Microsoft has partly solved the mystery behind one of the Wanacrypt’s successors
Petya, or what some researchers are calling as NoPetya is a ransomware that has came into highlight after it hit Ukrain and some other European countries. It has been compared with Wanacry in terms of catastrophe although it has a shorter attack arena till now.
In a blog post, Microsoft has revealed the working of Petya ransomware. Contrary to what security firms have believed , Microsoft says that it has “good evidence” that a software supply chain attack method was used for malware propagation.
Microsoft has quoted the malware initiation process as:
“Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process. As we highlighted previously, software supply chain attacks are a recent dangerous trend with attackers, and it requires advanced defense.
We observed telemetry showing the MEDoc software updater process (EzVit.exe) executing a malicious command-line matching this exact attack pattern on Tuesday, June 27 around 10:30 a.m. GMT.”
and its propagation inside the LAN as:
“Once the ransomware has valid credentials, it scans the local network to establish valid connections on ports tcp/139 and tcp/445. A special behavior is reserved for Domain Controllers or servers: this ransomware attempts to call DhcpEnumSubnets() to enumerate DCP subnets all hosts on all DHCP subnets before scanning for tcp/139 and tcp/445 services. If it gets a response, the malware attempts to copy a binary on the remote machine using regular file-transfer functionalities with the stolen credentials.”
A soft reminder to our readers:
As referenced in our previous articles, Eternal Blue is a leaked NSA tool that uses the outdated IPC protocol SMBv1 to spread itself. This tool is being used by all the current and surfacing ransomware. So it is advisable to disable SMBv1 on your system(s) as soon as possible.
How to protect yourself:
1. First of all disable SMBv1.
2. Patch your system(s) against EternalBlue
3.Use Amit Seper’s kill switch
” create a new file named perfc in the C:\Windows directory without any extension”
Note that this is a temporary fix which will work until hackers modify the malware code.
4. Stay informed on the internet to stay safe on the internet.
1 Comment
There is a typo in https://www.technotification.com/2017/06/microsoft-cracks-the-petya-mystery.html.
It should be \windows\perfc and prefc as article states.