Ringing in with echoes of WannaCry, Petya (also called Petrwrap or NotPetya) is a new ransomware outbreak affecting many users around the world.



https://twitter.com/thedefensedude/status/879764193913716737

At this point, if you are running any MeDoc software, it would be a good idea not to update it until the vendor has announced that their servers are clean.

Ringing with echoes of WanaCrypt0r, a new strain of ransomware being called Petya/NotPetya is impacting users around the world, shutting down firms in Ukraine, Britain, and Spain.

Background

Petya, created in July 2016, started off as one of the next-generation ransomware strains that utilizes a Master Boot Record (MBR) locker. In the early days of ransomware, strains that modified the startup of a system were popular, but they had died off for many years. Today, not long after its one-year anniversary, Petya has come back with a vengeance and a nasty new distribution method.

As to whether or not this malware is the same Petya we have dealt with in the past, many researchers, including our own, conclude that it is heavily influenced by, and likely developed by, the creators of Petya. It carries indicators and code matching previous versions of Petya, but with additional functionality.

https://twitter.com/HowellONeill/status/879743360906350592

We are not going to claim attribution, or even confirm which family we are dealing with, until more analysis has been completed and more evidence is available. What we can say for sure is that this ransomware uses tactics rarely seen in the wild.


Infection vector

Taking a page out of WannaCry's book, this new ransomware uses the same EternalBlue SMB exploit that drove the outbreak more than a month ago. There are also reports that this attack uses email spam to distribute infected Office documents in an effort to spread the ransomware rapidly. The malware can also use PsExec on any system for which it holds administrative credentials, allowing it to execute copies of itself on other systems on the network.

However, not all of these reports have been confirmed by zerovn.net staff, so the true initial infection vector beyond SMB exploitation remains open. But the combination of the PsExec method with the EternalBlue exploit gives this malware a lot of power to spread across a network.

Execution

After execution, the ransomware infects the system at a low level, modifying the MBR and presenting the user with the following prompt:

[image: the prompt displayed after infection]

After a reboot, instead of loading into the operating system installed on the computer, the user is faced with a fake Check Disk operation that, instead of actually checking the hard disk for issues, is encrypting files. We know this screen is fake based on strings found within the malware itself:

[image: strings from the malware showing the fake Check Disk screen]

This is done to buy the ransomware more time to encrypt all the relevant files on the system without being stopped by the user.


The MFT (Master File Table) and the MBR are also encrypted. The MBR is overwritten to display the ransom note, which makes it impossible to boot the system without remediation, meaning users must either pay the culprit or be unable to access their system. The computer then displays a menacing black screen with red lettering listing the ransomware's purpose and its demands. The attack affects users by encrypting anywhere from a single file to the entire system.
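One defender-side check that the MBR overwrite described above calls for, written here as an added example rather than code from the original post: read the first sector of a disk or disk image, record a baseline of its bootstrap region and partition table while the machine is known-good, and flag any later read whose boot code or partition table no longer matches. The offsets are the standard MBR layout; the two sample sectors are constructed for the demonstration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440      # bytes 0..439 hold the boot code an MBR locker replaces
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the disk signature
BOOT_SIG_OFF = 510       # the last two bytes must be 0x55 0xAA


def bootstrap_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap code region only (partition table excluded)."""
    return hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest()


def partition_table(sector: bytes) -> list:
    """Decode the four entries as (status, type, lba_start, sector_count) tuples."""
    return [struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
            for i in range(4)]


def check_mbr(sector: bytes, known_good: bytes) -> list:
    """Compare a freshly read MBR against the baseline copy; return findings."""
    if len(sector) != SECTOR_SIZE:
        return ["sector is not 512 bytes"]
    findings = []
    if sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    if bootstrap_hash(sector) != bootstrap_hash(known_good):
        findings.append("bootstrap code differs from baseline")
    if partition_table(sector) != partition_table(known_good):
        findings.append("partition table differs from baseline")
    return findings


def build_mbr(code: bytes, entry: bytes) -> bytes:
    """Assemble a constructed 512-byte MBR: boot code, disk signature, table, 0x55AA."""
    code = code.ljust(BOOTSTRAP_LEN, b"\x00")
    table = entry + b"\x00" * 48            # one used entry, three empty ones
    return code + b"\x00" * 6 + table + b"\x55\xaa"


# Constructed samples: a baseline sector and a copy whose boot code was replaced,
# which is the change an MBR locker makes while leaving the partition table intact.
PART_ENTRY = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
GOOD_MBR = build_mbr(b"BASELINE-BOOT-CODE", PART_ENTRY)
LOCKED_MBR = build_mbr(b"REPLACED-BOOT-CODE", PART_ENTRY)

if __name__ == "__main__":
    print(check_mbr(GOOD_MBR, GOOD_MBR))      # []
    print(check_mbr(LOCKED_MBR, GOOD_MBR))    # ['bootstrap code differs from baseline']
```

On a live system the sector would come from reading the first 512 bytes of the physical disk device with administrative rights; the baseline hash should be stored off the host, since anything on the disk can be rewritten along with the MBR.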



While this situation could have been easily avoided by simply keeping all antivirus databases and operating system updates current, the now-infected users must pay $300 in Bitcoin to regain access to their files.