For Incident response services, contact firstname.lastname@example.org – we will contact you ASAP.
A large-scale Ransomware outbreak is currently underway. The Ransomware in question we’ll refer to as NotPetya – or #NotPetya, if you prefer.
The computer screen displays what looks like a Windows CHKDSK run, but this is not a genuine CHKDSK: the check that is shown is launched by the Ransomware itself to cover the encryption.
“This behaviour is typical to Petya.”
NotPetya encrypts files on the systems it has infected; the price to recover the encrypted files is currently set at USD 300.
Once the owner of the infected system decides to pay the ransom, the owner will have to include the transaction ID that is displayed by the Ransomware.
The threat actor behind this ransomware outbreak uses the transaction ID to verify whether the owner of the infected system has paid the ransom.
This new (Not)Petya outbreak bears similarities to the recent WannaCry outbreak in the sense that it’s a large-scale attack and spreads laterally.
The mass Ransomware infection has been confirmed in the following countries (27/06/2017, 17:00CEST):
- The Netherlands,
At this moment, the Ransomware is only being detected by 11 of 61 Anti-Virus companies listed on Virustotal.com.
The Ransomware is currently using 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX as its Bitcoin payment address. If you are interested in seeing how many transactions (i.e. successful infections) have taken place, it might be interesting to monitor the Blockchain address via blockchain.info.
“There is no guarantee that you will get your files back after paying the ransom.”
The RedSocks Malware Intelligence Team is currently working to gather technical details regarding this Ransomware outbreak.
How does it work?
The ransomware uses a timed process. Once the ransomware is activated on the device, the ransomware will schedule a restart task which will activate a reboot after 1 hour.
In that hour the ransomware will try to infect other devices with credentials that it might have obtained via the infected device.
Email Account Has Been Shut Down
The threat actor behind the ransomware attack used the Posteo.net hosting service to receive emails on the mail address firstname.lastname@example.org. The German hosting provider Posteo.net noticed that complaints were being filed against email@example.com and decided to shut the mailbox down. Whether shutting down the mailbox was a wise choice is a separate discussion.
The Ransomware displays its own ransom note to inform the system user that the system has been infected and its files encrypted:
Mitigation & Remediation
CVE-2017-0144 is the vulnerability exploited in the NSA EternalBlue Exploit, which was previously also seen in the WannaCry outbreak.
CVE-2017-1045 was exploited in the NSA EternalRomance Exploit.
Both vulnerabilities are remediated by rolling out Microsoft Windows Security Update MS17-010.
Disable SMBv1 where possible, and block outside access to ports 137, 138, 139 and 445.
Quick Fix to Prevent Encryption
Creating the read-only file C:\Windows\perfc.dat on your computer prevents the file-scrambling part of NotPetya from running, but does *not* stop it from propagating further over the network using SMB.
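The host-level mitigations above (the read-only perfc.dat, disabling SMBv1 and blocking inbound 137/138/139/445), as an added example for an elevated PowerShell prompt; this is not code from the original post. The perfc.dat path is the one the post names; the firewall rule names and the `Internet` remote-address keyword are assumptions to adapt to local policy.

```powershell
# Added example, not from the original post. Run as Administrator.
$ErrorActionPreference = 'Stop'

# 1. "Vaccine" file: a read-only C:\Windows\perfc.dat blocks the encryption
#    routine described above. It does NOT stop lateral spread over SMB.
$vaccine = Join-Path $env:SystemRoot 'perfc.dat'
if (-not (Test-Path $vaccine)) {
    New-Item -Path $vaccine -ItemType File | Out-Null
}
Set-ItemProperty -Path $vaccine -Name IsReadOnly -Value $true
if (-not (Get-Item $vaccine).IsReadOnly) {
    throw "Could not mark $vaccine read-only"
}
Write-Output "perfc.dat present and read-only"

# 2. Disable SMBv1 (assumes Windows 8 / Server 2012 or later, where these
#    cmdlets exist). MS17-010 still has to be installed separately.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
Write-Output "SMBv1 disabled (reboot required to finish feature removal)"

# 3. Block inbound NetBIOS/SMB from outside. 'Internet' is a Windows Firewall
#    address keyword (assumption: hosts on the intranet still need SMB among
#    themselves; tighten to 'Any' for isolated machines).
$untrusted = 'Internet'
$rules = @(
    @{ Port = 137; Proto = 'UDP' },   # NetBIOS name service
    @{ Port = 138; Proto = 'UDP' },   # NetBIOS datagram service
    @{ Port = 139; Proto = 'TCP' },   # NetBIOS session service
    @{ Port = 445; Proto = 'TCP' }    # SMB over TCP
)
foreach ($r in $rules) {
    $name = "Block-Inbound-SMB-$($r.Proto)-$($r.Port)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -Protocol $r.Proto -LocalPort $r.Port -RemoteAddress $untrusted | Out-Null
    }
}
Write-Output "Inbound 137/138/139/445 from $untrusted blocked"
```

Keep the MS17-010 update and the removal of unnecessary local administrator rights in place as well; the script only covers the host-side quick fixes.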
NotPetya uses the administrative rights of users logged on to their workstations. As remediation, ensure that users do not have administrative rights unless they need to perform tasks that require them. This includes system administrators within the organisation.