Petya Ransomware Attack: What to Do Immediately

What does Petya Ransomware do?
Ans:
Unlike typical ransomware, Petya does not encrypt files on a targeted system one by one.
Instead, Petya reboots the victim's computer and encrypts the hard drive's master file table (MFT), rendering the master boot record (MBR) inoperable and restricting access to the full system by seizing the information about file names, sizes, and locations on the physical disk.

Petya replaces the computer's MBR with its own malicious code that displays the ransom note and leaves computers unable to boot.

Why does it spread fast?
Ans: Petya ransomware is successful in spreading because it combines a client-side attack (CVE-2017-0199) with a network-based threat (MS17-010).
So patch both first!

Affected countries: UK, Ukraine, India, the Netherlands, Spain, Denmark, and others

Behavior:
Encrypts the MFT (Master File Table) of NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer.

Actions to be taken:

  1. Block source E-mail address
    [email protected]

  2. Block domains:

  3. Block IPs:
    95.141.115.108
    185.165.29.78
    84.200.16.242
    111.90.139.247

  4. Apply patches:
    Refer (in Russian): https://habrahabr.ru/post/331762/

  5. Disable SMBv1

  6. Update Anti-Virus hashes
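As an added example (not from the original post), the following PowerShell script carries out steps 4 and 5 of the checklist above on a Windows host. The KB identifiers it looks for are my assumption of the March 2017 MS17-010 packages per Windows version and should be confirmed against the Microsoft bulletin for your exact build.

```powershell
# Run from an elevated PowerShell session (5.1+). Reboot afterwards so the SMBv1 change takes effect.

# --- Step 5: disable SMBv1 (server side) ----------------------------------
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later expose the SMB server settings as cmdlets
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Output "SMBv1 server protocol disabled"
    } else {
        Write-Output "SMBv1 server protocol already disabled"
    }
} else {
    # Windows 7 / Server 2008 R2: the equivalent switch is the LanmanServer SMB1 registry value
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    Write-Output "LanmanServer\Parameters\SMB1 set to 0 (reboot required)"
}

# On Windows 8.1 / 10 / Server 2012 R2+ SMBv1 is also an optional feature;
# removing it takes the client-side driver (mrxsmb10) out as well.
if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Output "SMB1Protocol optional feature removed (reboot required)"
    }
}

# --- Step 4: look for the MS17-010 (network side) patch --------------------
# Assumed KB list: the March 2017 MS17-010 packages per OS. Later cumulative
# rollups supersede them, so "not found" means "verify manually", not
# "vulnerable". The client-side CVE-2017-0199 fix is an Office update and is
# not checked here.
$ms17010 = @(
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429', # Windows 10 1507 / 1511 / 1607
    'KB4012598'                            # Vista / Server 2008 (and XP/2003 out-of-band)
)
$found = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($found) {
    Write-Output ("MS17-010 package present: " + ($found.HotFixID -join ', '))
} else {
    Write-Warning "No March 2017 MS17-010 KB found; confirm a superseding cumulative update is installed"
}
```

Steps 1 to 3 (mail, domain and IP blocking) belong on the mail gateway, proxy and perimeter firewall rather than on each host, so they are not part of this script.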


That's informative to all, especially cryptoholders.