
Victims of latest global ransomware attack urged not to pay

Victims of the latest global ransomware attack are urged not to pay, while some researchers claim to have found a local kill switch or vaccine

Ransomware that appears to be related to the Petya family and uses the same EternalBlue exploit as WannaCry has hit organisations in the US, following attacks in Ukraine, Russia and across Europe.

The new ransomware, dubbed ExPetr by Kaspersky Lab, has been linked to Petya because, like that family of ransomware, it also attempts to encrypt the hard drive’s master boot record (MBR), locking victims out of their computer – not just their files.

Security researchers have also highlighted that ExPetr does not rely only on the EternalBlue exploit, which targets a known vulnerability in the server message block (SMB) protocol in Microsoft Windows, to propagate.

ExPetr is also being spread using the EternalRomance exploit targeting Windows XP to 2008 systems over TCP port 445 and through abuse of legitimate command line tools PsExec and Windows Management Instrumentation Command-line (WMIC).

The ransomware also uses the publicly available Mimikatz tool to obtain the credentials of all Windows users in plaintext, including local administrators and domain users.

This means computers may still be vulnerable even if the Microsoft patches for the EternalBlue and EternalRomance exploits have been applied. Those exploits are believed to have been developed by the NSA and subsequently stolen and leaked by the ShadowBrokers hacking group.

However, the immediate application of the Microsoft patches is still advised for any unpatched machines.


In light of the fact that the attackers’ email account for accepting ransom payments has been shut down, victims are also advised not to pay the $300 ransom as it is unlikely they will receive a key for decrypting affected files.

Security researchers monitoring the bitcoin wallet associated with the ransomware report that a few hours after the attack began, the wallet began receiving funds, indicating some victims were willing to pay almost immediately. However, only about 26 victims are believed to have paid on the first day.

To prevent the ransomware from spreading in the network, security firm Positive Technologies recommends turning off computers that have not been infected, disconnecting the infected hosts from the network, and making images of compromised systems.

This approach could be useful for restoring data, the firm said, if researchers find a way to decrypt the files. In addition, these images can be used to analyse the ransomware.

Researchers at the firm also claim to have found a kill switch to disable the ransomware locally, and have provided the details in a blog post.

The researchers found that the ransomware checks if the perfc file is present in the C:\Windows\ folder before executing. They suggest creating a file with the correct name in this folder can prevent the substitution of the MBR and further encryption. Similarly, other researchers have suggested that blocking C:\Windows\perfc.dat from writing or executing could halt the ransomware.

Anti-ransomware recommendations for businesses

  • Use the Windows AppLocker feature to disable the execution of any files that carry the name “perfc.dat”, as well as the PsExec utility from the Sysinternals Suite.
  • Isolate infected endpoints as soon as possible.
  • Use the indicators of compromise to update security systems.
  • Develop a system of regular training courses for employees to increase their awareness of information security issues by demonstrating practical examples of potential attacks on the company's infrastructure.
  • Install antimalware software with self-protection that requires a special password for disabling or changing its settings.
  • Ensure regular updates of software and operating systems on all hosts of the corporate infrastructure, as well as an effective process of managing vulnerabilities and updates.
  • Conduct regular information security audits and penetration testing to allow timely detection of existing deficiencies in protection and vulnerabilities.
  • Monitor the corporate network perimeter to control network service interfaces accessible from the internet and correct the configuration of firewalls in a timely manner.
  • Monitor the internal network to detect and eliminate an attack that has already occurred.

To apply this local kill switch or vaccine, administrators need to locate the C:\Windows\ folder and create a file named perfc, with no extension name.
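The vaccine step above, scripted as an added example (not code from the article or from Positive Technologies): it creates the empty file in %SystemRoot% (normally C:\Windows), marks it read-only, and reports whether the check passes. It creates both "perfc" (as the article describes) and "perfc.dat" (as the other researchers it cites suggest blocking); the function names are this example's own.

```powershell
# Added example (not from the article or Positive Technologies). Creates the
# empty "perfc" vaccine file in %SystemRoot% (normally C:\Windows) and makes it
# read-only. Run from an elevated (Administrator) PowerShell session.
# 'perfc' follows the article; 'perfc.dat' follows the other researchers it cites.
$VaccineNames = @('perfc', 'perfc.dat')

function Install-PerfcVaccine {
    param([string]$WindowsDir = $env:SystemRoot)
    foreach ($name in $VaccineNames) {
        $path = Join-Path $WindowsDir $name
        if (-not (Test-Path -LiteralPath $path)) {
            # Zero-byte file: the ransomware's check is only for the file's presence
            New-Item -Path $path -ItemType File -Force | Out-Null
        }
        # Read-only attribute so the file is not casually overwritten or deleted
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    }
}

function Test-PerfcVaccine {
    # Returns $true only when every vaccine file exists and is read-only
    param([string]$WindowsDir = $env:SystemRoot)
    $ok = $true
    foreach ($name in $VaccineNames) {
        $path = Join-Path $WindowsDir $name
        if (-not (Test-Path -LiteralPath $path)) { $ok = $false; continue }
        if (-not (Get-Item -LiteralPath $path).IsReadOnly) { $ok = $false }
    }
    return $ok
}

Install-PerfcVaccine
if (Test-PerfcVaccine) { 'perfc vaccine files present and read-only' }
else { Write-Warning 'vaccine incomplete; re-run from an elevated session' }
```

The file only defeats the presence check the researchers describe; the Microsoft patches, isolation of infected hosts and the AppLocker rules listed above still apply.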

According to Kaspersky Lab, around 2,000 machines had been hit by the ransomware by the end of the first day of attacks, which appears to indicate ExPetr is spreading much more slowly than WannaCry.

Code analysis showed that the new ransomware does not attempt to spread itself beyond the network it is placed on, leading several experts to predict the attack will not spread significantly further than it did on the first day unless it is modified, according to the BBC.

Amichai Shulman, co-founder and chief technology officer of security firm Imperva, said that like WannaCry, this latest attack shows rapidly replicating ransomware is not a viable financial model.

“This data supports the argument that this malware is nation state driven and only aimed at disrupting operations rather than monetising on the ransom,” he said.

Known victims of the ransomware include Ukraine’s central bank, Ukraine’s Ukrenergo electricity supplier, the Chernobyl nuclear power plant, airport and metro services throughout Ukraine, UK advertising firm WPP, US-based pharmaceutical company Merck, multinational law firm DLA Piper, Danish shipping company A.P. Moller-Maersk, Russian oil company Rosneft, Pennsylvania hospital operator Heritage Valley Health System, Netherlands-based shipping company TNT and French construction materials company Saint-Gobain.
