Motherboard reported: “A quickly-spreading, world-wide ransomware outbreak has reportedly hit targets in Spain, France, Ukraine, Russia, and other countries.
Motherboard continued: “The attacks are similar to the recent WannaCry outbreak, and motherboard has seen several reports of infections shared by victims on Twitter. We were not able to immediately confirm the veracity of the reports, but several security researchers and firms also reported the attacks.
Judging by photos posted to Twitter and images provided by sources, many of the alleged attacks involved a piece of ransomware that displays red text on a black background, and demands $300 worth of bitcoin.
“If you see this text, then your files are no longer accessible, because they are encrypted,” the text reads, according to one of the photos. “Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”
Raiu believes the ransomware strain is known as Petya or Petrwrap, a highly sophisticated Russian strain, without all the errors that WannaCry contained, and no kill-switch. According to a tweet from anti-virus company Avira, the Petya attacks were taking advantage of the EternalBlue exploit previously leaked by the group known as The Shadow Brokers
EternalBlue is the same exploit used in the WannaCry attacks; it takes advantage of a vulnerability in the SMB data-transfer protocol, and Microsoft has since patched the issue. However, whether customers apply that patch is another matter.
Security researchers from Kaspersky Lab reported that the ransomware hit Russia, Ukraine, Spain, France, among others. Several people on Twitter reported witnessing or hearing reports of the outbreak in their respective countries, and across a wide range of industries. Companies around the world also reported computer outages.
If You Have Not Done So Yet, Apply This Patch Immediately.
From what we have been able to learn, this new worm spreads through SMB jkust like WannaCry so when we’re talking about machines behind firewalls being impacted, it implies port 445 being open and at-risk hosts listening to inbound connections. It’d only take one machine behind the firewall to become infected to then put all other workstations and servers at risk due to it being a true worm.
In the meantime, harden yourselves against this Windows Network Share vulnerability and ensure that all systems are fully patched with the “MS17-010” security update (link below) and remind all staff to Think Before They Click when they receive any out of the ordinary emails. https://technet.microsoft.com/
Note, the patch is included in the Monthly Quality rollups. Also, block inbound connections on TCP Port 445
[UPDATE 6/27/2017] 1:40pm
“It is definitely using EternalBlue to spread,” says Fabian Wosar, a security researcher at the defense firm Emsisoft, which specializes in malware and ransomware. “I confirm, this is a WannaCry situation,” Matthieu Suiche, the founder of security firm Comae Technologies, wrote on Twitter.
Group-IB believes the attacks on Ukraine and Rosneft were simultaneous and coordinated. Kaspersky and Flashpoint think they’re observing signs of the Petya (a.k.a. Petrwrap) strain of ransomware in the attacks.
Other major infestations are reported by the Danish shipping concern A.P. Moller-Maersk, pharmaceutical company Merck (this in the US), Deutsche Post (its operations in Ukraine), and British ad agency WPP. More are sure to come.
The ransom note’s text has appeared in English, but Ukrainian authorities blame Russian hackers, especially since the attack coincides with tomorrow’s observance in Ukraine of Constitution Day. On this interpretation the attack’s spread is due either to the inherently difficult-to-control nature of malware, deliberate misdirection, or willingness to take such targets of opportunity as present themselves.
UPDATE 6/27/2017 2:13pm
Delivery/Exploitation
We have not yet confirmed the initial infection vector for this new Petya variant. Previous variants were spread through e-mail, but we have not identified this latest sample carried in any e-mail related attacks.
Installation
This variant of Petya is spread as a DLL file, which must be executed by another process before it takes action on the system. Once executed, it overwrites the Master Boot Record and creates a scheduled task to reboot the system. Once the system reboots, the malware displays a ransom note which demands a payment of $300 in bitcoin.
Command and Control
Petya contains no Command and Control mechanisms that we know of. After a host is infected, there is no communication from the malware back to the attacker.
Lateral Movement
Petya may spread to other hosts directly using SMB or through the ETERNALBLUE exploitation tool.
