How to protect a PC or server from a Ransomware Attack

Ransomware is a form of malicious software (or malware) that, once it’s taken over your computer, threatens you with harm, usually by denying you access to your data. The attacker demands a ransom from the victim, promising — not always truthfully — to restore access to the data upon payment. 

Users are shown instructions for how to pay a fee to get the decryption key. The costs can range from a few hundred dollars to thousands, payable to cybercriminals in Bitcoin.

Infection Flow

This ransomware's initial entry into the system involves the use of the PsExec tool, an official Microsoft utility used to run processes on remote systems. It also uses the EternalBlue exploit (previously used in the WannaCry attack), which targets a vulnerability in Server Message Block (SMB) v1. Once on a system, this Petya variant uses the rundll32.exe process to run itself. The actual encryption is then carried out by a file named perfc.dat, located in the Windows folder.

This ransomware then adds a scheduled task, which reboots the system after at least an hour. Meanwhile, the Master Boot Record (MBR) is also modified so that the encryptor will carry out the encryption and the appropriate ransom note will be displayed. A fake CHKDSK notice is displayed first; this is when the encryption is actually carried out. Unusually for ransomware, it does not change the extensions of any encrypted files. More than 60 file extensions are targeted for encryption; it is worth noting that the targeted extensions are focused on file types used in enterprise settings, while images and video files (targeted by other ransomware attacks) are notably absent.

Aside from the use of the EternalBlue exploit, there are other similarities to WannaCry. Like that attack, this Petya variant's ransom process is relatively simple: it also uses a hardcoded Bitcoin address, making decryption a much more labor-intensive process on the part of the attackers. This is in contrast to earlier Petya attacks, which had a more developed UI for this process. Each user is asked to pay US$300. As of this time, approximately US$7,500 had been paid into the Bitcoin address. As in all ransomware attacks, we advise against paying the ransom; this is particularly true in this case, as the email account mentioned in the ransom note is no longer active.

PsExec and Windows Management Information Command-line (WMIC)

Petya cleverly uses legitimate Windows processes PsExec and Windows Management Information Command-line, which is an interface that simplifies the use of Windows Management Instrumentation (WMI).

Once Petya is dropped, it drops psexec.exe as dllhost.dat on the target machine. The malware also drops a copy of itself to \\remote machine name\admin$\malware filename. It then executes the dropped copy by running dllhost.dat (the renamed PsExec tool) locally with the following parameters:

dllhost.dat \\remote machine name -accepteula -s -d C:\Windows\System32\rundll32 "C:\Windows\malware filename",#1 random number minimum 10 enumerated credentials

The format of enumerated credentials is as follows:

"un1:pw1" "un2:pw2" "un3:pw3" ... "unN:pwN"

If this is unsuccessful, Petya will then use WMIC.EXE to execute the file on the remote machine:

%System%\wbem\wmic.exe /node:"node" /user:"user name" /password:"password" process call create "C:\Windows\System32\rundll32 \"C:\Windows\malware filename\" #1 random number minimum 10 enumerated credentials"

Petya uses PsExec or WMIC to spread the malware to other systems within the local network. Only if this portion of the infection chain fails does Petya fall back to exploiting the EternalBlue vulnerability.
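The two lateral-movement command lines above (PsExec renamed to dllhost.dat, and WMIC "process call create") are distinctive enough to alert on from process-creation telemetry. The following detection logic is an added example, not code from the original post or from any vendor; it runs over constructed, Sysmon-style event records, and the remote hosts, credentials and the perfc.dat file name are sample values.

```python
import re

# Ordinal export #1 of a quoted DLL path launched through rundll32 (what the page describes).
RE_RUNDLL_EXPORT = re.compile(r'rundll32(?:\.exe)?\s+\\?"[^"]+\\?"\s*,?\s*#1\b', re.I)
# PsExec pushing to a remote host with -accepteula -s -d, in the order shown on the page.
RE_PSEXEC_FLAGS = re.compile(r'\\\\\S+\s.*-accepteula\b.*\s-s\b.*\s-d\b', re.I)
# WMIC remote process creation.
RE_WMIC_CREATE = re.compile(r'/node:.*process\s+call\s+create', re.I)
PSEXEC_NAMES = {"psexec.exe", "psexec64.exe", "dllhost.dat"}

# Constructed process-creation records (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\dllhost.dat",
     "CommandLine": r'dllhost.dat \\10.0.0.7 -accepteula -s -d C:\Windows\System32\rundll32 "C:\Windows\perfc.dat",#1 30 "un1:pw1" "un2:pw2"'},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": r'wmic.exe /node:"10.0.0.8" /user:"corp\svc" /password:"pw1" process call create "C:\Windows\System32\rundll32 \"C:\Windows\perfc.dat\" #1 30"'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Windows\perfc.dat",#1 30'},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": r'wmic.exe os get caption'},          # benign WMIC usage
    {"Image": r"C:\Tools\PsExec.exe",
     "CommandLine": r'PsExec.exe \\fileserver -accepteula cmd.exe'},  # ordinary admin PsExec
]


def classify(event):
    """Return the names of the indicators that fire for one process-creation event."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    cmdline = event["CommandLine"]
    hits = []
    if RE_RUNDLL_EXPORT.search(cmdline):
        if RE_PSEXEC_FLAGS.search(cmdline) or image in PSEXEC_NAMES:
            hits.append("psexec_remote_rundll32_export1")
        elif RE_WMIC_CREATE.search(cmdline):
            hits.append("wmic_remote_rundll32_export1")
        else:
            hits.append("local_rundll32_export1")
    if image == "dllhost.dat":            # PsExec renamed to the name the page documents
        hits.append("renamed_psexec_dllhost_dat")
    if image == "wmic.exe" and RE_WMIC_CREATE.search(cmdline) and "/password:" in cmdline.lower():
        hits.append("wmic_remote_process_create_with_creds")   # noisy alone, strong with the above
    return hits


def scan(events):
    """Map event index to fired indicators, omitting events with none."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```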

Information Extraction Method

We discovered that this Petya variant uses an advanced method to extract information from the infected system. It makes use of a customized Mimikatz—a legitimate security tool—to extract usernames and passwords. The 32-bit and 64-bit Mimikatz executables are encrypted and stored in the resource section of the ransomware. The extraction method runs when the main malware process opens a pipe, which is used by the custom Mimikatz to write its results. These results are then read by the main malware process. As mentioned earlier, Petya is able to spread to other systems within the local network by using this extracted information.

Disk Modification Procedure

Before encryption, Petya will first modify the MBR as part of its process. Initially, the sector after the Volume Boot Record (VBR) is written with code (0xBAADF00D), rendering the system unbootable.

It also accesses the following sectors:

Sectors 0 to 18 (disk offset 0 to 25FFh) are overwritten with its own boot program. 
Sector 32 (disk offset 4000h to 41FFh) is written with some structured random data. 
Sector 33 (disk offset 4200h to 43FFh) is filled with 07h.

The original MBR is encrypted:

Sector 34 (disk offset 4400h to 45FFh) is written with the XOR-encrypted original MBR.

If the above process fails, it instead overwrites sectors 0 to 9 with the same code (0xBAADF00D).
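The sector layout above can be checked directly against a raw disk image, and the XOR-encrypted copy in sector 34 is what a responder would look to for recovery. This is an added example, not code from the original post; it builds a constructed 40-sector image that mimics the described modifications, and it assumes (heuristically, not stated on the page) that the byte filling sector 33 is worth trying as the XOR key for sector 34.

```python
SECTOR = 512


def sector(img, n):
    return img[n * SECTOR:(n + 1) * SECTOR]


def baadf00d_fill(buf):
    """True if the sector is an unbroken repeat of the 0xBAADF00D marker (either byte order)."""
    return any(buf == pat * (len(buf) // 4)
               for pat in (bytes.fromhex("BAADF00D"), bytes.fromhex("0DF0ADBA"))) if buf else False


def analyze_image(img):
    """Apply the sector-level indicators from the text to a raw disk image (bytes)."""
    findings = {}
    s33 = sector(img, 33)
    # A sector filled with one non-zero byte matches the "filled with 07h" indicator;
    # an all-zero sector is just unused space and is ignored.
    if len(s33) == SECTOR and len(set(s33)) == 1 and s33[0] != 0:
        key = s33[0]
        findings["sector33_fill_byte"] = key
        # Heuristic assumption: try the fill byte as the XOR key for the copy in sector 34.
        candidate = bytes(b ^ key for b in sector(img, 34))
        if candidate[510:512] == b"\x55\xaa":       # boot signature survived decoding
            findings["recovered_mbr"] = candidate
    fallback = [n for n in range(10) if baadf00d_fill(sector(img, n))]
    if fallback:
        findings["baadf00d_sectors"] = fallback
    if sector(img, 0)[510:512] != b"\x55\xaa":
        findings["mbr_signature_missing"] = True
    return findings


def build_sample(fallback=False, fill_byte=0x07):
    """Constructed image reproducing the modifications described above; not a real capture."""
    orig_mbr = bytes([0xEB, 0x3C, 0x90]) + b"\x00" * 507 + b"\x55\xaa"   # stand-in original MBR
    img = bytearray(orig_mbr + b"\x00" * (SECTOR * 39))                  # 40 sectors total
    if fallback:                                    # the failure path: sectors 0-9 get the marker
        img[0:10 * SECTOR] = bytes.fromhex("0DF0ADBA") * (10 * SECTOR // 4)
        return bytes(img), orig_mbr
    boot = b"\x90" * 510 + b"\x55\xaa"              # stand-in for the malware's own boot program
    img[0:19 * SECTOR] = boot * 19                  # sectors 0-18 overwritten
    img[33 * SECTOR:34 * SECTOR] = bytes([fill_byte]) * SECTOR          # sector 33 filled
    img[34 * SECTOR:35 * SECTOR] = bytes(b ^ fill_byte for b in orig_mbr)  # XOR-encrypted MBR
    return bytes(img), orig_mbr
```

On a real image the same checks apply unchanged; only the `build_sample` helper is stand-in data.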

How to prevent ransomware

  • Keep your operating system patched and up to date so there are fewer vulnerabilities to exploit, and apply the MS17-010 patch:

 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

  • Don’t install software or give it administrative privileges unless you know exactly what it is and what it does.
  • Install antivirus software, which detects malicious programs like ransomware as they arrive, and whitelisting software, which prevents unauthorized applications from executing in the first place.
  • And, of course, back up your files, frequently and automatically! That won’t stop a malware attack, but it can make the damage caused by one much less significant.
  • Disable or block SMBv1. This is a temporary measure to stop the propagation but does not remediate the threat. If SMBv1 must remain enabled, always enable SMBv2 as well.
  • Block ports 445 and 139 at the firewall.
  • Restrict accounts with administrator group access.
  • Disable remote desktop access. If it is needed, use a different account name that is not easily guessed, with a strong password.

Best Windows 11 antivirus tools

  1. Avast Antivirus Business 18.6 and 18.8
  2. Bitdefender Endpoint Security 6.6
  3. Bitdefender Endpoint Security Elite 6.6
  4. F-Secure PSB Computer Protection 18.14 and 18.17
  5. Kaspersky Endpoint Security 11.0
  6. Kaspersky Small Office Security 6
  7. McAfee Endpoint Security 10.6
  8. Microsoft Windows Defender Antivirus 4.18
  9. Symantec Endpoint Protection 14.2
  10. Symantec Endpoint Protection Cloud 22.15
  11. Trend Micro Office Scan 12.0
