Xylos brands

Being attacked by supervillain Peyta? Xylos to the rescue!

Enter Peyta (aka Petya or Petrwrap), the new ransomware variant that is spreading. She has many similarities to Wannacry. They both use an NSA exploit known as EternalBlue that targets a SMB vulnerability (CVE-2017-0144), for which Microsoft released a patch in March. Unfortunately, Petya has a few more tricks up her sleeve.

What makes Peyta more malicious?

Cyber-criminals have learned from the weaknesses in Wannacry. When the machine reboots it shows a fake "CheckDisk Repairing file system" message. This is the encryption process, so power off immediately. But Peyta doesn't solely rely on one vulnerability, so even if you have applied the Microsoft security update above, you can still get hit. She also spreads in networks using PSEXEC and WMIC.

Since her initial attack, a "kill switch" has been found thanks to @PTsecurity: create file "C:\Windows\perfc". This is a mechanism that virus authors build in to centrally disable the distribution mechanism.

How can you evade Peyta?

As always: don't pay the ransom money. The ransomware authors’ e-mail account is already blocked, so you will not get a decryption key. A few easy things you can do:

  • update your antivirus signatures
  • install the Microsoft MS17-010 patch for EternalBlue ... and all other patches while you're at it
  • be extra vigilant for phishing e-mails
  • monitor TCP/445 network traffic, SMB and other command and control behaviour.

Need additional help avoiding Peyta? Make an appointment with our security expert: johan.celis@xylos.com.

 

Techterms explained:

  • NSA: National Security Agency
  • EternalBlue: an exploit (piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability) generally believed to have been developed by the NSA.
  • SMB: Server Message Block, mainly used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network.
  • PSEXEC: a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software.
  • WMIC: Windows Management Instrumentation Command-line is a command-line and scripting interface that simplifies the use of Windows Management Instrumentation (WMI) and systems managed through WMI.

Share this blogpost

Also interesting for you

Leave a reply

Your email address will not be published. Required fields are marked.