Jun 2017: And Now It's #GoldenEye ?


Dear All,

Over the last 24 hours a new strain of ransomware has infected close to 3000 machines across the globe. Many news sites speculate that this is in fact GoldenEye or Petya ransomware, but in reality it is a new strain of malware which has now been aptly codenamed “NotPetya”.
 
Some interesting facts:
1. The “Petya” ransomware this attack resembles was first spotted in 2016. It doesn’t just encrypt files; it also overwrites and encrypts the master boot record (MBR).
2. The attack first struck government and business computers in Ukraine before spreading to major European firms like Maersk. Over 3000 computers are currently infected.
3. A Pennsylvania hospital system, Heritage Valley Health System, and the pharmaceutical company Merck are among the victims in the U.S.

Is there a Vaccine / Kill switch?
Create a file "C:\Windows\perfc" and make it read-only (this only works if the malware has SeDebugPrivilege).
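The vaccine step above as a PowerShell script, added here as an example rather than the batch script AKATI links to; the function names and the remote-deployment helper are my own, and the remote case assumes an elevated prompt with WinRM enabled on the target hosts.

```powershell
# Added example, not AKATI's script: create the file the advisory names
# (C:\Windows\perfc), set the read-only attribute, and verify the result.

function Set-PerfcVaccine {
    # Default path is resolved on the machine the function runs on, so the
    # same function body can be shipped to remote hosts via Invoke-Command.
    param([string]$Path = (Join-Path $env:SystemRoot 'perfc'))
    if (-not (Test-Path -LiteralPath $Path)) {
        # -ItemType File creates a zero-byte file; -Force creates it even if hidden
        New-Item -Path $Path -ItemType File -Force | Out-Null
    }
    # Mark the file read-only as the advisory instructs
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true
}

function Test-PerfcVaccine {
    # Returns $true only if the file exists AND is read-only
    param([string]$Path = (Join-Path $env:SystemRoot 'perfc'))
    $f = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $f) { return $false }
    return [bool]$f.IsReadOnly
}

function Deploy-PerfcVaccine {
    # Hypothetical helper: apply and verify on a list of hosts over WinRM
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        Invoke-Command -ComputerName $c -ScriptBlock ${function:Set-PerfcVaccine}
        $ok = Invoke-Command -ComputerName $c -ScriptBlock ${function:Test-PerfcVaccine}
        [pscustomobject]@{ Host = $c; VaccinePresentReadOnly = $ok }
    }
}

# Local run: apply, then report
Set-PerfcVaccine
if (Test-PerfcVaccine) { "Vaccine file present and read-only on $env:COMPUTERNAME" }
else { Write-Warning "Vaccine file missing or not read-only on $env:COMPUTERNAME" }

# Fleet run (constructed host names, replace with your own):
# Deploy-PerfcVaccine -ComputerName 'WS-001','WS-002' | Format-Table
```

Re-run Test-PerfcVaccine after patching or imaging, since a rebuild will drop the file.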

 
What does the Ransomware do?
Upon infection, the NotPetya ransomware waits for up to 45 minutes before rebooting the system. The reboot is scheduled using system facilities: the “at” or “schtasks” and “shutdown.exe” tools.

Once it reboots, the encryption process starts, targeting the MFT in NTFS partitions and overwriting the MBR loader with a ransom note.

NotPetya uses custom tools similar to Mimikatz to capture credentials for spreading through the network. These credentials are extracted from the lsass.exe process and passed to PsExec or WMIC for distribution inside the network.

This ransomware also uses the following vectors:
1. The EternalRomance exploit, a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP (patched with MS17-010).
2. A modified EternalBlue exploit, also used by WannaCry.
3. An attack against the update component of a third-party Ukrainian accounting software product called MeDoc.

It is important to note that a single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers through WMI or PsExec.

For those utilizing our iSOC Managed Services, do not worry: we will already have detected and responded.
 
For those having their own SOC, you could utilize the following indicators from this link:
https://secure.akati.cloud/dl/...

For those needing YARA IOCs, you can download them here:
https://secure.akati.cloud/dl/...

Those needing a batch script for the vaccine / killswitch can download it here:
https://secure.akati.cloud/dl/...


Additional Information:

(a) Listen to Krishna Rajagopal as he explains PETYA to BFM89.9FM here.

(b) AKATI Consulting Speaks to Computerworld Malaysia on PETYA. Read Here.
