A Quick Overview of PETYA Ransomware

Petya ransomware differs from the regular ransomware families seen so far. Instead of encrypting individual files, it attacks low-level disk structures (the MBR [Master Boot Record] and the MFT [Master File Table]) so that the computer can no longer boot normally. It overwrites the MBR, and on the next restart its own low-level boot code encrypts the MFT, which makes the contents of the drive inaccessible.

Affected countries:

UK, Ukraine, India, the Netherlands, Spain, Denmark, and others

Behaviour observed:

Encrypts the MFT (Master File Table) of NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer.
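Because the observed behaviour is an overwrite of the MBR boot code, one practical host-level check is to hash the boot-code region of sector 0 while a machine is known to be healthy and compare it later. The script below is an added example written for this article, not code from the original page or from any vendor; the MBR bytes it checks are constructed in memory, and the `/dev/sda` path mentioned in the comment is a hypothetical example of where the real sector would be read from.

```python
import hashlib

MBR_SIZE = 512
BOOT_CODE_LEN = 440       # classic MBR: bytes 0..439 hold the boot code
SIGNATURE_OFFSET = 510    # bytes 510..511 must be 0x55 0xAA


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only. The disk signature and partition
    table that follow it change legitimately, so they are left out."""
    if len(mbr) < MBR_SIZE:
        raise ValueError("expected at least 512 bytes of MBR data")
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> dict:
    """Compare an MBR against a baseline recorded while the host was healthy.
    'tampered' is set when the boot code differs or the boot signature is gone."""
    signature_ok = mbr[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == b"\x55\xaa"
    current = boot_code_hash(mbr)
    return {
        "signature_ok": signature_ok,
        "boot_code_matches_baseline": current == baseline_hash,
        "tampered": (not signature_ok) or current != baseline_hash,
    }


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte MBR: the given boot stub, an empty partition table
    and a valid 0x55AA signature. Not taken from any real disk."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    return boot + b"\x00" * (SIGNATURE_OFFSET - BOOT_CODE_LEN) + b"\x55\xaa"


# Constructed "known-good" boot stub and the baseline hash taken from it.
GOOD_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = boot_code_hash(GOOD_MBR)

# Constructed: same layout, but the boot code has been replaced by something else.
REPLACED_MBR = make_sample_mbr(b"\xeb\x58\x90REPLACED-BOOT-STUB")

if __name__ == "__main__":
    # On a live Linux host the sector would come from something like
    # open("/dev/sda", "rb").read(512) (hypothetical device path; needs root).
    print("good:    ", check_mbr(GOOD_MBR, BASELINE))
    print("replaced:", check_mbr(REPLACED_MBR, BASELINE))
```

The baseline has to be captured before any incident and stored off the host; a check that reads its baseline from the same disk it is verifying proves nothing once the disk has been tampered with. Hashing only the first 440 bytes avoids false alarms from partition-table edits and disk-signature changes that administrators make legitimately.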

Malware dropped file:

http://185.165.29.78/~alex/svchost.exe

Infection and Propagation Vectors:

This malware is known to be propagated via spam emails that contain a link to a Dropbox-shared .zip file. The archive contains a .jpg photo and the actual malware executable. Known filenames of the photo and the executable:

• Bewerbungsbild.jpg

• Bewerbungsfoto.jpg

• Bewerbungspoto.jpg

• Bewerbungsmappe-gepackt.exe

• Bewerbungsunterlagen.PDF.exe

• BewerbungsmappePDF.exe

Indicators of Compromise (IOCs):

1. Source E-mail address

[email protected]

2. Domains:

http://mischapuk6hyrn72.onion/

http://petya3jxfp2f7g3i.onion/

http://petya3sen7dyko2n.onion/

http://mischa5xyix2mrhd.onion/MZ2MMJ

http://mischapuk6hyrn72.onion/MZ2MMJ

http://petya3jxfp2f7g3i.onion/MZ2MMJ

http://petya3sen7dyko2n.onion/MZ2MMJ

http://benkow.cc/71b6a493388e7d0b40c83ce903bc6b04.bin 

COFFEINOFFICE.XYZ (listed on the source as a LinkedIn redirect link: https://www.linkedin.com/redir/invalid-link-page?url=COFFEINOFFICE%2eXYZ)

http://french-cooking.com/ (listed on the source as a LinkedIn redirect link: https://www.linkedin.com/redir/invalid-link-page?url=http%3A%2F%2Ffrench-cooking%2ecom%2F)


3. Suspected IPs:

95.141.115.108

185.165.29.78

84.200.16.242

111.90.139.247
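The domain and IP indicators above are only useful once something looks for them in traffic records. The following script is an added example written for this article (not code from the original page): it takes the indicators as listed, including the two domains the page shows wrapped inside LinkedIn redirect links, and runs them over a handful of constructed proxy/DNS log lines in a simple "timestamp client verb target" layout that is assumed for the sake of the example. It deliberately handles two edge cases: a look-alike name such as `notbenkow.cc` must not match `benkow.cc`, and an indicator hidden in a URL-encoded query parameter of a redirect wrapper must still be found.

```python
from urllib.parse import parse_qs, urlparse

# Indicators copied from the page: Tor onion services, benkow.cc, the two domains the
# page lists wrapped in LinkedIn redirect links, and the suspected IPs.
IOC_DOMAINS = {
    "mischapuk6hyrn72.onion", "petya3jxfp2f7g3i.onion", "petya3sen7dyko2n.onion",
    "mischa5xyix2mrhd.onion", "benkow.cc", "coffeinoffice.xyz", "french-cooking.com",
}
IOC_IPS = {"95.141.115.108", "185.165.29.78", "84.200.16.242", "111.90.139.247"}

# Constructed sample lines in an assumed "<timestamp> <client> <verb> <target>" layout.
SAMPLE_LOGS = """\
2017-06-27T10:15:02Z 10.0.0.5 GET http://185.165.29.78/~alex/svchost.exe
2017-06-27T10:15:09Z 10.0.0.5 GET https://www.example.com/index.html
2017-06-27T10:16:40Z 10.0.0.7 DNS www.benkow.cc
2017-06-27T10:17:01Z 10.0.0.9 GET https://www.linkedin.com/redir/invalid-link-page?url=COFFEINOFFICE%2eXYZ
2017-06-27T10:18:13Z 10.0.0.9 CONNECT petya3jxfp2f7g3i.onion:80
2017-06-27T10:19:55Z 10.0.0.2 DNS notbenkow.cc
2017-06-27T10:20:30Z 10.0.0.9 GET https://www.linkedin.com/redir/invalid-link-page?url=http%3A%2F%2Ffrench-cooking%2ecom%2F
""".splitlines()


def match_indicator(host: str):
    """Return the matching indicator for a host, or None. Domains match exactly or as
    a parent of the observed name, so 'notbenkow.cc' does not match 'benkow.cc'."""
    host = host.lower().rstrip(".")
    if host in IOC_IPS:
        return host
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def candidate_hosts(token: str):
    """Yield the host named by a log token. For URLs, also yield hosts hidden in
    URL-encoded query values, which is how the LinkedIn redirect entries carry theirs."""
    if "://" in token:
        parsed = urlparse(token)
        if parsed.hostname:
            yield parsed.hostname
        for values in parse_qs(parsed.query).values():
            for value in values:
                yield from candidate_hosts(value)
    else:
        yield token.split("/")[0].split(":")[0]   # strip any path and port


def scan_logs(lines):
    """Return (line_number, indicator) pairs for every line touching an IOC."""
    hits = []
    for number, line in enumerate(lines, 1):
        found = set()
        for token in line.split():
            for host in candidate_hosts(token):
                indicator = match_indicator(host)
                if indicator:
                    found.add(indicator)
        hits.extend((number, indicator) for indicator in sorted(found))
    return hits


if __name__ == "__main__":
    for number, indicator in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: {indicator}")
```

Matching on the parent domain rather than substrings is what keeps the look-alike line quiet while still catching `www.benkow.cc`; recursing into query values is what surfaces the two redirect-wrapped domains that a plain hostname filter would miss.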

How to mitigate PETYA attacks:

The basic mitigation methods for such an infection are the usual best practices in network security. By following them and training users to follow them, the chance of getting infected by ransomware is lowered considerably:

• Avoid opening attachments in emails from untrusted sources. If your company allows, implement rules to block attachments with common executable extensions.

• Avoid opening links in email and chat windows from untrusted sources, and double-check them if they are sent by a trusted connection. Sometimes an infected machine may send links to all contacts found in the email/chat application, which would appear to the destination as if coming from a trusted contact.

• Keep all of your software up to date, including your operating system, Office package, browser, and any plugins you may be using. Disable any unnecessary plugins to avoid the extra attack surface.

• Keep your Antivirus up to date to help avoid other infections that may bring the ransomware to your machine.

• Apply all the latest patches released by Microsoft to mitigate the WannaCry attacks, since the same ETERNALBLUE exploit is reported to be used for spreading here as well.

• Disable the SMBv1 (Server Message Block version 1) protocol on all servers and end-user PCs.

• Add the following file hashes to your antivirus and blocklists (the 40-character entries are SHA-1; the last two entries give a filename with its SHA-256):

a809a63bc5e31670ff117d838522dec433f74bee

bec678164cedea578a7aff4589018fa41551c27f

d5bf3f100e7dbcc434d7c58ebf64052329a60fc2

aba7aa41057c8a6b184ba5776c20f7e8fc97c657

0ff07caedad54c9b65e5873ac2d81b3126754aac

51eafbb626103765d3aedfd098b94d0e77de1196

078de2dc59ce59f503c63bd61f1ef8353dc7cf5f

7ca37b86f4acc702f108449c391dd2485b5ca18c

2bc182f04b935c7e358ed9c9e6df09ae6af47168

1b83c00143a1bb2bf16b46c01f36d53fb66f82b5

82920a2ad0138a2a8efc744ae5849c6dde6b435d

myguy.xls (SHA-256): EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6

BCA9D6.exe (SHA-256): 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD
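Three of the points above fit into one gateway-side check: the lure described under "Infection and Propagation Vectors" (a .zip with a photo and an executable, including a stacked .PDF.exe name), the recommendation to block attachments with common executable extensions, and the hash list just given. The script below is an added example written for this article, not code from the original page or from any product. The archive it scans is constructed in memory with harmless placeholder bytes under the filenames the page lists; the extension sets and the size limit are assumptions for the example, and the hashes are the ones published above.

```python
import hashlib
import io
import zipfile

# Extensions a mail gateway would normally block inside archives, and the "document"
# extensions attackers stack in front of them (e.g. .PDF.exe). Both sets are assumptions.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi", ".ps1"}
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}
MAX_MEMBER_SIZE = 50 * 1024 * 1024   # refuse to inflate anything larger (zip-bomb guard)

# File hashes from the page's indicator list, lowercased for comparison.
KNOWN_BAD_SHA1 = {
    "a809a63bc5e31670ff117d838522dec433f74bee", "bec678164cedea578a7aff4589018fa41551c27f",
    "d5bf3f100e7dbcc434d7c58ebf64052329a60fc2", "aba7aa41057c8a6b184ba5776c20f7e8fc97c657",
    "0ff07caedad54c9b65e5873ac2d81b3126754aac", "51eafbb626103765d3aedfd098b94d0e77de1196",
    "078de2dc59ce59f503c63bd61f1ef8353dc7cf5f", "7ca37b86f4acc702f108449c391dd2485b5ca18c",
    "2bc182f04b935c7e358ed9c9e6df09ae6af47168", "1b83c00143a1bb2bf16b46c01f36d53fb66f82b5",
    "82920a2ad0138a2a8efc744ae5849c6dde6b435d",
}
KNOWN_BAD_SHA256 = {
    "ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6",   # myguy.xls
    "17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd",   # BCA9D6.exe
}


def name_reasons(member_name: str) -> list:
    """Reasons to block a member based on its name alone."""
    base = member_name.rsplit("/", 1)[-1].lower()
    exts = ["." + part for part in base.split(".")[1:]]
    reasons = []
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension " + exts[-1])
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
            reasons.append("double extension " + exts[-2] + exts[-1])
    return reasons


def hash_reasons(content: bytes) -> list:
    """Reasons to block a member based on its SHA-1 / SHA-256 matching the IOC list."""
    sha1 = hashlib.sha1(content).hexdigest()
    sha256 = hashlib.sha256(content).hexdigest()
    if sha1 in KNOWN_BAD_SHA1 or sha256 in KNOWN_BAD_SHA256:
        return ["hash matches published indicator"]
    return []


def scan_archive(data: bytes) -> list:
    """Inspect every member of a zip attachment; a member is blocked if any reason applies."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            reasons = name_reasons(info.filename)
            if info.file_size > MAX_MEMBER_SIZE:
                reasons.append("member too large to inspect")
            else:
                reasons.extend(hash_reasons(archive.read(info)))
            findings.append({"name": info.filename, "reasons": reasons, "block": bool(reasons)})
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive shaped like the described lure: a photo plus an executable
    with a stacked .PDF.exe extension. Contents are harmless placeholder bytes."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("Bewerbungsfoto.jpg", b"\xff\xd8\xff\xe0 placeholder image bytes")
        archive.writestr("Bewerbungsunterlagen.PDF.exe", b"MZ placeholder, not a real executable")
    return buffer.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_zip()):
        print(finding)
```

The name check fires on the lure in this example; the hash check is there for the cases where the executable has already been renamed to something innocuous, which is why both are evaluated for every member. The size guard matters because inflating untrusted archives on a gateway is itself an exposure.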

Other Useful Information about PETYA

It seems that the PETYA malware is spreading through ETERNALBLUE and the WMIC (Windows Management Instrumentation Command-line) utility used by sysadmins

(https://twitter.com/0x09AL/status/879702450038599681)

PETYA has hit much of the infrastructure of Ukraine, including large banks, the government, multiple fuel companies and more (https://twitter.com/DevinAckles/status/879696955210952704)

PETYA has infected big European companies such as Maersk since the start of the attack (https://twitter.com/Maersk/status/879689865184636928)

and at least one other large company (https://twitter.com/SwiftOnSecurity/status/879702625737994240)

It is not limited to Ukraine: there is at least one report each from Spain and the USA.

Bitcoin address receiving payments:
