NotPetya

Petya Ransomware is back to cause havoc

The world suffered another nightmare on Tuesday with the attack of a new ransomware, NotPetya, which uses the same malicious code as the WannaCry ransomware. Researchers are calling it NotPetya because, although it is a version of the Petya ransomware, in many ways it can be classified as a different ransomware.

In India, companies such as Reckitt Benckiser and Beiersdorf, the maker of Nivea cream, reported compromise. India’s largest port, Jawaharlal Nehru Port Trust (JNPT), is also a victim because AP Moller Maersk, a Danish cargo carrier, was infected at The Hague office. Cargo containers are being moved manually, without the use of the system.

NotPetya relies on the same leaked NSA hacking tool, EternalBlue, that the WannaCry ransomware used a few days back to affect millions of computers. Microsoft had already released a patch (MS17-010, for the EternalBlue vulnerability) after WannaCry to prevent any EternalBlue attacks, so this is an embarrassment for the companies that have not updated their systems with this latest patch.

This is a particularly vicious ransomware attack because it not only encrypts the victim’s files using a highly advanced cryptographic mechanism but also locks the entire hard drive by overwriting the master boot record (MBR), and then demands a ransom in the virtual currency bitcoin for its release. It makes the drive totally unusable.

The widespread attack affected global and national organisations including many pharmaceutical companies, Chernobyl radiation detection systems, the Ukrainian National Bank, the Kiev metro, British advertising firm WPP and logistics company Maersk. Major countries affected by this ransomware are Ukraine, UK, Russia, Poland, France, Denmark and Pittsburgh, US and others.

Immediate Call to Action:

  1. Block the source e-mail address: wowsmith123456@posteo.net
  2. Block domains:
  3. Block IPs:
    95.141.115.108
    185.165.29.78
    84.200.16.242
    111.90.139.247
  4. Apply patches. Reference (in Russian): https://habrahabr.ru/post/331762/
  5. Disable SMBv1
  6. Update Anti-Virus hashes
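
Steps 3 and 5 of the list above, as an added PowerShell example that is not part of the original post: it reports whether SMBv1 is enabled on the local host and, when run with the hypothetical `-Apply` switch, disables it and adds Windows Firewall block rules for the four listed IPs. It assumes an elevated prompt; the function names and the rule display name are illustrative.

```powershell
# Added example, not from the original post. Run elevated on the host being hardened.
param([switch]$Apply)   # hypothetical switch: report only unless -Apply is given

# IP addresses taken from step 3 of the list above
$blockIps = '95.141.115.108','185.165.29.78','84.200.16.242','111.90.139.247'
$lanmanServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Windows 8 / Server 2012 and later expose the SMB cmdlets
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / Server 2008 R2: a missing SMB1 value means the server side is enabled
        $reg = Get-ItemProperty -Path $lanmanServer -Name SMB1 -ErrorAction SilentlyContinue
        $server = (-not $reg) -or ($reg.SMB1 -ne 0)
    }
    # Client side: the mrxsmb10 driver; start type 4 means disabled
    $drv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -ErrorAction SilentlyContinue
    $client = [bool]$drv -and ($drv.Start -ne 4)
    New-Object psobject -Property @{ ServerSmb1Enabled = $server; ClientSmb1Enabled = $client }
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanmanServer -Name SMB1 -Type DWord -Value 0
    }
    # Client: drop the SMBv1 dependency, then disable the driver (takes effect after reboot)
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Block-IndicatorIps {
    # New-NetFirewallRule needs Windows 8 / Server 2012 or later
    foreach ($dir in 'Inbound','Outbound') {
        New-NetFirewallRule -DisplayName "Block NotPetya IOC IPs ($dir)" -Direction $dir `
            -RemoteAddress $blockIps -Action Block | Out-Null
    }
}

$before = Get-Smb1State
"SMBv1 before: server=$($before.ServerSmb1Enabled) client=$($before.ClientSmb1Enabled)"
if ($Apply) {
    Disable-Smb1
    Block-IndicatorIps
    $after = Get-Smb1State
    "SMBv1 after:  server=$($after.ServerSmb1Enabled) client=$($after.ClientSmb1Enabled) (reboot to finish)"
}
```

Run it once without `-Apply` to see which hosts still answer SMBv1 before changing anything, since legacy devices that only speak SMBv1 will lose file sharing once it is disabled.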

WannaCry had many bugs, and hence a kill switch that could be used to get rid of it, whereas NotPetya seems to be the work of professionals, so stopping it without paying the ransom is going to be a real challenge. David Kennedy (former NSA analyst and cybersecurity entrepreneur) has rightly stated “This is going to be a big one. Real big one”.

Cloud email security and advanced threat protection should be used immediately to mitigate the situation and to prevent it in future. Prevention is the eternal rule of defence in the cyber world. Logix Infosecurity provides the latest technology to protect your company from such attacks. Sandboxing security layers can be a powerful tool in such situations.
