PhoneBoy
Admin

Worldwide Outbreak of Petya Ransomware

A massive attack erupted today (June 27) worldwide, with a high concentration of hits in Ukraine – including the Ukrainian central bank, government offices and private companies.

While the malware used is yet undetermined, some researchers are speculating it to be a variant of Petya, a ransomware that encrypts the entire hard-drive rather than each file individually. Check Point analysis also shows involvement of Loki Bot for credential theft. Our analysis shows that the ransomware spreads laterally, exploiting SMB vulnerabilities.

Check Point is closely following the attack and we will keep this thread updated with any new facts as well as the following blog post: Global Ransomware Attack is Spreading Fast | Check Point Blog 

Feel free to share any facts/observations in the discussion below.

Check Point customers using the following are protected: 

  • Check Point SandBlast, SandBlast Agent and Anti-Bot protect against Petya ransomware and Loki Bot
  • Check Point IPS protects against the relevant SMB vulnerabilities

 

From the research lab:

  • Infection chain for the Loki-Bot malware is: an RTF file downloads a corrupted xls which contains a malicious js script, which in turn pulls an executable from another drop zone. The executable is Loki Bot.
  • The Petya ransomware exploits an SMB vulnerability for lateral movement, which is a bit different from the exploit used in WannaCry. We will update with the specifics.
5 Replies
PhoneBoy
Admin

The following video demonstrates Check Point Anti-Ransomware blocking the Petya Ransomware that's making the rounds.

Video Link: 5446

0 Kudos
PhoneBoy
Admin

More updates from the blog:

  • Loki Bot’s infection vector is as follows: a malicious email containing an RTF file. The RTF exploits CVE-2017-0199 to download an xlsx decoy file. The binary of the “xlsx” file includes a js script, which is executed by the RTF file. When it runs, the script downloads Loki’s exe file and executes it.
  • Still no confirmation that the Loki-Bot is related to the ransomware attack
  • Petya’s lateral movement leverages both SMB protocol and HTTP traffic; an infected machine scans the internal network by sending ARP requests. It will then start SMB communication with machines that answer, later adding HTTP communication. Eventually, both machines are encrypted and communication stops.
0 Kudos
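Detection logic for the ARP-sweep-then-SMB/HTTP pattern described in the post above, written as an added example that is not from this thread or from Check Point. The flow-record format, the sample records and the ARP-target threshold are constructed assumptions; the point is to flag a host that probes many neighbours and then opens SMB (445), and possibly HTTP (80), only to the ones that answered.

```python
import re
from collections import defaultdict

# Constructed flow records: "<seq> <src> <dst> <proto>[/<dport>]".
# "arp-req"/"arp-reply" are ARP frames; "tcp/445" is SMB, "tcp/80" is HTTP.
SAMPLE_FLOWS = """
1 10.0.0.5 10.0.0.1 arp-req
2 10.0.0.1 10.0.0.5 arp-reply
3 10.0.0.5 10.0.0.2 arp-req
4 10.0.0.5 10.0.0.3 arp-req
5 10.0.0.3 10.0.0.5 arp-reply
6 10.0.0.5 10.0.0.4 arp-req
7 10.0.0.5 10.0.0.6 arp-req
8 10.0.0.6 10.0.0.5 arp-reply
9 10.0.0.5 10.0.0.3 tcp/445
10 10.0.0.5 10.0.0.6 tcp/445
11 10.0.0.5 10.0.0.3 tcp/80
12 10.0.0.9 10.0.0.1 arp-req
13 10.0.0.1 10.0.0.9 arp-reply
14 10.0.0.9 10.0.0.1 tcp/445
""".strip().splitlines()

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")

def find_lateral_movers(lines, min_arp_targets=4):
    """Return {scanner: {peer: [ports]}} for hosts whose ARP sweep of at least
    min_arp_targets neighbours is followed by SMB (445) to responders; any
    later HTTP (80) to the same peers is recorded alongside the SMB port."""
    arp_targets = defaultdict(set)      # src -> hosts it ARP-probed
    arp_responders = defaultdict(set)   # scanner -> hosts that replied to it
    followups = defaultdict(lambda: defaultdict(set))  # src -> peer -> ports
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                    # skip malformed records
        _, src, dst, proto = m.groups()
        if proto == "arp-req":
            arp_targets[src].add(dst)
        elif proto == "arp-reply":
            arp_responders[dst].add(src)    # dst is the original scanner
        elif proto in ("tcp/445", "tcp/80") and dst in arp_responders.get(src, ()):
            # only count SMB/HTTP towards hosts this source discovered via ARP
            followups[src][dst].add(int(proto.split("/")[1]))
    suspects = {}
    for src, peers in followups.items():
        smb_peers = {p: ports for p, ports in peers.items() if 445 in ports}
        if len(arp_targets[src]) >= min_arp_targets and smb_peers:
            suspects[src] = {p: sorted(ports) for p, ports in smb_peers.items()}
    return suspects
```

A host that ARP-probes a single neighbour and then talks SMB to it (10.0.0.9 in the sample) is ordinary file-share traffic and is not flagged; the sweep width is what separates the two.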
PhoneBoy
Admin

There are mixed reports as to whether or not this particular killswitch works. If it does (or doesn't), please respond in comments: Amit Serper on Twitter: "100% certainty! Create a file called perfc with no extension in %windir%. A... 

Moti
Admin

0 Kudos
Moti
Admin

IMPORTANT: A single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers through WMI or PSEXEC. Meaning a fully patched Windows 10 can be infected.

0 Kudos
