Analysis of the wave of PetrWrap/NoPetya/GoldenEye attacks

As of Wednesday June 28, the IT systems of many companies worldwide have been infected by a wave of ransomware identified in the press under the names “PetrWrap”, “NoPetya” and “GoldenEye”.

Ukraine, Russia, Denmark, the UK, Norway and the Netherlands in particular have been affected by the ransomware.

According to initial analyses, 60% of the infected machines are in Ukraine and 30% in Russia.

The American pharmaceutical group Merck, the Russian petrochemical company Rosneft and the British advertising agency WPP have been affected.

 

What we know so far about this attack

Early yesterday afternoon, we announced that we had no definite information confirming that the attack was spreading via email.

Compared with the WannaCry outbreak last month, the wave we will call “Petya” has been faster but more targeted.

According to initial international feedback, the first victim in Ukraine was infected through a contaminated software update from the Ukrainian publisher MeDoc.

Following an internal investigation, Microsoft confirmed this hypothesis this morning: “Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process.

 

How does Petya spread?

Once the first machine in a company’s network is infected, Petya uses three propagation methods.

  • EternalBlue: A module that was already present in the WannaCry ransomware. This module targets the SMBv1 protocol through a memory overflow.
  • PsExec: Windows administration tool. In the same way as the Telnet utility, PsExec enables commands and programs to be executed on remote systems.
  • WMI: Windows Management Instrumentation. WMI is a tool for managing a set of Windows operating systems remotely. WMI is used to supervise systems via scripts. WMI is preinstalled on almost all Windows operating systems.

 

Not to be confused with the Jaff, Trickbot and other waves

Alongside this Petya wave, a cumulative volume of about 1,221,790 emails has been detected by our filter.

Three distinct waves have been detected, the first containing the Jaff ransomware (docm file attachment) and then two waves containing the Trickbot banking Trojan (zip file containing an invoice) and the Cerber and Hancitor ransomware.

The Petya wave should thus not be confused with the different Jaff and Trickbot waves already present.

 

Recommendation

It is still too early for a detailed analysis of how this ransomware works.

However, a few recommendations should be taken into account:

  • Update your operating systems.
  • Deactivate or restrict the permissions of remote administration tools.
  • If a machine is infected, do not pay the ransom. Use backup software to reinstall the machine.
Sharing is caring:

By Sébastien GEST

Sébastien GEST
Tech evangelist VadeSecure