Microsoft Outlined Steps To Detect and Prevent Petya Ransomware Via Microsoft Azure

Petya (or NotPetya) ransomware, which may not be ransomware at all, is the second major global ransomware attack in the past two months. Petya began in Ukraine and then quickly spread across Europe and the rest of the world. The ransomware encrypts a hard drive's index until the victim pays a ransom of $300 in Bitcoin. Microsoft, in a blog post, shared the procedure its customers can follow to prevent and detect Petya through Azure Security Center.

Petya Ransomware Cyber Attack

Petya ransomware is very similar to the WannaCry attack; in fact, it follows the same pattern. The ransomware locks up a computer's files and demands $300 in Bitcoin as ransom to unlock the data. So far it has hit over 12,000 machines in around 65 countries. Once a system has been compromised, the ransomware takes the following steps:


  • Writes a message to the raw disk partition
  • Clears the Windows Event log using Wevtutil
  • Restarts the machine
  • Encrypts files matching a list of file extensions (including .3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, and .zip)
  • Leverages WMI or PsExec to spread
  • Presents a text message on the user's screen, demanding a ransom for recovery of the files
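As an added example (not code from the Microsoft blog post), a PowerShell hunt for two of the behaviours listed above on a single host: the log clearing that Wevtutil leaves behind, and WMI/PsExec activity in process creation events. It assumes an elevated session and that process creation auditing (Security event 4688) with command-line logging is enabled; without it only the log-cleared events are found.

```powershell
# Added example: look back seven days for traces of the listed behaviours.
$since = (Get-Date).AddDays(-7)

# 1. Log clearing. Windows records Security event 1102 and System event 104 when a log
#    is cleared, so "wevtutil cl" removes everything except this one trace.
$cleared = @(
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102; StartTime=$since} -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{LogName='System';   Id=104;  StartTime=$since} -ErrorAction SilentlyContinue
)
foreach ($e in $cleared) {
    Write-Warning ("Event log cleared at {0}: {1}" -f $e.TimeCreated, ($e.Message -split "`n")[0])
}
if ($cleared.Count -eq 0) { Write-Output "No log-cleared events since $since." }

# 2. Spreading tooling named on the page (Wevtutil, PsExec, WMIC) in process creation
#    events. wmic.exe is also used legitimately, so each hit needs manual review.
$suspicious = 'wevtutil\.exe|psexec|wmic\.exe'
$hits = @(
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$since} -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $suspicious }
)
foreach ($h in $hits) {
    # The 4688 message body carries the process name, creator process and command line.
    Write-Warning ("Suspicious process creation at {0}:`n{1}" -f $h.TimeCreated, $h.Message)
}
if ($hits.Count -eq 0) { Write-Output "No matching process creation events since $since." }
```

A host with a cleared Security log will typically show only the 1102 event itself, which is exactly why that event is the signal to look for.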

Prevention Of Petya In Microsoft Azure Security Center

  • Deploy Endpoint Protection
Azure Security Center runs a scan against the virtual machines across an Azure subscription. Where an existing solution is not detected, it makes a recommendation to deploy endpoint protection; this can be accessed via the Prevention section.
  • Compute pane
The Compute pane displays the endpoint protection status in detail. This includes the recommendation to install Endpoint Protection.
  • Selection And Installation
Clicking on the recommendation in the Compute pane takes the user to a dialog that allows the selection and installation of an endpoint protection solution, including Microsoft's own antimalware solution.
  • Availability
Azure Security Center Free tier customers have access to these recommendations and the connected mitigation steps.

Detection Of Petya In Microsoft Azure Security Center

  • Detection Feature For Standard-Tier Azure Security Center
Standard-tier Azure Security Center customers benefit from a recently added detection feature. It alerts on specific indicators of the Petya ransomware running on an infected host. Users can access the security alerts through the Detection pane.
  • Alert For Petya Ransomware
The alert for Petya ransomware displays as shown in the picture. To view the details of the impacted VM and the suspicious process or command line, the user needs to click on the alert.

Apply Remediation Steps To All

While the detection alert relates to a specific host, Microsoft advises applying the remediation steps on all hosts on the network, because Petya attempts to spread to other nearby machines.
Microsoft Azure Security Center customers can follow the remediation steps from the Microsoft Malware Protection Center (MMPC) blog.




NotPetya Ransomware Kill Switch That Can Stop Ransomware In Its Tracks Has Been Released

A kill switch, or vaccination, for the Petrwrap or NotPetya ransomware has been found that can stop the ransomware in its tracks and save your computer from being infected. The NotPetya ransomware has already created havoc in most parts of the world.

NotPetya uses the EternalBlue vulnerability (the WannaCry technique), which infects computers over SMBv1. It also uses the Windows WMIC and PsExec processes. If the WannaCry vulnerability is patched on your system, it uses PsExec or LSADUMP together with Windows Management Instrumentation (WMI) to spread.



The ransomware is capable of attacking and infecting all Windows systems. It overwrites the Master Boot Record and, on reboot, infects the computer and blocks access to it. Once it has compromised your computer, it demands a ransom of $300 in Bitcoin.
If your computer reboots and you see this ‘false check disk’ message, power off immediately!
This is the NotPetya encryption process taking place. If you power off immediately or do not power on, your data will remain safe.
If the encryption process is allowed to continue, you will lose your data to this ransomware!


There are however some basic precautions you can take, and they are:
  1. Install all Windows patches
  2. Block SMB1 across your network
  3. Disable default ADMIN$ accounts and communication to Admin$ shares
  4. Use a tool like MBR filter to block write access to the Master Boot Record
More details about how this ransomware operates can be found on Cybereason.com.

NotPetya Ransomware Vaccination

Cybereason Principal Security Researcher Amit Serper tweeted that he has discovered a vaccination that stops NotPetya ransomware in its tracks.
To activate the vaccination mechanism you have to create a file named perfc, with no extension and place it in the C:\Windows\ folder.
When NotPetya ransomware runs, it searches for this file in the C:\Windows\ folder, and if it is found, it ceases its operation.
UPDATE: Eset recommends that you create three blank files with the following filenames and extensions:
  1. C:\Windows\perfc
  2. C:\Windows\perfc.dat
  3. C:\Windows\perfc.dll
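As an added example (not code from Microsoft, Cybereason or ESET), a PowerShell script that creates the three vaccination files recommended above and audits two of the basic precautions listed earlier (SMB1 and the ADMIN$ share) on the local host. It assumes an elevated session on a Windows version that ships the SmbShare module (Windows 8/Server 2012 or later); the file names and the C:\Windows location come from the page.

```powershell
# Added example: vaccinate the host and report on the SMB1 / ADMIN$ precautions.
$windowsDir   = $env:SystemRoot                      # normally C:\Windows
$vaccineNames = @('perfc', 'perfc.dat', 'perfc.dll')  # names recommended by ESET, per the page

# 1. Vaccination: NotPetya looks for C:\Windows\perfc and stops if the file exists.
#    Blank files are sufficient; existing files are left untouched.
foreach ($name in $vaccineNames) {
    $path = Join-Path $windowsDir $name
    if (Test-Path -LiteralPath $path) {
        Write-Output "Vaccination file already present: $path"
    } else {
        New-Item -ItemType File -Path $path -Force | Out-Null
        Write-Output "Created vaccination file: $path"
    }
}

# 2. SMB1 status. EternalBlue needs SMBv1, so the server-side protocol should be off.
$smbCfg = Get-SmbServerConfiguration
if ($smbCfg.EnableSMB1Protocol) {
    Write-Warning 'SMB1 is ENABLED. Disable it with: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
} else {
    Write-Output 'SMB1 server protocol is disabled.'
}

# 3. ADMIN$ share, which the precautions above say to disable along with traffic to it.
$adminShare = Get-SmbShare -Name 'ADMIN$' -ErrorAction SilentlyContinue
if ($adminShare) {
    Write-Warning 'ADMIN$ share is present. Review whether it is needed and restrict or remove it.'
} else {
    Write-Output 'ADMIN$ share is not present.'
}
```

The vaccination protects only the host it runs on, so the script has to be deployed to every machine on the network, for example through Group Policy or a configuration management tool.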
Ransomware attacks are on the rise, and all computer users need to take some basic precautions to secure their systems. One can also consider free anti-ransomware software such as RansomFree as an additional security layer.