Peter Hanney

NotPetya / GoldenEye - First thoughts


Update 29/06/2017 - Microsoft have recently published the following:

https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/

----------------------Original Post follows------------------------

A new ransomware attack is spreading globally this afternoon and evening. Known as either NotPetya or GoldenEye, it infects PCs and overwrites the Master Boot Record.

The malware then forces a Windows shutdown so that the system boots from this new MBR code. On boot, the code begins encrypting every sector of the hard drive while displaying a fake "chkdsk" output that shows a hard drive repair in progress. Upon completion, a ransom note is displayed to the user.


As the email address has now been shut down by the ISP, there is no current route for victims to successfully pay for decryption.

Propagation

Reports indicate that the initial attack vector is through email and/or a compromised update for the tax accounting software M.E.Doc. Once within a corporate network it spreads through two methods:

  1. The EternalBlue SMBv1 vulnerability used recently by WannaCry.

  2. Via PsExec or WMIC

It will also attempt to enumerate DHCP scopes before port scanning.

Prevention

Standard best practice will help:

  • Ensure PCs are patched

  • Test software updates in a non-live environment before deploying

  • Educate users not to open links or attachments in unsolicited email

We've also seen numerous reports that creating the read-only file c:\windows\perfc.dat will act as a killswitch. However, we have not had the opportunity to test or validate this approach, so we advise testing before you try it.
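The following is an added example (not part of the original post) that puts the reported perfc.dat killswitch in place and reports whether SMBv1, the protocol EternalBlue abuses, is still enabled on the host. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later; the function names are our own.

```powershell
# Added example, not from the original post. Creates the reported (and,
# per the post, unvalidated) read-only c:\windows\perfc.dat killswitch
# file and checks the SMBv1 state so a host can be assessed before rollout.
# Assumes an elevated session on Windows 8.1 / Server 2012 R2 or later.

$perfc = Join-Path $env:SystemRoot 'perfc.dat'   # normally c:\windows\perfc.dat

function Set-PerfcKillSwitch {
    if (Test-Path -LiteralPath $perfc) {
        Write-Host "perfc.dat already present: $perfc"
    } else {
        # The reported behaviour is an existence check, so an empty file is enough.
        New-Item -Path $perfc -ItemType File | Out-Null
        Write-Host "Created $perfc"
    }
    # Mark the file read-only so a casual delete or overwrite fails.
    Set-ItemProperty -LiteralPath $perfc -Name IsReadOnly -Value $true
    Get-Item -LiteralPath $perfc | Select-Object FullName, IsReadOnly, Length
}

function Test-Smb1Exposure {
    # EternalBlue (MS17-010) targets SMBv1; with the server-side protocol
    # disabled, this propagation path cannot reach the host at all.
    $cfg = Get-SmbServerConfiguration
    if ($cfg.EnableSMB1Protocol) {
        Write-Warning 'SMBv1 is ENABLED: apply MS17-010 and disable SMBv1 unless something still needs it.'
    } else {
        Write-Host 'SMBv1 is disabled on this host.'
    }
    # Optional-feature view of the same setting (Windows 8.1 / 2012 R2 and later).
    Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue |
        Select-Object FeatureName, State
}

Set-PerfcKillSwitch
Test-Smb1Exposure
```

Run it on a test machine first, as the post advises; the SMBv1 check is worth keeping even if the killswitch turns out not to hold.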

Detection and Removal

You can check at the following site to confirm whether your anti-malware software detects it.

Update: 44/61 products shown as having the appropriate signatures as of 07:40 on 28.6.17.

https://virustotal.com/fr/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/

#Security #Malware


© 2019 Through Technology Limited
