New Ransomware "NotPetya"
Yesterday (June 28, 2017), a new ransomware spread widely in Ukraine and in several European and American regions. It is known by several names, including Petwrap, Petrwrap, Petya, NotPetya, Nyetya and GoldenEye. So far, two sources of infection have been identified:
- M.E.Doc, a software package popular in Ukraine, had its software update process compromised so that it directly executed a malicious DLL file, infecting computers that performed the software update.
- Phishing e-mail containing an attachment. When the user opened the attachment, the CVE-2017-0199 (Microsoft Office/WordPad Remote Code Execution Vulnerability w/ Windows API) vulnerability was exploited to download malware, which eventually executed a malicious DLL file.
Regardless of the source of infection, the ransomware scanned the victim's home or office network. If it found other computers, it tried to use the EternalBlue exploit tool to attack the SMB vulnerability. The ransomware also tried to use the PSExec and WMI management tools to command other managed computers to install the ransomware directly.
Following are the SHA256 hash values of the malicious DLL file:
<Source: Payload Security>
HKCERT has prepared a short movie to help you understand the threat of NotPetya ransomware and how to mitigate the risks:
If you want to protect yourself from this threat, follow these steps:
- Apply the latest security updates to Windows and other applications, especially MS17-010;
- Minimize the number of users who have domain administrative rights to confine the scope and impact of attacks, and use a normal-privilege account for daily operation;
- Ensure the installation of anti-virus or Internet security software, and keep its signature updated;
- Ensure the personal firewall is turned on to block incoming SMB connections;
- Regularly back up data and keep an offline copy; and
- Do not open links or attachments in any suspicious emails.
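
The Windows-side steps above (updates, domain administrative rights, firewall and incoming SMB) can be checked on a host with a read-only script. The following is an added example, not part of the original advisory; it assumes Windows 8 / Server 2012 or later, and the variable names and the use of the MS17-010 publication date (14 March 2017) as a coarse staleness test are choices made for this example.

```powershell
# Added example: read-only audit of the Windows-side mitigation steps.
# It changes nothing on the host; it only reports.

# MS17-010 was published on 14 March 2017. A host with no update installed
# since that date cannot have it. This is a coarse check, not proof of patching.
$bulletinDate = [datetime]'2017-03-14'
$lastUpdate = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchStale = (-not $lastUpdate) -or ($lastUpdate.InstalledOn -lt $bulletinDate)

# The firewall should be enabled on every profile (Domain, Private, Public).
$fwDisabled = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })

# Enabled inbound Allow rules that cover TCP 445 are what let SMB in.
# Port ranges (for example "400-500") are not expanded by this check.
$smbAllow = @(Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        if (($port.Protocol -in @('TCP', 'Any')) -and
            ($port.LocalPort -contains '445' -or $port.LocalPort -contains 'Any')) {
            $_.DisplayName
        }
    })

# Accounts holding domain administrative rights. This needs the ActiveDirectory
# module (RSAT) and a domain-joined host; otherwise the check is skipped.
$domainAdmins = @()
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $domainAdmins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object -ExpandProperty SamAccountName)
}

# One summary object per host, suitable for Export-Csv when run across a fleet.
[pscustomobject]@{
    Computer                  = $env:COMPUTERNAME
    NoUpdateSinceMS17010Date  = $patchStale
    LastUpdateInstalledOn     = $lastUpdate.InstalledOn
    FirewallProfilesDisabled  = $fwDisabled.Name -join ', '
    InboundSmbAllowRules      = $smbAllow -join '; '
    DomainAdminCount          = $domainAdmins.Count
    DomainAdmins              = $domainAdmins -join ', '
}
```

An empty `FirewallProfilesDisabled` and `InboundSmbAllowRules`, with `NoUpdateSinceMS17010Date` set to `False`, is the expected result on a host that follows the list above.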