Petya ransomware preventive and after attack tips

Discussion in 'CYBER SECURITY awareness!' started by Dhruv Gupta, Jun 28, 2017.

  1. Dhruv Gupta

    Dhruv Gupta Member

    Quick Heal Security Labs has come across a new strain of Petya Ransomware that is affecting users globally. This clearly looks like early signs of a new ransomware attack that is spreading fast across the globe. Currently we have seen multiple reports of this ransomware attack from several countries.

    Quick Heal Security Labs Analysis Shows

    Petya's delivery mechanism is scam or phishing emails. Once the email attachment is executed on the computer, it shows the prompt of User Access Control. After executing the program, it encrypts the Master Boot Record (MBR) and replaces it with a custom boot loader containing code to encrypt the full disk, starting with the MFT (Master File Tree), and leaves a ransom note for users. Upon successfully encrypting the whole disk of the computer, it shows a ransom prompt.

    Are we (Quick Heal users) protected from this ransomware?

    All Quick Heal and Seqrite EPS users are protected from this ransomware's infection attempts that exploit the Eternal Blue vulnerability. This is the same vulnerability which WannaCry Ransomware has been exploiting to spread. Quick Heal IDS successfully blocks Eternal Blue exploit attempts. Quick Heal’s Behavior Based Detection (BDS) also blocks and warns the user of a potential attack under way. Just make sure all the security mechanisms of Quick Heal are switched ON.

    Quick Heal Security Labs is continuously monitoring the threat and working on releasing updates to protect against the threat at different layers. So please keep your Quick Heal up-to-date with all the current updates that are regularly released.

    Preventive steps and recommendations

    1. Avoid clicking on links in emails received from unknown senders.
    2. Apply all Microsoft Windows patches, including MS17-010, which patches the Eternal Blue vulnerability.
    3. Make sure your Quick Heal’s auto update is ON and it is updated to the latest version.
    4. Ensure you take a backup of your data to some external disk regularly.
    5. Avoid logging in to the computer with administrative privileges. Work with a user account that has standard user privileges and not administrative privileges.

    If a threat is executed on my computer, can I still save my data?

    If by mistake someone executes the threat on an unprotected computer by clicking on the link in the email and downloading the attachment, and you see a BSOD (blue screen) that restarts your computer, you can still save your data by not restarting the computer. Just keep it switched off. When you see the BSOD screen and the system restarts, only the MBR is replaced and your data on the disk is still intact; it can be accessed by mounting the hard disk on some other clean system. Make sure you do not boot from the infected computer's hard disk at that stage. Once mounted, the data can be accessed and copied.

    Source HERE

    Related News HERE
    revC0de, LowcyGier, kram7750 and 3 others like this.
  3. kram7750

    kram7750 Member Known Member

    I am a bit startled as to why popular AV companies seem to not currently have protection against Master Boot Record modifications; of course, bootkits are not as prevalent as they were around 7 years ago, but with a threat like Petya being spread round like a free bag of sweets, it would only be logical for the vendor to have protection for the MBR integrated into the product. They don't even need to make it a constant feature within the product; alternatively, they could only push out the availability of the feature when a threat like Petya has become prevalent and then disable it afterwards.

    It's no myth that popular AV firms already rely on device drivers for a lot of functionality within their product/s. I am sure they would be capable of restricting access to the MBR for writing. It doesn't have to cover ring 1/2 code execution, since once malware has a device driver loaded then it is already game over (in theory), but as long as user-mode applications are restricted then the problem is resolved, since Petya is just an elevated user-mode program. In fact, Petya itself will be outsmarted by ring 3 (user-mode) hooking (I've tested it out myself so I know this is true).

    I think that there are many more bootkit threats to come in the future and the security solutions that people use (and/or even on an enterprise environment) require good protection against MBR attacks. Personally, I think that malware in the wild is not usually "that good" anymore because we went from prevalent kernel-mode rootkits patching the SSDT to broken samples evolving around the .NET Framework in the wild, but malware authors are becoming smarter as they study the Windows Internals with native languages and we need to be prepared to fight back and win.
    revC0de, LowcyGier, wwd and 2 others like this.
  4. kram7750

    kram7750 Member Known Member

    I assume they use ntdll.dll!NtRaiseHardError for causing the BSOD crash.

    I think the main interesting part about Petya for me would be how the developers are capable of developing their own custom boot loader (which would have been written in 16-bit Assembly, since it loads up before Windows does, which means 32-bit support is not yet active due to the A20 line not being enabled, the GDT not being set up, etc.), but are not capable of actually deploying the MBR attack in a more "sophisticated" way.

    For example, I believe the loader will use the Win32 API... Which is quite simple. It could have just literally been a copy-paste job for the MBR overwrite with the custom *.bin bytes: overwrite 512 bytes after acquiring a handle to PhysicalDrive0 via CreateFile & WriteFile (ASCII/Unicode versions). I would have expected the developer/s, capable of writing their own 16-bit ASM boot loader, to have at least put a bit more effort into their launcher to do something like... direct NTAPI system calls, or even patch another Windows driver which is not in use and have the patched DriverEntry function overwrite the MBR with the custom bytes.
    revC0de, Trim, LowcyGier and 3 others like this.
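Two things in this thread are worth turning into a concrete check: the first post's point that after the fake BSOD only the MBR has been replaced and the data partitions are still where they were (so the disk can be mounted from a clean system), and this post's observation that the whole attack on the boot sector is a single 512-byte write to sector 0. The following Python is an added example, not code from the thread, from Quick Heal, or from any product: it parses a 512-byte MBR image, hashes the boot-code region against a baseline taken from a known-clean image, and lists the partition table so a responder can see where the data starts. All sample bytes, partition values and function names are constructed for illustration.

```python
"""
Offline MBR integrity check over a constructed 512-byte sector image.
Added example (not from the forum thread or Quick Heal); all sample
bytes, partition values and function names below are constructed.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439 hold the boot code
PART_TABLE_OFFSET = 0x1BE     # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sectors

# Constructed sample data: a "clean" boot-code stub and a differing stub that
# stands in for a replaced boot loader. Neither is real boot code.
CLEAN_BOOT_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 24
REPLACED_BOOT_CODE = b"\xEB\x1E\x90\x00" + b"\xCC" * 28
# (bootable, partition type id, first LBA, sector count); 0x07 is the NTFS id
SAMPLE_PARTITIONS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 1024000)]


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR image from boot code and partition tuples."""
    mbr = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    mbr[:len(code)] = code
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        entry = struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\0\0\0",
                            ptype, b"\0\0\0", lba_start, sectors)
        off = PART_TABLE_OFFSET + 16 * i
        mbr[off:off + 16] = entry
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr: bytes) -> dict:
    """Parse signature, boot-code hash and partition table from a sector image."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:  # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline_sha256: str):
    """Compare a sector image against a known-good boot-code hash.

    Returns (findings, parsed); an empty findings list means nothing changed.
    """
    parsed = parse_mbr(mbr)
    findings = []
    if not parsed["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if parsed["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if not parsed["partitions"]:
        findings.append("partition table empty")
    return findings, parsed


def demo():
    """Baseline the clean sample, then check a sample whose boot code was replaced."""
    clean = build_sample_mbr(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)
    baseline = parse_mbr(clean)["boot_code_sha256"]
    replaced = build_sample_mbr(REPLACED_BOOT_CODE, SAMPLE_PARTITIONS)
    return check_mbr(clean, baseline), check_mbr(replaced, baseline)


if __name__ == "__main__":
    (ok_findings, _), (bad_findings, bad_info) = demo()
    print("clean image findings:", ok_findings)
    print("replaced image findings:", bad_findings)
    for p in bad_info["partitions"]:
        print("partition", p["index"], "starts at LBA", p["lba_start"],
              "size", p["sectors"], "sectors")
```

On a real machine the 512 bytes come from reading the first sector of the physical drive or of a disk image taken from the affected disk once it is attached to a clean system; the baseline hash must be recorded while the system is known to be clean, which is the same reason the first post recommends regular backups. In the replaced sample the partition entries are unchanged, so the parser still reports the first data partition at LBA 2048, which is the information a responder needs before mounting the disk elsewhere.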