Petya //NotPetya Survival Guide

Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
Topic starter
 

1. To prevent the initial infection, patch against EternalBlue (the WannaCry hole). This should have been done in March already…

2. If ONE client in your network gets compromised (because it was forgotten for patching…), a "Killswitch" prevents the spreading of malicious code via WMI and psexec. Create a file called C:\Windows\perfc (no extension, with any content or size).

3. If you are hit, power off immediately. The CheckDisc screen is a fake. You can still recover files from a booted CD or USB thumb drive.

Good night.

 
Posted : 28/06/2017 2:43 am
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

Thank you. Probably the Ukrainian MeDoc customers are affected after MeDoc itself was breached.

 
Posted : 28/06/2017 3:21 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Create a file called C:\Windows\perfc (no extension, with any content or size).

Are you sure?
Some sources talk about a perfc.dat set to Read Only
https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware/

Creating the read-only file C:\Windows\perfc.dat on your computer prevents the file-scrambling part of NotPetya running, but doesn't stop it spreading on the network. Note, the software is designed to spread internally for less than an hour and then kicks in; it doesn't attempt to spread externally across the internet like WannaCry did.

jaclaz

 
Posted : 28/06/2017 1:04 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
Topic starter
 

Create a file called C:\Windows\perfc (no extension, with any content or size).

Are you sure?
Some sources talk about a perfc.dat set to Read Only
https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware/

Creating the read-only file C:\Windows\perfc.dat on your computer prevents the file-scrambling part of NotPetya running, but doesn't stop it spreading on the network. Note, the software is designed to spread internally for less than an hour and then kicks in; it doesn't attempt to spread externally across the internet like WannaCry did.

jaclaz

Both ways are possible. %windir%\perfc is checked for existence; if it exists, the infection process stops (quits). If you create the file %windir%\perfc.dat as read-only, the infection breaks, because the file cannot be written.

best regards,
Robin

 
Posted : 28/06/2017 2:21 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Both ways are possible. %windir%\perfc is checked for existence; if it exists, the infection process stops (quits). If you create the file %windir%\perfc.dat as read-only, the infection breaks, because the file cannot be written.

best regards,
Robin

Good, thanks.
For the "better safe than sorry" series, possibly one can use both; they don't seem to be mutually exclusive…

jaclaz

 
Posted : 28/06/2017 4:14 pm
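An added example, not code from the thread, implementing the killswitch from step 2 of the first post together with jaclaz's "use both" suggestion: it creates both %windir%\perfc and %windir%\perfc.dat as zero-byte, read-only files and verifies they are in place. The target directory is a parameter (assumed; on a real host it is %windir%, which needs admin rights), and the demo runs against a scratch directory.

```python
import os
import stat
import tempfile

# Both file names discussed in the thread: the extension-less perfc that is
# checked for existence, and the read-only perfc.dat that cannot be overwritten.
KILLSWITCH_NAMES = ("perfc", "perfc.dat")


def create_killswitch(windir):
    """Create zero-byte, read-only killswitch files under windir.

    Returns {name: 'created' | 'already present' | 'error: ...'}.
    On a real host pass the Windows directory (%windir%); that needs admin rights.
    """
    results = {}
    for name in KILLSWITCH_NAMES:
        path = os.path.join(windir, name)
        if os.path.isdir(path):
            results[name] = "error: a directory is in the way"
            continue
        created = not os.path.exists(path)
        if created:
            with open(path, "wb"):
                pass  # zero bytes is enough; only existence matters
        # S_IREAD maps to FILE_ATTRIBUTE_READONLY on Windows and drops the
        # write bits on POSIX, so the file cannot be rewritten either way.
        os.chmod(path, stat.S_IREAD)
        results[name] = "created" if created else "already present"
    return results


def verify_killswitch(windir):
    """Return {name: bool}: True if a read-only regular file is in place."""
    status = {}
    for name in KILLSWITCH_NAMES:
        path = os.path.join(windir, name)
        if not os.path.isfile(path):
            status[name] = False
            continue
        status[name] = not (os.stat(path).st_mode & stat.S_IWUSR)
    return status


def demo_in_tempdir():
    """Run create/verify/create against a scratch directory (constructed demo)."""
    windir = tempfile.mkdtemp(prefix="fake_windir_")
    first = create_killswitch(windir)
    check = verify_killswitch(windir)
    second = create_killswitch(windir)  # idempotent: nothing is rewritten
    return first, check, second
```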
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
Topic starter
 

Both ways are possible. %windir%\perfc is checked for existence; if it exists, the infection process stops (quits). If you create the file %windir%\perfc.dat as read-only, the infection breaks, because the file cannot be written.

Good, thanks.
For the "better safe than sorry" series, possibly one can use both; they don't seem to be mutually exclusive…

jaclaz

This is what I suggested to my client, and it was done this morning. I am currently working for one of the major banks in Frankfurt and we started an emergency software rollout just for these two files. And we have patched (long ago), updated all antivirus products via push notice and blocked the four known C+C IP addresses tonight… and a lot of other measures.

Since psexec from Sysinternals/Microsoft was abused so often, we deployed a Software Restriction Policy for all Windows OS to prevent any execution of psexec.exe (by name and hash value). The next steps will be a very strict Execution Policy for PowerShell and WMI(C), but this needs some testing and might break some legitimate applications. Kicking PowerShell and WMI completely is the target.

best regards,
Robin

 
Posted : 28/06/2017 5:36 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

Comae & Kasp webinar about PetrWrap/NotPetya wiper not ransomware

https://www.brighttalk.com/webcast/15591/268285?utm_source=Kaspersky+Lab&utm_medium=brighttalk&utm_campaign=268285

Yara rules

https://cdn.securelist.com/files/2017/06/expetr_yara.zip

Make sure to close SMB port 445

 
Posted : 30/06/2017 2:53 am
kacos
(@kacos)
Posts: 93
Trusted Member
 

FYI

The following files are dropped by the malware:

Ransomware DLL: C:\Windows\perfc.dat

Dropped PsExec copy: C:\Windows\dllhost.dat
The malware decompresses its resource named 0x3 of type RT_RCDATA, and writes the contents to C:\Windows\dllhost.dat. Analysis of dllhost.dat shows that it is a copy of the PsExec utility, which is a telnet replacement that allows execution of processes on other systems.

Credential theft module: written as a .tmp file to the temp directory

Ransomware splash and warning files

Command Line Execution

The malware is a DLL that is launched using rundll32.exe:

"C:\Windows\perfc.dat",#1 18 "username:pass" "username:pass"

Perfc.dat is the malware name. It is executed with the following arguments:

#1 → This is the ordinal number of the exported function
18 → Minutes used to determine how long to wait for the scheduled shutdown
"username:pass" → Credentials to be used to propagate the malware on the network.

https://www.crowdstrike.com/blog/petrwrap-ransomware-technical-analysis-triple-threat-file-encryption-mft-encryption-credential-theft/

The execution chain leading to the ransomware installation is represented in the diagram below and essentially confirms that EzVit.exe process from MEDoc, for unknown reasons, at some moment executed the following command-line:

C:\\Windows\\system32\\rundll32.exe\" \"C:\\ProgramData\\perfc.dat\",#1 30

https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/

 
Posted : 30/06/2017 9:20 am
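An added example, not from the post or the linked analyses, turning the command lines quoted above into detection logic: it scans constructed process-creation command lines (the kind Sysmon event 1 or Security event 4688 would carry) for rundll32 loading a non-.dll module by ordinal with a numeric delay argument, for the perfc.dat name, and for the dropped dllhost.dat being run as an image. The sample lines and the rule thresholds are my own assumptions.

```python
import re

# Constructed sample process-creation command lines (as found in Sysmon event 1
# or Security event 4688); they are not real logs from the thread.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\rundll32.exe "C:\Windows\perfc.dat",#1 18 "user:pass"',
    r'C:\Windows\system32\rundll32.exe "C:\ProgramData\perfc.dat",#1 30',
    r'C:\Windows\system32\rundll32.exe shell32.dll,Control_RunDLL hotplug.dll',
    r'C:\Windows\dllhost.dat',
    r'C:\Windows\system32\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}',
]

# rundll32 <module>,#<ordinal> [args]: the module may be quoted and may be a
# full path; the ordinal form (#N) is the one the quoted command lines use.
RUNDLL_ORDINAL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<module>[^",]+?)"?\s*,\s*#(?P<ordinal>\d+)'
    r'(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)


def image_name(cmdline):
    """First token of the command line (quoted or not), lower-cased."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0].lower()
    return cmdline.split()[0].lower() if cmdline else ""


def classify_cmdline(cmdline):
    """Return the reasons this command line matches the launch pattern
    described in the post; an empty list means nothing matched."""
    reasons = []
    m = RUNDLL_ORDINAL_RE.search(cmdline)
    if m:
        module = m.group("module").lower()
        if not module.endswith(".dll"):
            reasons.append("rundll32 loads a non-.dll module by ordinal: " + module)
        if module.endswith("perfc.dat"):
            reasons.append("module name is perfc.dat")
        args = (m.group("args") or "").split()
        if args and args[0].isdigit():
            reasons.append("ordinal #%s followed by numeric delay %s"
                           % (m.group("ordinal"), args[0]))
    if image_name(cmdline).endswith("dllhost.dat"):
        reasons.append("dllhost.dat (the dropped PsExec copy) run as an image")
    return reasons


def scan(cmdlines):
    return {c: classify_cmdline(c) for c in cmdlines if classify_cmdline(c)}
```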
(@p38cyq)
Posts: 44
Trusted Member
 

"You can still recover files from a booted CD or USB thumb drive."

Do you mean that the files or the extensions are still as they were, i.e. not changed nor encrypted?

 
Posted : 30/06/2017 5:25 pm
kacos
(@kacos)
Posts: 93
Trusted Member
 

"You can still recover files from a booted CD or USB thumb drive."

Do you mean that the files or the extensions are still as they were, i.e. not changed nor encrypted?

If you shut down immediately when you see the CheckDisc screen, yes, it's possible, as while you see this screen, Petya encrypts the files in the background. Check the following blog post by MS under "Boot recovery options":

https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/

 
Posted : 30/06/2017 5:49 pm