
New Ransomware Attack Discovered

Published 27 June 2017 (page timestamp 2017-10-27T05:24:15+00:00)

In the last few hours a new ransomware attack has been targeting companies and government agencies across Europe, including the Kiev airport, the Chernobyl nuclear power plant and many Italian companies.

Once infected, the PC reboots itself and gets stuck BEFORE loading the operating system, displaying the ransom demand.
The Segment’s Team analyzed a sample of the malware and found that (probably) only the first few bytes of the disk get encrypted. Hence it could be possible to recover some of the locked files without paying the ransom.

It seems that with common “file rescue” programs (such as PhotoRec or Autopsy) it is possible to read the unencrypted data on the disk and try to restore the files.

Latest updates

Behavior:
Encrypts the MFT (Master File Table) of NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer.
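As an added example (not code from the original article or from the Segment team), the triage below parses the MBR of a disk image, reports whether the boot signature and partition table survived, and scans sector by sector for NTFS volume boot records, which is how a carver such as PhotoRec locates a volume once the MBR has been overwritten. The 128-sector disk image is constructed inline for the demonstration and is not a real sample.

```python
"""Disk-image triage: has the MBR been overwritten, and are the NTFS volumes still findable?"""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"          # classic 0xAA55 boot signature at offset 510

def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR. The partition table is only trusted if the boot signature is intact."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    sig_ok = sector[510:512] == BOOT_SIG
    parts = []
    for i in (range(4) if sig_ok else []):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        lba_start, sectors = struct.unpack("<II", entry[8:16])
        if entry[4] != 0:       # partition type 0 means an empty slot
            parts.append({"bootable": entry[0] == 0x80, "type": entry[4],
                          "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sig_ok, "partitions": parts}

def ntfs_vbr_ok(sector: bytes) -> bool:
    """A healthy NTFS volume boot record carries the OEM ID 'NTFS    ' at offset 3 and the boot signature."""
    return len(sector) == SECTOR and sector[3:11] == b"NTFS    " and sector[510:512] == BOOT_SIG

def triage(image: bytes) -> dict:
    """Follow the MBR partition table and check each entry's volume boot record."""
    mbr = parse_mbr(image[:SECTOR])
    volumes = [{"lba_start": p["lba_start"],
                "ntfs_vbr_ok": ntfs_vbr_ok(image[p["lba_start"] * SECTOR:(p["lba_start"] + 1) * SECTOR])}
               for p in mbr["partitions"]]
    return {"mbr_signature_ok": mbr["signature_ok"], "volumes": volumes}

def find_ntfs_volumes(image: bytes) -> list:
    """Scan every sector for an NTFS VBR, the way a carver locates volumes when the MBR is gone."""
    return [lba for lba in range(len(image) // SECTOR)
            if ntfs_vbr_ok(image[lba * SECTOR:(lba + 1) * SECTOR])]

def make_sample_image(mbr_overwritten: bool) -> bytes:
    """Constructed 128-sector image with one NTFS partition at LBA 64 (test data, not a real sample)."""
    sectors = [bytearray(SECTOR) for _ in range(128)]
    mbr = sectors[0]
    mbr[446], mbr[446 + 4] = 0x80, 0x07                 # bootable, type 0x07 (NTFS)
    struct.pack_into("<II", mbr, 446 + 8, 64, 64)       # LBA start 64, 64 sectors long
    mbr[510:512] = BOOT_SIG
    vbr = sectors[64]
    vbr[0:3], vbr[3:11], vbr[510:512] = b"\xEB\x52\x90", b"NTFS    ", BOOT_SIG
    if mbr_overwritten:                                  # simulate a custom bootloader stomping sector 0
        sectors[0] = bytearray(b"\xEA" * SECTOR)
    return b"".join(sectors)

if __name__ == "__main__":
    print(triage(make_sample_image(False)))
    print(triage(make_sample_image(True)), find_ntfs_volumes(make_sample_image(True)))
```

On the damaged image the partition table is unusable, yet the sector scan still finds the NTFS volume at LBA 64, which is the situation in which a file-rescue tool can read the untouched data.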


Actions to be taken:
1. Block the source e-mail address:
wowsmith123456@posteo.net

2. Block domains:

3. Block IPs:
95.141.115.108
185.165.29.78
84.200.16.242
111.90.139.247
  
4. Apply patches:
Reference (in Russian): https://habrahabr.ru/post/331762/

5. Disable SMBv1

6. Update Anti-Virus hashes

source: https://pastebin.com/EB2Qg81X
