
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Petya 2.0 Ransomware

June 27, 2017 By Marc Laliberte

If you’ve followed the news today, you’ve likely already seen reports of a new virulent ransomware variant spreading across the globe. Petya 2.0 (also called NotPetya by some researchers) has already claimed victims across Europe, Russia and the US. Known victims include Maersk, healthcare facilities in Pittsburgh, and several banks in Ukraine.

Petya 2.0 works similarly to its cousin, the original Petya seen last year, by encrypting the Master Boot Record (MBR) on the victim’s computer rather than individual files. Encrypting the MBR effectively locks the victim out of their computer entirely until the ransom is paid and a decryption key is entered. Instead of booting into Windows, the computer boots to a ransom note instructing the victim to send $300 in Bitcoin to a wallet address and then email a unique ID to the attacker to receive a decryption key.

By following the transactions on the attacker’s Bitcoin wallet address, we see several thousand dollars in ransom already paid by victims hoping to recover access to their computers. Unfortunately, the email hosting provider for the address used in the ransom note has locked the attacker’s account, which means that even if a victim pays the ransom, there is no way for them to receive their decryption key.

Petya 2.0 is primarily distributed using a fake order confirmation attachment on a phishing email. After it infects the initial victim but before encryption, Petya 2.0 exploits the same EternalBlue (MS17-010) vulnerabilities as the WannaCry ransomware variant to move laterally through the victim’s network and infect other systems. Petya 2.0 also appears to leverage legitimate Windows tools PSExec and WMIC to infect Windows machines that are already patched for the EternalBlue vulnerabilities.
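The paragraph above names two legitimate Windows tools, PsExec and WMIC, that the malware uses to reach hosts already patched against EternalBlue. The following PowerShell script is an added example written for this page, not code from the Secplicity post or from WatchGuard, showing how a defender can look back through a host's own event logs for the traces those tools leave. It assumes it is run as Administrator, that process-creation auditing (Security Event ID 4688) is enabled, that the host is recent enough for 4688 to carry the "Creator Process Name" field, and a 24-hour look-back window; the `$Since` variable and the regular expressions are this example's own.

```powershell
# Added example (not from the original post): retrospective check of a Windows
# host's event logs for PsExec- and WMIC-style remote execution.
# Assumptions: run as Administrator; 4688 auditing enabled; look-back of 24 hours.

$Since = (Get-Date).AddHours(-24)

# PsExec-style remote execution installs a temporary service on the target host,
# which the System log records as Event ID 7045 ("A service was installed").
# Property 0 is the service name, property 1 the image path.
$ServiceInstalls = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } `
                                -ErrorAction SilentlyContinue
foreach ($e in $ServiceInstalls) {
    $svcName = $e.Properties[0].Value
    $svcPath = $e.Properties[1].Value
    if ($svcName -match 'PSEXESVC' -or $svcPath -match 'PSEXESVC') {
        Write-Warning ("{0} service installed: {1} -> {2}" -f $e.TimeCreated, $svcName, $svcPath)
    }
}

# A process started remotely through WMI on the target shows up as a 4688 whose
# creator (parent) process is WmiPrvSE.exe. On the source host, wmic.exe launched
# with a /node: argument (a remote target) is likewise worth flagging.
$ProcCreates = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } `
                            -ErrorAction SilentlyContinue
foreach ($e in $ProcCreates) {
    $msg = $e.Message
    if ($msg -match 'Creator Process Name:\s+.*\\WmiPrvSE\.exe') {
        Write-Warning ("{0} process spawned by WmiPrvSE.exe:`n{1}" -f $e.TimeCreated, $msg)
    }
    elseif ($msg -match 'New Process Name:\s+.*\\wmic\.exe' -and $msg -match '/node:') {
        Write-Warning ("{0} wmic.exe invoked against a remote node" -f $e.TimeCreated)
    }
}
```

Matching on `$e.Message` rather than on numbered properties keeps the 4688 check readable across Windows versions, at the cost of depending on the English event template; the `/node:` check only fires when command-line logging is included in process-creation events. Both tools have legitimate administrative uses, so treat hits as leads to correlate with the timeline of an infection, not as proof on their own.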

Researchers have discovered several ways to potentially halt the MBR encryption process on an infected system. Upon initial execution, Petya 2.0 schedules a system reboot after 1 hour. After the reboot, Petya 2.0 halts the Windows boot process and instead loads its own code to encrypt the MBR. If the victim powers off an infected computer before the encryption process completes, they can potentially save the MBR, allowing them to back up files to a different system before wiping the infected computer.

Additionally, researchers have discovered a potential kill switch within Petya 2.0. During Petya 2.0’s execution, it checks for the existence of a file “C:\Windows\perfc” (no file extension). If the file exists, execution is halted. An administrator can create a file at that location to prevent Petya 2.0 from executing and encrypting their system.
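The two preceding paragraphs describe a delayed reboot and a file-based kill switch. The PowerShell script below is an added example for this page, not code from the Secplicity post or from WatchGuard, that turns those observations into a host-level check: it creates the `C:\Windows\perfc` kill-switch file the post names (and nothing else) as read-only, then looks for a scheduled task that runs `shutdown.exe` and aborts any pending restart with `shutdown /a`. It assumes it is run as Administrator on a host with `Get-ScheduledTask` available (Windows 8 / Server 2012 or later); the variable names are this example's own.

```powershell
# Added example (not from the original post): apply the kill switch and
# surface a queued reboot on a Windows host.
# Assumptions: run as Administrator; kill-switch path is the one the post names.

$KillSwitch = Join-Path $env:SystemRoot 'perfc'   # C:\Windows\perfc, no extension

# 1. Create the kill-switch file if it is missing and mark it read-only so the
#    malware's existence check finds it and execution halts.
if (-not (Test-Path -LiteralPath $KillSwitch)) {
    New-Item -ItemType File -Path $KillSwitch -Force | Out-Null
    Set-ItemProperty -LiteralPath $KillSwitch -Name IsReadOnly -Value $true
    Write-Output "Created kill-switch file $KillSwitch"
} else {
    Write-Output "Kill-switch file already present: $KillSwitch"
}

# 2. A delayed reboot like the one-hour timer described above is typically queued
#    as a scheduled task whose action is shutdown.exe; list any such task.
$RebootTasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { $_.Execute -match 'shutdown(\.exe)?$' }
}
foreach ($t in $RebootTasks) {
    $taskArgs = ($t.Actions | ForEach-Object { $_.Arguments }) -join ' '
    Write-Warning "Scheduled task '$($t.TaskName)' in '$($t.TaskPath)' runs shutdown with args: $taskArgs"
}

# 3. If a restart is already pending, shutdown /a aborts it so the machine stays
#    up long enough to copy files off before it is wiped and rebuilt.
if ($RebootTasks) {
    shutdown.exe /a 2>$null
    Write-Output "Issued 'shutdown /a' to abort any pending restart."
}
```

Aborting the reboot buys time to back up data; it does not remove the infection, and the host should still be isolated from the network and rebuilt, since the lateral-movement stage described earlier runs before the reboot.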

Petya 2.0 further highlights the need for keeping systems patched with the latest security updates. Furthermore, businesses should ensure their employees are educated on spotting phishing emails to prevent Petya 2.0 and other ransomware from gaining a foothold in their networks.

The recent string of ransomware attacks, including Petya 2.0 and WannaCry, brings to light just how critical adoption of a layered approach to security is. For example, as our Q1 Internet Security Report pointed out, 38% of malware gets past legacy AV, which is why services like IPS, sandboxing, and detection and response are so critical. No single solution is going to provide 100% coverage. As evidenced, WatchGuard customers leveraging Total Security Suite were protected from both WannaCry and Petya 2.0, but each attack was blocked by a different combination of services.

For more information on how WatchGuard blocked this attack, and for further tips on preventing Petya 2.0 infections, WatchGuard customers should see our Petya 2.0 Knowledge Base article.

—Marc Laliberte
