News of a new global ransomware attack began to emerge this morning (6-27-2017). Companies in Ukraine, Spain, the Netherlands, Denmark and the United Kingdom have already been impacted, and some have had their operations interrupted.
The new threat is a variant of the ransomware known as Petya, called Petwrap, which behaves differently from traditional threats of this type. Instead of encrypting files one by one, the malware denies access to the entire system by attacking the boot sector of the hard disks on infected devices.
To do this, the attackers created a boot loader and a small kernel that rewrite the master boot record on the disk. This sector records which files should be executed to start the computer, so overwriting it completely blocks access to the operating system and its files. The Master File Table is also encrypted, rendering data inaccessible.
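As an added example (not part of the original post or of any vendor tooling), the following Python script shows the kind of check a defender can use to baseline a disk's master boot record and flag the boot-code overwrite described above. The 512-byte sectors are constructed inside the script so it runs offline; reading a live disk (for example `\\.\PhysicalDrive0` on Windows) is assumed to require administrator rights and is not done here.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # boot code occupies bytes 0..439
PART_TABLE_OFF = 446         # four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, disk signature and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", entry)
        if ptype != 0:  # type 0 means an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
    }


def mbr_changes(baseline: dict, current: dict) -> list:
    """Compare a stored baseline against a fresh read and list what changed."""
    findings = []
    if baseline["boot_code_sha256"] != current["boot_code_sha256"]:
        findings.append("boot code differs from baseline (possible bootloader overwrite)")
    if baseline["partitions"] != current["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def _build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one NTFS-type (0x07) partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 440, 0xDEADBEEF)  # constructed disk signature
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


CLEAN_MBR = _build_sample_mbr(b"\x33\xC0\x8E\xD0" * 10)  # stand-in for the normal boot code
TAMPERED_MBR = _build_sample_mbr(b"\xEB\x00" * 220)      # boot code fully replaced

if __name__ == "__main__":
    print(mbr_changes(parse_mbr(CLEAN_MBR), parse_mbr(TAMPERED_MBR)))
```

In practice the baseline would be captured once on a known-good machine and stored off-host, and the comparison run at boot or on a schedule; the partition table itself is untouched by a pure boot-code overwrite, which is why the boot-code hash is tracked separately.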
According to the VirusTotal portal, only 13 of the 61 antivirus engines available on the market are able to detect and block the threat, and there are already reports of users paying the ransom demanded by the attackers.
Malware analysis indicates that it is delivered through phishing e-mails containing a Zip file hosted on Dropbox. Once the user runs this file, the system crashes and restarts automatically, allowing the boot sectors to be corrupted.
After the machine restarts, an imitation of the Check Disk application (CHKDSK) is loaded and starts the encryption process; once it completes, a screen with the ransom details, to be paid by the user in Bitcoin, is shown.
What is most noticeable is that, despite all the damage caused by WannaCry, which exploited the SMBv1 vulnerability on Windows operating systems, the new threat is apparently using the same exploit to infect systems. Even more surprising is that Microsoft released a patch for this vulnerability months ago.
While Petya requires administrative permissions to function, this variant also includes a second ransomware payload, named Mischa, that does not require administrative permissions. Mischa encrypts the files themselves, both data files and executables.
CIPHER recommendations are:
- Do not open, download, or run files from suspicious e-mail messages and links;
- Use the VirusTotal portal (virustotal.com) to scan suspicious files; the tool is free and uses the best antivirus engines available to produce an infection report for the file;
- Keep operating systems up to date;
- Use a paid antivirus and make sure its signatures are up to date as well.