that force you to keep using old version of MS-Windows, MS-Office, or weak technology (old 32bits web browser, Java plugin, ActiveX, Flash) : complain to the editor ! They must do their job updating their software not to force you using unsafe environment.
• If you have infected PC on your network, then unplug the network cable.
• If you have infected PC on your network and your PC reboot : Keep it OFF. then try to read your file from a safe PC.
• Warning : when you are in co-working place or free WiFi access the risk is higher. Better to activate your firewall in that case.
• If you have an old spare computer, don’t keep it with old version of MS-Windows, use it as backup system with a fresh Linux Install or buy an Raspberry Pi.

 

 

Where it come from :

Security experts say accounting program provider MeDoc was breached and NotPetya  was spread via their software updates. Of course they deny it …

Lot of accounting softwares force users to keep old version of MS-Windows to work. So it really help to propagate.

It started in Ukraine, spread fast in Ukraine Government institutions, banks, firms and then to subsidiaries and partners sharing the same network.

As the NotPetya kill your PC pretty fast (one hour), and propagate via local network only, it explain that 90% of the victims are in Ukraine or company sharing local network here.

 

Be prepared to Worst later :

With longer incubation time for example it would had give a chance to laptops to infect PC on public WiFi access, home place or other company network.

With additional way of propagation (spreading stuff by email or skype to all victims contacts) it would be even worst …

 

They are more leaks about NSA/CIA Hacking Tools coming.

They was a big leak of Windows 10 code source last week, this should inspire some new attacks.

You will see variant of existing malware or new ones … and not only on MS-Windows.

So do updates of all your systems but also change default password (even your iOT devices).

So thing could have been worst, and you must be prepared to future stronger attacks !

 

 

 

Know Victims :

Infected Power Companies : Russian state-owned oil giant Rosneft, Ukrainian state electricity suppliers, “Kyivenergo” and “Ukrenergo”. The computers that mesures radioactivity at Tchernobyl are affected too.

Infected Banks : National Bank of Ukraine (NBU), Oschadbank

Infected Businesses : Maersk (Danish shipping company, but infected in UK and Ireland too), Antonov (aircraft manufacturer), Mondelez (Spanish food giant), DLA Piper (Legal firm), St Gobain (French construction materials), Mars, Nivea, Auchan, Merck (US Pharmaceutic group), US Hospital.

Infected Transport : Kiev’s metro, Kiev’s Boryspil Airport and postal services.

Infected Telecom : 3 Ukrainian telecommunication operators (Kyivstar, LifeCell, Ukrtelecom)

 

Look like actually 9 victims paid the ransom … for nothing, because it didn’t recover your datas.

 

 

 

Updates :

20170627 :

– don’t pay, you will not get your files back because hacker email address have been suspended.

– if you are infected and your PC reboot, don’t power it up, then try to get your data from another PC or live CD. The encryption seem to be done after the restart.

– Amit Serper‏ while searching for a kill switch found an vaccine for #NotPetya : Just create a file “C:\Windows\perfc” and made that file read only.

 

Massive Global Ransomware Attack Underway. Please make sure you done all recent Windows Update to protect your PC and your precious DATA.

 

It’s now confirmed from many source :

WannaCryptOr/WannaCry ransomware is infecting Windows computers and is very virulent because of its mode of propagation.

Big infrastructures already have been infected including government agencies, hospital, ISP …

Once one computer is affected the malware infection spreads on other computers of same network using SMB vulnerability. So it may spread inside private network but also free WiFi.

From what we know Microsoft fixed this vulnerability on its Windows updates on March 14th (MS17-010). So if you didn’t yet, please update.

This Windows exploit come from the NSA Hacking tools called EternalBlue, which was dumped by the Shadow Brokers hacking group over a month ago.

 

What is Ransomware :

It’s a malware that insidiously encrypt all your personal DATA, then lock down your system and ask you money (bitcoins) to unlock your system and give you back access to your data.

As your DATA are encrypted on your system you can’t retrieve the data by yourself.

 

How to protect :

• Have your system and software up-to-date (your OS, but also your web browser, your Office suite and your chat application as vulnerabilities here are the best way to get control of your system).
• Regularly do backup of your important DATA on an external Storage, then unplug it (else your backup may be affected too).

 

Updates :

• [20170513] Microsoft officially ended its support for Windows XP  in 2014, but just done an special update because lot of sensible organisation, including England’s National Health Service hit yesterday, was still using this old version of Microsoft Windows. So if you are using old version of Microsoft Windows : Windows XP, Windows 8, Windows Visa, and Windows Server 2003, you can get the special patch here on its update catalog. Microsoft web site may be  a little slow right now …
• [20170513] To help with busy web site Microsoft published more information and direct download links.
• [20170514] Windows 10 PC seem to be safe against this local network propagation (but still vulnerable from other classic way : phishing, download, …).
• [20170514] Some security researchers found a kiil-switch inside the ransomware code that stop propagation. If one special domain name exist then it stop. They bought that domain name so now it exist for real, so please don’t block access to DNS if your network is infected, it may save some of your PC if not too late.
• [20170514] As expected WannaCry 2.0 is already out, without this kill-switch, so the propagation continue with this one …
• [20170514] WikiLeaks just released info from CIA Windows Malware Frameworks … so be prepared to see more attack of this kind in the next month …
• [20170515] If you want to be safer for current infection but also future exploits, then disable the really old and unsecure SMB 1.0 protocol on your PC (it have been replaced by 2.0 & 3.0 since long time, so you shouldn’t need 1.0 anymore) : 
• [20170516] The Hacking collective Shadow Brokers is promising to release more exploits for various desktop and mobile platform in June 2017. So be prepared to more weird attack in near future, and not only on outdated Windows machine. I recommend to keep each of your computer, smartphone or IoT updated, patched and please change default or weak password …
• [20170516] Today Apple released security update for MacOS, iOS, WatchOS and TvOS …
• [20180518] French security researchers found a way to retrieve the deleted encryption key in memory if you PC didn’t rebooted since the infection, and if the memory wasn’t reallocated … you can try if you are lucky : info about free unlock on TheHackerNews.
• [20180519] Researchers found that a more discret malware using the same NSA tools infected hundreds of thousands of computers since beginning of the month. This malware named Adylkuzz use infected computers for mining cryptocurrency, and may not be noticed (It will only make the computer slow). More info here.
• [20180519] Information about another Hacking tool from the CIA was released : Athena. It target Windows XP to Windows 10. More information here. Don’t be surprised if new malware exploit this soon.
• [20180321] A really well done article about ransomware and how to protect yourself can be read here https://pixelprivacy.com/resources/ransomware/