The Petya ransomware attack that crippled computers in 64 countries worldwide was spread by accounting software, according to Microsoft, highlighting the dangers posed by compromised third-party apps.
The outbreak started in Ukraine, where more than 12,500 machines were infected, and there is now evidence this new Petya malware variant was initially spread via an updater for the tax accounting software MEDoc.
“We observed telemetry showing the MEDoc software updater process (EzVit.exe) executing a malicious command-line matching this exact attack pattern,” wrote Microsoft’s Windows Defender Research team, adding the command was executed at 10.30am GMT yesterday.
Microsoft says the attack underlines the growing dangers of hackers exploiting third-party software to infect large numbers of organizations.
“As we highlighted previously, software supply chain attacks are a recent dangerous trend with attackers which requires advanced defense.”
Another software supply chain attack earlier this year compromised an updater for a third-party editing tool used across multiple firms, Microsoft said, describing this approach as “a silent yet effective attack vector”.
A large number of organizations were infected, many in Ukraine, including Danish transport company Maersk, Russian oil firm Rosneft, the Kiev metro system, National Bank of Ukraine, the law firm DLA Piper, US pharmaceutical company Merck and many others.
How to protect yourself
Once the ransomware infects a machine, it then attempts to spread itself to other PCs on the network. To propagate itself, it will try to steal credentials to gain local admin privileges, attempt to use file-shares to transfer the malicious file between PCs, and then remotely execute the file. The ransomware encrypts entire hard drives and demands a Bitcoin payment of $300 to release them.
The malware can also spread itself using the EternalBlue exploit for an SMB vulnerability, which was used by WannaCry to spread between machines. The vulnerability was patched by Microsoft in March this year.
Microsoft recommends applying this security update, but for those who aren’t able to, it suggests firms “disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547” and “consider adding a rule on your router or firewall to block incoming SMB traffic on port 445”.
Another workaround for blocking infection by Petya is to create an extensionless, read-only file called perfc in the C:\Windows folder, using the steps outlined here.
Microsoft also provides a detailed breakdown of commands and network activity that indicate a Petya infection.
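The three workarounds above (disable SMBv1, block inbound port 445, create a read-only perfc file in C:\Windows) as one audit-and-apply script. This is an added example, not Microsoft's or the article's own code; it assumes Windows 8/Server 2012 or later (SmbShare and NetSecurity modules present), an elevated session, and uses the host firewall as a stand-in for the router/firewall rule the article suggests.

```powershell
# Added example (not from the article): audit and apply the Petya mitigations the
# article lists, on the local Windows host. Assumes Windows 8 / Server 2012 or later
# and an elevated PowerShell session.
#Requires -RunAsAdministrator

$FirewallRuleName = 'Block inbound SMB 445'   # assumed name, chosen for this example
$PerfcPath        = 'C:\Windows\perfc'        # extensionless file named in the article

function Get-PetyaMitigationStatus {
    # Report whether each mitigation is already in place; returns one object.
    $smb1  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $rule  = Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue
    $perfc = Get-Item -Path $PerfcPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1Disabled   = (-not $smb1)
        Port445Blocked = ($null -ne $rule -and $rule.Enabled -eq 'True')
        PerfcReadOnly  = ($null -ne $perfc -and $perfc.IsReadOnly)
    }
}

function Invoke-PetyaMitigations {
    # 1. Disable SMBv1 on the server side (the KB2696547 method for Windows 8 / 2012+).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # 2. Block inbound TCP 445 on the Windows firewall (assumption: host-level
    #    equivalent of the perimeter rule; this also stops legitimate inbound file sharing).
    if (-not (Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $FirewallRuleName -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    }

    # 3. Create the extensionless, read-only C:\Windows\perfc file described above.
    if (-not (Test-Path -Path $PerfcPath)) {
        New-Item -Path $PerfcPath -ItemType File | Out-Null
    }
    Set-ItemProperty -Path $PerfcPath -Name IsReadOnly -Value $true

    Get-PetyaMitigationStatus
}

Invoke-PetyaMitigations | Format-List
```

Run Get-PetyaMitigationStatus alone to audit a host without changing it; applying the security update from March remains the primary fix, and these steps only reduce the network-spread paths.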