Following the WannaCry ransomware attack last month, the world - and more specifically, Europe - was shaken by yet another similar attack a couple of days ago. The new malware is called "Petya"; it locks the files on the computer and demands a payment from victims to get their files unlocked.
While the true extent of the attack was unknown, Microsoft's telemetry data has now shed some light on the scale of the worm-able ransomware attack which has been infecting computers worldwide.
According to Microsoft's telemetry data, even though the Petya ransomware attack is more sophisticated with its worm-like capabilities, it has managed to infect fewer than 20,000 machines, which is considerably less than what the company anticipated. Furthermore, the attack started in Ukraine, with more than 70% of the affected machines situated in the country. Although Petya spread to other countries as well, it affected machines elsewhere in "significantly lower volumes". Microsoft also noted that the majority of the infected PCs were running Windows 7.
The company has illustrated Petya's kill-chain diagram below, which outlines Windows 10's mitigation techniques (in blue boxes) as well.
Microsoft also pointed out that network administrators who have machines running older operating systems such as Windows 7 do not have the advantage of modern hardware and software. As such, they should utilize hardened security configurations, which slow down the spread of ransomware such as Petya. These techniques include blocking or restricting access to specific IPs for file-sharing services (SMB) and blocking remote execution through PSEXEC.
Microsoft explained that Petya's worm-like behavior is limited by its design. Upon execution, it is allotted a fixed time to move laterally before the system is rebooted. If an argument isn't passed, the default value passed is 60 minutes. The company's telemetry data indicated that this significantly reduced the spread of the ransomware. Moreover, if an infected machine is rebooted, the worm cannot execute again.
Microsoft has also noted that Petya attempts to modify the Master Boot Record (MBR) and also overwrites the second sector of the C: partition with an uninitialized buffer, essentially destroying the Volume Boot Record (VBR) for the partition.
However, the company says that it's unclear what the purpose of this move is, keeping in mind that the VBR in the C: partition is not used to boot the machine, and that on machines running Windows 7 or later, this modification is unlikely to have an impact. Additionally, the code for this appears to be buggy as well, as it allocates ten times the amount of memory it actually requires.
Another interesting observation that Microsoft highlighted is that if Petya identifies that Kaspersky Antivirus is found on the machine or if the MBR infection is unsuccessful, it destroys the first ten sectors of the hard drive. On the other hand, if it detects Symantec Antivirus, it does not perform the SMB exploitation.
Microsoft stated that the new ransomware and the old Petya are functionally similar. In fact, it also boasts similarities with WannaCrypt in terms of the text in the ransom demand.
The company has also outlined a couple of cases in which recovering an infected machine is possible. One of these includes having a machine equipped with Secure Boot and UEFI. In this case, the victim can boot off a clean installation and perform Startup Recovery. Another involves having a machine that is non-UEFI, has Kaspersky Antivirus installed, but in a state where boot fails. In this case, a fix is possible by booting the victim machine from clean installation media, navigating to the recovery console, and running the following commands:
<recovery_console> bootrec /fixmbr
<recovery_console> bootrec /fixboot
That said, the company notes that if the following ransom note is shown, recovery is impossible:
In this situation, the victim's best bet is to take the hard drive to a clean system, and attempt to salvage any recoverable personal files using disk recovery tools, followed by reimaging the system.
Lastly, Microsoft cautioned that Petya is more sophisticated than WannaCrypt, and uses a second exploit to propagate. The modification of the boot sector also indicates that it is more likely to cause damage to PCs. As such, the company has stated that a multi-layer defense, similar to what Windows 10 offers, is the customer's best bet against similar attacks in the future. A deep analysis of Petya has enabled Microsoft to gauge the security of Windows 10, and it aims to enhance it further, with new tools in the Windows 10 Fall Creators Update and beyond.
Source and images: Microsoft