Security Alert: New ransomware outbreak combines attack vectors, delivers malware cocktail


These last hours have been crucial in the Internet landscape with a new ransomware outbreak starting to propagate and impacting many large companies from all over the globe.

Cyber security researchers from our team and various others (Kaspersky, Palo Alto Networks, Malwarebytes, McAfee) have reported that this ransomware strain, suspected to be Petya (Petya.A, Petya.D, or PetrWrap), is spreading fast, generating an outbreak similar to WannaCry. The resemblance is also based on the fact that this strain uses the EternalBlue exploit to infect computers and also has self-replicating abilities.

But there’s also something different about this ransomware epidemic: it uses multiple attack vectors and drops a malware cocktail meant to encrypt and then harvest and exfiltrate as much confidential data as possible.

How the attack happens

Petya ransomware made its appearance in 2016 and, unlike a typical ransomware, it doesn’t just encrypt files, but also overwrites and encrypts the master boot record (MBR).

One of the distribution methods exploits the MS17-010 vulnerability, also known as EternalBlue, which was developed by the United States’ National Security Agency. This route requires no user action: if you have an Internet-connected computer running an unpatched operating system, you can be the next victim.

This ransomware strain also targets Internet users through spam emails (which still work – here’s why), which carry a malicious zip archive called "inmyguy.xls.hta".

If the victim opens the archive, the malicious code runs automatically and downloads the main component of the infection to:

[%APPDATA%]\10807.exe

The binary is signed with a certificate bearing a fake Microsoft name.

A second spam wave uses a different malicious attachment, "Order-20062017.doc", which abuses CVE-2017-0199 (CVSS score: 9.3) and downloads the payload from http://84.200.16[.]242/myguy.xls (sanitized for your protection).

This attack vector injects itself into several system processes and triggers the encryption stage locally. At the same time, it also spreads to other computers on the local network.

This ransomware infection does not come alone, unfortunately. LokiBOT is also dropped on the infected computers from this domain. Here’s what it does:

Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.
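The chain described above leaves two network traces a defender can look for: the payload fetched from a bare-IP URL (the post's sanitized 84.200.16[.]242 host) and LokiBot's HTTP POST exfiltration to its command and control host. The following is an added example, not code from the original post or from Heimdal, that runs those two checks over a constructed proxy log; the log layout, the 198.51.100.23 C2 address and the file paths other than myguy.xls are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicator taken from the post: the (sanitized) host that serves myguy.xls
KNOWN_BAD_HOSTS = {"84.200.16.242"}
# File types seen in the described chain: HTA dropper, XLS lure, EXE payload
PAYLOAD_EXTS = (".hta", ".xls", ".exe")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed proxy log layout (constructed for this example):
# <timestamp> <client> <method> <url> <status> <bytes> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)

def external_ip_literal(host: str) -> bool:
    """True when the URL host is a bare IP address outside the RFC1918 ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return not any(addr in net for net in RFC1918)

def classify(line: str) -> list:
    """Return (rule, detail) hits for one proxy log line; [] when nothing matches."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlparse(m["url"])
    host, path = url.hostname or "", url.path.lower()
    hits = []
    if host in KNOWN_BAD_HOSTS:
        hits.append(("known-bad-host", host))
    if m["method"] == "GET" and external_ip_literal(host) and path.endswith(PAYLOAD_EXTS):
        hits.append(("payload-from-ip-literal", m["url"]))
    # LokiBot submits stolen data by HTTP POST to its C2; a POST straight to a bare
    # external IP is a cheap, if noisy, first-pass heuristic for that behaviour
    if m["method"] == "POST" and external_ip_literal(host):
        hits.append(("post-to-ip-literal", m["url"]))
    return hits

def scan(lines) -> dict:
    """Map line index -> hits for every line that triggered at least one rule."""
    return {i: h for i, l in enumerate(lines) if (h := classify(l))}

# Constructed sample log: the post's download host, an exfil-style POST, two benign lines
SAMPLE_LOG = [
    '2017-06-27T10:01:02Z 10.0.0.15 GET http://84.200.16.242/myguy.xls 200 51200 "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '2017-06-27T10:01:40Z 10.0.0.15 POST http://198.51.100.23/upload.php 200 312 "Mozilla/4.0 (compatible)"',
    '2017-06-27T10:02:00Z 10.0.0.22 GET https://www.example.com/report.xls 200 8000 "Mozilla/5.0"',
    '2017-06-27T10:02:30Z 10.0.0.22 POST http://10.0.0.5/api/upload 200 2048 "Mozilla/5.0"',
]
```

Running `scan(SAMPLE_LOG)` flags only the first two lines; the domain-hosted spreadsheet and the POST to an internal server stay quiet, which is the point of the RFC1918 exclusion.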

The domains that trigger this infection are blocked in Heimdal PRO and Heimdal CORP.

Antivirus detection has steadily increased since yesterday afternoon, when the ransomware outbreak started, reaching 48/61 at the moment when we published this post.

Those who have already been infected with this ransomware strain see a ransom message displayed on their computers (see the image below) demanding $300 to be paid in Bitcoin.

[Image: Petya ransom note]

Who’s been affected?

The bad news is that it has caused a lot of damage so far, as many important companies and organizations have had their computers and sensitive data encrypted.

The main epicenter is in Europe, and Ukraine has been the most affected country: the government, banks, hospitals, the metro system and Kiev’s airport have all been hit. Petya has also “succeeded” in taking down the monitoring system at Chernobyl, and has hit other large firms such as Maersk, the Danish shipping giant, as well as the Russian oil firms Evraz and Rosneft.

Chernobyl nuclear power plant’s radiation monitoring system hit by global cyber attack

— CNN (@CNN) June 27, 2017

Other victims include the advertising firm WPP, the food company Mondelez, the French construction materials company Saint-Gobain and many other private and public firms across Europe and the rest of the globe.

You can read more news on the “Petya Ransomware” topic on Twitter.

What you can do right now

First of all, don’t panic! It might look like a nightmare scenario, but you need to stay calm, be proactive and take all the measures needed to stay safe and protect your important data.

Here’s what we recommend users to do:

  • Don’t store your sensitive data exclusively on your PC, and make sure you have at least 2 backups of your data on external sources such as a hard drive or the cloud (Google Drive, Dropbox, etc.). Read this useful guide on how to do it.
  • Update, update and update again! It is mandatory to install all the latest updates for all your apps, including the operating system.
  • Avoid using the administrator account for everyday work, and remember to disable macros in the Microsoft Office package.
  • NEVER open spam or download email messages and attachments from untrusted or unknown sources, as they could infect your device. Moreover, don’t click suspicious links.
  • Make sure you have a paid antivirus product which is up to date, or consider using a proactive security product (you can check what Heimdal PRO can do for you).
  • Learn how to detect cyber criminals’ phishing attacks; our article on this topic can be really helpful.
  • It might be useful to remove risky plugins from the browsers you are using: Adobe Flash, Adobe Reader, Java and Silverlight.

[Image: your anti-ransomware checklist]

Should you want to understand what ransomware is all about, this dedicated guide will help you do just that.

If you are a company – whether large or small – you surely realize how important it is to keep your sensitive data safe. Sadly, cyber attacks happen too frequently these days, and being proactive about keeping your company safe on the Internet is vital.

So, remember to take all the security measures needed to protect your business. A top priority is to make sure your servers run an antivirus program, to limit the spread of an infection, and to always keep your servers updated.

Another important security tip is to back up your data regularly and to use separate passwords for the servers and for the administrator’s device. We strongly recommend reading our article on how to secure your business endpoints and keep important information safe.

Users and companies alike need to understand that cyber security isn’t just about the big threats making headlines on the Internet, but more about WHAT you can do to stay safe and be proactive right now.

About Heimdal Security
We protect users and companies from cyber-criminal actions, by keeping confidential information and intellectual property safe. We build products focused on proactive cyber security and we dedicate a big part of our efforts to cyber security education for everyone.