Large-Scale Ransomware Attack In Progress, Hits Europe Hard

A large-scale ransomware attack reported to be caused by a variant of the Petya ransomware is currently hitting various users, particularly in Europe. This variant, which Trend Micro already detects as RANSOM_PETYA.SMA, is known to use both the EternalBlue exploit and the PsExec tool as infection vectors. Users and organizations are thus advised to perform the following mitigation steps immediately in order to prevent infection:

  • Apply the security patch MS17-010
  • Disable TCP port 445
  • Restrict accounts with administrator group access

Trend Micro also protects its customers against this threat through Predictive Machine Learning and other relevant ransomware protection features found in Trend Micro XGen™ security. We are currently analyzing this threat and will update this post as more details become available.

Infection Flow

As previously mentioned, this ransomware’s initial entry into the system involves the use of the PsExec tool, an official Microsoft utility used to run processes on remote systems. It also uses the EternalBlue exploit, previously used in the WannaCry attack, which targets a vulnerability in Server Message Block (SMB) v1. Once on a system, this Petya variant uses the rundll32.exe process to run itself. The actual encryption is then carried out by a file named perfc.dat, located in the Windows folder.

This ransomware then adds a scheduled task, which reboots the system after at least an hour. Meanwhile, the Master Boot Record (MBR) is also modified so that the encryptor will carry out the encryption and the appropriate ransom note will be displayed. A fake CHKDSK notice is initially displayed; this is when the encryption is actually carried out. Unusually for ransomware, it does not change the extensions of any encrypted files. More than 60 file extensions are targeted for encryption; it is worth noting that the file extensions targeted are focused on file types used in enterprise settings; images and video files (targeted by other ransomware attacks) are notably absent.
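As an added example (not code from the original post), the following Python script turns the behaviours described above into simple detection rules and runs them over a few constructed process-creation log lines; the log format, rule names and sample command lines are assumptions, not telemetry captured from this attack.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not real telemetry), one per line:
# <timestamp> <host> <parent image> <image> <command line...>
SAMPLE_EVENTS = """\
2017-06-27T10:01:02Z WS01 explorer.exe winword.exe winword.exe report.docx
2017-06-27T10:02:15Z WS01 services.exe PSEXESVC.exe C:\\Windows\\PSEXESVC.exe
2017-06-27T10:02:16Z WS01 PSEXESVC.exe rundll32.exe rundll32.exe C:\\Windows\\perfc.dat,#1
2017-06-27T10:02:20Z WS01 rundll32.exe schtasks.exe schtasks /Create /SC once /TN "" /TR "C:\\Windows\\system32\\shutdown.exe /r /f" /ST 11:05
2017-06-27T10:03:00Z WS02 explorer.exe rundll32.exe rundll32.exe shell32.dll,Control_RunDLL
"""

# Each rule: (name, image pattern, command-line pattern); all matched case-insensitively.
RULES = [
    # The DLL payload named in the write-up, run via rundll32 from the Windows folder.
    ("perfc_via_rundll32", r"^rundll32\.exe$", r"\\windows\\perfc\.dat"),
    # A newly created scheduled task whose action is a forced reboot.
    ("reboot_task_created", r"^schtasks(\.exe)?$", r"/create\b.*shutdown.*\s/r\b"),
    # PSEXESVC.exe is the service binary PsExec installs on the remote host.
    ("psexec_service_exec", r"^psexesvc\.exe$", r"."),
]

def parse_event(line: str) -> Dict[str, str]:
    """Split one log line into its fields; the command line keeps its own spaces."""
    ts, host, parent, image, cmdline = line.split(maxsplit=4)
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline}

def match_rules(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules whose image and command-line patterns both match."""
    hits = []
    for name, image_re, cmd_re in RULES:
        if re.search(image_re, event["image"], re.I) and re.search(cmd_re, event["cmdline"], re.I):
            hits.append(name)
    return hits

def scan(log_text: str) -> List[Dict[str, str]]:
    """Run every rule over every event and collect (host, timestamp, rule) findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for rule in match_rules(event):
            findings.append({"host": event["host"], "ts": event["ts"], "rule": rule})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {f['rule']}")
```

The benign rundll32 line on WS02 produces no finding, which is the point of keying on the perfc.dat path rather than on rundll32.exe alone.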

Figure 1. Infection diagram

Figures 2 and 3. Ransomware notices displayed after reboot

Aside from the use of the EternalBlue exploit, there are other similarities to WannaCry. Like that attack, this Petya variant’s ransom process is relatively simple: it also uses a hardcoded Bitcoin address, making decryption a much more labor-intensive process on the part of the attackers. This is in contrast to earlier Petya attacks, which had a more developed UI for this process. Each user is asked to pay US$300. As of this time, approximately US$7,500 had been paid into the Bitcoin address. As in all ransomware attacks, we advise against paying the ransom; this is particularly true in this case, as the email account mentioned in the ransom note is no longer active.

Trend Micro Solutions

Further information about Trend Micro solutions may be found in this article.

The following SHA256 hashes are related to this threat:

  • 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
  • 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 27 June 2017; the full text is available from the content source.