
List:       patchmanagement
Subject:    Re: [patchmanagement] Petya Malware
From:       William Frogge <william.frogge () gmail ! com>
Date:       2017-06-27 19:04:36
Message-ID: CAAFe+1JB_h74CFfZmNXbdDL_t8e5AbCN9NGf+H-OPLyFmwE2aQ () mail ! gmail ! com

http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html?m=1

https://www.reddit.com/r/sysadmin/comments/6jsnex/new_ransomeware_attacks_holland_ukraine/


https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759

https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/



On Tue, Jun 27, 2017 at 12:09 PM, Alistair Whitford <
Alistair.Whitford@ntt.eu> wrote:

> Guys..
> 
> First time poster here..
> 
> 
> Reports are emerging of another ‘Huge cyber-attack cripples firms,
> airports, banks and government departments in Ukraine, Denmark, Russia,
> India etc….'. There are also indications that Spanish & British companies
> may have been affected.
> 
> Initial diagnosis is that the attacker is another form of ransomware
> (similar to the WannaCry attack), this time known as ‘Petya'. If you have
> successfully patched against WannaCry & have installed the April 2017
> Security update from Microsoft, it would appear they should be relatively
> safe.
> 
> The Petya ransomware has been successful in spreading because it combines
> both a client-side attack (CVE-2017-0199 ___ attack vector to infect via a
> modified Excel or Word/RTF doc).  Both tools formed part of the
> Shadowbroker leak earlier in the year.
> 
> Partial analysis of the malware signature indicates that there is lateral
> movement using WMIC, so disabling it will slow the movement if infected.
> 
> The other positive news is that it doesn't actually encrypt the drives
> until the machine is rebooted; which leaves a window of opportunity to
> rectify/remediate.
> 
> AV companies have been scrambling to push out updates to detect the attack
> and as of 16:25 on 2017-06-27 16 out of 61
> <https://virustotal.com/en/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/>
>  major suppliers were detecting it.
> 
> *Link to Detailed analysis
> <https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100>*
> 
> 
> 
> AW
> 
> ------------------------------
> 
> Please consider the environment before printing this e-mail or its
> attachments.
> 
> This e-mail (and any attachments) contains information, which is
> confidential and intended solely for the attention and use of the named
> addressee(s). If you are not the intended recipient you must not copy,
> distribute or use it for any purpose or disclose the contents to any
> person. If you have received this e-mail in error, please notify us
> immediately at enquiry.uk@ntt.eu. The information contained in this
> e-mail (and any attachments) is supplied in good faith, but the sender
> shall not be under any liability in damages or otherwise for any reliance
> that may be placed upon it by the recipient. Any comments or opinions
> expressed are those of the originator not of NTT Europe Ltd. unless
> otherwise expressly stated.
> 
> NTT Europe Limited is a company registered in England and Wales with
> company number 2307625. Registered Address: NTT Europe Ltd., 1 King William
> Street, London EC4N 7AR, UK. Telephone +44-20-7977-1000. Facsimile
> +44-20-7977-1001. Website Link: http://www.eu.ntt.com
> 
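The quoted message notes that this variant moves laterally with WMIC. The following is an added example, not code from the original thread or from any of the linked analyses: a small detection routine run over constructed process-creation events (made-up hosts, users and command lines) that flags wmic.exe launches aimed at other machines and ranks source hosts by how many targets they have reached. The log format and field names are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation events (made up for this example, not real incident logs).
# Fields, tab-separated: timestamp, host, user, image path, command line.
SAMPLE_LOG = """\
2017-06-27T15:40:01Z\tWS-014\tCORP\\alice\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe C:\\notes.txt
2017-06-27T15:41:12Z\tWS-014\tCORP\\alice\tC:\\Windows\\System32\\wbem\\WMIC.exe\twmic os get caption
2017-06-27T15:42:30Z\tWS-014\tCORP\\alice\tC:\\Windows\\System32\\wbem\\WMIC.exe\twmic /node:"WS-022" /user:CORP\\svc process call create "C:\\Windows\\payload.dll"
2017-06-27T15:43:02Z\tWS-022\tCORP\\svc\tC:\\Windows\\System32\\wbem\\WMIC.exe\twmic /node:WS-031,WS-032 process call create rundll32.exe
2017-06-27T15:44:10Z\tWS-022\tCORP\\svc\tC:\\Windows\\System32\\wbem\\WMIC.exe\twmic /node:localhost os get version
"""

NODE_RE = re.compile(r'/node:("([^"]*)"|(\S+))', re.IGNORECASE)  # quoted or bare /node: value
LOCAL_NAMES = {"localhost", ".", "127.0.0.1", "::1"}

def parse_events(text):
    """Split the tab-separated log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, cmd = line.split("\t", 4)
        events.append({"ts": ts, "host": host, "user": user, "image": image, "cmd": cmd})
    return events

def remote_nodes(event):
    """Return hostnames named by /node: that are not the event's own machine."""
    targets = []
    for m in NODE_RE.finditer(event["cmd"]):
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        for name in raw.split(","):  # /node: accepts a comma-separated list
            name = name.strip()
            if name and name.lower() not in LOCAL_NAMES and name.lower() != event["host"].lower():
                targets.append(name)
    return targets

def detect_wmic_lateral(events):
    """Flag wmic.exe launches aimed at other hosts; highest severity when they spawn a process there."""
    findings = []
    for ev in events:
        if ev["image"].rsplit("\\", 1)[-1].lower() != "wmic.exe":
            continue
        targets = remote_nodes(ev)
        if not targets:
            continue  # local WMI queries are routine admin activity
        spawns = "process call create" in ev["cmd"].lower()
        findings.append({"ts": ev["ts"], "source": ev["host"], "user": ev["user"],
                         "targets": targets, "severity": "high" if spawns else "medium"})
    return findings

def fan_out(findings):
    """Distinct remote targets per source host: a growing set is the spreading pattern to triage first."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["source"]].update(f["targets"])
    return {h: sorted(t) for h, t in per_host.items()}
```

Running `fan_out(detect_wmic_lateral(parse_events(SAMPLE_LOG)))` on the constructed data shows WS-014 reaching WS-022, which in turn reaches two more hosts, the chain an isolation decision would follow.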

---
PatchManagement.org is hosted by Shavlik

The content on the email list is intended for assisting administrators.  If you would
like to use any of this content in a blog or media publication, please contact the
owners of the list for approval.

To unsubscribe send a blank email to leave-patchmanagement@patchmanagement.org
If you are unable to unsubscribe via this email address, please email
owner-patchmanagement@patchmanagement.org

