The new modification of Petya, which we named EternalPetya (because it uses the EternalBlue and EternalRomance exploits), caused a surprisingly big infection outbreak in Ukraine and Russia.
This can be explained by its use of several attack vectors:
- In a local network, the EternalBlue and EternalRomance exploits target SMB services running on ports 139 and 445. Both vulnerabilities were fixed in March 2017 (CVE-2017-0144 / MS17-010).
- In a local network, EternalPetya leverages Microsoft's PsExec and WMIC tools, which connect to a remote computer with the user's credentials and start a new process there.
- A Mimikatz-like tool embedded into the ransomware DLL harvests user logins and passwords on the host; these are the credentials the PsExec and WMIC tools require.
- X-Factor: delivery through a fake update for the M.E.Doc program, used by many accountants in Ukraine to submit tax e-reports. Social engineering techniques were probably also used to trick a user into executing the malware, for example delivered as an email attachment or downloaded via a link in a spear-phishing email.
Recommendations:
- Install the MS17-010 Windows security patch.
- Close ports 139 and 445.
- Block PsExec and WMIC traffic with an IPS in local networks, if possible.
- Use advanced tools for deep traffic inspection: IDS/IPS and a malware sandbox. We do not recommend relying on antiviruses, as many of them do not detect new threats.
- Back up your data regularly.
- Keep your security tools (firewalls, IDS/IPS) up to date with the latest threat intelligence data.
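The lateral-movement vectors above (SMB exploitation on ports 139/445, and PsExec/WMIC with harvested credentials) leave a characteristic network footprint that the IDS/IPS recommendation can key on: one workstation suddenly opening connections on those ports to many distinct internal peers within a short window. The following detector is an added example, not code from the original post or from NioGuard; it assumes a constructed log format of `<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>` and constructed sample lines. Besides the SMB ports named in the post, it also watches TCP 135 (the RPC endpoint mapper that WMI uses), and it relies on the known fact that PsExec itself rides on SMB through the ADMIN$ share; neither detail comes from the post.

```python
"""Flag SMB/RPC fan-out from a single host in firewall connection logs.

Added example (not from the original post). Log format is an assumption:
"<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>", one flow per line.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# TCP 139/445: SMB (EternalBlue/EternalRomance, PsExec over ADMIN$).
# TCP 135: RPC endpoint mapper used by WMI/WMIC (assumption, not from the post).
LATERAL_PORTS = {139, 445, 135}

# Constructed sample log lines, not real traffic. Host 10.0.1.20 sprays
# SMB/RPC connections at six peers in four seconds; 10.0.1.31 talks to a
# file server normally; 10.0.1.40 is ordinary HTTPS traffic.
SAMPLE_LOG = """\
2017-06-27T10:00:01 10.0.1.20 10.0.1.5 445 allow
2017-06-27T10:00:02 10.0.1.20 10.0.1.6 445 allow
2017-06-27T10:00:02 10.0.1.20 10.0.1.7 445 allow
2017-06-27T10:00:03 10.0.1.20 10.0.1.8 139 allow
2017-06-27T10:00:03 10.0.1.20 10.0.1.9 135 allow
2017-06-27T10:00:04 10.0.1.20 10.0.1.10 445 allow
2017-06-27T10:00:05 10.0.1.31 10.0.1.5 445 allow
2017-06-27T10:00:09 10.0.1.31 10.0.1.5 445 allow
2017-06-27T10:00:10 10.0.1.40 10.0.1.50 443 allow
2017-06-27T10:02:30 10.0.1.31 10.0.1.6 445 allow
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def detect_fanout(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {src_ip: (first_seen, sorted distinct targets)} for every source
    that reached `threshold` or more distinct hosts on LATERAL_PORTS within
    `window`. Lines are assumed to be in time order, as a log file would be."""
    recent = defaultdict(deque)   # per-source sliding window of (ts, dst)
    alerts = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, src, dst, port, _action = parse_line(raw)
        if port not in LATERAL_PORTS:
            continue
        q = recent[src]
        q.append((ts, dst))
        # Drop entries that fell out of the window relative to the newest flow.
        while q and ts - q[0][0] > window:
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= threshold and src not in alerts:
            alerts[src] = (q[0][0], sorted(targets))
    return alerts


def format_alerts(alerts):
    """Render alerts as one line each, suitable for a SIEM or a ticket."""
    return [
        f"{first.isoformat()} {src} reached {len(targets)} hosts on SMB/RPC ports: "
        + ", ".join(targets)
        for src, (first, targets) in sorted(alerts.items())
    ]


if __name__ == "__main__":
    for line in format_alerts(detect_fanout(SAMPLE_LOG.splitlines())):
        print(line)
```

Threshold and window are the knobs to tune against a baseline of your own network: a file server or a patch-management host legitimately talks to many peers on 445, so whitelist those sources rather than raising the threshold for everyone. The distinct-destination count, not the raw connection count, is what separates worm-style propagation from a workstation retrying one share.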
Once you are infected, your computer is locked and your data is encrypted by EternalPetya; there is no way to decrypt your data and unlock your system other than restoring it from a backup.
Contact us if you need to protect your cloud or enterprise network against ransomware and targeted attacks.
Article Link: http://nioguard.blogspot.com/2017/06/eternalpetya-ransomware-analysis.html