Hello Friends..
This document explains the working flow and execution process of the Petya ransomware, and also how to stop it.
1. Basic Technical Details
Petya ransomware first appeared in 2016. It is unique in the ransomware space because it encrypts the master boot record (MBR) and master file table (MFT) on infected hosts. Another of Petya's more unusual aspects is that it works even if a system is offline: it does not require a live connection to a command-and-control (C&C) server. On June 27th, 2017 a new Petya variant began spreading over the Microsoft Windows SMB protocol. The current Petya payload appears to be distributed using the same EternalBlue exploit that was part of the so-called Shadow Brokers leaks and that powered the spread of WannaCry.
The latest version of the Petya ransomware is spreading over Windows SMB and is reportedly using the ETERNALBLUE exploit tool, which exploits CVE-2017-0144 and was originally released by the Shadow Brokers group in April 2017.
After the system is compromised the victim is asked to send US $300 in Bitcoin to a specific Bitcoin address and then send an e-mail with the victim’s bitcoin wallet ID to wowsmith123456@posteo[.]net to retrieve their individual decryption key.
2. Exploitation
One of the ways Petya moves around and propagates is by scanning transmission control protocol (TCP) port 445 to identify and target machines that run unpatched versions of server message block (SMB).
3. Installation and Execution
This variant of Petya is spread as a DLL file, which must be executed by another process before it takes action on the system. Once executed, it overwrites the Master Boot Record and creates a scheduled task to reboot the system. Once the system reboots, the malware displays a ransom note which demands a payment of $300 in bitcoin.
4. Initial Execution Process:
Once the malware is loaded on a machine it encrypts the MBR (master boot record) and schedules a reboot. During the reboot a fake CHKDSK screen is displayed. After the fake CHKDSK run finishes, the system is restarted again and the ransom message is shown.
The malware arrives as a DLL on infected systems. It exports an unnamed function which runs its main code.
Upon execution, the malware copies its code into newly allocated memory and continues execution from there. The malware then deletes itself (the malware DLL) from the file system.
The malware checks whether the file C:\Windows\%DllNameWithoutExtension% exists. If it does, the malware terminates itself; otherwise it creates that file to mark that it has already run on the system.
%DllNameWithoutExtension% is the name of the malware DLL without the extension. For example, if the name of the malware DLL is "perfc.dat", the file C:\Windows\perfc is checked.
5. Propagation via EternalBlue Vulnerability
The malware propagates to target machines by exploiting the EternalBlue vulnerability. Upon successful exploitation of a target machine, the malware is dropped as "%WINDIR%\%MalwareDllName%" and executed by lsass.exe using the following command:
6. Command and Control
Petya contains no command-and-control mechanisms that we know of. After a host is infected, there is no communication from the malware back to the attacker.
7. Lateral Movement
Petya uses three mechanisms to spread to additional hosts.
1. Petya scans the local /24 to discover and enumerate ADMIN$ shares on other systems, then copies itself to those hosts and executes the malware using PSEXEC. This is only possible if the infected user has the rights to write files to, and execute them on, the system hosting the share.
2. Petya uses the Windows Management Instrumentation Command-line (WMIC) tool to connect to hosts on the local subnet and attempts to execute itself remotely on those hosts. It can use Mimikatz to extract credentials from the infected system and use them to execute itself on the targeted host.
3. Petya finally attempts to use the ETERNALBLUE exploit tool against hosts on the local subnet. This will only be successful if the targeted host does not have the MS17-010 patches deployed.
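As an added example (not code from the original post), the PowerShell check below flags hosts that sweep TCP/445 across their own /24, the propagation pattern described in sections 2 and 7. It runs over a constructed sample in the default Windows Firewall pfirewall.log layout; the threshold of 5 peers and the sample addresses are assumptions.

```powershell
# Added example, not code from the original post: flag hosts that sweep TCP/445
# across their own /24, the propagation pattern from sections 2 and 7.
# Assumptions: Windows Firewall logging in the default pfirewall.log W3C layout
# (date time action protocol src-ip dst-ip src-port dst-port ...); the lines
# below are a constructed sample standing in for the real log file.
$sampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2017-06-27 10:01:02 ALLOW TCP 10.0.5.23 10.0.5.1 49152 445 0 S
2017-06-27 10:01:02 ALLOW TCP 10.0.5.23 10.0.5.2 49153 445 0 S
2017-06-27 10:01:02 DROP TCP 10.0.5.23 10.0.5.3 49154 445 0 S
2017-06-27 10:01:03 DROP TCP 10.0.5.23 10.0.5.4 49155 445 0 S
2017-06-27 10:01:03 ALLOW TCP 10.0.5.23 10.0.5.5 49156 445 0 S
2017-06-27 10:01:03 ALLOW TCP 10.0.5.23 10.0.5.6 49157 445 0 S
2017-06-27 10:01:05 ALLOW TCP 10.0.5.40 10.0.5.7 50001 445 0 S
2017-06-27 10:01:06 ALLOW TCP 10.0.5.40 10.0.5.9 50002 443 0 S
'@

function Find-Smb445Sweep {
    param(
        [string[]]$Lines,
        [int]$Threshold = 5   # distinct same-subnet peers on 445 before flagging (assumed)
    )
    $peers = @{}   # src-ip -> hashtable of distinct dst-ips contacted on TCP/445
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line.Trim() -split '\s+'
        # Keep only TCP traffic to destination port 445, whether allowed or dropped
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        $src = $f[4]; $dst = $f[5]
        # Petya scans the local /24, so only count destinations in the source's own /24
        if (($src -replace '\.\d+$', '') -ne ($dst -replace '\.\d+$', '')) { continue }
        if (-not $peers.ContainsKey($src)) { $peers[$src] = @{} }
        $peers[$src][$dst] = $true
    }
    foreach ($src in $peers.Keys) {
        if ($peers[$src].Count -ge $Threshold) {
            [pscustomobject]@{ Source = $src; DistinctSmbTargets = $peers[$src].Count }
        }
    }
}

Find-Smb445Sweep -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

To run it against a real log, replace `$sampleLog` with `Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"` and tune the threshold to the size of your subnets.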
8. Behavior:
Encrypts the MFT (Master File Table) for NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer.
9. Prevention Steps:
1. Block the following source e-mail addresses:
a. emails: wowsmith123456@posteo.net
b. emails: iva76y3pr@outlook.com
c. emails: carmellar4hegp@outlook.com
d. emails: amanda44i8sq@outlook.com
2. Block the following domains and URLs:
3. Block the following IPs:
a. ip: 95.141.115.108
b. ip-dst: 185.165.29.78
c. ip-dst: 84.200.16.242
d. ip-dst: 111.90.139.247
4. Apply the latest patches listed below:
a. https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
5. Disable SMBv1.
6. Update anti-virus signatures with the hashes below:
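As an added example (not code from the original post), the PowerShell script below applies the host-side prevention steps on one machine: it pre-creates the marker file from section 4 so the DLL terminates itself, disables SMBv1 (step 5) and blocks inbound TCP/445 (the port scanned in section 2). It assumes the DLL name perfc.dat from the post's own example, a made-up firewall rule name, and Windows 8.1/Server 2012 R2 or later; MS17-010 (step 4) still has to be installed separately.

```powershell
# Added example, not code from the original post: host hardening against this
# Petya variant. Run as Administrator on Windows 8.1/Server 2012 R2 or later.
# Assumptions: the malware DLL is named perfc.dat, as in the post's example, so
# the marker file it checks is C:\Windows\perfc; the firewall rule name is made up.

# 1. Marker file (section 4): the DLL exits if C:\Windows\<DllNameWithoutExtension>
#    already exists, so create it ahead of time and make it read-only.
$marker = Join-Path $env:WINDIR 'perfc'
if (-not (Test-Path $marker)) {
    New-Item -ItemType File -Path $marker -Force | Out-Null
}
Set-ItemProperty -Path $marker -Name IsReadOnly -Value $true

# 2. Disable SMBv1 (prevention step 5), the protocol ETERNALBLUE targets.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# 3. Block inbound TCP/445 (section 2) on hosts that do not serve files; this also
#    stops the ADMIN$ copy-and-PSEXEC path described in section 7.
$ruleName = 'Block inbound SMB 445 (Petya hardening)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any | Out-Null
}

# 4. Report the resulting state so the change can be verified.
[pscustomobject]@{
    MarkerFile  = (Get-Item $marker).Attributes
    SMB1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Port445Rule = (Get-NetFirewallRule -DisplayName $ruleName).Enabled
}
```

Skip step 3 on file servers and domain controllers, which must keep accepting SMB from their clients; for those hosts the patch and the SMBv1 removal are the protection.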
10. Conclusion
Ransomware attacks are very common, but they are rarely coupled with an exploit that allows the malware to spread as a network worm. The WannaCry attacks in May 2017 demonstrated that many Windows systems had not been patched for this vulnerability. The ideas behind the Trojan have been seen before in earlier malware; the creators of Petya have simply combined them all in a single creation. That said, it should be acknowledged that a certain degree of technical skill is required to implement low-level code that encrypts and decrypts data before the OS boots. Secondly, the spread of Petya using this vulnerability indicates that many organizations may still be vulnerable, despite the attention WannaCry received.
***Thank-you***