TTCSIRT-017.062717: TT-CSIRT Advisory – Petya Ransomware

Date First published: 27/6/2017

1.0 Introduction

Discovered: June 27, 2017
Updated: June 27, 2017 12:30pm
Type: Ransomware
Infection Length: Varies
Systems Affected: Client Computers, Servers, Websites

This is an alert from TTCSIRT that there are early signs of a new ransomware outbreak currently affecting a large number of countries across the globe such as the United Kingdom, Ukraine, India, Netherlands, Spain, Denmark, and United States along with several others.

The culprit is a new version of Petya, a ransomware that encrypts MFT (Master File Tree) tables for NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer.

2.0 Delivery/Exploitation

We have not yet confirmed the initial infection vector for this new Petya variant. Previous variants were spread through e-mail, but we have not identified this latest sample carried in any e-mail related attacks.

Users may be infected through direct exploitation of CVE-2017-0144 if their host is accessible to the internet on TCP port 445 and has not been updated with the patches included in MS17-010.
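The two exposure conditions just described (MS17-010 not installed, TCP port 445 reachable) can be audited from an elevated PowerShell session. The script below is an added example and is not part of the TT-CSIRT advisory; it assumes Windows 8.1 / Server 2012 R2 or later (SmbShare and NetSecurity modules), and the `-Remediate` switch is a name chosen for this example.

```powershell
# Added example (not from the advisory): audit a Windows host for MS17-010
# exposure and, on request, apply the two standard mitigations.
[CmdletBinding()]
param([switch]$Remediate)   # hypothetical switch: apply mitigations when set

# Hotfix IDs published with the MS17-010 bulletin (March 2017). A host patched
# later through a cumulative update may not list any of them, so a miss here
# is a warning to verify the OS build, not proof that the host is unpatched.
$ms17010 = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
             'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429')

$findings = @()

# 1. Is one of the MS17-010 packages present?
$installed = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if (-not $installed) {
    $findings += 'No MS17-010 hotfix found; confirm patch level from the OS build.'
}

# 2. Is the SMBv1 server protocol (the one CVE-2017-0144 targets) enabled?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is enabled.'
}

# 3. Is anything listening on TCP 445, and do inbound firewall rules allow it?
$listening  = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$allowRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq 445 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
if ($listening -and $allowRules) {
    $findings += "TCP 445 is listening and $(@($allowRules).Count) inbound allow rule(s) apply to it."
}

if ($findings.Count -eq 0) {
    Write-Output 'No MS17-010 / SMB exposure findings.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

if ($Remediate) {
    # Remove the protocol the exploit relies on.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Block inbound 445 from Internet addresses; LAN file sharing keeps working.
    New-NetFirewallRule -DisplayName 'Block inbound SMB from Internet' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -RemoteAddress Internet -Action Block | Out-Null
    Write-Output 'SMBv1 disabled and inbound TCP 445 from the Internet blocked; reboot to complete.'
}
```

Rules whose port filter is "Any" are not matched by the port check, so review those by hand.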

Once infected, the ransomware encrypts each computer with its own private key, rendering it unusable until the system is decrypted. The program then instructs the user to pay $300 to a static Bitcoin address, then to e-mail the Bitcoin wallet address and personal ID to a Posteo email address. As of now, blockchain records show eight transactions to the target wallet, totaling roughly $2,300. It’s unclear whether any systems have been successfully decrypted after payment.

3.0 Impact

Currently, there are multiple reports from several countries about the ransomware’s impact. The most affected country seems to be Ukraine, where government agencies have reported “cyber-attacks” caused by a mysterious virus that affected the country’s largest banks, airports, and utility providers.

Similarly, in Spain, local media are reporting ransomware attacks at a large number of companies, including food conglomerate Mondelez and law firm giant DLA Piper.

In the UK, marketing firm WPP was affected, along with many others. The US didn’t escape the Petya outbreak either, and the first major victim to surface was pharma giant Merck.

The attack has even affected operations at the Chernobyl nuclear power plant, which has switched to manual radiation monitoring as a result of the attack. Infections have also been reported in more isolated devices like point-of-sale terminals and ATMs.

For further information on the Petya ransomware and recommendations on how to avoid being infected, view the TTCSIRT Petya Ransomware Advisory.