Starting Tuesday, June 26, 2017, users and companies around the world, but especially those based in Ukraine, were affected by a new ransomware virus called Petya, also known as Petrwrap, which appears to be a modified form of a type of virus known since 2016. The announcement was made by the Romanian National Computer Security Incident Response Team (CERT-RO).
Initial infection of systems is achieved through documents attached to phishing email messages that users are urged to open. Also, according to information published on social networks by Ukrainian authorities, the virus has spread through the update mechanism of the MeDoc application (popular in Ukraine), a vector also confirmed in a post on the blog of the security company Kaspersky.
As in the case of WannaCry, once a workstation in a network is infected, the virus uses multiple lateral movement techniques, such as exploiting the vulnerabilities patched by Microsoft in the MS17-010 bulletin (CVE-2017-0144, CVE-2017-0145) with the exploit tools known as EternalBlue (also used by WannaCry), DoublePulsar and EternalRomance. It also captures administrative credentials from the memory of the infected system and uses them to spread across the network through WMIC (Windows Management Instrumentation Command Line) and PsExec.
According to the information currently held by CERT-RO, the virus spreads only within the internal network where the initial infection of the workstation occurred, using the following techniques to identify other target systems: enumerating the network adapters on the infected system, reading the NetBIOS names of other systems, and reading DHCP lease information. All systems identified in the adjacent networks are then scanned on TCP ports 445 and 139 (used by the SMB protocol), and if the ports are open the virus attempts to exploit the vulnerabilities described above.
Once a workstation is infected, the virus attempts to spread across the network and, after a 10-60 minute wait, restarts the system, encrypts the NTFS Master File Table, and replaces the code in the MBR area of the storage disk with its own code, which displays the ransom note.
This behavior adds a feature not seen in other ransomware variants: in addition to encrypting files, it also blocks access to the infected system itself.