www.bleepingcomputer.com/news/security/v...ransomware-outbreak/
In the first hours of the attack, researchers believed this new ransomware was a new version of an older threat called Petya, but they later discovered that this was a new strain altogether, which borrowed some code from Petya, hence the reason why they recently started it calling it NotPetya, Petna, or as we like to call it SortaPetya.
www.csa.gov.sg/singcert/news/advisories-...tya-petna-ransomware
SingCERT recommends taking the following steps to secure your system
- Ensure that your Windows-based systems are fully patched. In particular, security update (MS17-010) should be applied.
- Ensure that your anti-virus software is updated with the latest malware definitions
- Perform file backups and store them offline so that it can be used to restore your systems if an attack occurs
- Block inbound connections on TCP Port 445
- Disable all unrequired services
- Monitor your systems for privilege escalation
Lateral Movement
Petya/Petna uses the Management Instrumentation Command-line(WMIC) tool, establishing connections to hosts on the local subnet and attempts to execute itself remotely on these hosts.
Petya/Petna uses ETERNALBLUE exploit tool on the local subnet to spread to additional hosts. The vulnerability exists because of the SMB version 1 server in various versions of Microsoft Windows accepting specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.
Petya/Petna scans the local network to discover enumerate ADMIN$ shares on other systems. If the infected system has sufficient rights to write and execute files, it then copies itself and executes the malware using PSEXEC.
Not Petya
Countries affected by it are all scrambling, some has to rely on manual work as a consequence.
