Hi everyone, long time no see. I was in prison for a while. Just kidding. :D
In this post, I'm going to keep updating the information about this cyber attack from every source I find. Keep following it, and you could protect your system from this attack.
0. Keep Updating …
We are looking for new information about this attack, and we will update it here.
- Jun 30, 2017, 9 am: A vaccine from Bleeping Computer.
Actually, we just need to create 3 read-only files in "C:\Windows\", named: perfc, perfc.dat, perfc.dll.
This script will help us do so. Download it from here.
After that, your computer should be vaccinated against the NotPetya/SortaPetya/Petya ransomware.
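The vaccine step above, written out as an added PowerShell example (this is not the Bleeping Computer script and not code from the original post). It assumes an elevated prompt and that %SystemRoot% is C:\Windows; it creates the three files if they are missing, marks them read-only, and then reports the state of each one so you can confirm the result on a fleet of machines.

```powershell
# Added example: create the three read-only "vaccine" files in %SystemRoot%
# (normally C:\Windows) and verify them. Assumes an elevated PowerShell prompt.

$VaccineFiles = 'perfc', 'perfc.dat', 'perfc.dll'

function Install-PerfcVaccine {
    param([string]$WindowsDir = $env:SystemRoot)
    foreach ($name in $VaccineFiles) {
        $path = Join-Path $WindowsDir $name
        if (-not (Test-Path -LiteralPath $path)) {
            # Empty file is enough; the check is for presence, not content.
            New-Item -ItemType File -Path $path -Force | Out-Null
        }
        # Read-only so the file is not casually overwritten or deleted.
        $file = Get-Item -LiteralPath $path -Force
        $file.IsReadOnly = $true
        $path
    }
}

function Test-PerfcVaccine {
    param([string]$WindowsDir = $env:SystemRoot)
    foreach ($name in $VaccineFiles) {
        $path   = Join-Path $WindowsDir $name
        $exists = Test-Path -LiteralPath $path
        $ro     = $false
        if ($exists) { $ro = (Get-Item -LiteralPath $path -Force).IsReadOnly }
        [pscustomobject]@{ File = $path; Exists = $exists; ReadOnly = $ro }
    }
}

Install-PerfcVaccine | Out-Null
Test-PerfcVaccine | Format-Table -AutoSize
```

The vaccine only stops samples that look for this file and exit; it does not replace patching MS17-010 or the other recommendations at the end of this post.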
- Jun 29, 2017, 10 am: Kaspersky Lab researchers confirm it.
Kaspersky Lab researchers have analyzed the high-level code of the encryption routine and determined that after disk encryption, the threat actor could not decrypt victims’ disks. To decrypt, the threat actors need the installation ID. In previous versions of seemingly similar ransomware such as Petya/Mischa/GoldenEye, this installation ID contained the information necessary for key recovery.
ExPetr (aka NotPetya) does not have that installation ID, which means that the threat actor could not extract the necessary information needed for decryption. In short, victims could not recover their data.
- Jun 29, 2017, 9 am: Files can't be restored anymore with this new variant of Petya; it is wiper malware.
This new variant of Petya does not keep a copy of the replaced MBR, whether by mistake or on purpose, leaving infected computers unbootable even if victims obtain the decryption keys.
- June 28, 2017, 11.30 pm: A statement from MEDoc to their customers.
Dear users of the M.E.Doc program! The hot news today, June 27, 2017, is a massive hacker att…
The failure was not theirs: their latest update was on June 22, 2017, but the fake update appeared on June 27, 2017.
- June 28, 2017, 4 pm: German e-mail provider Posteo has shut down the e-mail address that victims were supposed to use to contact the blackmailers and send bitcoins, and from which they would receive decryption keys.
[email protected]: the email has been shut down, so we can't contact them through this email.
- June 28, 2017, 1 pm: Contact addresses seen so far:
  - [email protected] (the email has been shut down)
  - 3 more reported by WhiteWolfCyber: [email protected], [email protected], [email protected]
1. The beginning
June 27th, 2017.
- If you have been attacked, your screen looks like this:
The attack has focused on businesses in Ukraine, Russia and Western Europe.
The country’s National Bank was among the first to report a problem. In Russia, the malware hit companies such as Mars, Nivea and Mondelez International, according to the Tass news agency.
- Here is a message demanding money, seen on a terminal monitor at a branch of Ukraine's state-owned Oschadbank after Ukrainian institutions were hit by a wave of cyberattacks earlier on Tuesday in Kiev, Ukraine.
- Maersk IT systems are down.
Energy company Maersk reported a cyberattack on Tuesday; they said on their website:
- According to Anton Gerashchenko, a lawmaker and adviser to Ukraine's interior minister:
The malware was delivered in emails that had been created to resemble business correspondence, Gerashchenko said on his Facebook page. He added that the attack took days and likely weeks to stage before being activated.
2. What is its attack vector?
- It spreads through a program named Me-doc, from a Russian company that has more than 400,000 users.
Here is their English Version.
The program checks for updates, and a normal update file from the specified URL is only kilobytes in size and looks something like this:
Today, however, in response to the same request, the ME-Doc program downloaded more than 300 kilobytes from the server.
Right after that, the server rebooted and showed a message about encrypted files.
On the same day, June 27th, 2017, the manufacturer's website reported that their server was under a virus attack:
3. How does it work inside the LAN?
- They used Mimikatz, the well-known tool for extracting plaintext passwords, hashes, PIN codes and Kerberos tickets from memory.
With it, they can pull credentials out of the lsass.exe process. Once found, the credentials are passed to the PsExec tool or WMIC to attack other hosts inside the network.
This attack vector includes:
- A modified EternalBlue exploit, also used by WannaCry.
- The EternalRomance exploit – a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP port 445
(Both can be patched with MS17-010.)
- An attack against the update mechanism of a third-party Ukrainian accounting software product named MeDoc.
PAY ATTENTION: A single infected system on the network that possesses administrative credentials is capable of spreading the infection to all the other computers through WMI or PsExec.
- The malware waits for 10-60 minutes after the infection to reboot the system. The reboot is scheduled using system facilities: the "at" or "schtasks" and "shutdown.exe" tools.
Once it reboots, it starts to encrypt the MFT table in NTFS partitions, overwriting the MBR with a customized loader with a ransom note. More details on the ransom note below.
The malware enumerates all network adapters, all known server names via NetBIOS and also retrieves the list of current DHCP leases, if available. Each and every IP on the local network and each server found is checked for open TCP ports 445 and 139. Those machines that have these ports open are then attacked with one of the methods described above.
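Two of the behaviours described in this section leave traces a defender can look for on a host: the reboot scheduled through "at"/"schtasks" plus "shutdown.exe", and remote execution via WMIC or PsExec. The PowerShell below is an added example (not code from the original post or from any vendor) that hunts for both. It assumes an administrator prompt on Windows 8 / Server 2012 or later (for the ScheduledTasks module), and that process-creation auditing (Security event 4688) with command-line logging is enabled; the $Hours window is a constructed default.

```powershell
# Added example: hunt for a scheduled shutdown and for WMIC/PsExec-style remote execution.
# Assumes an elevated prompt, Windows 8 / Server 2012+, and 4688 auditing with command lines.

function Find-SuspiciousShutdownTask {
    # at.exe jobs are registered as tasks named At1, At2, ...; schtasks entries keep their name.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $task.Actions | Where-Object {
            ($_.Execute   -match 'shutdown(\.exe)?$') -or
            ($_.Arguments -match 'shutdown') -or
            ($task.TaskName -match '^At\d+$')
        } | ForEach-Object {
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                State     = $task.State
                Execute   = $_.Execute
                Arguments = $_.Arguments
            }
        }
    }
}

function Find-RemoteExecutionProcessEvents {
    param([int]$Hours = 24)   # constructed default window
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull named EventData fields out of the event XML rather than relying on positions.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $exe = [string]$data['NewProcessName']
        $cmd = [string]$data['CommandLine']
        if (($exe -match '\\(wmic|psexec|psexec64|psexesvc|schtasks|at)\.exe$') -or
            ($cmd -match 'process\s+call\s+create')) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Process     = $exe
                Parent      = [string]$data['ParentProcessName']
                CommandLine = $cmd
            }
        }
    }
}

Find-SuspiciousShutdownTask        | Format-Table -AutoSize
Find-RemoteExecutionProcessEvents  | Format-Table -AutoSize -Wrap
```

Treat the output as leads, not verdicts: administrators also schedule reboots and use PsExec, so compare hits against the reboot delay in this post (a task created 10-60 minutes before a shutdown on many hosts at once) and against who created the task or launched the process.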
4. Encrypted Files
Is there any hope of decrypting files for victims already infected? Unfortunately, the ransomware uses a standard, solid encryption scheme, so this appears unlikely unless a subtle implementation mistake has been made. The following specifics apply to the encryption mechanism:
For all files, one AES-128 key is generated. This AES key is encrypted with the threat actors' public RSA-2048 key. The encrypted AES key is saved to a README file. Keys are securely generated.
- Files affected by the ransomware: 65 different file types are targeted.
.3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip
5. Pay the hacker or not?
Victims are asked to pay $300 in Bitcoin to a single Bitcoin wallet to receive the key that decrypts the data. Unlike WannaCry, victims must send an email to "[email protected]" with their wallet number to confirm the transaction. (We have reported that this email account has already been shut down, effectively making the full decryption chain for existing victims impossible at this time.)
At the time of writing, the Bitcoin wallet has accrued 35 transactions totalling 3.516 BTC or just under $9,000 USD.
6. Some recommendations
Here's our shortlist of recommendations on how to survive ransomware attacks:
- Run a robust anti-malware suite with embedded anti-ransomware protection.
- Make sure you update Microsoft Windows and all third-party software. Applying the MS17-010 bulletin right now is essential.
- Do not open or run attachments from untrusted sources.
- Back up sensitive data to external storage and keep it offline.
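To turn the patching and exposure points above into something you can run across a fleet, here is an added PowerShell posture check (it is not from the original post or from Microsoft). It assumes an administrator prompt on Windows 8 / Server 2012 or later for the SMB and TCP cmdlets (they are wrapped so the script still runs on older systems), and the KB identifiers listed are the MS17-010 packages for Windows 7 SP1 / Server 2008 R2; other OS versions have their own KBs in the bulletin, and a later cumulative rollup supersedes these, so treat a "missing" KB as a prompt to check Windows Update rather than proof of exposure.

```powershell
# Added example: one-host posture check for the recommendations in this post.
# Assumes an elevated prompt. KB list is for Windows 7 SP1 / Server 2008 R2 only.

function Get-PetyaExposure {
    $os       = Get-CimInstance Win32_OperatingSystem
    $hotfixes = Get-HotFix

    # MS17-010 security-only and monthly-rollup packages for Win7 SP1 / 2008 R2.
    # Later rollups supersede them, so absence is a prompt to verify, not a verdict.
    $ms17010  = 'KB4012212', 'KB4012215'
    $present  = @($hotfixes | Where-Object { $_.HotFixID -in $ms17010 }).Count -gt 0

    # SMBv1 state and SMB listeners: EternalBlue/EternalRomance arrive over TCP 445/139.
    $smb1 = 'unknown'
    try { $smb1 = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol } catch {}
    $ports = 'unknown'
    try {
        $ports = (Get-NetTCPConnection -State Listen -LocalPort 139,445 -ErrorAction Stop |
                  Select-Object -ExpandProperty LocalPort -Unique) -join ','
    } catch {}

    $lastPatch = ($hotfixes | Where-Object InstalledOn |
                  Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        OS                = $os.Caption
        LastHotfixInstall = $lastPatch
        MS17010KbPresent  = $present
        SMB1Enabled       = $smb1
        SmbPortsListening = $ports
        PerfcVaccine      = Test-Path -LiteralPath (Join-Path $env:SystemRoot 'perfc')
    }
}

Get-PetyaExposure | Format-List
```

Run it through Invoke-Command against a list of hosts and sort on LastHotfixInstall and SMB1Enabled to find the machines to patch first; the offline backup recommendation has no equivalent check here and still has to be verified by restoring from it.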