Ransomware Petya

Petya/Petwrap

Another form of ransomware whose propagation route is similar to that of WannaCry. Companies are still running unpatched versions of Windows, which led to another widespread outbreak: Petya uses the same SMBv1 exploit that WannaCry used. The infection usually starts when a user opens an attachment from an unknown sender, just like WannaCry, and the malware then uses SMBv1 to spread across the network.

Now let's look a little closer at what Petya is and how it works.

Petya is a nasty piece of ransomware and works very differently from other ransomware. Unlike traditional ransomware, Petya does not encrypt the files on a targeted system one by one. Instead, Petya reboots the victim's computer and encrypts the hard drive's master file table (MFT), rendering the master boot record (MBR) inoperable. Since the MFT holds the file names, sizes and locations on the physical disk, encrypting it locks the user out of the whole system.
Petya replaces the computer's MBR with its own malicious code that displays the ransom note and leaves the computer unable to boot.
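As an added example that is not part of the original post: a PowerShell script that reads the first sector of the boot disk, parses the MBR and keeps a SHA-256 of the bootstrap code, so that a scheduled run can tell when the MBR has been overwritten the way the post describes. It assumes an elevated prompt, that the boot disk is \\.\PhysicalDrive0, and a baseline file location of its own choosing; the function name Get-MbrInfo is mine.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Reads sector 0 of the boot disk,
# parses the MBR and compares the bootstrap-code hash against a stored baseline.

function Get-MbrInfo {
    param([string]$Device = '\\.\PhysicalDrive0')   # assumption: first physical disk is the boot disk

    # Open the raw disk read-only; reads on a device handle must be sector-aligned, and 512 bytes is one sector.
    $fs = New-Object System.IO.FileStream($Device, [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $sector = New-Object byte[] 512
        $read = $fs.Read($sector, 0, 512)
        if ($read -ne 512) { throw "short read ($read bytes) from $Device" }
    } finally { $fs.Dispose() }

    # MBR layout: bytes 0-439 bootstrap code, 440-443 disk signature, 446-509 four 16-byte
    # partition entries, 510-511 the 0x55 0xAA boot signature.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bootHash = ($sha.ComputeHash($sector, 0, 440) | ForEach-Object { $_.ToString('x2') }) -join ''
    $partitions = foreach ($i in 0..3) {
        $o = 446 + 16 * $i
        [pscustomobject]@{
            Index    = $i
            Bootable = ($sector[$o] -eq 0x80)
            Type     = ('0x{0:x2}' -f $sector[$o + 4])
            StartLBA = [BitConverter]::ToUInt32($sector, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($sector, $o + 12)
        }
    }
    [pscustomobject]@{
        Device          = $Device
        BootSignatureOK = ($sector[510] -eq 0x55 -and $sector[511] -eq 0xAA)
        BootCodeSHA256  = $bootHash
        Partitions      = $partitions
    }
}

# First run stores the baseline; later runs compare the bootstrap hash against it.
$BaselineFile = Join-Path $env:ProgramData 'mbr-baseline.json'   # assumption: any admin-only location works
$now = Get-MbrInfo
if (-not $now.BootSignatureOK) { Write-Warning "Boot signature missing on $($now.Device)" }
if (Test-Path $BaselineFile) {
    $base = Get-Content $BaselineFile | ConvertFrom-Json
    if ($base.BootCodeSHA256 -ne $now.BootCodeSHA256) {
        Write-Warning "MBR bootstrap code changed since baseline ($($base.BootCodeSHA256) -> $($now.BootCodeSHA256))"
    } else {
        Write-Host 'MBR bootstrap code matches baseline'
    }
} else {
    $now | ConvertTo-Json -Depth 3 | Set-Content $BaselineFile
    Write-Host "Baseline written to $BaselineFile"
}
```

The check only helps if it runs before the malware forces its reboot, so it belongs in a scheduled task rather than a one-off; once the replaced MBR has booted, the MFT is already encrypted and the only recovery is from backups.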
Screenshots of the latest Petya infection shared on Twitter show that the ransomware displays a message demanding $300 worth of Bitcoin. Here's what the text reads:

“If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”

Now the main question is: is the world not ready? Most people thought that after the WannaCry attack the giants would have geared up and improved their defences against this type of attack. Maersk, an international logistics company, has also confirmed on Twitter that the latest Petya attacks have shut down its IT systems at multiple locations and business units.

“We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently assessing the situation. The safety of our employees, our operations and customers’ business is our top priority. We will update when we have more information,” the company said.

The ransomware has also hit multiple workstations at the Ukrainian branch of the mining company Evraz.

The most severe damage reported by Ukrainian businesses also includes compromised systems at the Kiev metro and at Kiev’s Boryspil Airport.

Affected Telecommunication Industry:

Three Ukrainian telecommunication operators, Kyivstar, LifeCell and Ukrtelecom, have also been affected by the latest Petya attack.

In the last few hours Petya ransomware has also infected the Russian state-owned oil giant Rosneft and the Ukrainian state power distributors Kyivenergo and Ukrenergo.

“We were attacked. Two hours ago, we had to turn off all our computers. We are waiting for permission from Ukraine’s Security Service (SBU) to switch them back on,” Kyivenergo’s press service said.

There are reports from several banks, including the National Bank of Ukraine (NBU) and Oschadbank, and from other companies that they have been hit by the Petya ransomware attacks.

Precautions

Now that the ransomware is spreading, there are some measures that individuals and companies can take to keep it out of their environment. Below are the precautions:

1. Block source E-mail address

wowsmith123456@posteo.net

2. Block domains:

http://mischapuk6hyrn72.onion/

http://petya3jxfp2f7g3i.onion/

http://petya3sen7dyko2n.onion/

http://mischa5xyix2mrhd.onion/MZ2MMJ

http://mischapuk6hyrn72.onion/MZ2MMJ

http://petya3jxfp2f7g3i.onion/MZ2MMJ

http://petya3sen7dyko2n.onion/MZ2MMJ

http://benkow.cc/71b6a493388e7d0b40c83ce903bc6b04.bin 

COFFEINOFFICE.XYZ

http://french-cooking.com/

3. Block IPs:

95.141.115.108

185.165.29.78

84.200.16.242

111.90.139.247

4. Apply patches:

Refer(in Russian): https://habrahabr.ru/post/331762/

5. Disable SMBv1

6. Update anti-virus signatures with the following sample hashes (the 40-character values are SHA-1, the two 64-character values at the end are SHA-256 of the named files):

a809a63bc5e31670ff117d838522dec433f74bee

bec678164cedea578a7aff4589018fa41551c27f

d5bf3f100e7dbcc434d7c58ebf64052329a60fc2

aba7aa41057c8a6b184ba5776c20f7e8fc97c657

0ff07caedad54c9b65e5873ac2d81b3126754aac

51eafbb626103765d3aedfd098b94d0e77de1196

078de2dc59ce59f503c63bd61f1ef8353dc7cf5f

7ca37b86f4acc702f108449c391dd2485b5ca18c

2bc182f04b935c7e358ed9c9e6df09ae6af47168

1b83c00143a1bb2bf16b46c01f36d53fb66f82b5

82920a2ad0138a2a8efc744ae5849c6dde6b435d

myguy.xls EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6

BCA9D6.exe 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD
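The following PowerShell script, an added example rather than anything from the original post, applies items 2, 3, 5 and 6 above on a single Windows host: it blocks the listed IPs with a host firewall rule, sinkholes the clearnet domains through the hosts file, disables SMBv1 on both the server and client side, and sweeps a directory for files whose SHA-1 or SHA-256 matches a listed hash. The IOC values are copied from the lists above; the rule name, the sweep directory and the hosts-file approach are assumptions. Blocking the sender address (item 1) belongs on the mail gateway, and the patch (item 4) comes from Windows Update, so neither is covered here.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Applies the host-side precautions above.
# IOC values are copied from the post; $RuleName and $SweepPath are assumptions.

$RuleName  = 'Block Petya IOC IPs'
$SweepPath = 'C:\Users'    # assumption: the tree you want to check for dropped samples

# 2./3. Clearnet domains and IPs from the post's block lists (.onion hosts need Tor and get no hosts entry).
$BlockedDomains = @('coffeinoffice.xyz', 'french-cooking.com', 'benkow.cc')
$BlockedIPs     = @('95.141.115.108', '185.165.29.78', '84.200.16.242', '111.90.139.247')

# 6. Sample hashes from the post: 40 hex chars are SHA-1, 64 hex chars are SHA-256.
$KnownBad = @(
    'a809a63bc5e31670ff117d838522dec433f74bee',
    'bec678164cedea578a7aff4589018fa41551c27f',
    'd5bf3f100e7dbcc434d7c58ebf64052329a60fc2',
    'aba7aa41057c8a6b184ba5776c20f7e8fc97c657',
    '0ff07caedad54c9b65e5873ac2d81b3126754aac',
    '51eafbb626103765d3aedfd098b94d0e77de1196',
    '078de2dc59ce59f503c63bd61f1ef8353dc7cf5f',
    '7ca37b86f4acc702f108449c391dd2485b5ca18c',
    '2bc182f04b935c7e358ed9c9e6df09ae6af47168',
    '1b83c00143a1bb2bf16b46c01f36d53fb66f82b5',
    '82920a2ad0138a2a8efc744ae5849c6dde6b435d',
    'EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6',
    '17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD'
) | ForEach-Object { $_.ToUpperInvariant() }   # Get-FileHash returns upper-case hex

# Block outbound connections to the listed IPs (idempotent: skipped if the rule already exists).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
        -RemoteAddress $BlockedIPs -Profile Any | Out-Null
}

# Sinkhole the clearnet domains in the hosts file; a DNS or proxy block list is the better place at scale.
$HostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($domain in $BlockedDomains) {
    if (-not (Select-String -Path $HostsFile -SimpleMatch -Pattern $domain -Quiet)) {
        Add-Content -Path $HostsFile -Value "0.0.0.0 $domain"
    }
}

# 5. Disable SMBv1. Windows 8.1/10 and Server 2012+: turn it off server-side and remove the feature.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
}
# Windows 7 / Server 2008 R2, where those cmdlets do not exist: registry for the server side,
# service dependencies for the client side. Both need a reboot to take effect.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# 6. Sweep the chosen tree for files whose SHA-1 or SHA-256 matches a listed hash.
$hits = Get-ChildItem -Path $SweepPath -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
    $sha1   = (Get-FileHash -Path $_.FullName -Algorithm SHA1   -ErrorAction SilentlyContinue).Hash
    $sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($KnownBad -contains $sha1 -or $KnownBad -contains $sha256) {
        [pscustomobject]@{ Path = $_.FullName; SHA1 = $sha1; SHA256 = $sha256 }
    }
}
if ($hits) { $hits | Format-Table -AutoSize } else { Write-Host "No known-bad samples under $SweepPath" }
```

Hash matching catches only the exact samples listed; a repacked binary will have a different hash, so the SMBv1 and firewall steps are what actually stop the spread, and the sweep is for confirming whether a host already received a dropper.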

Future 

As was said at the time of WannaCry, this type of ransomware will keep spreading and causing damage until people are fully aware of their IT security. Nobody should take it lightly, even a personal user who is not part of an organization's network, and this is the reason some giants like Apple and Google
