12-Sep-2019
New vicious ransomware attack: You are NOT safe…let me repeat, this threat is looming over this country!
Well, the "bad guys" are at it again, and frankly there is no end in sight to threats putting our critical IT systems and infrastructure at risk. The Petya ransomware (also called Petwrap) is spreading at lightning speed across the globe. So far, with no sign of stopping, it has struck systems in 65 countries. It appears to have hit Ukraine first, infecting more than 125,000 devices there, and the outbreak may be traced to a tax accounting program used by a company in that country. To make this event even scarier, even the Chernobyl power plant was affected. Our energy infrastructure may be at risk as well.
According to Microsoft, infections have been observed in countries including Belgium, Germany, Russia, Brazil and the US. Here in the USA, even FedEx has been compromised, resulting in disruption at its Memphis distribution center. The global pharmaceutical giant Merck has also been compromised. This is an active attack on a worldwide basis.
This malware is reportedly a modified version of the Petya ransomware that has been around for a few years, but it is far more sinister and destructive. Once it infects a single device on a corporate network, it can spread across and potentially destroy the entire network.
Like last month's WannaCry attack, this one demands $300 in Bitcoin as ransom. To make matters worse, there are reports that the malware also destroys data, making it entirely unrecoverable even if the ransom is paid.
If you are an IT or security professional, please do two things:
1. Follow the instructions below, developed by our Cyber Security Team, to protect yourself IMMEDIATELY.
2. Once that is done, call Sattrix USA to discuss long-term strategies. Call 313-447-0508 to schedule a free assessment conversation about your vulnerabilities and the strategies that will protect your systems.
Plan to protect yourself against Petya/Petwrap. Your company cannot afford to be a victim and make the headlines!
RECOMMENDED PROTECTION STRATEGY
Affected countries: UK, Ukraine, India, the Netherlands, Spain, Denmark, the US and others
Behavior:
Encrypts the MFT (Master File Table) of NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that displays a ransom note and prevents the machine from booting.
IMMEDIATE actions to be taken:
1. Block the source e-mail address:
wowsmith123456@posteo.net
2. Block the following domains/URLs (the .onion hosts are only reachable over Tor, so block Tor egress as well):
http://mischapuk6hyrn72.onion/
http://petya3jxfp2f7g3i.onion/
http://petya3sen7dyko2n.onion/
http://mischa5xyix2mrhd.onion/MZ2MMJ
http://mischapuk6hyrn72.onion/MZ2MMJ
http://petya3jxfp2f7g3i.onion/MZ2MMJ
http://petya3sen7dyko2n.onion/MZ2MMJ
http://benkow.cc/71b6a493388e7d0b40c83ce903bc6b04.bin
http://coffeinoffice.xyz
http://french-cooking.com/
3. Block IPs:
95.141.115.108, 185.165.29.78, 84.200.16.242, 111.90.139.247
4. Apply patches:
Apply all relevant Windows security updates, in particular MS17-010, which closes the SMBv1 flaw exploited for propagation (the same one WannaCry used).
5. Disable SMBv1. Note that this only stops the exploit-based spread; a single compromised machine can still reach others over legitimate admin channels with stolen credentials, so limit where domain admin credentials are used and segment the network.
6. Update anti-virus signatures and hashes.
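To make the indicator list above operational, here is an added example (not part of the Sattrix advisory) that reduces the URLs to blockable hostnames and then scans log lines for the e-mail address, hosts and IPs. The log lines are constructed for illustration and their formats (proxy, DNS resolver, mail gateway) are assumptions; the indicators themselves are copied from the list above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the advisory above.
IOC_EMAILS = {"wowsmith123456@posteo.net"}
IOC_URLS = [
    "http://mischapuk6hyrn72.onion/",
    "http://petya3jxfp2f7g3i.onion/",
    "http://petya3sen7dyko2n.onion/",
    "http://mischa5xyix2mrhd.onion/MZ2MMJ",
    "http://mischapuk6hyrn72.onion/MZ2MMJ",
    "http://petya3jxfp2f7g3i.onion/MZ2MMJ",
    "http://petya3sen7dyko2n.onion/MZ2MMJ",
    "http://benkow.cc/71b6a493388e7d0b40c83ce903bc6b04.bin",
    "http://coffeinoffice.xyz",
    "http://french-cooking.com/",
]
IOC_IPS = {"95.141.115.108", "185.165.29.78", "84.200.16.242", "111.90.139.247"}


def hostnames_from_urls(urls):
    """Reduce the URL list to lower-case hostnames: blocking happens per host,
    and the same host appears several times above with different paths."""
    hosts = set()
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


IOC_HOSTS = hostnames_from_urls(IOC_URLS)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(
    r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b", re.I
)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def host_is_blocked(host, blocked_hosts=None):
    """Exact or subdomain match, so www.french-cooking.com is caught by french-cooking.com."""
    blocked_hosts = IOC_HOSTS if blocked_hosts is None else blocked_hosts
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocked_hosts)


def scan_line(line):
    """Return the sorted list of indicators found in one log line (empty if clean)."""
    hits = set()
    for ip in IPV4_RE.findall(line):
        try:
            ipaddress.ip_address(ip)  # drop tokens like 999.1.1.1 that the regex lets through
        except ValueError:
            continue
        if ip in IOC_IPS:
            hits.add(ip)
    for email in EMAIL_RE.findall(line):
        if email.lower() in IOC_EMAILS:
            hits.add(email.lower())
    for host in HOST_RE.findall(line):
        if host_is_blocked(host):
            hits.add(host.lower())
    return sorted(hits)


def scan_logs(lines):
    """Return (line_index, hits) for every line that contains at least one indicator."""
    findings = []
    for n, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample lines in proxy, DNS-resolver and mail-gateway styles (not real logs).
SAMPLE_LOGS = [
    "1498550401.001 10.20.30.41 TCP_MISS/200 GET http://benkow.cc/71b6a493388e7d0b40c83ce903bc6b04.bin",
    "1498550402.120 10.20.30.42 TCP_MISS/200 GET https://www.example.com/index.html",
    "1498550403.555 10.20.30.43 TCP_DENIED/403 CONNECT 185.165.29.78:443",
    "resolver: client 10.20.30.44 query: www.french-cooking.com IN A",
    "mta: from=<wowsmith123456@posteo.net> to=<helpdesk@example.com>",
]

if __name__ == "__main__":
    for n, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {', '.join(hits)}")
```

`IOC_HOSTS` and `IOC_IPS` are what you feed to a DNS sinkhole and perimeter firewall; the .onion names will never show up in corporate DNS logs because they only resolve inside Tor, so a hit on one of them in proxy logs means a Tor client is already running on that host.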
Once again, be sure to contact us at Sattrix USA to schedule your free assessment NOW!