As has been widely reported, a new ransomware known as ‘petya’ (also being referred to as `notpetya` or `petwrap` in the research community) started circulating on the internet earlier this week. It appears the attacks started in Eastern Europe and caused widespread damage around the globe.
This new attack uses an upgraded version of the earlier `petya` ransomware which encrypts files – and if the user runs under ‘admin,’ it also overwrites the master boot record (MBR). The latter is more serious: if MBR is overwritten, the computer can’t load the operating system. Some security researchers reported the malware spread through a supply chain compromise of a Ukrainian company. Some reports also indicated data on affected systems was permanently lost due to the way the malware destroyed critical control information needed to recover the encrypted data. However, since the email the attackers set up to collect payments and remit decryption keys was taken down by the security community, data recovery is not an option anyway.
Nominum Data Science showed this newest version of petya follows the old petya method which doesn’t use Command & Control (C&C) for getting encryption keys. Instead it spreads using a vulnerability `WanaCry` used one month ago (Windows vulnerability ‘MS17-010’ for which a patch was released in March). Microsoft also reports the malware uses two other methods to spread laterally within enterprise networks, which has caused concern.
Nominum algorithms processing our worldwide real-time DNS data stream took less than a second to determine 4 suspicious domains, which were ultimately determined to be download payloads used by this ransomware. These domains were subsequently placed on a Nominum block list as ‘ransomware’ to prevent these payloads from being downloaded:
Our Data Science team will continue to update this list of payload sites as new ones are found, and update our block lists accordingly.
For more information, this blog post from GitHub provides useful information on the ransomware.