Petya starts with Ukraine and then goes global

On June 27, a large-scale cyber attack was recorded in Ukraine using a new modification of the Petya ransomware, which partially affected companies in Russia, the United States, India, and Australia. A preliminary investigation showed that the pro-state Black Energy group that had previously attacked energy and financial organizations in Ukraine was behind the attack.

Initial penetration occurs through updates of MeDoc, accounting software that is very popular in Ukraine. Then the Trojan resets the administrator's password on the computer where it first entered, and tries to connect to all computers on the network, using a legitimate tool PsExec, Wmi and exploits from the NSA set. For decryption, hackers demand 300 USD in bitcoin.
One week later, actors demanded 100 bitcoins (250 000$) for secret key, which is needed to decrypt all encrypted files.

According to preliminary estimates, about 80 companies have been attacked, with the majority of them located in Ukraine. The list of victims includes large Ukrainian banks and enterprises, namely, Oschadbank, Ukrgasbank, Pivdenny Bank, OTP Bank, TASKombank, The Epicenter chain store, Kovalska industrial and construction group. Three major Ukrainian telecom operators, Kyivstar, LifeCell, Ukrtelecom, have also been affected.

State enterprises Ukrtelecom, Ukrzaliznytsia, Ukrposhta, Kievvodokanal, and state-run aircraft manufacturer Antonov informed they had come under a large-scale attack. The Boryspil international airport, Kiev subway, computer networks of the Cabinet of Ministers and the website of the Ukrainian government have also been infected.

In Russia Rosneft and Bashneft oil giants have been hit by a massive attack.

When the malicious attachment is opened, it employs a recent vulnerability: CVE-2017-0199. This has previously been used in attacks by other criminal groups and is currently employed in a range of malicious builders on sale on underground forums.

After deployment it starts two threads:

• In first, the malware tries to infect other network computers by exploiting the
  
  EternalBlue vulnerability (CVE-2017-0144). As with WannaCry.
  
  
• In second thread, the malware uses an LSA Dump to get network/local admin passwords (similar to mimicatz x86, x64), and after that it infects other computers with PsExec or WMI commands.
  
  In short, there is no need for all computers to be vulnerable to EternalBlue. You need only one infected computer with admin credentials in LSA to compromise the network.
  
  The malware executes the following commands to clear OS System Logs and NTFS journal logs (wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:)

The malware waits around 30-40 minutes after infecting the endpoint (presumably to spread itself), then encrypts files with the following extensions:

.3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fd b.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.s ln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.

Then it changes MBR and MFT on localhost. And Reboot

After encryption the following screen is displayed:

KillSwitch: On launch, the malware checks if a file with its own name exists in Windows directory, without an extension. For example, if malware body has name perfc.dat (internal PE name), in the event it finds the file "%WINDOWS%/perfc", the program will exit.

However, Group-IB specialists could not confirm, that the next "Petya" campaign will use this same file name. Therefore, it depends on specific exploit that creates this file in the system. Considering this, this protection method cannot be used as a universal KillSwitch.

The malware was compiled on June 18:

We don't recommend to pay the ransom, since:

• You sponsor the criminals
• We have no evidence that the data of those who's paid has ever been restored.