ITB - IT Solutions for the next generation
linkedin logo twitter logo facebook logo google+ logo
 

Petya or ExPetr Latest Ransomware Outbreak

Wednesday, June 28, 2017
Petya or ExPetr Latest Ransomware Outbreak

It seems like only weeks since the WannaCry outbreak that wreaked havoc among computer systems (especially legacy operating systems) through out the world and hit the NHS particularly hard. 

Yesterday we feared it was all about to start again with a new Variant of the Petya Ransomware Virus which has been adapted to use the EternalBlue Exploit Kit leaked from the NSA's private stash of OS exploits.

One of our close partners Kaspersky Labs have released some information regarding this Variant: 

"Our preliminary findings suggest that it is not a variant of Petya ransomware as publically reported, but a new ransomware that has not been seen before. While it has several strings similar to Petya, it possesses entirely different functionality. We have named it ExPetr."

Kaspersky telemetry data have indicated that around 2,000 system have been affected so far. Mainly in Russia and the Ukraine but also systems in Poland, Italy, the UK, Germany, France and the US have been compromised. 

Kaspersky state: "This appears to be a complex attack, which involves several vectors of compromise. We can confirm that modified EternalBlue and EternalRomance exploits are used by the criminals for propagation within the corporate network."

The ExternalBlue exploit affects un-patched windows operating systems from Windows XP through to Windows 7 and uses the SMBv1 (file sharing) Protocol. Users who have installed the Microsoft MS17-010 patches have greater protection from this exploit but we have seen multiple attack vectors with this version of Ransomware including attacks against SMB and RDP protocols as well as email attachments. 

As well as this the Ransomware triess to gain administrative access to the computer and then use these credentials to attack other machines in the network.

The main difference between ExPetr and WannaCry is the items that are encrypted. Along with encrypting the individual files on the computer if the Virus can gain administrative access to the computer it will also encrypt the MFT which contains all information of where files are located on a hard drive and then changes the boot records so that loading the Operating system is impossible. 

Whilst the majority of Ransomware variants aim to make as much money as possible this variant seems to be aimed at disabling systems, so more Cyber Sabotage instead of Cyber Extortion.

The Ransomware asks for a ~$300 ransom to be paid in order to retrieve customers data although reports suggest that the payment address for the ransom has been shut down so there is no mechanism to pay the ransom or receive decryption keys.

To date there is no kill switch found in this variant which will allow the virus continue spreading across the world, although hopefully since WannaCry we would hope most companies using legacy systems would have patched them against the leaked NSA exploits.

Reports have also come out regarding the original exposure to the virus being spread through a fake update of MeDocs which is widely used in Eastern Europe. 

So how can you Protect yourselves...

 

The obvious is keeping all systems up to date with security patches to limit the EternalBlue and EternalRomance exploits. 

Ensure all anti-virus is up to date:

McAfee have released an ExtraDAT file available here. And have added the signatures to their GTI network.

Kaspersky have added the signatures to their KSN network.  

Signature Based AV can only protect against the known, this is an important factor when these new strains of virus spread so quickly. Relying on signaure based AV alone is not appropriate for protecting companies assets, behavioral based anti-malware products such as Kaspersky System Watcher or McAfee Adaptive Threat Protection are a must for cyber security in 2017 as each attack is getting more complex and variant perform with obfuscated code which changes each time the virus is executed or downloaded.

Speak to ITB today about the latest in Anti-Malware protection for your organisation.

GO BACK