Wednesday, July 5, 2017

NotPetya/Petya : Faulty malware code ?? or Intentional Wiper malware !!

The past week has been one crazy ride with the NotPetya ransomware/wiper outbreak. This malware caused havoc around the globe, especially in Ukraine, Russia, India and the US, with many more countries on the list. It uses wowsmith123456@posteo.net as its contact address and asks for $300 in bitcoin, to be sent to a given wallet address.

How NotPetya works


Petya/NotPetya encrypts the MFT (Master File Table) of NTFS partitions and overwrites the MBR (Master Boot Record) with a custom boot loader that shows the ransom message when the machine boots. According to several sources (Payload Security, Avira) the malware exploits Microsoft's SMBv1 vulnerability with ETERNALBLUE, the same exploit WannaCry used. Further research showed that it also carries a second SMBv1 exploit, ETERNALROMANCE.

Once a device is infected, the malware uses the following mechanisms to propagate:

  • EternalBlue : the SMBv1 exploit also used by WannaCry
  • EternalRomance : another SMBv1 exploit leaked by the "Shadow Brokers"
  • PsExec : a lightweight telnet replacement that lets you launch processes on other systems
  • WMI : Windows Management Instrumentation, which can likewise start processes on remote hosts

The first two only work against hosts that have not patched SMBv1; the last two need credentials that are valid on the target, so they also spread to fully patched machines. Patching alone is therefore not enough.
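The two credential-based spreading methods in the list above, PsExec and WMI, leave process-creation artefacts on both the source and the target host. The hunt below is an added example, not code from the original post: it runs over a handful of process-creation records constructed for this example (in practice feed it Sysmon Event ID 1 or Security 4688 events with command-line auditing enabled). The rundll32 rule assumes the sample was launched by name from %SystemRoot% with an ordinal export, which is how the perfc.dat DLL was run; the host names, parent/child pairs and command lines in `$SampleEvents` are constructed.

```powershell
# Added example (not from the original post): hunt process-creation records for
# PsExec, WMI remote execution and rundll32 loading a DLL out of %SystemRoot%.
# The records below are constructed sample data for this example.
$SampleEvents = @(
    [pscustomobject]@{ Host = 'WS01'; Parent = 'C:\Windows\explorer.exe'
        Image = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe' },
    [pscustomobject]@{ Host = 'WS01'; Parent = 'C:\Windows\System32\services.exe'
        Image = 'C:\Windows\PSEXESVC.exe'; CommandLine = 'C:\Windows\PSEXESVC.exe' },
    [pscustomobject]@{ Host = 'WS02'; Parent = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
        Image = 'C:\Windows\System32\rundll32.exe'
        CommandLine = 'rundll32.exe C:\Windows\perfc.dat,#1 60' },
    [pscustomobject]@{ Host = 'WS03'; Parent = 'C:\Windows\System32\cmd.exe'
        Image = 'C:\Windows\System32\wbem\WMIC.exe'
        CommandLine = 'wmic /node:"10.0.0.7" /user:"corp\admin" process call create "rundll32.exe C:\Windows\perfc.dat,#1"' }
)

function Find-LateralMovement {
    # Accepts objects with Host, Parent, Image and CommandLine properties
    # (assumed field names; map your own log schema onto them).
    param([Parameter(ValueFromPipeline)] [psobject[]] $Events)
    process {
        foreach ($e in $Events) {
            $hits = @()
            # PsExec copies PSEXESVC.exe to the target and starts it as a service.
            if ($e.Image -match '\\PSEXESVC\.exe$') { $hits += 'PsExec service on target' }
            # WMI remote process creation as seen on the source host ...
            if ($e.Image -match '\\WMIC\.exe$' -and $e.CommandLine -match '/node:.*process\s+call\s+create') {
                $hits += 'WMI remote create (source)'
            }
            # ... and on the target, where WmiPrvSE.exe is the parent of the new process.
            if ($e.Parent -match '\\WmiPrvSE\.exe$') { $hits += 'WMI-spawned process (target)' }
            # rundll32 invoking an export by ordinal from a file in the Windows folder.
            if ($e.Image -match '\\rundll32\.exe$' -and $e.CommandLine -match '\\Windows\\[^\\\s]+,#\d+') {
                $hits += 'rundll32 ordinal call from %SystemRoot%'
            }
            if ($hits) {
                [pscustomobject]@{
                    Host        = $e.Host
                    Image       = $e.Image
                    Indicators  = ($hits -join '; ')
                    CommandLine = $e.CommandLine
                }
            }
        }
    }
}

# On the sample data this flags WS01 (PsExec), WS02 (WMI target + rundll32)
# and WS03 (WMI source); the notepad record is not reported.
Find-LateralMovement -Events $SampleEvents | Format-Table -AutoSize
```

The rules are deliberately loose (any ordinal call out of %SystemRoot%, any remote WMI create): in a real environment tune them against your administrators' normal PsExec/WMI usage, and treat a rundll32 child of WmiPrvSE.exe on a host that was never targeted by an admin as a high-confidence alert.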


File extensions targeted for encryption


.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip

Ransom Note found on the infected devices



"If you see this text, then your files are no longer accessible, because
they have been encrypted. Perhaps you are busy looking for a way to recover
your files, but don't waste your time. Nobody can recover your files without
our decryption service.
We guarantee that you can recover all your files safely and easily.
All you need to do is submit the payment and purchase the decryption key.
Please follow the instructions:
Send $300 worth of Bitcoin to following address:


Send your Bitcoin wallet ID and personal installation key to e-mail :

wowsmith123456@posteo.net"

EMAIL No Longer Valid !!!


This email address was the only point of contact with the NotPetya authors, and it was to be used for verifying bitcoin payments and handing back decryption keys. Later that day it was blocked by the email provider, Posteo.net. The German provider made sure it would not be linked in any way to malicious activity. Since the address was the only channel for receiving a decryption key after being hit, it is now impossible for victims to get their files back even if they pay.


A wiper, not ransomware


Throughout the havoc it was assumed that NotPetya is ransomware designed to earn money in bitcoin, but it was later discovered that its design is flawed and the encrypted files cannot be decrypted at any cost, not even by the authors: the "personal installation key" shown in the ransom note is random data that carries no information about the encryption key, so there is nothing for the attackers to decrypt against. It was also assumed that files are simply encrypted one by one; NotPetya does encrypt the file types listed above, but it then reboots the victim's computer, encrypts the hard drive's master file table (MFT) and overwrites the master boot record (MBR), which leaves the whole disk unusable.

Many big names were hit by this wiper attack, including several government offices:
  • AP Moller-Maersk
  • WPP
  • Merck & Co.
  • Ukrainian banks and the power grid
  • Saint-Gobain
  • Evraz


How did the wiper malware spread?


This massive outbreak started when an unidentified attacker compromised the update servers of M.E.Doc, a popular accounting package used by Ukrainian companies. The tainted update reached M.E.Doc's customers through the software's own update mechanism and delivered NotPetya to them: a software-supply-chain compromise, not a phishing campaign.


How to save yourself from this wiper malware?

First and foremost, do the following and make sure you are not on the brink of being affected.
  • Apply the Microsoft patch MS17-010. This closes the EternalBlue and EternalRomance vector, but it is only half the job: spreading over PsExec and WMI does not depend on the SMB bug.
  • Disable SMBv1 on your devices and move to SMBv2/SMBv3.
  • Ensure you run an up-to-date anti-malware product.

You cannot stop NotPetya from spreading across the network, but you can keep your own system from being encrypted with the vaccination below.

While reverse-engineering the malware, researchers found that it looks for a particular file and, if that file exists, the encryption routine does not proceed. NotPetya looks for a file called perfc in the C:\Windows folder, so we need to create that file ourselves. The check compares against the malware's own file name without its extension, so the vaccine only works as long as the sample keeps its original name (perfc.dat); a renamed sample would look for a different file.

Steps to consider

Make sure file extensions and hidden files are visible. You can do this from the Windows folder under the Tools tab (Folder options, then the View tab).

Once all files are visible, you will find notepad.exe in the Windows folder. Make a duplicate copy of it; it will be named "notepad - Copy.exe". Rename the copy to perfc (no extension); Windows will ask you to confirm the change of extension, continue with "Yes". Then right-click the perfc file, open Properties and tick the Read-only box.

Click Apply. The file perfc now exists in C:\Windows, and that is all we need to vaccinate the computer.

Your device is now vaccinated against Petya/NotPetya/Petrwrap/Nyetya. Note that this only stops the encryption on this host; it does not stop the malware from reaching or spreading to other machines, so the patching and SMBv1 steps above are still required.
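The same three defensive steps (patch check, SMBv1 off, vaccine file) can be applied and verified from an elevated PowerShell prompt. The script below is an added example and not part of the original post. It assumes the MS17-010 KB list from Microsoft's March 2017 bulletin (later cumulative updates supersede those KBs, so a miss is not proof the host is vulnerable), and it drops perfc.dat and perfc.dll next to perfc because the malware compares against its own module name and the sample shipped as perfc.dat; the function names are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): apply and verify the three
# defensive steps on one Windows host.

$WinDir = $env:SystemRoot   # normally C:\Windows

# KB numbers published with the MS17-010 bulletin, one or two per OS version.
# Assumption: a later cumulative update may have superseded these, in which
# case Get-HotFix will not list them even though the fix is present.
$Ms17010Kbs = 'KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
              'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429'

function Test-Ms17010Installed {
    $installed = (Get-HotFix).HotFixID
    $found = $Ms17010Kbs | Where-Object { $installed -contains $_ }
    return [bool]$found
}

function Install-PerfcVaccine {
    # perfc is what the post creates; perfc.dat / perfc.dll are an assumption
    # added here to cover the sample's original file name.
    param([string[]]$Names = @('perfc', 'perfc.dat', 'perfc.dll'))
    $ok = $true
    foreach ($name in $Names) {
        $path = Join-Path $WinDir $name
        if (-not (Test-Path -LiteralPath $path)) {
            # An empty file is enough: the malware only tests for existence.
            New-Item -ItemType File -Path $path | Out-Null
        }
        # Read-only, as the post recommends, so a casual delete fails.
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $item -or -not $item.IsReadOnly) { $ok = $false }
    }
    return $ok   # $true only if every vaccine file exists and is read-only
}

function Disable-Smb1 {
    # Windows 8 / Server 2012 and later: switch SMB1 off on the server side.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # Client SKUs that ship SMB1 as an optional feature: remove the component.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
    # Windows 7 / Server 2008 R2 fallback (documented registry switch; needs a reboot).
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWord -Value 0 -Force
}

function Test-Smb1Disabled {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return -not (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.SMB1 -eq 0)
}

# Apply the changes, then print a one-line status for this host.
Disable-Smb1
$vaccinated = Install-PerfcVaccine
[pscustomobject]@{
    'MS17-010 KB seen'    = Test-Ms17010Installed
    'SMBv1 disabled'      = Test-Smb1Disabled
    'perfc vaccine files' = $vaccinated
}
```

Run it on each host (or push it through your management tool); only the vaccine step takes effect immediately, while the SMBv1 change on older systems and any pending MS17-010 install need a reboot before the status line is trustworthy.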