HKCert
  

Petwrap / NotPetya Ransomware Encrypts Victim Data

Release Date: 28 / 06 / 2017
Last Update: 28 / 06 / 2017
Criticality Level:  


A new variant of ransomware known as Petwrap / Petrwrap / Petya / NotPetya / Nyetya is spreading quickly. HKCERT was aware that it is widespread overseas. The different name indicate the industry is debating if the ransomware is directly related to another known ransomware Petya.


It incorporated the attack method from the WannaCry ransomware targeting SMB v1.0 vulnerability. It was reported that the ransomware used phishing email to spread. Once infected, the machine will spread via local network before it encrypts data on local machine.

 

Because the filenames are not changed and it reboots and shows the ransom notice one hour after infection, computers in local LAN might have been attacked when the victim discovered the infection.

 

Attack Vector:

  • EthernalBlue - the same exploit used by WannaCry.
  • Psexec - a legitimate Windows administration tool.
  • WMI - Windows Management Instrumentation, a legitimate Windows component.

 

Note: The vulnerability is being exploited to spread the ransomware attack.

 

Impacts:

  • Encrypt the masterboot record (MBR) on victims’ computers.
  • Infected system will reboot after an hour. Since the MBR has been damaged, the system will display a ransom note instead of booting properly
  • Data will be unrecoverable due to encryption by ransomware.
  • Try to attack other computers in the local network.

 

  • Denial of Service
  • Data Manipulation
  1. Apply latest Windows security update.
    1. Direct links for downloading patch for individual Windows versions are provided (exceptional Windows XP, Windows Server 2003 and Windows 8 patch also released):
      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ (scroll down to the bottom)
  2. Minimize the number of people with domain administrative privilege in your organization and use normal privilege accounts In daily operation,
  3. Ensure the personal firewall is on and blocks incoming SMB traffic (close TCP ports 139 and 445 technically).
  4. Ensure that anti-virus or Internet security application is installed, and have its signature updated.
  5. Perform offline backup (i.e. backup in another storage device, disconnect it after backup).
  6. Do not open links and attachment in any suspicious emails.
  7. Ensure that your computer have baseline protection, i.e. enable and run Windows Update, install anti-virus application with signature updated, enable Windows Firewall.