Europe is under a major cyber attack that is now spreading across the world. According to cybersecurity experts, the malware appears to be a variant of a piece of ransomware that emerged last year. The ransomware, called Petya, was detected earlier, but this time it has appeared as a new variant. The IP addresses apparently involved in the Petya ransomware cyber attack are 84.200.16.242, 95.141.115.108 and 111.90.139.247. This attack is similar to the WannaCry ransomware, which caused a severe global attack a month back.

Researchers and industry experts suggest that the malware responsible for the current attack spreads by exploiting the same weakness as WannaCry, i.e., the SMB (Server Message Block) vulnerability. Petya ransomware is highly successful in spreading because it combines a client-side attack (CVE-2017-0199) with a network-based threat (MS17-010). The propagation method uses the Remote Desktop Protocol (RDP) and/or Server Message Block (SMB). Some experts have told the media that they have seen the malware for sale on many forums over the last 12 months for only $28 (Dhs 102 / INR 1805). They also predict that the attacks will continue, as the chance of cessation is low while it remains so lucrative.

British advertising agency WPP, Russian oil giant Rosneft, and Ukrainian firms including the state power distributor and Kiev's main airport have reported issues and disrupted IT systems as a consequence. The first reports came from Ukraine, where the malware hit government-owned banks, energy firms, transportation and ministers' computers. Reports also say that a South Korean hosting firm has paid $1m to regain its data, which is a great success for the cyber criminals and a great incentive for the attackers. Another big firm, the Danish shipping company Maersk, has revealed that it faced disruption at offices in the UK and Ireland and said that the attack could affect its global operations.
Seventeen shipping container terminals run by Maersk subsidiary APM Terminals are also on the hacked list, including two in Rotterdam and 15 in other parts of the world, according to Dutch television. Many ventures in the US, India, and Norway have also reported the ransomware attack. The hack has also had an impact on the Chernobyl exclusion zone, forcing a shift to manual radiation monitoring at the site of the 1986 nuclear disaster.

This variant of the malware infects computers, and the message displayed on screen demands a ransom of $300 in Bitcoin if the firms want their encrypted files back. The ransomware might show the following type of message on an infected PC: “Repairing the file system on C: The type of the file system is NTFS. One of your disks contains errors and needs to be repaired.***” After encryption, the ransomware forces the infected PC to reboot. That completes the whole process, and then the ransom note appears on the screen.

Norway’s national security agency said the ransomware was affecting an unnamed “international company” in the country. Rozenko Pavlo, the Ukrainian deputy Prime Minister, said he and other members of the government were unable to access their computers. The malware has also spread to many banks in the country along with other financial firms. As a result, customer service and banking operations are facing difficulties and have lost momentum. “The defensive procedures against the attack are well set up and are trying to neutralize the cyber attacks on banks’ IT systems,” said the National Bank. Boryspil International Airport in Kiev, the largest in Ukraine, was also down and unable to operate through its computers, and flight schedule display boards were not working properly. Metro passengers were also affected, as their card payments failed. Ukraine blames Russia for repeated cyber attacks targeting its critical infrastructure during the past three years.
Russia, however, has denied involvement, and the orchestrators of Tuesday’s attack were not known, although onlookers estimated they could make billions of dollars from the ransomware attack. Guillaume Poupard, director general of the National Cybersecurity Agency of France (ANSSI), said intensifying attacks were coming from unspecified states, as well as criminal and extremist groups. “We must work collectively, not just with two or three Western countries, but on a global scale,” he added, saying attacks could aim at espionage, fraud, sabotage or destruction. “We are getting closer, clearly, to a state of war - a state of war that could be more complicated, probably, than those we have known until now.”
Petya/Petwrap Ransomware
Petya is different from the other popular ransomware families of the moment. Instead of encrypting files one by one, it denies access to the full system by attacking low-level structures on the disk. This ransomware’s authors have not only created their own bootloader but also a small kernel, which is 32 sectors long.

Affected countries (as of now):

UK, Ukraine, India, North Korea, the Netherlands, Spain, Denmark, and others.

Behavior:

Encrypts the MFT (Master File Table) of NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer.

Actions to be taken:

1. Block the source e-mail address: wowsmith123456@posteo.net
2. Block domains:
   http://mischapuk6hyrn72.onion/
   http://petya3jxfp2f7g3i.onion/
   http://petya3sen7dyko2n.onion/
   http://mischa5xyix2mrhd.onion/MZ2MMJ
   http://mischapuk6hyrn72.onion/MZ2MMJ
   http://petya3jxfp2f7g3i.onion/MZ2MMJ
   http://petya3sen7dyko2n.onion/MZ2MMJ
   http://benkow.cc/71b6a493388e7d0b40c83ce903bc6b04.bin
   COFFEINOFFICE.XYZ
   http://french-cooking.com/
3. Block IPs:
   95.141.115.108
   185.165.29.78
   84.200.16.242
   111.90.139.247
4. Apply patches.
5. Disable SMBv1.
6. Update anti-virus definitions (most AV vendors have released DAT files addressing this ransomware variant; McAfee and Kaspersky are among them).

Malware hashes (SHA-1):
a809a63bc5e31670ff117d838522dec433f74bee
bec678164cedea578a7aff4589018fa41551c27f
d5bf3f100e7dbcc434d7c58ebf64052329a60fc2
aba7aa41057c8a6b184ba5776c20f7e8fc97c657
0ff07caedad54c9b65e5873ac2d81b3126754aac
51eafbb626103765d3aedfd098b94d0e77de1196
078de2dc59ce59f503c63bd61f1ef8353dc7cf5f
7ca37b86f4acc702f108449c391dd2485b5ca18c
2bc182f04b935c7e358ed9c9e6df09ae6af47168
1b83c00143a1bb2bf16b46c01f36d53fb66f82b5
82920a2ad0138a2a8efc744ae5849c6dde6b435d

Malware files (SHA-256):
myguy.xls EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6
BCA9D6.exe 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD

Watch this space or the securereading.com site for the latest threat intelligence on this attack/malware.

Disclaimer:
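The block list above is only useful once it is matched against what the environment actually sees. The following Python script is an added example written for this page, not code from the article or from any vendor: it loads the e-mail address, domains, IPs and hashes listed above into lookup sets, scans constructed firewall/proxy/mail/DNS log lines for them, and matches SHA-1/SHA-256 digests of a file's contents against the hash list. The log lines, the file contents and the 192.0.2.10 address are all constructed for the example; only the indicators come from the page.

```python
import hashlib
import re

# Indicators copied from the "Actions to be taken" list above. The log lines and
# file contents further down are constructed for this example.
BLOCKED_IPS = {"95.141.115.108", "185.165.29.78", "84.200.16.242", "111.90.139.247"}
BLOCKED_DOMAINS = {
    "mischapuk6hyrn72.onion", "petya3jxfp2f7g3i.onion", "petya3sen7dyko2n.onion",
    "mischa5xyix2mrhd.onion", "benkow.cc", "coffeinoffice.xyz", "french-cooking.com",
}
BLOCKED_EMAILS = {"wowsmith123456@posteo.net"}
KNOWN_SHA1 = {
    "a809a63bc5e31670ff117d838522dec433f74bee", "bec678164cedea578a7aff4589018fa41551c27f",
    "d5bf3f100e7dbcc434d7c58ebf64052329a60fc2", "aba7aa41057c8a6b184ba5776c20f7e8fc97c657",
    "0ff07caedad54c9b65e5873ac2d81b3126754aac", "51eafbb626103765d3aedfd098b94d0e77de1196",
    "078de2dc59ce59f503c63bd61f1ef8353dc7cf5f", "7ca37b86f4acc702f108449c391dd2485b5ca18c",
    "2bc182f04b935c7e358ed9c9e6df09ae6af47168", "1b83c00143a1bb2bf16b46c01f36d53fb66f82b5",
    "82920a2ad0138a2a8efc744ae5849c6dde6b435d",
}
KNOWN_SHA256 = {  # digest -> file name the article pairs it with
    "ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6": "myguy.xls",
    "17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd": "BCA9D6.exe",
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9-]*(?:\.[a-z0-9-]+)+\b", re.I)


def scan_line(line):
    """Return the set of block-listed indicators present in one log line."""
    hits = set()
    hits.update(ip for ip in IP_RE.findall(line) if ip in BLOCKED_IPS)
    hits.update(h.lower() for h in HOST_RE.findall(line) if h.lower() in BLOCKED_DOMAINS)
    hits.update(e.lower() for e in EMAIL_RE.findall(line) if e.lower() in BLOCKED_EMAILS)
    return hits


def scan_log(lines):
    """Return (1-based line number, sorted indicators) for every line with a hit."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results.append((number, sorted(hits)))
    return results


def lookup_digest(hexdigest):
    """Match a SHA-1 or SHA-256 hex digest (any case) against the article's hash list."""
    digest = hexdigest.strip().lower()
    if digest in KNOWN_SHA256:
        return ("sha256", KNOWN_SHA256[digest])
    if digest in KNOWN_SHA1:
        return ("sha1", None)
    return None


def classify_file_bytes(data):
    """Hash file contents with both algorithms and report a match on either digest."""
    return (lookup_digest(hashlib.sha256(data).hexdigest())
            or lookup_digest(hashlib.sha1(data).hexdigest()))


# Constructed sample lines in the style of firewall, proxy, mail and DNS logs.
SAMPLE_LOG = [
    "2017-06-27T10:02:11Z fw01 ALLOW TCP 10.0.0.5:49213 -> 84.200.16.242:80",
    "2017-06-27T10:02:15Z proxy01 GET http://french-cooking.com/ client=10.0.0.5",
    "2017-06-27T10:03:40Z mx01 from=<wowsmith123456@posteo.net> to=<user@example.com>",
    "2017-06-27T10:05:02Z dns01 query mischapuk6hyrn72.onion client=10.0.0.9",
    "2017-06-27T10:06:00Z fw01 ALLOW TCP 10.0.0.7:51000 -> 192.0.2.10:443",
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
    print(classify_file_bytes(b"benign constructed file contents"))
```

Hostnames and digests are lowercased before comparison so that the upper-case entries on the page (COFFEINOFFICE.XYZ, the SHA-256 values) still match what a log or a hashing tool emits. Hash matching is only as good as the list: a recompiled sample has a different digest, so the network and e-mail indicators should be checked alongside it rather than instead of it.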
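The Behavior section above says the malware overwrites the MBR with its own bootloader. A defender can detect that kind of tampering by reading the first sector of the disk and comparing it with a baseline captured while the machine was healthy. The following Python is an added example written for this page, not code from the article or from any vendor: it parses the 512-byte sector (bootstrap code, the four 16-byte partition entries at offset 446, the 0x55AA signature) and reports deviations from a baseline digest. The sample sectors are constructed inside the script, with a short x86 prologue standing in for real boot code and one NTFS partition entry; the baseline is simply taken from the constructed good sector.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446        # bootstrap code occupies bytes 0..445
PARTITION_ENTRY = "<B3xB3xII"       # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"        # bytes 510..511 of a valid MBR


def parse_mbr(sector):
    """Split one 512-byte sector into bootstrap digest, partition entries and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for index in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PARTITION_ENTRY, sector, PARTITION_TABLE_OFFSET + 16 * index)
        if ptype != 0:                  # type 0 marks an unused slot
            partitions.append({"index": index, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector, baseline_bootstrap_sha256):
    """Return a list of findings; an empty list means the sector matches the known-good baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition marked active")
    return findings


def build_sample_mbr(bootstrap):
    """Constructed test sector: given bootstrap bytes, one active NTFS partition, valid signature."""
    if len(bootstrap) > PARTITION_TABLE_OFFSET:
        raise ValueError("bootstrap code must fit in 446 bytes")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootstrap)] = bootstrap
    # status 0x80 = active, type 0x07 = NTFS, starting at LBA 2048, 204800 sectors (100 MiB)
    struct.pack_into(PARTITION_ENTRY, sector, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed stand-ins: a short x86 prologue for the "known good" boot code, and a
# different byte sequence representing an overwritten one. Neither is real malware.
GOOD_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 64)
NO_SIGNATURE_MBR = GOOD_MBR[:510] + b"\x00\x00"
BASELINE = parse_mbr(GOOD_MBR)["bootstrap_sha256"]   # captured while the host was healthy

if __name__ == "__main__":
    for name, sector in [("good", GOOD_MBR), ("tampered", TAMPERED_MBR), ("no-sig", NO_SIGNATURE_MBR)]:
        print(name, check_mbr(sector, BASELINE) or "OK")
```

On a live host the 512 bytes come from the raw device (\\.\PhysicalDrive0 on Windows, /dev/sda on Linux; both need administrator or root rights), and the baseline digest belongs off the host, for example in the asset inventory, so that whatever rewrites the MBR cannot rewrite the reference too. A digest mismatch does not by itself say what the new boot code does, only that it is no longer the one that was recorded.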
Secure Reading has no confirmed sources for the information shared in the above news/articles. It relies on various unconfirmed inputs, social media claims, and websites for its content, and cannot guarantee the accuracy, timeliness, and genuineness of the same. If there is any error in the news, once it is brought to our attention with relevant evidence, Secure Reading is willing to make the necessary corrections as applicable.