Hello!

You’re about to visit our web page in English
Would you like to continue?

Yes, I want to visit the web page in English No, I want to visit the web page in

If this is not what you’re looking for,

Visit our Welcome Page!

My Account

Technical Support

Need help?

 

Information on the ransomware Petya cyberattack

On June 27, 2017, a large-scale attack using a variant of the ransomware family known as GoldenEye/Petya or Petya affected much of the world.

In addition to encrypting files on the computer, this ransomware family is characterized by encrypting the MBR when it has permissions, thus blocking full access to the computer. This version of the malware is distributed as a DLL with an EXPORT, which is named with a parameter that changes with each sample to begin the encryption process on the computer. When it runs, it encrypts certain files on compromised system drives.

In turn, if it has administrator permissions, it also encrypts the system boot sector by preventing access to the computer unless an access key that decrypts the system is entered. That key is assumed to be delivered once payment of the ransom has been made.

The sample creates a scheduled task to shut down the computer afterwards. Upon restarting the computer, Petya displays a fake window indicating that a disk problem is being solved.



Afterwards, it shows the window seeking the ransom:



Infection vectors

These are the various methods of entry and propagation on compromised networks we have identified:

  • An attack against the update mechanism of a third-party Ukrainian document management software product called MeDoc.
  • ETERNALBLUE: This malware variant uses code that exploits the vulnerability published by Microsoft on March 14, described in the bulletin MS17-010 https://technet.microsoft.com/library/security/ms17-010.
  • PSEXEC: Incorporates remote execution on the system using the PSEXEC command.

    v8 = wsprintfW(a2, L"%s \\\\%s -accepteula -s ", v3, a3);
    v9 = wsprintfW(&a2[v8], L"-d C:\\Windows\\System32\\rundll32.exe \"C:\\Windows\\%s\",#1 ", &v14) + v8;
  • WMI: Incorporates remote execution on the system using the WMI command.

    wbem\wmic.exe %s /node:"%ws" /user:"%ws" /password:"%ws" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1

Tips and Recommendations

All our customers are protected against this attack. However, please ensure the following:

  • Be cautious of documents contained in emails from untrusted senders.
  • Keep your operating system up to date with the latest Microsoft updates available.
  • In this case, as we have detected the use of ETERNALBLUE, we recommend that you make sure the following patch is installed on all computers across your network: https://technet.microsoft.com/en-us/ library / security / ms17-010.aspx
  • Install a Panda security product and keep it up to date.
  • Keep a backup of your files.
Help nº- 20190925 1690 EN
ALWAYS ONLINE TO HELP YOU TWITTER FORUM

Contact our technicians:

1-844-956-2648 1-866-748-2157x2 PREMIUM1-844-255-7356 Email us
ALWAYS ONLINE TO HELP YOU TWITTER FORUM
logo
About Panda
Company Info
Panda Security Technology
Support for Innovation
Panda Worldwide
Support
Blog
Security Info
Home Users
Products
Downloads
Free Antivirus
Free VPN
Online Antivirus
Reviews
Already a Customer
Business - WatchGuard Technologies
WatchGuard
Endpoint Security
Network Security
AuthPoint MFA
Secure Wi-Fi
Partners
Privacy Policy
Legal Notice
Cookie Policy
Return Policy