Petya //NotPetya Survival Guide  

Bunnysniper
(@bunnysniper)
Active Member

1. To prevent the initial infection, patch against EternalBlue (the WannaCry hole). This should have been done in March already…

2. If ONE client in your network gets compromised (because it was forgotten for patching…), a "Killswitch" prevents the spreading of malicious code via WMI and psexec. Create a file called C:\Windows\perfc (no extension, with any content or size).

3. If you are hit, power off immediately. The CheckDisc screen is a fake. You can still recover files from a booted CD or USB thumb drive.

Good night.

Posted : 28/06/2017 3:43 am
RolfGutmann
(@rolfgutmann)
Community Legend

Thank you. Probably the Ukrainian MeDoc customers are affected after MeDoc itself was breached.

Posted : 28/06/2017 4:21 am
jaclaz
(@jaclaz)
Community Legend

Create a file called C:\Windows\perfc (no extension, with any content or size).

Are you sure?
Some sources talk about a perfc.dat set to Read Only
https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware/

Creating the read-only file C:\Windows\perfc.dat on your computer prevents the file-scrambling part of NotPetya running, but doesn't stop it spreading on the network. Note, the software is designed to spread internally for less than an hour and then kicks in; it doesn't attempt to spread externally across the internet like WannaCry did.

jaclaz

Posted : 28/06/2017 2:04 pm
Bunnysniper
(@bunnysniper)
Active Member

Create a file called C:\Windows\perfc (no extension, with any content or size).

Are you sure?
Some sources talk about a perfc.dat set to Read Only
https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware/

Creating the read-only file C:\Windows\perfc.dat on your computer prevents the file-scrambling part of NotPetya running, but doesn't stop it spreading on the network. Note, the software is designed to spread internally for less than an hour and then kicks in; it doesn't attempt to spread externally across the internet like WannaCry did.

jaclaz

Both ways are possible. %windir%\perfc is checked for existence; if it is there, the infection process stops (quits). If you create the file %windir%\perfc.dat as read-only, the infection breaks, because the file cannot be written.

best regards,
Robin

Posted : 28/06/2017 3:21 pm
jaclaz
(@jaclaz)
Community Legend

Both ways are possible. %windir%\perfc is checked for existence; if it is there, the infection process stops (quits). If you create the file %windir%\perfc.dat as read-only, the infection breaks, because the file cannot be written.

best regards,
Robin

Good :), thanks.
For the "better be safe than sorry" series, possibly one can use both; they don't seem to be mutually exclusive…

jaclaz

Posted : 28/06/2017 5:14 pm
Bunnysniper
(@bunnysniper)
Active Member

Both ways are possible. %windir%\perfc is checked for existence; if it is there, the infection process stops (quits). If you create the file %windir%\perfc.dat as read-only, the infection breaks, because the file cannot be written.

Good :), thanks.
For the "better be safe than sorry" series, possibly one can use both; they don't seem to be mutually exclusive…

jaclaz

This is what I suggested to my client and it was done this morning. I am currently working for one of the major banks in Frankfurt and we started an emergency software rollout just for these two files. And we have patched (long ago), updated all antivirus products via push notice and blocked the four known C&C IP addresses tonight… and a lot of other measures.

Since psexec from Sysinternals/Microsoft was abused so often, we deployed a Software Restriction Policy for all Windows OS to prevent any execution of psexec.exe (by name and hash value). The next steps will be a very strict Execution Policy for PowerShell and WMI(C), but this needs some testing and might break some legitimate applications. Kicking PowerShell and WMI completely is the target.

best regards,
Robin

Posted : 28/06/2017 6:36 pm
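The "two files" rollout Robin describes, written out as an added example (mine, not the thread's or any vendor's script): it creates %windir%\perfc and %windir%\perfc.dat as empty read-only files and reports their state, so the same script can serve as the deployment and the compliance check. The function names are my own.

```powershell
# Added example, not the thread's or any vendor's code: create both "vaccine" files
# discussed above, %windir%\perfc and %windir%\perfc.dat, empty and read-only, and
# report their state. Run elevated; suitable as a GPO startup script or software push.
function Install-PerfcKillswitch {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$WinDir = $env:windir,              # normally C:\Windows
        [string[]]$Names = @('perfc', 'perfc.dat')  # existence-check and write-block variants
    )
    foreach ($name in $Names) {
        $path = Join-Path $WinDir $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            if ($PSCmdlet.ShouldProcess($path, 'Create empty file')) {
                New-Item -ItemType File -Path $path | Out-Null
            }
        }
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $file = Get-Item -LiteralPath $path
            # Read-only is what makes the malware's own write to perfc.dat fail
            if (-not $file.IsReadOnly -and $PSCmdlet.ShouldProcess($path, 'Set read-only')) {
                $file.IsReadOnly = $true
            }
            $file.Refresh()
            [pscustomobject]@{ Path = $path; Exists = $true; ReadOnly = $file.IsReadOnly; Bytes = $file.Length }
        } else {
            [pscustomobject]@{ Path = $path; Exists = $false; ReadOnly = $false; Bytes = 0 }
        }
    }
}

# Verify-only helper for fleet reporting: $true only when both files exist and are read-only.
function Test-PerfcKillswitch {
    param([string]$WinDir = $env:windir)
    $state = foreach ($n in 'perfc', 'perfc.dat') {
        $p = Join-Path $WinDir $n
        (Test-Path -LiteralPath $p -PathType Leaf) -and (Get-Item -LiteralPath $p).IsReadOnly
    }
    -not ($state -contains $false)
}

Install-PerfcKillswitch | Format-Table -AutoSize
"Killswitch in place: $(Test-PerfcKillswitch)"
```

Run with `-WhatIf` first to see what would be created or changed without touching the disk.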
RolfGutmann
(@rolfgutmann)
Community Legend

Comae & Kaspersky webinar about PetrWrap/NotPetya (wiper, not ransomware)

https://www.brighttalk.com/webcast/15591/268285?utm_source=Kaspersky+Lab&utm_medium=brighttalk&utm_campaign=268285

Yara rules

https://cdn.securelist.com/files/2017/06/expetr_yara.zip

Make sure to close SMB port 445

Posted : 30/06/2017 3:53 am
kacos
(@kacos)
Member

FYI

The following files are dropped by the malware:

- Ransomware DLL: C:\Windows\perfc.dat
- PsExec copy: C:\Windows\dllhost.dat. The malware decompresses its resource named 0x3 of type RT_RCDATA and writes the contents to C:\Windows\dllhost.dat. Analysis of dllhost.dat shows that it is a copy of the PsExec utility, which is a telnet replacement that allows execution of processes on other systems.
- Credential theft module: written as a .tmp file to the temp directory
- Ransomware splash and warning files

Command Line Execution

The malware is a DLL that is launched using rundll32.exe

"C:\Windows\perfc.dat",#1 18 "username:pass" "username:pass"

Perfc.dat is the malware name. It is executed with the following arguments:

#1 → This is the ordinal number of the exported function
18 → Minutes used to determine how long to wait for the scheduled shutdown
“usernamepass” → Credentials to be used to propagate the malware on the network.

https://www.crowdstrike.com/blog/petrwrap-ransomware-technical-analysis-triple-threat-file-encryption-mft-encryption-credential-theft/

The execution chain leading to the ransomware installation is represented in the diagram below and essentially confirms that the EzVit.exe process from MEDoc, for unknown reasons, at some moment executed the following command line:

C:\\Windows\\system32\\rundll32.exe\" \"C:\\ProgramData\\perfc.dat\",#1 30

https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/

Posted : 30/06/2017 10:20 am
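A defender-side check for the launch pattern quoted in this post, as an added example of mine (not from the thread or the cited write-ups): it flags rundll32 loading a .dat payload by export ordinal in process-creation command lines. The sample lines are constructed, with credentials replaced by placeholders, and the Sysmon/4688 CommandLine field is an assumption about where you would feed it from.

```powershell
# Added example, mine rather than the thread's or the cited write-ups': flag the launch
# pattern quoted above, rundll32 loading a .dat payload by export ordinal, in
# process-creation command lines (e.g. the CommandLine field of Sysmon event 1 or 4688).
function Find-RundllOrdinalLoad {
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$CommandLine)
    begin {
        # <dll> ends in .dat, the export is given as an ordinal (#n), optional delay minutes,
        # optional "user:pass" blocks; \\? tolerates the escaped form seen in the MS telemetry quote.
        $pattern = 'rundll32(?:\.exe)?\\?"?\s+\\?"?(?<dll>[^",]+\.dat)\\?"?\s*,\s*#(?<ordinal>\d+)' +
                   '(?:\s+(?<minutes>\d+))?(?<creds>(?:\s+\\?"[^"]*:[^"]*\\?")+)?'
    }
    process {
        foreach ($cl in $CommandLine) {
            if ($cl -match $pattern) {
                [pscustomobject]@{
                    DllPath        = $Matches.dll
                    Ordinal        = [int]$Matches.ordinal
                    DelayMinutes   = if ($Matches.minutes) { [int]$Matches.minutes } else { $null }
                    HasCredentials = [bool]$Matches.creds
                    CommandLine    = $cl
                }
            }
        }
    }
}

# Constructed sample command lines: the first three mirror the forms quoted in this thread
# (credentials replaced by placeholders), the last two are ordinary rundll32 uses.
$samples = @(
    'C:\Windows\system32\rundll32.exe "C:\Windows\perfc.dat",#1 18 "DOMAIN\user:pass" "DOMAIN\user:pass"',
    'C:\Windows\system32\rundll32.exe "C:\ProgramData\perfc.dat",#1 30',
    'C:\\Windows\\system32\\rundll32.exe\" \"C:\\ProgramData\\perfc.dat\",#1 30',
    'rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl',
    'C:\Windows\System32\rundll32.exe printui.dll,PrintUIEntry /in /n \\print01\HR'
)
$samples | Find-RundllOrdinalLoad | Format-Table DllPath, Ordinal, DelayMinutes, HasCredentials -AutoSize
```

The first three samples are reported, the two benign ones are not; any legitimate rundll32 in your environment that loads a .dat by ordinal would also be flagged, so tune the extension and ordinal constraints before alerting on it.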
p38cyq
(@p38cyq)
Junior Member

"You can still recover files from a booted CD or USB thumb drive."

Do you mean that the files or the extensions are still as they were, i.e. not changed nor encrypted?

Posted : 30/06/2017 6:25 pm
kacos
(@kacos)
Member

"You can still recover files from a booted CD or USB thumb drive."

Do you mean that the files or the extensions are still as they were, i.e. not changed nor encrypted?

If you shut down immediately when you see the CheckDisc screen, yes it's possible, as while you see this screen Petya encrypts the files in the background. Check the following blog post by MS under "Boot recovery options":

https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/

Posted : 30/06/2017 6:49 pm
p38cyq
(@p38cyq)
Junior Member

Thank you kacos.

Normally I would assume that the "victim" tries to reboot several times.

Suppose that he then finds a friendly IT'er (with some forensics insight): "my PC is infected!" We all know that.

- He brings his system in, already rebooted several times for sure - yes, we know.
- We remove the HDD from the customer's machine;
- We attach this HDD to a clean PC, making sure that the new drive gets checked for viruses before accessing it.
- This avoids rebooting the customer's HDD.

Now that we have a "clean" HDD, what might we discover with regards to file extensions and/or encrypted files?

Posted : 30/06/2017 10:20 pm
kacos
(@kacos)
Member

Suppose that he then finds a friendly IT'er (with some forensics insight): "my PC is infected!" We all know that…

From what I read, I suppose you can either boot the system with a Windows recovery disk and try to fix the MBR with the recovery console (cmd) if you are lucky, and see if it boots:

bootrec /fixmbr
bootrec /fixboot

or plug it in another machine and start carving for files / partitions etc..

Posted : 30/06/2017 10:25 pm
jaclaz
(@jaclaz)
Community Legend

… I suppose you can either boot the system with a Windows recovery disk and try to fix the MBR with the recovery console (cmd) if you are lucky, and see if it boots

bootrec /fixmbr
….

No, that surely won't work, not without rebuilding the partition entries data.
The /fixmbr only writes the MBR CODE, not the DATA.
The MBR is overwritten either by the fake ransomware screen or by "junk" in case Kaspersky files are found, according to
https://labsblog.f-secure.com/2017/06/29/petya-i-want-to-believe/

In both cases both CODE and DATA are overwritten, so you have to rebuild the data by rewriting the partition entries (for example TESTDISK or DMDE can normally do that) or - as you pointed out:

or plug it in another machine and start carving for files / partitions etc..

BTW (it depends on the specific system's setup) there might be drive letter assignment issues when booting (after having properly fixed the MBR code and rebuilt the partition table data), because the disk signature will have been changed, so before attempting a reboot it is advised to get it from the Registry (DosDevices) and manually write it in the MBR.

@vdhee
Yep :), as we all know the only sensible thing to do in case of any hint of malware infection (which is to physically pull the power plug or physically remove batteries in case of a laptop as soon as possible and NOT reconnect power before having asked for assistance) will not be done by 99.99% of users. :(
On the other hand, the above generically valid advice has been partially disproved by the recent WannaCry, in which case if you kept the system on (without rebooting, and that malware did not force a reboot, unlike this Petya/NotPetya thingy) you had some (cannot say how many) chances to find the encryption/decryption key in memory.

jaclaz

Posted : 30/06/2017 10:49 pm
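To make jaclaz's CODE versus DATA distinction concrete, an added example of mine (not from the thread): it splits a 512-byte MBR into the boot code (bytes 0-439), the 4-byte disk signature (bytes 440-443, the same value the MountedDevices\DosDevices registry entries record for an MBR disk) and the four 16-byte partition entries starting at byte 446, first on a constructed healthy sector and then on one overwritten with junk. The function name and the sample sector are my own.

```powershell
# Added example (not from the thread): split a 512-byte MBR into the regions jaclaz
# distinguishes: boot CODE (bytes 0-439, the part bootrec /fixmbr rewrites), the
# disk signature (bytes 440-443) and the partition table DATA (bytes 446-509).
function Read-MbrLayout {
    param([Parameter(Mandatory)][byte[]]$Sector)   # the first 512 bytes of the disk or image
    if ($Sector.Length -ne 512) { throw "Expected a 512-byte sector, got $($Sector.Length)" }
    $entries = for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + 16 * $i                          # each partition entry is 16 bytes
        [pscustomobject]@{
            Index       = $i
            Bootable    = ($Sector[$o] -band 0x80) -ne 0
            Type        = '0x{0:X2}' -f $Sector[$o + 4]
            StartLba    = [BitConverter]::ToUInt32($Sector, $o + 8)
            SectorCount = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }
    [pscustomobject]@{
        CodeIsAllZero  = -not ($Sector[0..439] | Where-Object { $_ -ne 0 } | Select-Object -First 1)
        DiskSignature  = '0x{0:X8}' -f [BitConverter]::ToUInt32($Sector, 440)
        Partitions     = $entries | Where-Object { $_.Type -ne '0x00' }
        ValidBootSig   = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
    }
}

# Constructed sample: a healthy MBR with one active NTFS partition starting at LBA 2048.
$mbr = New-Object byte[] 512
$mbr[0] = 0x33; $mbr[1] = 0xC0                                   # stand-in for real boot code
[BitConverter]::GetBytes([uint32]0x1A2B3C4D).CopyTo($mbr, 440)   # disk signature
$mbr[446] = 0x80; $mbr[450] = 0x07                               # bootable flag, type 0x07 (NTFS)
[BitConverter]::GetBytes([uint32]2048).CopyTo($mbr, 454)         # first LBA
[BitConverter]::GetBytes([uint32]204800).CopyTo($mbr, 458)       # sector count
$mbr[510] = 0x55; $mbr[511] = 0xAA                               # 0x55AA boot signature

'Healthy MBR:'; Read-MbrLayout $mbr | Format-List
# The F-Secure "junk" case quoted above: the whole first sector overwritten. Both the
# code and the partition entries are gone, which is why rewriting code alone cannot help.
$junk = New-Object byte[] 512; (New-Object System.Random 1).NextBytes($junk)
'Overwritten MBR:'; Read-MbrLayout $junk | Format-List
```

On a disk image, feed it `[IO.File]::ReadAllBytes($imagePath)[0..511]`; compare the Partitions and DiskSignature fields before and after any repair, since a boot-code rewrite should leave both unchanged.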
kacos
(@kacos)
Member

No, that surely won't work, not without rebuilding the partition entries data.
The /fixmbr only writes the MBR CODE, not the DATA.
The MBR is overwritten either by the fake ransomware screen or by "junk" in case Kaspersky files are found, according to
https://labsblog.f-secure.com/2017/06/29/petya-i-want-to-believe/

I was quoting this blog post by MS - the second of the "Boot recovery options" - regarding the recovery console

blogs.technet.microsof...re-attack/.

Otherwise, I agree with you. And for someone who has no idea what hit him/her, it is a gamble how to proceed (keep it on, shut it down? break it? lol :))

Posted : 30/06/2017 10:56 pm
jaclaz
(@jaclaz)
Community Legend

I was quoting this blog post by MS - the second of the "Boot recovery options" - regarding the recovery console

blogs.technet.microsof...re-attack/.

There is no "recovery console" reference?

You mean this?

Case 2 If system is non-UEFI, installed with Kaspersky Antivirus, and in a state where boot completely fails

The ransomware attempts to destroy the first 10 sectors of the \\\\.\\PhysicalDrive0 if Kaspersky Antivirus is found or if the MBR infection is unsuccessful. Thus, boot process hijack through malicious MBR hasn’t been completed so the MFT (Master File table) contents are intact and not encrypted by the threat. In this case, the partition table information is destroyed by the threat. Given that it stores critical information needed in the booting process, a traditional boot repair process may not work. Rebuilding the partition table may require consultation with an expert.

jaclaz

Posted : 30/06/2017 11:28 pm