MENU

 

The following information was obtained from the different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).

The information provided was classified as Restricted pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY

The “Petya” ransomware was named after an older piece of ransomware called “Petya” for it appears to have a significant amount of code from the older version. But hours after the outbreak, security researchers noticed that there is too little resemblance to that of the older version. One of the known anti-virus vendors in Russia renamed the malware as NotPetya. It was also known as Petna, Pneytna and Goldeneye.

It started from the software update mechanism built into an accounting program that companies working in the Ukranian government need to use. This explains why so many Ukrainian organizations were affected including government, banks, power plants, airport and the metro system. Based on the reports, the radiation monitoring system at Chernobyl power plant was also taken offline, forcing employees to use handheld counters to measure levels at the former nuclear plant’s exclusion zone. The second wave of infection was spawned by a phising campaign featuring malware-laden attachments.

Unlike the WannaCry ransomware, “Petya” tries to spread internally within networks. Once one computer in a network is compromised, the whole network will be affected. This was designed to spread fast and to cause damage.

“Petya” variants spread using the Server Message Block (SMB) exploit as described in MS17-010 and by stealing the user’s Windows credentials. This variant of ransomware is notable for installing a modified version of the Mimikatz tool, which can be used to obtain the user’s credential. The stolen credential can be used to access other systems on the network. Also, it may attempt to identify other hosts on the network by checking the compromised system’s IP physical address mapping table then it can scan for other systems that are vulnerable to the SMB exploit and installs the malicious payload. This malware writes a text file on the “C:\” drive with the Bitcoin wallet information and RSA keys for the ransom payment. It modifies the master boot record (MBR) to enable encryption of the master file table (MFT) and the original MBR and then reboots the system. Based on the encryption methods used, it appears unlikely that the files can be restored even if the attacker received the victim’s unique ID.

RECOMMENDATION

PNP personnel and the public are advised to follow the best practices listed below for security purposes in order to avoid being infected by the “Petya” Ransomware:

• Always patch and update your operating system as well as your anti-virus and anti-malware software;
• Ensure that anti-virus solutions are set to automatically conduct scanning;
• If you cannot patch your systems, make sure that you disable Windows SMBv1 and SMBv2;
• Ensure that endpoints are patched, isolate those computers who are not up to date and restrict access to SMB;
• Enable your firewalls as well as intrusion detection and prevention systems;
• Be aware that this malware infects computers and then waits for about an hour before rebooting the machine. While rebooting, you can switch the computer off to prevent the files from being encrypted and try and rescue the files from the machine; and
• If the system reboots, don’t pay for the ransom, there is no way to get the decryption key to unlock your files.


For additional information, please refer to the following websites:

https://www.theguardian.com/technology/2017/jun/27/petya-ransomware-
cyber-attack-who-what-why-how
https://www.us-cert.gov/ncas/alerts/TA17-181A
Petya Ransomware Attack – What's Known | MalwareTech

POINT OF CONTACT

Please contact PCINSP ANGELICA STARLIGHT L. RIVERA, Chief, Personnel Records Management Section thru email address This email address is being protected from spambots. You need JavaScript enabled to view it. or contact us on telephone number (632) 7230401 local 3562 for any inquiries related to this CYBER SECURITY BULLETIN.