Petya Ransomware

Petya Ransomware


A new version of the ransomware, Petya, has spread rapidly to many countries (including UK, Spain, Russia, Vietnam and Germany), with particular impact in Ukraine, in a matter of hours today. Petya is utilizing MS17-010, or ETERNALBLUE, a vulnerability disclosed by the Shadow Brokers to distribute this strain of ransomware. ETERNALBLUE uses Windows SMB remote code execution (CVE-2017-0143 through CVE-2017-0148).

Additional information can be found at:

Recommendations:

  • Immediately ensure systems are patched against MS17-010.
  • Ensure TCP ports 139, 445, 22, 23, 3389 and UDP 137 and 138 are not accessible from the Internet.
  • Ensure proper backup procedures to protect against data loss.
  • Disable SMBv1 for those running Windows Vista and later.
  • Secure RDP under VPN.

Vulnerable Versions:

  • Windows Server 2008 R2
  • Windows 8.1
  • Windows Server 2016
  • Windows Server 2012 and Windows Server 2012 R2
  • Windows 7
  • Windows 10
  • Windows Vista
  • Windows RT 8.1

Patches:

Microsoft released patches for MS17-010 on March 14, 2017:

Workarounds:

Alternative method for customers running Windows 8.1 or Windows Server 2012 R2 and later.

For client operating systems:

  • Open Control Panel, click Programs, and then click Turn Windows features on or off.
  • In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
  • Restart the system.

For server operating systems:

  • Open Server Manager and then click the Manage menu and select Remove Roles and Features.
  • In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
  • Restart the system.

Indicators of Compromise:

FileName Hash-MD5 Hash-SHA1
Order-20062017.doc 415FE69BF32634CA98FA07633F4118E1 101CC1CB56C407D5B9149F2C3B8523350D23BA84
myguy.xls 0487382A4DAF8EB9660F1C67E30F8B25 D225DC0F73736752744122A0B5EE4B95DDAD634D
BCA9D6.exe A1D5895F85751DFE67D19CCCB51B051A EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6
  • IP Address: 84.200.16 [.] 242
  • IP Address: 111.90.139 [.] 247
  • Domain: COFFEINOFFICE [.] XYZ

Alert detection:

The Masergy Threat Intelligence Team has deployed the following alerts to detect the exploitation of this vulnerability:

EXP:ETERNALBLUE

Possible ETERNALBLUE exploit attempt which exploits a remote code-execution bug in the latest version of Windows 2008 R2 using the server message block and NetBT protocols. This vulnerability was patched by Microsoft in the MS17-010 update.

EXP:ETERNALBLUE-ECHO1

SMB echo request indicating possible exploit attempt for the ETERNALBLUE exploit.

EXP:ETERNALBLUE-ECHO2

SMB echo response indicating possible exploit usage of the ETERNALBLUE exploit. The ETERNALBLUE exploit was patched by Microsoft in MS17-010.

DNS:PETYA-PAYLOAD

Detected a DNS query for a domain used to drop the Petya ransomware.

DNS:PETYA-PAYLOAD2

Detected a DNS query for a domain used to drop the Petya ransomware.

BD:PETYA-PAY-DL

Detected an HTTP request for a payload which spreads the Petya ransomware.

BD:PETYA-PAY-DL2

Detected contact with an IP address that may be associated with a campaign that spreads the Petya ransomware.

We've updated our privacy policy. We use cookies to improve the experience of our users, better understand how our website is used, and personalize advertising. By continuing to use this site you are giving us your consent to do this. You can read more and make cookie choices by visiting our privacy policy.