More on Petya/NotPetya/PetrWrap Ransomware

The Webroot Threat Research Team has classified all known variants of the Petya/NotPetya/PetrWrap ransomware. According to the Ukrainian Cyber Police and other security researchers, a Ukrainian software developer named “MeDoc” was allegedly the source of this outbreak: MeDoc’s accounting software delivered a file containing the Petya installer through its update system on June 27th. If this software is not used in your environment, you are not at risk from this delivery method.

Once on a system, Petya uses SMB exploit code to spread from computer to computer. This targets CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147 and CVE-2017-0148. A patch from Microsoft named “MS17-010” addresses these vulnerabilities. To verify that “MS17-010” has been installed, Webroot has created a utility to check systems. Please download it using the link below:

https://download.webroot.com/SMBCheck.exe

If the utility finds the system has not yet been patched, it will open a link for the proper patch.

For a list of all available patches, please visit the link below:

https://support.microsoft.com/en-us/help/4023262/how-to-verify-that-ms17-010-is-installed

This ransomware variant can also dump Windows account credentials for use with the Sysinternals utility “PsExec”. Given administrator credentials, this utility allows the ransomware to copy itself to and execute on all systems in the network remotely. If this software is not used in your environment, we recommend blocking it via Group Policy. To block executables, you may use AppLocker and create an executable rule to block all executables named “psexec.exe”.
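The AppLocker rule described above, as an added PowerShell example that is not part of the Webroot advisory. It writes a policy that denies any executable named psexec.exe and also carries AppLocker's three default allow rules, because an enforced Exe collection blocks everything it does not explicitly allow. The policy file location and the path of the PsExec copy used for the dry run are assumptions.

```powershell
# Added example, not Webroot's code. Run from an elevated PowerShell session.
# Assumption: the policy is written to $PolicyPath and applied to the local
# computer; use Set-AppLockerPolicy -Ldap to target a Group Policy object instead.
$PolicyPath = "$env:TEMP\block-psexec.xml"

# AppLocker requires each rule Id to be a GUID.
$denyId  = [guid]::NewGuid()
$pfId    = [guid]::NewGuid()
$winId   = [guid]::NewGuid()
$adminId = [guid]::NewGuid()

@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <!-- An explicit Deny wins over any Allow rule. S-1-1-0 is Everyone. -->
    <FilePathRule Id="$denyId" Name="Block psexec.exe by file name" Description="Ransomware lateral-movement mitigation" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="*\psexec.exe" /></Conditions>
    </FilePathRule>
    <!-- The default rules AppLocker normally generates for the Exe collection;
         without them every other executable would be blocked once enforced. -->
    <FilePathRule Id="$pfId" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$winId" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$adminId" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $PolicyPath

# Dry run before enforcing: the decision for a PsExec binary should be Denied.
# Assumption: a copy of PsExec.exe sits at $env:TEMP for this check only.
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path "$env:TEMP\PsExec.exe" -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule

# AppLocker only enforces while the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Apply locally (replaces any existing local policy; add -Merge to keep it).
Set-AppLockerPolicy -XmlPolicy $PolicyPath

# Confirm the effective policy now carries the deny rule.
Get-AppLockerPolicy -Effective -Xml | Select-String 'psexec.exe'
```

A path rule matches only on the file name, so a copy of the tool running under another name is not affected; a publisher rule keyed on the Sysinternals signature covers renamed copies as well.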

We also highly recommend following our best practices within our Ransomware Prevention Guide:

http://answers.webroot.com/Webroot/Loginr.aspx?pid=4&login=1&app=vw&solutionid=2637

We really hope that you find this information helpful.

Team Webroot – South Africa
