A MONTH after the WannaCry ransomware attack paralysed connected systems worldwide, the Nigerian Communications Commission has alerted Nigerians about a new ransomware, ‘Petya’, that is spreading rapidly around the globe. Like WannaCry, ‘Petya’ ransomware takes over computers and demands $300, paid in Bitcoin.
The malicious software spreads rapidly across an organisation once a computer is infected, using the EternalBlue vulnerability in Microsoft Windows (Microsoft has released a patch, but not everyone will have installed it) or two Windows administrative tools. The malware tries one option and, if it doesn’t work, tries the next one. “It has a better mechanism for spreading itself than WannaCry.”
Petya uses three mechanisms to spread to additional hosts. It scans the local /24 subnet to discover and enumerate ADMIN$ shares on other systems, then copies itself to those hosts and executes the malware using PsExec. This is only possible if the infected user has the rights to write files and execute them on the system hosting the share.
It also uses the Windows Management Instrumentation Command-line (WMIC) tool to connect to hosts on the local subnet and attempts to execute itself remotely on those hosts. It can use Mimikatz to extract credentials from the infected system and use them to execute itself on the targeted host.
Petya finally attempts to use the ETERNALBLUE exploit tool against hosts on the local subnet. This will only be successful if the targeted host does not have the MS17-010 patches deployed.
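The three spreading techniques above each leave a distinct trace in host telemetry. The following Python is an added, defender-side example (not from the article or NCC) that runs simple detection rules over constructed, simplified Windows-style log lines; the event numbers are real Windows Security event IDs, but the line format, hostnames, addresses, account and payload file name are all placeholders.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): "host | event | detail", loosely
# modelled on Windows Security events 4688 (process creation), 7045 (service
# install) and 5140 (share access). Hosts, addresses, accounts are placeholders.
SAMPLE_LOGS = """\
ws01 | 4688 ProcessCreate | C:\\Windows\\System32\\wbem\\WMIC.exe /node:"10.0.5.17" /user:"CORP\\svc_admin" process call create "C:\\Windows\\payload.dat"
ws01 | 4688 ProcessCreate | C:\\Windows\\System32\\notepad.exe
fs02 | 7045 ServiceInstall | Service Name: PSEXESVC  Image Path: %SystemRoot%\\PSEXESVC.exe
fs02 | 5140 ShareAccess | Share Name: \\\\*\\ADMIN$  Source Address: 10.0.5.12  Account Name: CORP\\svc_admin
fs03 | 5140 ShareAccess | Share Name: \\\\*\\ADMIN$  Source Address: 10.0.5.12  Account Name: CORP\\svc_admin
fs04 | 5140 ShareAccess | Share Name: \\\\*\\ADMIN$  Source Address: 10.0.5.12  Account Name: CORP\\svc_admin
dc01 | 5140 ShareAccess | Share Name: \\\\*\\Users  Source Address: 10.0.5.30  Account Name: CORP\\alice
"""

# wmic.exe driving a remote host: "/node:<host> ... process call create <cmd>"
WMIC_REMOTE = re.compile(r"wmic(\.exe)?\b.*?/node:.*?process\s+call\s+create", re.I)
# PsExec installs a service named PSEXESVC on the target when it runs a command
PSEXEC_SVC = re.compile(r"\bPSEXESVC\b", re.I)
# ADMIN$ share opened; capture the client address that opened it
ADMIN_SHARE = re.compile(r"ADMIN\$.*?Source Address:\s*(\S+)", re.I)


def detect(log_text, fanout_threshold=3):
    """Return (who, rule) findings: wmic_remote_exec and psexec_service per
    host, plus admin_share_fanout for any source address that opened ADMIN$
    on at least `fanout_threshold` distinct hosts (the copy-to-every-host pattern)."""
    findings = []
    admin_targets = defaultdict(set)  # source address -> hosts whose ADMIN$ it opened
    for raw in log_text.splitlines():
        parts = [p.strip() for p in raw.split("|", 2)]
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        host, event, detail = parts
        if event.startswith("4688") and WMIC_REMOTE.search(detail):
            findings.append((host, "wmic_remote_exec"))
        if event.startswith("7045") and PSEXEC_SVC.search(detail):
            findings.append((host, "psexec_service"))
        m = ADMIN_SHARE.search(detail)
        if event.startswith("5140") and m:
            admin_targets[m.group(1)].add(host)
    for src, hosts in sorted(admin_targets.items()):
        if len(hosts) >= fanout_threshold:
            findings.append((src, "admin_share_fanout"))
    return findings


if __name__ == "__main__":
    for who, rule in detect(SAMPLE_LOGS):
        print(f"{rule:20s} {who}")
```

The fan-out rule is the one that distinguishes worm-like propagation from an administrator's routine use of the same tools: a single ADMIN$ access is normal, one client opening it on many hosts in quick succession is not. The EternalBlue path leaves no such host-level trace on the source, so it is covered by patching MS17-010 rather than by these rules.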
According to NCC, “The general public is advised not to panic as demonstrated during the WannaCry attacks in May 2017. Windows systems should be patched for this vulnerability by competent personnel. Organisations should take necessary precautions because the spread of Petya using this vulnerability indicates that many organisations may still be vulnerable, despite the attention WannaCry received.”
“Importantly, please note and observe the following: do not click on any suspicious or unknown links; protect yourself when using public Wi-Fi; do not visit unsafe and unreliable sites; avoid clicking on links that lead to websites such as Facebook, Instagram, WhatsApp etc. Instead it is much safer to visit the site directly through its URL, and if you receive a message or email with an attachment, try to verify the authenticity of the sender before opening.”
It also cautions against opening attachments from suspicious senders, advising that all documents should be stored in the ‘My Documents’ folder and files updated regularly.
— Jul 3, 2017 @ 12:45 GMT