Summary

Similar to the WannaCrypt outbreak last month, another round of ransomware attacks has been launched.  Initially identified as a new Petya ransomware variant, research by Kaspersky Labs suggests this is not actually Petya but a new, never-seen-before, ransomware that they have labeled as NotPetya.  Regardless, it has hit numerous sites across the globe, with confirmed outbreaks in Russia, Ukraine, Spain, France, the United States and elsewhere.

This ransomware is using the NSA’s EternalBlue exploit to propagate, meaning it is exploiting Microsoft vulnerability MS17-010, a critical vulnerability affecting Server Message Block, which is primarily used for accessing files, printers, and enabling communications between network devices.  Microsoft issued the patch in March of this year, and during the WCry outbreak, they released patches for their non-supported operating systems.

This being said, there are sporadic reports that “fully patched systems” are also being exploited. However, it is unclear if said “fully patched systems” were actually patched properly and fully.

Once inside a network, it further propagates via remote Windows Management Instrumentation (WMI) and PsExec, not just SMB.  It spreads very fast with one researcher seeing 5000 system compromised in under 10 minutes.

While there are some similarities to the WannaCrypt malware, research indicates that this malware appears much more advanced and could have a much larger impact.  The fact that it does not have a kill-switch and propagates via WMI and PsExec supports this assessment.

Research is ongoing as we are in the early stage of discovery on this outbreak. As we learn more, we will update you with new information and corrections to existing information.

Impact Assessment

Infection of this Ransomware would have a major negative effect on the impacted system and prevent any files from being accessed or used.  As such, any critical files residing on that device would be inaccessible.

Because of its propagation method: it worms through a network, any devices not currently patched for MS17-010 are at risk of infection.

Security-On-Demand Actions

SOD has been monitoring the events closely.  Our Security Operations Center is on high alert and hunting for applicable indicators across all of our clients.  We will immediately inform our customers of any indication that an incident may be occurring or has occurred in their network.

 

Mitigation Recommendations

For Organizations currently unaffected:

  • If not already done, apply Microsoft Patch MS17-010. Based on what we know at the current time, this completely prevents infection.
  • Disable admin share via GPO

Currently affected:

  • If files are backed up or stored on a network share, ensure that the backup location or share is not infected. We recommend wiping and restoring the affected system.
  • If files are not backed up, follow applicable corporate policy.
  • Disable admin share via GPO across network to stem further propagation

Long-Term Ransomware Protection

  • Develop a security policy and procedures for handling Ransomware
  • Do not store important files on local systems.
  • Employ a Disaster Recovery and Business Continuity Plan that includes data backup and restoration procedures

Sources

Tags: Petya, WCry, WannaCrypt, Ransomware

Indicators

Email Address wowsmith123456@posteo.net
Dropper IP Address 185.165.29.78
IP Integer 3114605902
MD5 Hash a809a63bc5e31670ff117d838522dec433f74bee
MD5 Hash bec678164cedea578a7aff4589018fa41551c27f
MD5 Hash d5bf3f100e7dbcc434d7c58ebf64052329a60fc2
MD5 Hash aba7aa41057c8a6b184ba5776c20f7e8fc97c657
MD5 Hash 0ff07caedad54c9b65e5873ac2d81b3126754aac
MD5 Hash 51eafbb626103765d3aedfd098b94d0e77de1196
MD5 Hash 078de2dc59ce59f503c63bd61f1ef8353dc7cf5f
IP Address 84.200.16.242
IP Integer 1422397682
MD5 Hash 7ca37b86f4acc702f108449c391dd2485b5ca18c
MD5 Hash 2bc182f04b935c7e358ed9c9e6df09ae6af47168
MD5 Hash 1b83c00143a1bb2bf16b46c01f36d53fb66f82b5
MD5 Hash 82920a2ad0138a2a8efc744ae5849c6dde6b435d
File name Order-20062017.doc
MD5 Hash 415FE69BF32634CA98FA07633F4118E1
Sha-1 Hash 101CC1CB56C407D5B9149F2C3B8523350D23BA84
Sha-256 Hash FE2E5D0543B4C8769E401EC216D78A5A3547DFD426FD47E097DF04A5F7D6D206
File size 13893
Executable Name mshta.exe
File Path C:\myguy.xls.hta
File name 10807.exe
File Name BCA9D6.exe
MD5 Hash A1D5895F85751DFE67D19CCCB51B051A
Sha-1 Hash 9288FB8E96D419586FC8C595DD95353D48E8A060
Sha-256 Hash 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD
IP Address 111.90.139.247
IP Integer 1868205047
Domain coffeeinoffice.xyz
Sha-256 Hash 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
MD5 Hash c5bd3bb710ae377938b17980692b785b
MD5 Hash 46418e52b546c1f696eb8a524f18c56e
MD5 Hash 5216f0c62d1fd41b1d558e129e18d0fe
MD5 Hash f07e68575f50a62382d99e182baa05d5
MD5 Hash c5d1d4cdade7dcfbe14ec10dcf66cfb1
MD5 Hash da2b0b17905e8afae0eaca35e831be9e
Contact Us

We're threat hunting! Send us a quick email here and we will get back to you asap.

Not readable? Change text. captcha txt

Start typing and press Enter to search