Home - The article:
Source |
AlienVault Lab Blog |
Identifier |
378949 |
Publication date |
2017-06-27 23:01:00 (viewed: 2017-06-27 23:01:00) |
Title |
New Variant of Petya / PetrWrap Ransomware Strikes |
Text |
On June 27th the AlienVault Labs Team became aware of a new ransomware, a variant of the Petya malware, that is spreading rapidly and is known to have affected organizations in Russia and the Ukraine, and some other parts of Europe. A pulse detailing the Indicators of Compromise for this variant of Petya can be found in the AlienVault Open Threat Exchange (OTX) at https://otx.alienvault.com/pulse/59525e7a95270e240c055ead/.
Once it has compromised a system, the ransomware will:
Overwrite the Master Boot Record (MBR), encrypt individual files that match a list of file extensions (including documents, archives, and more), and after a reboot of the system will present the user a message requesting a ransom of $300 in Bitcoin to decrypt the system. To date, we understand that over $3000 has been paid in ransom, but we have not heard of any affected organizations having successfully decrypted their files.
Attempt to replicate itself to other systems on your network.
Understanding how this ransomware variant works is the first step in protecting your existing assets and in detecting when any of your systems have been compromised. In addition to this blog we've also created a short white paper detailing the facts behind this ransomware. You can access it here.
What We Know About this Ransomware Campaign
What we know is that, like WannaCry, this variant of Petya affects Microsoft Windows computers and is technically a 'computer worm', meaning that it replicates itself in order to spread to other computers. In addition, the campaign does not rely on a user clicking on an attachment to infect the host, nor is it known to communicate with a Command & Control (C2 or C&C) server in order to get instructions.
What this variant of Petya is known to use to distribute itself to other systems are the PsExec service (PsExec is dropped as dllhost.dat by the ransomware) and WMI services. In addition, the ETERNALBLUE exploit toolkit (which was released by the Shadow Brokers group in April 2017 and used to such great success by WannaCry) is suspected to be a key part of the attack.
There are also reports that some organizations were infected through a software update for a Ukrainian tax accounting package called MeDoc, which, given the locations of many of the attacked organizations and the below data from Kaspersky, is likely.
Once a system has been compromised, the ransomware takes the following steps:
Writes a message to the raw disk partition
Clears the Windows Event log using Wevtutil
Restarts the machine
Encrypts files matching a list of file extensions (including .3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, |
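The host behaviours listed above (event log clearing with Wevtutil, PsExec dropped as dllhost.dat, WMI used to reach other systems) can be turned into simple detection rules. The following is an added example, not AlienVault's code: the process-creation events are constructed, and the field names (host, image, cmdline) are an assumed schema rather than any product's real format.

```python
"""Flag process-creation events that match the Petya/PetrWrap host behaviours."""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample events. Paths and command lines are illustrative; the
# directory dllhost.dat is dropped into is an assumption, not from the report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil cl Setup"},                      # clears a log
    {"host": "WS01", "image": r"C:\Windows\dllhost.dat",
     "cmdline": r"C:\Windows\dllhost.dat"},                # renamed PsExec
    {"host": "WS01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic process call create [command redacted]"},
    {"host": "WS03", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil qe Application /c:5"},           # reads, does not clear
    {"host": "WS03", "image": r"C:\Windows\notepad.exe",
     "cmdline": "notepad.exe report.txt"},                 # benign
]


def _basename(path: str) -> str:
    """Lower-cased file name of an image path, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# (rule name, predicate). 'wevtutil cl' / 'clear-log' clears; 'qe' only queries.
RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    ("event log cleared with wevtutil",
     lambda e: _basename(e["image"]) == "wevtutil.exe"
     and re.search(r"(^|\s)(cl|clear-log)(\s|$)", e["cmdline"], re.I) is not None),
    ("PsExec dropped as dllhost.dat executed",
     lambda e: _basename(e["image"]) == "dllhost.dat"),
    ("WMI used to start a process",
     lambda e: _basename(e["image"]) == "wmic.exe"
     and re.search(r"process\s+call\s+create", e["cmdline"], re.I) is not None),
]


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (event, rule) match."""
    return [{"host": e["host"], "rule": name, "cmdline": e["cmdline"]}
            for e in events for name, pred in RULES if pred(e)]


def flagged_hosts(findings: List[Dict[str, str]], min_rules: int = 2) -> List[str]:
    """Hosts hitting at least min_rules distinct rules: candidates to isolate."""
    seen: Dict[str, set] = {}
    for f in findings:
        seen.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in seen.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']} <- {f['cmdline']}")
    print("isolate:", flagged_hosts(detect(SAMPLE_EVENTS)))
```

Requiring two distinct rules before a host is escalated keeps a lone administrative `wevtutil cl` from paging anyone, while the combination seen on WS01 is escalated.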
Notes |
|
Sent |
Yes |
Digest |
Tags |
|
Stories |
Wannacry
|
Move |
|
The article does not appear to have been picked up after its publication.
The article does not appear to have been picked up on a previous one.
|
|