A ransomware dubbed Petya has been rapidly spreading throughout Europe, infecting airlines, financial institutions and utilities. The Petya ransomware, also known as Petrwrap, has been around since 2016. It initially targeted HR departments with phishing emails containing links to a tainted resume file hosted on Dropbox. It has recently been upgraded to spread using EternalBlue, the Windows SMB exploit released by The Shadow Brokers and the same attack vector used by the WannaCry ransomware.

Even though this may look like a WannaCry copycat, Armor’s Security Operations team believes it has the potential to be far more devastating. Unlike WannaCry, Petya goes beyond encrypting files: it also modifies the Master Boot Record of the machine, which renders the affected computer unable to boot normally. Instead, it displays a phony check disk operation while the malware encrypts the master file table. Without the master file table to reference, the operating system cannot locate or access the files on disk. Microsoft now has evidence that the ransomware initially started from the legitimate MEDoc updater process, a dangerous trend involving software supply chain attacks. Combined with its lateral movement capability, Petya needs only a single infected machine to affect an entire network.
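Because the MBR modification is what makes the machine unbootable, a responder wants a quick way to tell whether a saved copy of sector 0 still matches a known-good build. The following Python check is an added example, not code from the original advisory; the 512-byte images, the placeholder boot code and the baseline hash are all constructed inline.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # 446 bytes of boot code, then 4 x 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR


def build_mbr(bootcode: bytes, partition_table: bytes) -> bytes:
    """Assemble a 512-byte sector-0 image from boot code and a (possibly partial) partition table."""
    code = bootcode.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    table = partition_table.ljust(64, b"\x00")[:64]
    return code + table + BOOT_SIGNATURE


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition entries: status byte, type byte, LBA start, sector count (CHS fields skipped)."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFFSET + 16 * i)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, baseline_bootcode_sha256: str) -> list:
    """Compare a captured sector 0 against a trusted baseline and return a list of findings (empty = clean)."""
    if len(mbr) != SECTOR_SIZE:
        return ["sector 0 image is not 512 bytes"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest() != baseline_bootcode_sha256:
        findings.append("boot code differs from baseline")
    bootable = [p for p in parse_partitions(mbr) if p["status"] == 0x80 and p["type"] != 0 and p["sectors"] > 0]
    if len(bootable) != 1:
        findings.append("partition table has no single valid bootable entry")
    return findings


# Constructed sample data: one active NTFS-type (0x07) entry starting at LBA 2048; the bytes are placeholders, not real boot code.
NTFS_ENTRY = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
CLEAN_MBR = build_mbr(b"CONSTRUCTED clean boot code", NTFS_ENTRY)
TAMPERED_MBR = build_mbr(b"CONSTRUCTED replaced boot code", NTFS_ENTRY)
# In practice the baseline hash comes from a known-good image of the same build, not from the disk under review.
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:PART_TABLE_OFFSET]).hexdigest()

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(image, BASELINE_SHA256) or ["no findings"])
```

A clean boot code hash does not rule out the master file table having been encrypted; this check only answers whether sector 0 itself has been replaced.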

The ransomware’s spreading functionality is composed of multiple methods responsible for:

  • Stealing credentials or re-using existing active sessions
  • Using file shares to transfer the malicious file to other machines on the same network
  • Using existing legitimate functionality to execute the payload, or abusing SMB vulnerabilities on unpatched machines

Since Petya utilizes the same exploit as WannaCry, our proactive security measures remain the same. Learn more in our ransomware response kit.

Recommendations

Related IPs:

  • 165.29[.]78
  • 200.16[.]242
  • 90.139[.]247
  • 141.115[.]108

Related Domains: COFFEINOFFICE[.]XYZ

Cryptocurrency Address: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

Resources

Webinars

Overcoming Petya

Join Jeff Schilling, CISM, Armor, as we explore the significance of the Petya ransomware strain, what you must do to protect yourself and how Armor is fighting against it.


Brooke Blackwell | Strategic Web Guru

Jun 27, 2017

Vigilance Required: European Ransomware Petya Moves into Russia and U.S.

Chris Hinkley, OSCP, CISSP | Senior Security Architect

Following in the footsteps of WannaCry, a new ransomware named Petya appears to be instigating similar global havoc with EternalBlue. Follow Armor for the latest intelligence on this emerging threat.

Chris Hinkley, OSCP, CISSP

Senior Security Architect

As senior security architect of FireHost, Chris Hinkley utilizes a decade of security expertise to design, test and deploy next generation security processes and techniques for the cloud. His work at Armor was instrumental in Armor being one of the first cloud companies globally to achieve PCI DSS compliance.

Prior to Armor, Hinkley worked as a Web Developer for TargetScope, an interactive marketing and Web development company. In that role he created everything from website animations to complex and dynamic product configurations using the latest technology and development frameworks. With Armor, Hinkley has held a number of security and technology-related roles, including security engineer, lead engineer and support manager. In those roles he has serviced thousands of FireHost customer servers, including Windows and Linux, and overseen the security of all hosting environments to meet PCI, HIPAA and other compliance guidelines.

Hinkley is a sought-after speaker and author on cloud, security and open source topics, publishing regular columns in SecurityWeek and other industry magazines. Hinkley is a Certified Information Systems Security Professional (CISSP).

Jun 28, 2017

Petya: Using Blast Radius to Deduce Attribution

Jeff Schilling, CISM | Chief Security Officer

As the global ransomware attack coined Petya continues to proliferate globally, identifying the culprits is an important piece of the puzzle. At this point, it’s prudent to attempt to rule out who it doesn’t appear to be through process of elimination. While there was clear forensic evidence connecting the code used by the WannaCry actors […]

Jeff Schilling, CISM

Chief Security Officer

Jeff Schilling (Colonel, Retired) is the Chief Security Officer at Armor Defense, the first Totally Secure cloud company, and is responsible for the security and compliance of our customer and corporate environments.

Prior to joining Armor, Jeff was the Director of the Global Incident Response practice for SecureWorks, where his team supported more than 300 customers with incident response planning, capabilities development, digital forensics investigations and active incident management.

Jeff retired from the US Army after 24 years of service in July of 2012. In his last assignment, Jeff was the Director of the Army’s global Security Operations Center under US Army Cyber Command. In this position, Jeff was responsible for synchronizing the global security operations and incident response for more than one million computer systems, on 350 wide area networks, supporting all Army organizations in more than 2500 locations. Previous to this position, Jeff was the Director of the Department of Defense’s (DOD) Global Security Operations Center with Joint Task Force Global Network Operations, where he managed security operations and global incident management for more than four million globally connected computer systems.