Petya Ransomware Advisory


Petya – Dos & Don’ts

Petya ransomware, also known as Petrwrap or GoldenEye, affects Microsoft Windows based systems and encrypts data (the MBR and NTFS structures) on systems that have not received the latest patches, spreading through SMB exploits. Although this outbreak is smaller than the earlier WannaCry attack, it has had a considerable impact in Europe (primarily Ukraine), Russia, the UK, India and elsewhere.

How can it impact you?

The recent attack by Petya ransomware is another warning to enterprises about the possible catastrophe caused by vulnerabilities in their networks or IT infrastructure. Petya ransomware is spreading fast, with Ukraine the worst-hit country over the last couple of days. It uses the same exploit that WannaCry used to propagate itself and that created havoc in the recent past. Microsoft released a patch for the exploited vulnerability back in March 2017, but many organizations missed updating their OS and systems.

EternalBlue was the exploit used by WannaCry; it abuses an SMB protocol vulnerability to propagate throughout the network. Petya ransomware, however, does not just encrypt files: after encrypting them it tries to encrypt the MBR too, effectively rendering the infected systems unbootable.

According to our findings, Petya was pushed through an update for MeDoc, a financial software package widely used by organizations in Ukraine.

How does eScan protect against Ransomware attacks:

eScan’s Proactive Behavioral Analysis Engine (PBAE) monitors the activity of all processes on the local machine; when it encounters any activity or behavior that matches ransomware, a red flag is raised and the process is blocked. If an infected system tries to access a network share of a protected system and encrypt or modify files residing on that system, PBAE immediately terminates the network session.
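As an added illustration (not eScan’s PBAE code, and not its thresholds), here is a toy behavioural heuristic over a constructed stream of file-write events: it flags a process that overwrites many files with near-ciphertext entropy inside a short window, notes when any of those files sit on a UNC network share, and treats a write to a raw disk device (the path an MBR overwrite takes) as a signal on its own. Process ids, paths, thresholds and sample data are all constructed.

```python
import math
from collections import Counter, defaultdict, deque

# Tunables for this toy heuristic (constructed values, not eScan's settings)
WINDOW_S = 10.0        # sliding window in seconds
HIGH_ENTROPY = 7.5     # bits/byte; ciphertext sits near the maximum of 8
BURST = 5              # high-entropy overwrites in one window before we flag
RAW_DISK_PREFIX = r"\\.\PhysicalDrive"   # raw device writes are how the MBR is overwritten

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def detect(events):
    """Return {pid: set(reasons)}: a burst of high-entropy overwrites (worse if any
    hit a UNC network share) or any write to a raw disk device flags the process."""
    recent = defaultdict(deque)      # pid -> (time, on_share) of recent high-entropy writes
    flagged = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["t"]):
        pid, path, now = ev["pid"], ev["path"], ev["t"]
        if path.startswith(RAW_DISK_PREFIX):
            flagged[pid].add("raw disk write")
            continue
        if shannon_entropy(ev["data"]) < HIGH_ENTROPY:
            continue                 # ordinary document or text content: ignore
        q = recent[pid]
        q.append((now, path.startswith("\\\\")))   # \\server\share\... is a remote share
        while q and now - q[0][0] > WINDOW_S:
            q.popleft()              # drop writes that fell out of the window
        if len(q) >= BURST:
            flagged[pid].add("encryption burst")
            if any(on_share for _, on_share in q):
                flagged[pid].add("encrypting files on a network share")
    return dict(flagged)

# Constructed sample stream: one ransomware-like process (pid 4242) and two benign ones.
CIPHERTEXT = bytes(range(256)) * 4             # uniform bytes, entropy exactly 8.0
PLAINTEXT = b"Quarterly revenue report, draft 3. " * 30

def sample_events():
    targets = [r"C:\Users\a\Docs\q1.xlsx", r"C:\Users\a\Docs\q2.xlsx", r"C:\Users\a\Docs\notes.txt",
               r"\\fileserver\finance\budget.docx", r"\\fileserver\finance\payroll.xlsx",
               r"C:\Users\a\Docs\plan.pptx"]          # six overwrites in six seconds
    evs = [{"t": float(i), "pid": 4242, "path": p, "data": CIPHERTEXT} for i, p in enumerate(targets)]
    evs.append({"t": 6.0, "pid": 4242, "path": r"\\.\PhysicalDrive0", "data": CIPHERTEXT[:512]})
    evs.append({"t": 1.5, "pid": 1337, "path": r"C:\Users\a\Docs\memo.txt", "data": PLAINTEXT})
    evs.append({"t": 2.0, "pid": 2001, "path": r"C:\Backups\arch.zip", "data": CIPHERTEXT})  # one write, no burst
    return evs
```

Running `detect(sample_events())` flags only pid 4242, with all three reasons; the single compressed-looking write by pid 2001 stays below the burst threshold.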

Along with Petya, PBAE technology is also successfully blocking ransomware attacks such as WannaCry, Locky, Zepto, Crysis, Cerber3 and many more. By analyzing the data collected through our cloud (ESN) network, we are able to detect and mitigate thousands of ransomware attacks on all systems protected by eScan.

eScan’s Active Virus Control (AVC) also proactively protects the system from infection by monitoring code as it executes in real time. It is not just PBAE but also AVC that identifies and blocks the execution of malware and Trojans, including all types and variants of ransomware.

Prevention Measures:


Petya Ransomware Attack and Remediation

The recent attack by Petya ransomware is another warning to organizations about the possible catastrophe caused by vulnerabilities. Petya ransomware is spreading fast, with Ukraine the worst-hit country in the last 24 hours. It uses the same exploit that WannaCry used to propagate itself and that created havoc in the recent past. Microsoft’s patches, released back in March 2017, have been a critical remedy against these attacks, but many organizations missed updating their OS and network.

The Exploits and Infection Routines

EternalBlue was the exploit used by WannaCry; it abuses an SMB protocol vulnerability to propagate throughout the network. Petya ransomware, however, does not just encrypt files: after encrypting them it tries to encrypt the MBR too, effectively rendering the infected systems unbootable. According to the findings, Petya was pushed through an update for the MeDoc financial software, used mostly by organizations in Ukraine.

It is highly unusual for ransomware to initiate an infection chain by piggy-backing on third-party software rather than via spam or phishing mails. Throughout the history of ransomware, we have observed spam mails being the favorite medium of transportation. Petya therefore appears to be more of a targeted attack than a ransomware attack.

The Impact

In India, “The (shipping) ministry has confirmed that one terminal at JNPT has been affected due to the attack at Maersk’s Hague office,” an official said.

Due to this attack, operations at JNPT’s GTI (Gateway Terminals India) have come to a standstill. However, this seems to be an isolated incident within India, and the impact on India seems very limited. Last month’s WannaCry attack forced numerous organizations to implement the patches released by Microsoft, although some organizations may still be lagging behind.

There have been reports of two more organizations with a presence in India, viz. Beiersdorf AG and Reckitt Benckiser, being affected by the ransomware attack.

Monetization

So far the Bitcoin address used by Petya ransomware has received 45 transactions worth 3.99009155 BTC, equivalent to 10213.12 USD. However, the email address used to communicate with the criminals has been suspended by the German email service provider, rendering all efforts to obtain the decryption key futile. Victims should therefore desist from making any payments to the criminals.

Microsoft Patches for Petya Ransomware – Stay Safe

To stay safe from such attacks, all organizations and users need to ensure that the patches released by Microsoft have been applied, as described in our previous blog post:

Microsoft releases patches for exploits used by NSA’s hacking tools


Trickbot – new entrant in the Indian Online Banking Cyberspace

Ransomware is not the only prevalent threat these days; other threats too have been making their foray. We humans tend to forget that security is an ongoing process and is not limited to one single threat. We have to be on our toes 24x7 and alert at all times, ensure that all SOPs are adhered to, and ensure regular audits of all security processes and procedures.

For the past few weeks, ransomware has gained notoriety, specifically due to the exploits used by the WannaCry ransomware; however, during the same period TrickBot, a banking Trojan, was also working towards stealing banking credentials and gaining access to victims’ bank accounts.

Thanks to the release of the Zeus bot source code a couple of years ago, we have observed a rise in Trojans which share the same or a similar codebase with Zeus. Along similar lines, Trickbot shares many similarities with Dyre, yet another banking malware family.

Trickbot’s configuration contains a list of banking URLs; when the victim accesses one of them, the session is intercepted and exploited. In recent weeks, Trickbot has expanded its attack vector and has truly gone global, targeting numerous banks, payment processors and CMS systems.

Targeting CMS systems provides Trickbot with access credentials which can then be further leveraged to carry out targeted attacks, including spear-phishing attacks and, to a certain extent, watering-hole attacks.

Recently, Trickbot added a couple of Indian banks to its configuration, viz. SBI Bank and ICICI, considering their huge consumer base; however, we are yet to observe any active attack on their customers.

Moreover, in the coming weeks and months we expect much larger campaigns targeting Indian online banking customers, and a few more Indian banks to be added by Trickbot to its configuration. Furthermore, based on the success of Trickbot, we may also see other banking Trojans sneaking into the Indian cyberspace.

We at eScan believe that it is our duty to be proactive in alerting users about potential attacks, which helps them take the necessary precautions. Moreover, eScan users are protected from the threats posed by Trickbot and all other banking Trojans.

Advisory:

1: Net-banking users should deploy an antivirus/Internet security suite on all of their devices, including their mobile phones.

2: Regularly apply the patches released by software vendors.

3: Implement Email Gateway security solutions to protect your organization from malicious emails.


Web Security: A Major Hurdle for Organizations


With the Internet undeniably the fastest-growing market of the digitization era, the necessity of online security is being stressed. Technology has developed in such a way that enterprises adopting it lag far behind on the online security measures needed to protect the data and digital identity of their customers and partners. It is much like retail stores minimizing the risk of theft or shoplifting by installing surveillance cameras: if an organization wants its critical data to be secure online, the related safety measures are very important.
In the age of information, everything has a value and can be misused in multiple ways unless the necessary precautions are taken to prevent online attacks by hackers. We are always in danger of suffering losses of money, integrity and even peace of mind. We regret such incidents, which might easily have been avoided had we invested in online security measures.
The first important step in hiding the information shared on your site from potentially harmful eyes is to ensure SSL certification. A URL that begins with https:// instead of http:// is much more secure.


Today encrypted sites are clearly marked with a green padlock sign in the web browser. This signals to the user that his or her session with the website is encrypted: all communication is protected with a key that cannot easily be retrieved by third parties, so it cannot be read. If a website does not use an SSL certificate, the information travels in plain text that is easily intercepted and readable by anyone.
The risks of not investing in online security are much higher than owners anticipate. The larger the company and its business potential, the higher the risk of attacks and data theft. However, smaller businesses are targeted as well, since they often lack fundamental online security measures; as a result, they are easy targets.
Securing your website and the information it shares with its readers establishes a trustworthy environment in which to conduct daily business. Since technology evolves every day, it is logical to stay updated on cyber security and take the necessary precautions. The trust factor is very important in this respect. You need to check whether online security is adhered to across the system, and organizations rarely have the resources to migrate to HTTPS themselves. It is advisable to get a specialist on board to do so, by visiting HTTPS.IN.

Extended Validation Certificate


This is the newest type of SSL certificate; it gives users more confidence and confirms who controls a given website. An Extended Validation certificate reassures users that they are viewing the authentic website and not something else in disguise. It displays a green address bar when users log in to the website, and on the right side of the address bar a notice shows the legal company name and the certification authority that issued the certificate. This helps organizations increase credibility and establish online trust with their viewers.
