What we know so far?

UPDATE: We have a local vaccine

A new ransomware has started spreading in Ukraine and has shut down a lot of critical infrastructure (hospitals, airport, banks and power plants).
Some reports are also coming from Italy, Germany and Spain.

Early comments on VirusTotal indicate the usage of the EternalBlue exploit:

[embed]https://virustotal.com/it/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/[/embed]

When started, the malware clears the Windows event log using Wevtutil, writes a message to the raw disk partition and shuts down the machine.

After the restart, the encryption process starts:

And once the encryption is done, the malware displays this message:

If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but dont waste your time. Nobody can recover your files without our decryption service.

We guarantee that you can recover all your files safely and easily.
All you need to do is submit the payment and purchase the decryption key.

Please follow the instructions:
1. Send $300 worth of Bitcoin to following address: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

2. Send your Bitcoin wallet ID and personal installation key to e-mail wowsmith123456@posteo.net.


How does the ransomware spread?

To capture credentials for spreading, the ransomware uses custom tools, a la Mimikatz. These extract credentials from the lsass.exe process. After extraction, credentials are passed to PsExec tools or WMIC for distribution inside a network.

Other observed infection vectors include:

  • A modified EternalBlue exploit, also used by WannaCry.

[embed]https://twitter.com/PolarToffee/status/879709615675641856[/embed]

  • The EternalRomance exploit, a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP port 445 (note: patched with MS17-010).
  • An attack against the update mechanism of a third-party Ukrainian software product called MeDoc.

IMPORTANT: A single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers through WMI or PSEXEC.

https://twitter.com/0x09AL/status/879702450038599681

[embed]https://twitter.com/hackerfantastic/status/879772170817241088[/embed]
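A triage sketch for the behaviours described above (event-log clearing with Wevtutil, remote execution through WMIC or PsExec), added here as an example and not taken from the original post or from any vendor tool. The event records, host names and rule names are constructed for illustration; dllhost.dat is the FilePath indicator from the IOC list on this page.

```python
import re
from collections import defaultdict

# Behaviours named in the write-up, expressed as command-line patterns.
RULES = {
    "eventlog_clear": re.compile(r'\bwevtutil(\.exe)?"?\s+(cl|clear-log)\s', re.I),
    "wmic_remote_exec": re.compile(
        r'\bwmic(\.exe)?"?\s.*/node:.*\bprocess\s+call\s+create\b', re.I),
    "psexec_remote": re.compile(r'\bpsexec(64)?(\.exe)?"?\s+\\\\\S+', re.I),
}
IOC_IMAGE_NAMES = {"dllhost.dat"}  # FilePath indicator listed on this page

# Constructed process-creation records: (host, image path, command line).
SAMPLE_EVENTS = [
    ("WS-014", r"C:\Windows\System32\wevtutil.exe", "wevtutil cl System"),
    ("WS-014", r"C:\Windows\System32\wbem\WMIC.exe",
     r'wmic /node:"10.0.0.21" /user:"CORP\admin" process call create "cmd /c whoami"'),
    ("WS-014", r"C:\Windows\dllhost.dat",
     r"C:\Windows\dllhost.dat \\10.0.0.22 -accepteula -s cmd /c whoami"),
    ("WS-020", r"C:\Windows\System32\wevtutil.exe", "wevtutil qe System /c:5"),
    ("WS-031", r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption"),
    ("ADM-01", r"C:\Tools\PsExec.exe", r"psexec.exe \\10.0.0.5 ipconfig"),
]

def match_rules(image, cmdline):
    """Return the set of rule names that one process-creation record triggers."""
    hits = {name for name, rx in RULES.items() if rx.search(cmdline)}
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename in IOC_IMAGE_NAMES:
        hits.add("ioc_image_name")
    return hits

def triage(events):
    """Group rule hits per host; hosts with no hits are left out."""
    per_host = defaultdict(set)
    for host, image, cmdline in events:
        per_host[host] |= match_rules(image, cmdline)
    return {h: sorted(r) for h, r in per_host.items() if r}

def suspect_hosts(events, min_rules=2):
    """Hosts showing several distinct behaviours; a lone admin PsExec call stays below."""
    return sorted(h for h, r in triage(events).items() if len(r) >= min_rules)

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, rules)
    print("escalate:", suspect_hosts(SAMPLE_EVENTS))
```

Requiring two or more distinct behaviours per host keeps routine administration (a single PsExec or WMIC call) out of the escalation list while still surfacing it in the per-host view.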

The samples

Some samples have been submitted to HybridAnalysis:

I have extracted a memory dump of a virtual machine running the ransom screen; maybe it can be useful for some researchers:

http://cdn.andreafortuna.org/NotPetyaMemdump.tar.gz

 

[embed]https://www.instagram.com/p/BV4n99RBrJI/[/embed]


The ransom

Some victims already paid the ransom:

However, the email address on Posteo has been blocked:

[embed]https://twitter.com/HIBC2017/status/879747282173911040[/embed]

So, do not pay the ransom!

Furthermore, researchers at Kaspersky have revealed that the pseudo-ransomware is in fact a wiper, with no potential for successfully recovering from an attack:

The key material displayed as “installation ID” — necessary for decryption in real ransomware — is just random data. There is no possible way to recover the encrypted files as the key is not preserved and given to the user to request a decryption key.


From Twitter

[embed]https://twitter.com/kafeine/status/879711519038210048[/embed]

 

[embed]https://twitter.com/hackerfantastic/status/879719012929875968[/embed]

 

[embed]https://twitter.com/mikko/status/879713743994748928[/embed]

[embed]https://twitter.com/2sec4u/status/879708537827577859[/embed]

 

[embed]https://twitter.com/malwrhunterteam/status/879706266809114625[/embed]

 

[embed]https://twitter.com/TerrorEvents/status/879704320899469312[/embed]

 

[embed]https://twitter.com/BleepinComputer/status/879706016048308224[/embed]

 

[embed]https://twitter.com/mikko/status/879704801117786114[/embed]


Some IOCs

[embed]https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759[/embed]

FileHash-SHA256

027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

FileHash-SHA1

34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

FileHash-SHA256

64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1

FileHash-MD5

71b6a493388e7d0b40c83ce903bc6b04

FilePath

dllhost.dat


Yara Rules

Developed by Florian Roth.

[embed]https://gist.github.com/Neo23x0/7ff267390d0670998e9c481c22ab0071[/embed]

[embed]https://twitter.com/cyb3rops/status/879725829978300416[/embed]


The killswitch?

https://twitter.com/0xAmit/status/879778335286452224

copy NUL C:\Windows\perfc.dat

https://twitter.com/cyb3rops/status/879810363088404480

Stay tuned!