Petya Ransomware
A new version of the Petya ransomware has spread rapidly to many countries (including the UK, Spain, Russia, Vietnam and Germany), with particular impact in Ukraine, in a matter of hours today. Petya spreads using ETERNALBLUE, the exploit for the MS17-010 vulnerability disclosed by the Shadow Brokers. ETERNALBLUE achieves remote code execution over Windows SMB (CVE-2017-0143 through CVE-2017-0148).
Additional information can be found at:
- https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
- https://support.microsoft.com/en-us/help/4013389/title
Recommendations:
- Immediately ensure systems are patched against MS17-010.
- Ensure TCP ports 22, 23, 139, 445 and 3389, and UDP ports 137 and 138, are not reachable from the Internet.
- Ensure proper backup procedures are in place to protect against data loss.
- Disable SMBv1 on systems running Windows Vista and later.
- Allow RDP access only over a VPN.
Vulnerable Versions:
- Windows Server 2008 R2
- Windows 8.1
- Windows Server 2016
- Windows Server 2012 and Windows Server 2012 R2
- Windows 7
- Windows 10
- Windows Vista
- Windows RT 8.1
Patches:
Microsoft released patches for MS17-010 on March 14, 2017.
Workarounds:
Alternative method for customers running Windows 8.1 or Windows Server 2012 R2 and later.
For client operating systems:
- Open Control Panel, click Programs, and then click Turn Windows features on or off.
- In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
- Restart the system.
For server operating systems:
- Open Server Manager and then click the Manage menu and select Remove Roles and Features.
- In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
- Restart the system.
Indicators of Compromise:
| FileName | Hash-MD5 | Hash-SHA1 |
|---|---|---|
| Order-20062017.doc | 415FE69BF32634CA98FA07633F4118E1 | 101CC1CB56C407D5B9149F2C3B8523350D23BA84 |
| myguy.xls | 0487382A4DAF8EB9660F1C67E30F8B25 | D225DC0F73736752744122A0B5EE4B95DDAD634D |
| BCA9D6.exe | A1D5895F85751DFE67D19CCCB51B051A | EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6 |

Note that the second hash listed for BCA9D6.exe is 64 hex characters, the length of a SHA-256 digest rather than SHA-1; check the length of each value before loading it into a detection tool keyed by algorithm.
- IP Address: 84.200.16[.]242
- IP Address: 111.90.139[.]247
- Domain: COFFEINOFFICE[.]XYZ
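The indicators above are most useful once they are turned into something a defender can run. The following script is an added example, not part of this advisory: it classifies each listed hash by its length (which is how the SHA-256-length value in the SHA-1 column shows up), computes digests of local data for comparison, and re-fangs the network indicators so they can be matched against DNS log lines. The DNS log lines and file contents used here are constructed; only the indicator values are taken from the advisory.

```python
import hashlib
import re

# Hash indicators copied from the advisory table (digest -> reported file name).
IOC_HASHES = {
    "415FE69BF32634CA98FA07633F4118E1": "Order-20062017.doc",
    "101CC1CB56C407D5B9149F2C3B8523350D23BA84": "Order-20062017.doc",
    "0487382A4DAF8EB9660F1C67E30F8B25": "myguy.xls",
    "D225DC0F73736752744122A0B5EE4B95DDAD634D": "myguy.xls",
    "A1D5895F85751DFE67D19CCCB51B051A": "BCA9D6.exe",
    "EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6": "BCA9D6.exe",
}
# Network indicators copied from the advisory, still in their defanged form.
IOC_NETWORK = ["84.200.16 [.] 242", "111.90.139 [.] 247", "COFFEINOFFICE [.] XYZ"]
# Hex digest length -> algorithm; the 64-char advisory value is SHA-256, not SHA-1.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
# Constructed sample DNS log lines (not real traffic) for scan_dns_log.
SAMPLE_DNS_LOG = [
    "2017-06-27T10:01:02 client=10.0.0.5 query=coffeinoffice.xyz type=A",
    "2017-06-27T10:01:03 client=10.0.0.6 query=update.example.com type=A",
]

def classify_hash(digest):
    """Return the algorithm implied by a hex digest's length, or None if unknown."""
    if not re.fullmatch(r"[0-9a-fA-F]+", digest):
        return None
    return HASH_LENGTHS.get(len(digest))

def refang(indicator):
    """Turn '84.200.16 [.] 242' or 'COFFEINOFFICE [.] XYZ' into a plain lower-case value."""
    return re.sub(r"\s*\[\.\]\s*", ".", indicator).strip().lower()

def hash_bytes(data):
    """Compute MD5, SHA-1 and SHA-256 of data; upper-case hex to match the advisory."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256")}

def match_bytes(data, iocs=IOC_HASHES):
    """Return (algorithm, file name) for the first IoC digest matching data, else None."""
    for alg, digest in hash_bytes(data).items():
        if digest in iocs:
            return alg, iocs[digest]
    return None

def match_file(path, iocs=IOC_HASHES):
    """Hash a file on disk and look it up against the IoC digests."""
    with open(path, "rb") as f:
        return match_bytes(f.read(), iocs)

def scan_dns_log(lines, indicators=IOC_NETWORK):
    """Return log lines mentioning any re-fanged indicator (case-insensitive)."""
    needles = [refang(i) for i in indicators]
    return [line for line in lines if any(n in line.lower() for n in needles)]
```

Feed `match_file` a directory walk and `scan_dns_log` your resolver logs; a hit on either is a trigger for isolating the host, not proof of infection on its own.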
Alert detection:
The Masergy Threat Intelligence Team has deployed the following alerts to detect exploitation of this vulnerability:
- EXP:ETERNALBLUE: Possible ETERNALBLUE exploit attempt against the remote code execution bug in the latest version of Windows 2008 R2, carried over the Server Message Block (SMB) and NetBT protocols. Microsoft patched this vulnerability in the MS17-010 update.
- EXP:ETERNALBLUE-ECHO1: SMB echo request indicating a possible ETERNALBLUE exploit attempt.
- EXP:ETERNALBLUE-ECHO2: SMB echo response indicating possible use of the ETERNALBLUE exploit. The ETERNALBLUE exploit was patched by Microsoft in MS17-010.
- DNS:PETYA-PAYLOAD: Detected a DNS query for a domain used to drop the Petya ransomware.
- DNS:PETYA-PAYLOAD2: Detected a DNS query for a domain used to drop the Petya ransomware.
- BD:PETYA-PAY-DL: Detected an HTTP request for a payload that spreads the Petya ransomware.
- BD:PETYA-PAY-DL2: Detected contact with an IP address that may be associated with a campaign spreading the Petya ransomware.