Thanks to the wide attention the recent WannaCry ransomware attracted, security professionals seem to have moved fast and identified what is claimed to be a “vaccine” for the Petya ransomware (a new version which some have called NotPetya) that is on the prowl. So far a couple of Indian companies seem to have been affected. Maybe we are not aware of more.
This ransomware appears with the following note on the affected desktops.
Just before the disk-level encryption, the following screen will appear.
When this screen appears, powering the machine off immediately stops that encryption and the files may be preserved. Note the caveat that files already encrypted by the earlier stage, before the reboot, remain encrypted; powering off only saves what the disk-level stage has not yet reached.
The data can then be recovered by connecting the disk as an external hard disk to a secure system under forensic supervision, without booting from the disk. Care should however be taken that the affected disk does not infect the healthy system.
It is better if the examination computer is first vaccinated as suggested later in this post, and more prudent still if it is a clean machine holding no other data, so that a reverse infection, if it occurs, does no further harm.
Also, since the ransomware first deletes files before encrypting them and the process has been stopped midway, files that have already been deleted may have to be recovered with deleted-data recovery software before the sectors are overwritten.
This cyberattack appears to be an “updated variant” of the Petya malware. It spreads through the same SMB (Server Message Block) vulnerability that WannaCry used (MS17-010, exploited by EternalBlue), so patching MS17-010 and disabling SMBv1 closes that route. In the case of Petya, however, it encrypts not only ordinary files but also the Master Boot Record and the Master File Table. The displayed messages prompt a system reboot, after which the system is inaccessible: the operating system is no longer able to locate its files.
BleepingComputer.com has also suggested a simple vaccine, which is available here:
The suggested vaccine (often called a “kill switch”, although it only protects the host on which the file is created and does nothing to stop the worm spreading to other machines) is to create a read-only file named “perfc” in the Windows folder (C:\Windows). A step-by-step guide is provided in the article available here:
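The vaccine can be applied with a few lines of PowerShell run from an elevated (Administrator) prompt. This is an added example written for this post, not a script from BleepingComputer or the original article. It goes slightly beyond the text by also creating perfc.dat and perfc.dll alongside perfc, the extra names the BleepingComputer guidance also recommended; the use of $env:windir rather than a hard-coded C:\Windows is an assumption that the Windows directory is in the usual place.

```powershell
# Added example (not from the original post): create the Petya/NotPetya
# "vaccine" files in the Windows directory and mark them read-only.
# Run from an elevated PowerShell. The malware checks for the presence of
# the file; its content is irrelevant, so empty files suffice.

$windir = $env:windir                      # normally C:\Windows
$names  = @('perfc', 'perfc.dat', 'perfc.dll')   # perfc is what the post names;
                                                 # the other two are added for safety

foreach ($name in $names) {
    $path = Join-Path $windir $name
    if (-not (Test-Path -LiteralPath $path)) {
        # Create an empty file; -Force lets New-Item proceed in the system folder.
        New-Item -Path $path -ItemType File -Force | Out-Null
    }
    # Set the read-only attribute so the file is not casually deleted or overwritten.
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
}

# Verify: each file should be listed with ReadOnly = True.
Get-Item -LiteralPath ($names | ForEach-Object { Join-Path $windir $_ }) |
    Select-Object FullName, @{ Name = 'ReadOnly'; Expression = { $_.IsReadOnly } }
```

Because the check is per-host, the script has to be run on every machine (for example through a GPO startup script or a remote-management tool); it is a stop-gap and not a substitute for applying MS17-010 and keeping off-network backups.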
I hope with the vaccine, the damage will be contained.
A reminder is however due that the attack again underscores the need for proper backups on an off-network system, and for employees to be vigilant in not downloading the ransomware through e-mail attachments and the like.
One of the suggestions made by experts is to block an e-mail address and the IP addresses and domains listed below.
Actions to be taken:
1. Block source E-mail address
wowsmith123456@posteo.net
2. Block domains:
http://mischapuk6hyrn72.onion/
http://petya3jxfp2f7g3i.onion/
http://petya3sen7dyko2n.onion/
http://mischa5xyix2mrhd.onion/MZ2MMJ
http://mischapuk6hyrn72.onion/MZ2MMJ
http://petya3jxfp2f7g3i.onion/MZ2MMJ
http://petya3sen7dyko2n.onion/MZ2MMJ
http://benkow.cc/71b6a493388e7d0b40c83ce903bc6b04.bin
COFFEINOFFICE.XYZ
http://french-cooking.com/
3. Block IPs:
95.141.115.108
185.165.29.78
84.200.16.242
111.90.139.247
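For those who cannot wait for their ISP to act, the IP and clearnet domain indicators above can be blocked on a Windows host with the following PowerShell, run elevated. This is an added example, not part of the original post or of any vendor advisory; the firewall rule names are arbitrary, and the choice of 0.0.0.0 as the sinkhole address in the hosts file is an assumption. The .onion addresses are deliberately left out of the hosts file, because they are not resolvable through ordinary DNS; blocking Tor egress at the perimeter is the corresponding control for them.

```powershell
# Added example (not from the original post): block the listed Petya indicators
# on a Windows host. Run from an elevated PowerShell.

$ips     = @('95.141.115.108', '185.165.29.78', '84.200.16.242', '111.90.139.247')
$domains = @('benkow.cc', 'coffeinoffice.xyz', 'french-cooking.com')

# 1. Windows Firewall rules that drop traffic to/from the listed IPs.
foreach ($dir in 'Outbound', 'Inbound') {
    New-NetFirewallRule -DisplayName "Block Petya IOC IPs ($dir)" `
        -Direction $dir -RemoteAddress $ips -Action Block `
        -Profile Any -Enabled True | Out-Null
}

# 2. Sinkhole the clearnet domains via the hosts file (0.0.0.0 is an assumption;
#    any non-routable address works). Skip entries that are already present.
$hosts    = Join-Path $env:windir 'System32\drivers\etc\hosts'
$existing = Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue
foreach ($d in $domains) {
    $pattern = "\s$([regex]::Escape($d))\s*$"
    if (-not ($existing -match $pattern)) {
        Add-Content -LiteralPath $hosts -Value "0.0.0.0`t$d"
    }
}

# 3. Verify: the rules should list the four IPs and the hosts file the three domains.
Get-NetFirewallRule -DisplayName 'Block Petya IOC IPs*' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
Select-String -LiteralPath $hosts -Pattern ($domains -join '|')
```

Host-level blocking only helps the machine it is applied to and only for these specific indicators; the source e-mail address is best blocked at the mail gateway, and the indicators should be fed to the perimeter firewall and proxy as well.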
I urge ISPs and MSPs to accomplish this at their end so that individuals are not required to do it at their end.
Naavi
Reference:
CERT-In recommendation is available here.
Bitdefender vaccine is available here.
Also read:
Petya Ransomware Outbreak Originated in Ukraine via Tainted Accounting Software
Petya cyber attack: Everything to know about the global ransomware outbreak
WORLD CYBER ATTACK: How to unlock computers hacked by Petya virus
Kaspersky: Petya ransomware eats your hard drives
Update:
Posteo.net has blocked the email accounts used in the Petya attack.
The action initiated by Posteo.net needs to be appreciated.
Naavi