Not everyone remembers this, but WannaCry is still out there attacking unprotected computers. Recently there was another attack, this time using a modified version of the Petya ransomware. Interestingly, the new virus also uses the EternalBlue exploit, yet it also infects computers that were protected against WannaCry. This is another lesson that IT security tolerates no compromises.
What did the laziest IT administrators do after the WannaCry attack? They followed the line of least resistance: they blocked port 445 at the perimeter firewall and installed on workstations the patch for vulnerability CVE-2017-0143 from the March security bulletin MS17-010. Well, I would not like to be in the shoes of the person who made that decision. WannaCry should have been a lesson for everyone who does not care about security. After all this confusion, every IT department should put in place mechanisms that install updates automatically, and squeeze the budget for antivirus software out of the boss.
Petya can be detected by anti-virus programs.
Kaspersky Lab has already announced that its software successfully blocks the new ransomware. Other antivirus products should behave similarly towards this threat. So far we do not know much about it, but on the basis of earlier reports it is possible to conclude that the new virus is a modified version of the known Petya ransomware. The criminals have most likely added the EternalBlue exploit (known from WannaCry) to it. But that’s not all. They have also used the vulnerability CVE-2017-0199, which Microsoft patched in April. And that’s still not all.
The new virus uses WMIC and PsExec.
WMIC, the Windows Management Instrumentation Console, is a convenient interface for remotely managing Windows computers, and PsExec allows commands to be executed remotely. This lets Petya copy itself to other computers on the same local network and then launch a file that infects the next machine and encrypts its files. For this to work, however, the user must have appropriate permissions on the other computers. That is why the criminals also threw in the EternalBlue exploit, which allows arbitrary code to be executed without any such restrictions.
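The WMIC and PsExec spread described above leaves a visible trail in process-creation telemetry. The following is an added example (not code from the article or from any vendor) of detection logic run over a constructed set of Sysmon Event ID 1 / Security 4688 style events; host names, users, paths and addresses are all made up, and the `fanout_threshold` parameter is this example's own assumption. It matches on command-line syntax rather than on the image name, because a copied PsExec binary can be renamed.

```python
import re
from collections import defaultdict

# Constructed sample of process-creation events, already parsed into fields.
# Not real telemetry from any incident; every host, user and address is made up.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"10.0.0.23" /user:CORP\admin process call create "C:\Windows\Temp\x.exe"'},
    {"host": "WS01", "user": "CORP\\alice", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"10.0.0.24" /user:CORP\admin process call create "C:\Windows\Temp\x.exe"'},
    {"host": "WS01", "user": "CORP\\alice", "image": r"C:\Windows\Temp\ps.exe",  # renamed PsExec
     "cmdline": r'ps.exe \\10.0.0.25 -accepteula -s -d C:\Windows\Temp\x.exe'},
    {"host": "WS02", "user": "CORP\\bob", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic os get caption"},  # benign local WMIC query, must not fire
    {"host": "WS03", "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": r"C:\Windows\PSEXESVC.exe"},  # target side: the service PsExec installs
]

def classify(event):
    """Return (technique, target) if the event looks like remote execution, else None."""
    cmd = event["cmdline"]
    # WMIC remote process creation: /node:<host> ... process call create <binary>
    m = re.search(r'/node:"?([\w.-]+)', cmd, re.IGNORECASE)
    if m and re.search(r"\bprocess\s+call\s+create\b", cmd, re.IGNORECASE):
        return ("wmic_remote_exec", m.group(1))
    # PsExec-style invocation: \\<host> plus typical switches, whatever the exe is called
    m = re.search(r"\\\\([\w.-]+)\b.*\s-(?:accepteula|s|d|c)\b", cmd, re.IGNORECASE)
    if m:
        return ("psexec_remote_exec", m.group(1))
    # On the receiving host, PsExec drops and starts the PSEXESVC service binary
    if event["image"].lower().endswith("\\psexesvc.exe"):
        return ("psexec_service_installed", event["host"])
    return None

def find_lateral_movement(events, fanout_threshold=2):
    """Flag each remote-execution event, plus every (host, user) pair that reaches
    >= fanout_threshold distinct targets: the worm-like fan-out described above."""
    hits, targets = [], defaultdict(set)
    for ev in events:
        c = classify(ev)
        if c is None:
            continue
        technique, target = c
        hits.append({"host": ev["host"], "user": ev["user"], "technique": technique, "target": target})
        if technique.endswith("remote_exec"):
            targets[(ev["host"], ev["user"])].add(target)
    fanout = {k: sorted(v) for k, v in targets.items() if len(v) >= fanout_threshold}
    return hits, fanout

if __name__ == "__main__":
    for hit in find_lateral_movement(SAMPLE_EVENTS)[0]:
        print(hit)
```

A single WMIC or PsExec event is normal administration on many networks; the fan-out across several targets from one workstation account is the part worth alerting on.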
If your computer is infected, do not pay the ransom. The hackers want $300 in Bitcoin, but you have to send confirmation of the transaction to the attackers’ e-mail address, and the company that manages that mailbox has already blocked it.