A Petya ransomware variant (detected by Trend Micro as RANSOM_PETYA.SMA) is spreading across Europe, successfully infecting—and affecting—a number of businesses, government departments, and utility providers. It's success can be attributed to its use of the PsExec tool and Windows Management Information Command-line as infection vectors, along with the EternalBlue exploit—previously used by the WannaCry ransomware and fileless ransomware UIWIX—as a second option. This presents a number of possibilities since the Microsoft tools can be used to carry out actions on other computers—if an infected device has administrator access, then the ransomware could spread to computers connected to the same network.
Similar to WannaCry, Petya uses a hardcoded Bitcoin address. The attackers also validate payments through email, which is particularly problematic now since the email provider has already deactivated the account linked to this ransomware. Our blog post on this new Petya variant discusses the infection flow and provides even more detail.
Figure 1. Petya ransom note
Users and organizations are advised to perform the following mitigation steps immediately in order to prevent and avoid infection:
Apply Microsoft's security patch MS17-010
Disable TCP port 445
Restrict accounts with administrator group access
Mobile ransomware variants resurface
Apart from Petya, even mobile ransomware seems to be taking notes from WannaCry. Early this month, a new variant of SLocker (detected by Trend Micro as ANDROIDOS_SLOCKER.OPST) surfaced mimicking the WannaCry interface. SLocker is an older malware widely regarded as the precursor of Android mobile ransomware, but has been quite active these past few months. It is notable for being one of the few mobile families that actually encrypts files and is not simply a screenlocker.
Koler (detected by Trend Micro as ANDROIDOS_LOCKER.AXBO) is another mobile ransomware that surfaced this week. This particular ransomware uses targeted ads and impersonates a popular porn app to get users to download it.
Once installation is in progress, the app asks users for permissions to finish installing—this just grants admin rights to the ransomware. It then installs an FBI screenlocker and tries to intimidate the victim with a law enforcement scare tactic.
Other ransomware developments
One more ransomware detected this week is RANSOM_CRYPAYSAVE, which is an MSIL-compiled variant that is still in-development. The authors ask for payment using PaySafeCard, which is a service that allows for more secure online payments, and is a much more convenient mode of payment than Bitcoin.
Another ransomware that tries to stand out is GPAA (detected by Trend Micro as RANSOM_GPAA) which capitalizes on the Cerber name by using a .cerber6 extension on affected files to scare victims. This ransomware poses as the Global Poverty Aid Agency (GPAA) and tries to ask victims for Bitcoin donations before reverting back to typical ransomware behavior and demanding payment in exchange for decryption.
Figure 3. GPAA impersonating a charity
As this week surprises us with yet another major ransomware outbreak, users are reminded to always stay vigilant and be mindful of the patches sent out by vendors for their products. Comprehensive and effective solutions are also necessary to protect against this evolving and growing threat.
For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware.
For home users, Trend Micro Security 10 provides strong protection against ransomware by blocking malicious websites, emails, and files associated with this threat.