Microsoft Windows Telemetry Exposes Nasty Petya Ransomware Spreading Globally In 65 Countries


There are no days off in Redmond, at least not for Microsoft. Hot on the heels of dealing with the WannaCry ransomware outbreak, Microsoft has now addressed reports of a new ransomware making the rounds, one that shares similar code with Petya, a nasty piece of ransomware in and of itself. What makes this new strain so dangerous is that it is capable of spreading across networks like a worm.

This new ransomware is more sophisticated than the original Petya outbreak. According to Microsoft, the initial strain seems to originate from a Ukrainian company that builds a piece of accounting software called MEDoc. Microsoft says it now has evidence that a few active infections of the ransomware started from the legitimate MEDoc updater process. Since then, it has become a global threat by quickly spreading to 65 countries.

"Given this new ransomware’s added lateral movement capabilities it only takes a single infected machine to affect a network," Microsoft said.

The way it works is that the ransomware drops a credential dumping tool that shares code similarities with Mimikatz, a widely used hacking tool. This tool typically arrives as a temporary file in the %Temp% folder and can be either 32-bit or 64-bit. Since users frequently log into accounts with local admin privileges and have active sessions open across multiple PCs, stolen credentials are likely to provide the same level of access the user has on other systems.

[Image: Ransomware code responsible for accessing Admin shares on different machines. Source: Microsoft]


With stolen credentials in hand, the ransomware gets busy trying to spread across multiple PCs on the network. It has multiple tricks to aid with lateral movement, though the good news for Windows 10 users is that at least one of them has already been patched by Microsoft.

Naturally, Microsoft recommends ensuring that your Windows system is fully up-to-date with the latest patches and security fixes. If your system is not fully updated, Microsoft further recommends blocking traffic on ports 139 and 445, which the ransomware targets, and disabling remote WMI and file sharing until you have a chance to update your PC.
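As an added illustration of that interim advice (this script is not from the article or from Microsoft), the following PowerShell, run from an elevated prompt, blocks inbound TCP 139 and 445 and disables the built-in firewall rule groups for file sharing and WMI on a machine that cannot be patched right away. It assumes the rule group display names match those shipped with Windows 10 and Server 2016; the rule name "Block inbound SMB (interim)" is this example's own choice.

```powershell
# Added example, not code from the article or Microsoft.
# Interim containment for an unpatched Windows host: block the SMB ports the
# article names (139, 445) and turn off the File and Printer Sharing and WMI
# firewall rule groups. Run from an elevated (Administrator) PowerShell.
# Assumption: the DisplayGroup names below match your Windows version.

$ruleName = 'Block inbound SMB (interim)'   # name chosen for this example

# 1. Explicit block rule for inbound SMB on every network profile.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort 139,445 `
        -Action Block -Profile Any | Out-Null
}

# 2. Disable the inbound allow rules Windows ships for file sharing and remote WMI.
Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled False
Set-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Enabled False

# 3. Show what is now in effect so the change can be verified before walking away.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing',
                                  'Windows Management Instrumentation (WMI)' |
    Select-Object DisplayName, Enabled, Direction

# Roll back after patching:
#   Remove-NetFirewallRule -DisplayName 'Block inbound SMB (interim)'
#   Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled True
#   Set-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Enabled True
```

Because these rules also cut off legitimate remote administration and shared folders, the rollback lines at the end matter as much as the block itself: apply the patches, then restore the rule groups.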

In addition, a security researcher with Cybereason has found a way to prevent Petya strains from infecting computers. The method is described as being more of a vaccine for individual PCs than a killswitch. It is a rather simple preventative measure: create a file called perfc, make it read-only, and place it in the C:\Windows folder. Petya strains look for this file and, if it is found, exit their encryption routine.

If you don't want to go through the steps of creating a read-only file yourself, you can download and execute a batch file that will do it for you. The batch file also creates two other files, perfc.dat and perfc.dll. Bleeping Computer says they're not really needed, but they don't hurt anything, either.
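As an added example (not the Cybereason or Bleeping Computer batch file), here is the same vaccine written in PowerShell: it creates the three files named above in the Windows folder, marks them read-only, and lists them so the result can be checked. Only the file names and location come from the article; the script itself is this page's own illustration and must be run from an elevated prompt.

```powershell
# Added example, not the batch file the article refers to.
# Creates the read-only "perfc" file (plus perfc.dat and perfc.dll, which the
# article says are optional) in the Windows folder, where the ransomware is
# reported to check for it. Run from an elevated (Administrator) PowerShell.

$windowsDir = $env:SystemRoot                     # normally C:\Windows
$names = @('perfc', 'perfc.dat', 'perfc.dll')     # perfc is the one that matters

foreach ($name in $names) {
    $path = Join-Path $windowsDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        # An empty file is enough: only its existence is checked, not its contents.
        New-Item -ItemType File -Path $path -Force | Out-Null
        Write-Host "Created $path"
    } else {
        Write-Host "Already present: $path"
    }
    # Read-only so the file is not casually overwritten or deleted later.
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
}

# Verify: every file should show IsReadOnly = True.
Get-Item -LiteralPath ($names | ForEach-Object { Join-Path $windowsDir $_ }) |
    Select-Object FullName, IsReadOnly
```

This is a per-machine measure only, as the article says: it does nothing to stop the credential theft and lateral movement described above, so it complements patching rather than replacing it.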