Petya Ransomware

A new version of the Petya ransomware has spread rapidly to many countries (including the UK, Spain, Russia, Vietnam and Germany), with particular impact in Ukraine, in a matter of hours today. Petya uses ETERNALBLUE, the exploit for MS17-010 disclosed by the Shadow Brokers, to distribute this strain of ransomware. ETERNALBLUE targets Windows SMB remote code execution vulnerabilities (CVE-2017-0143 through CVE-2017-0148).

Additional information can be found at:

Recommendations:

  • Immediately ensure systems are patched against MS17-010.
  • Ensure TCP ports 139, 445, 22, 23 and 3389 and UDP ports 137 and 138 are not accessible from the Internet.
  • Ensure proper backup procedures to protect against data loss.
  • Disable SMBv1 on systems running Windows Vista and later.
  • Only allow RDP access through a VPN.

Vulnerable Versions:

  • Windows Server 2008 R2
  • Windows 8.1
  • Windows Server 2016
  • Windows Server 2012 and Windows Server 2012 R2
  • Windows 7
  • Windows 10
  • Windows Vista
  • Windows RT 8.1

Patches:

Microsoft released patches for MS17-010 on March 14, 2017:

Workarounds:

Alternative method (disabling SMBv1) for customers running Windows 8.1 or Windows Server 2012 R2 and later:

For client operating systems:

  • Open Control Panel, click Programs, and then click Turn Windows features on or off.
  • In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
  • Restart the system.

For server operating systems:

  • Open Server Manager and then click the Manage menu and select Remove Roles and Features.
  • In the Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
  • Restart the system.
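The same workaround from an elevated PowerShell session, as an added example that is not part of the advisory. It assumes Windows 8.1 / Windows 10 on the client side and Windows Server 2012 R2 / 2016 on the server side, as the section above states, and uses the feature names SMB1Protocol and FS-SMB1 that those versions expose.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory): report, disable and verify SMBv1
# on Windows 8.1 / Server 2012 R2 and later. A restart is still required.

# 1. Report the current state of the server-side SMB1 protocol.
$smb = Get-SmbServerConfiguration
Write-Host "SMB1 protocol enabled (server side): $($smb.EnableSMB1Protocol)"

# 2. Turn the protocol off at the LanmanServer level (applies to new sessions).
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 3. Remove the SMB1.0/CIFS File Sharing Support component itself; this is what
#    the "Turn Windows features on or off" / "Remove Roles and Features" steps do.
#    Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.ProductType -eq 1) {
    # Client OS: the optional feature is named SMB1Protocol.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    if ($feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
} else {
    # Server OS: the feature is named FS-SMB1 (ServerManager module).
    Import-Module ServerManager
    if ((Get-WindowsFeature -Name FS-SMB1).Installed) {
        Uninstall-WindowsFeature -Name FS-SMB1 -Restart:$false
    }
}

# 4. Verify the protocol flag and remind the operator of the restart step above.
$after = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Host "SMB1 protocol enabled after change: $after (restart the system to complete removal)"
```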

Indicators of Compromise:

FileName            Hash-MD5                          Hash-SHA1
Order-20062017.doc  415FE69BF32634CA98FA07633F4118E1  101CC1CB56C407D5B9149F2C3B8523350D23BA84
myguy.xls           0487382A4DAF8EB9660F1C67E30F8B25  D225DC0F73736752744122A0B5EE4B95DDAD634D
BCA9D6.exe          A1D5895F85751DFE67D19CCCB51B051A  EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6 (64 hex digits, i.e. SHA-256 length, not SHA-1)

  • IP Address: 84.200.16[.]242
  • IP Address: 111.90.139[.]247
  • Domain: COFFEINOFFICE[.]XYZ

Alert detection:

The Masergy Threat Intelligence Team has deployed the following alerts to detect the exploitation of this vulnerability:

EXP:ETERNALBLUE

Possible ETERNALBLUE exploit attempt, targeting a remote code-execution bug in the latest version of Windows Server 2008 R2 over the Server Message Block (SMB) and NetBT protocols. This vulnerability was patched by Microsoft in the MS17-010 update.

EXP:ETERNALBLUE-ECHO1

SMB echo request indicating possible exploit attempt for the ETERNALBLUE exploit.

EXP:ETERNALBLUE-ECHO2

SMB echo response indicating possible use of the ETERNALBLUE exploit. The vulnerability exploited by ETERNALBLUE was patched by Microsoft in MS17-010.

DNS:PETYA-PAYLOAD

Detected a DNS query for a domain used to drop the Petya ransomware.

DNS:PETYA-PAYLOAD2

Detected a DNS query for a domain used to drop the Petya ransomware.

BD:PETYA-PAY-DL

Detected an HTTP request for a payload which spreads the Petya ransomware.

BD:PETYA-PAY-DL2

Detected contact with an IP address that may be associated with a campaign that spreads the Petya ransomware.