Petya Ransomware AttackOrhan Sari
With the #Wannacry attacks last month, in many countries important sectors such as health, finance and energy suffered great losses.  As it has been predicted in our previous writing titled as “New Risks in Corporate Firms towards WannaCry Attacks” that “if the self-renewed subsequent version attacks are not taken seriously, and the indispensable deeds are not taken, the information saved in the first wave can be permanently lost”.  A new pandemic malicious software named Petya ransomware  was released yesterday evening (27 June 2017), and globally began to threaten many institutions and caused great harm to companies across Europe and US. Even if they pay the ransom, victims can no longer unlock their computers 
Petya ransomware is more dangerous and more professional than WannaCry. Analysts are continuing to seek solutions and protect against attacks, especially for attacks that are effective in Russia and Ukraine.
1. What is Petya (# petrWrap)? How Does It damage Systems?The hacker group “TheShadowBrokers” leaked the exploit kit of the National Security Agency (NSA) named FUZZBUNCH in April. There were many exploits in this leaky kit. When the EternalBlue exploit from the relevant exploits is used together with the DOUBLEPULSAR payload in the exploit kit, it is possible to execute commands on the administrator’s rights using the vulnerability of the SMB service in Windows operating systems.
This vulnerability, named MS17-010 (CVE- 2017-0144), has been used by a ransom software called Petya(Win32 / Diskcoder.Petya.C) on June 27, 2017.
This ransomware also scans systems that use the same username and password information in the infected network without requiring any user interaction and affects the systems.
2. How did #Petya Ransomware Spread?
Petya worm has spread mainly using Windows SMB (v1) protocol. An exploit, used by the NSA to infiltrate systems that harbour this vulnerability, began to run on the Internet when it leaked from the NSA. In light of the documents and information disclosed, ransomware exploiting this vulnerability has been developed and presented on the internet.
It has been also revealed by the analysis of many security experts that this malicious software can be spread over local networks using windows username and password information.
If you are using a SIEM solution supported by Cyber Threat Intelligence, you can check back in the past to see if you have access to the following IP addresses.
IP addresses are known to be used by Petya Ransomware
If you are using as an intrusion detection and prevention system Snort or Suricata or an intrusion detection and prevention system that supports their rule set (IDS / IPS), you can download signatures to your system posted by Positive Tech.
If your system is not infected with Petya Ransomware yet, you can scan your internet ip addresses (against SMBv1 support) to see if there is a vulnerability If you are using MEDOC software, you may need to isolate and inspect the relevant systems from the network.
4 . What Should We Do, If We Detect Some Systems Are Contaminated by Petya Ransomware?
The network connection of an infected system should be immediately deactivated and isolated from the network. In this way, it can be prevented to spread to the other systems.
- You can restore the system from your backups and restore it to its original uninfected state.
- Passwords for local admin and for privileged accounts in the upper level of the system must be changed.
- Computer users should be authorized based on a minimum authority principle.
- Tools that can be used to spread to other systems like psexec, wmi over GPOs should be banned.
- Additionally, the creation of the directory “C: \ Windows \ perfc” on uninfected systems also restricts the this ransomware’s domain.
5. Is it possible to retrieve the files in case the ransom is paid?
Ransom payments are collected via bitcoin using an email account at firstname.lastname@example.org. Posteo, the provider of hacking e-mail, announced that crook’s e-mail account spreading Petya ransomware has been closed: email@example.com
It has been recommended not to pay the ransom, as all means of communication are closed. Also, It would be beneficial to take alternative solutions from security consulting companies.
6. What should a Corporate Employee do and how can they take action?
It is necessary to check the updates of the Microsoft Windows operating systems and make sure that the MS17-010 code patch released on March 14, 2017 is loaded.
- If the 445 / TCP ports are open from the systems serving the Internet, they should be turned off.
- Strengthen your antispam service against phishing attacks, and check SPF, DMARC, DKIM.
- Observe user authority and ensure that they work with the lowest authority principle. Avoid using a common account and create an account specific to each system.
- Check file-sharing access and edit permissions on corporate networks, and do not give permission to write files, if users need only read permission.
- Implement a training program to raise employees’ awareness against cyber attacks.
- Be sure to do penetration testing to detect security weaknesses in your network and take precautions early.
- Do not forget to make regular backups.
- Ensure that the local admin passwords used on the network are different on each system
- If you are using MEDOC software, ensure that related systems are isolated and examined from the network.
- pdated enterprise software should be reviewed one by one, and the access of the systems to the internet should be disclosed in control with consultation with the experts on suspicious situations.
7. Which Operating Systems Are Affected by Petya Ransomware?
All active Microsoft Windows operating systems are affected by Petya ransomware.
- Windows XP
- Microsoft Windows Vista SP2
- Windows 7
- Windows 8.1
- Windows RT 8.1
- Windows 10
- Windows Server 2008 SP2 and R2 SP1
- Windows Server 2012 and R2
- Windows Server 2016
8. How Can We Test Systems Against Threats That Can Emerge Over Email?
Cyber attacks coming from e-mail exploits the missing / incorrect configuration of the e-mail server and the lack of information security awareness of people using e-mail.
You can use the free ETS service provided by Keepnet labs to test whether your email server has passed malware or hosted mail, and to fix erroneous configurations. The ETS service is an effective service that reports your e-mail service’s status and improvements against current cyber attacks.
To use the ETS service for free, anyone can register at https://ets.keepnetlabs.com/User/Pregister
9. What should we do to be informed early about Petya Ransomware, Wannacry and other malicious software, and to be protected for the long term?
One can be aware of cyber threats that can target any organization by using software that provides an open source or corporate cyber threat intelligence.
- Increase awareness of your users by regularly doing social engineering experiments.
- Using NormShield Threat Intel’s free service , one can be aware of and block Wannacry, Petya or similar cyber threats that may be directed to systems.
References BGA Security, (June, 2017), Petya Ransomware Hakkında Bilinmesi Gereken 10 Önemli Nokta! Available at http://bit.ly/2tk71lP  Keepnet Labs, (May, 2017), New Risks in Corporate Firms towards WannaCry Attacks. Available at http://www.keepnetlabs.com/  This cyber attack is first “started circulating in 2016, the current attack now appears to be a Petya offshoot, with added refinements such as stronger encryption”. For more details look at https://www.wired.com/story/petya-ransomware-wannacry-mistakes/  The Guardian, (June 2017), ‘Petya’ ransomware attack strikes companies across Europe and US, Available at http://bit.ly/2uec6t0  Those who want to examine the malware can find sample files in the following address.https://yadi.sk/d/QT0l_AYg3KXCqc. Note: The password of the files is “virus”.  https://reputation.normshield.com
Editor’s note: This article is updated on 19 March 2020