Comments (70)

  1. Simon says:

    Thanks for sharing. Very informative

  2. Aurelien Desseaux says:

    Thanks for this article. Could you confirm that System Center Endpoint Protection is aware of these processes and blocks them efficiently, please?

    1. Aurelien Desseaux says:

      I got the Tam info, thanks. MS AV detects and blocks this threat with definition 1.247.197.0 from 27 June 2017 at 12:04:25.

  3. Yoshihiro Kawabata says:

    Thank you, detailed information about this malware.

  4. Max says:

    > Only if the malware is running with highest privilege (i.e., with SeDebugPrivilege enabled), it tries to overwrite the MBR code.
    So what happens if the malware is not running with SeDebugPrivilege enabled (cannot write to the MBR)? Will it still encrypt the files?

    1. Andras says:

      Yep, it still encrypts them but allows you to boot instead of displaying the fake CHKDSK.

  5. David says:

    Page above states: "We recommend customers that have not yet installed security update MS17-010 to do so as soon as possible."
    When I look at my Windows 10 update page, it makes no mention of MS17-010.

    I just see things like: "Microsoft .NET Framework 4.7 for Windows 10 Version 1607 and Windows Server 2016 for x64 (KB3186568)" and further down "2017-06 Update for Windows 10 Version 1607 for x64-based Systems (KB4023834)"

    You would have thought Microsoft would at least use the same language people see in their update page.

    1. Paul Prior says:

      You already have it installed. W10 uses cumulative updates covering multiple exploits and this was included in the March 2017 cumulative update. That said, install all those other patches as one of them is the June cumulative update which closes other possible exploits.

  6. Caleb says:

    Nice job!! Thanks for sharing such important info.

  7. Zer says:

    When are the files encrypted? Before or after reboot?

    Can BitLocker protect against that?

    1. Natik says:

      2 modes: Encrypt after restart

    2. Kristen says:

      If the MBR is altered with BitLocker enabled, it should send the system into BitLocker Recovery Mode. https://technet.microsoft.com/en-us/library/dn383583(v=ws.11).aspx
      However, in this specific case it would not have mattered, because the affected systems were not running BitLocker-supported OS versions.

  8. ltesmh says:

    Good job! Useful information.

  9. shantanu says:

    Very informative and descriptive... thank you!

  10. Shine Raj says:

    WannaCry/Petya ransomware: how to protect Windows 7 Home Premium 64-bit? Have already updated Microsoft Security Essentials.
    Are there any ports or services to be disabled?

    1. JimmySal says:

      Hi,

      Yes, you can follow this link and check the patch for Win7. https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

      Also, as a last resort, you can disable ports TCP 139 and TCP 445 if you suspect the network is infected with the ransomware. Before that, make sure your systems are patched and AV updated.

      Hope this helps.

  11. alex says:

    Hi team, is it possible that C:\ProgramData should state C:\Windows, or are both possible locations?

  12. Дмитрий says:

    On Win7, Win8 and Win10, users had "Users" rights, ports were blocked and all the updates were installed.
    And still, all 47 computers were infected with the Petya virus!!!
    What can be done to restore the data?!?!?!

    1. Tom says:

      Try RStudio or a similar program. We got the files from infected disks.

    2. Gav says:

      Your only option is to restore from backups. Paying the ransom will not work.

    3. Unfortunately, the only opportunity is to restore from backup.

    4. Nicho says:

      Could they be using this MEDoc?

    5. Yoshihiro Kawabaa says:

      300 bitcoins!

  13. Guilherme says:

    Thanks for sharing.

    So, I assume that if I have all my computers, servers and W7, 8 and 10 up to date with Windows Update, the update that fixes the bug is installed, right?
    In that case, I don't need to download the update from the internet?

    Thanks!!!

    1. DJ_ZX says:

      Updated Win10 CU with all new cumulative updates and the latest Win10 Insider Fast were attacked and affected. Probably used "admin" shares, but anyway, Defender from Enterprise just ignored the virus shared through the network.

  14. Tom says:

    Unfortunately, MS17-010 doesn't prevent OS infection with this virus.

  15. PierreD says:

    I am trying to figure out what would happen if a user without administrator privilege executed this malware in a terminal server session. Would it infect all other users on the same terminal server?

  16. XiaoKa says:

    Can I have a list of the countries which were affected?

  17. SKRaigiri says:

    I use Symantec Endpoint Protection on my servers. How do I secure my Windows Server 2008 R2? Are there any specific KB articles to be installed for this attack?

    Please share the details with me.

  18. Maik says:

    Great technical details. Our company is free of "not-petya". So, everyone speaks about the "kill switch", or better, "pre-vaccination". But unfortunately, for me it is still unclear in which code row, or how, it was found out that the file "perfc" with the read-only attribute can prevent the encryption. =)

  19. Brent Jones says:

    Excellent write-up. You are doing great work and communicating well.

  20. chris says:

    What are the 64 countries?

  21. codeman38 says:

    Not surprisingly, those hash codes correspond to process names from Kaspersky and Norton, respectively:

    2e214b44 = avp.exe
    6403527e = ccSvcHst.exe
    651b3005 = NS.exe

    1. Jacob says:

      And since their homebrewed hash function is not collision resistant, here are some other processes that generate the same hashes:

      G6b_9.exe
      J6b_6.exe
      K6b_5.exe
      N6b_2.exe
      O6b_1.exe
      RhFjz.exe
      26b_N.exe
      36b_M.exe
      66b_J.exe
      76b_I.exe
      _iyLdA.exe
      _qcqu6.exe
      _yyLdQ.exe
      _IyLda.exe
      _YyLdq.exe
      _1cquv.exe
      avks6L.exe
      cn9d08.exe
      cqcqI6.exe
      c1cqIv.exe
      dwoqL0.exe
      d7oqLp.exe
      epoqK5.exe
      etoqK1.exe
      e4oqKq.exe

    2. Ankit says:

      But it does nothing after checking avp.exe (not sure why)

  22. Yevgeniy says:

    Thanks a lot. Very helpful.

  23. yannara says:

    2 files in C:\Windows and 2 files in C:\Users (C:\ProgramData). Could we rely on AppLocker here, if the user has no admin rights? (Let's imagine we don't wait for AV definitions.)

    1. Henning says:

      If the user has admin rights, I'd say all bets are off.

  24. Why does Windows allow modification of the system drive's MBR? Are GPT disks affected by the virus too?

    1. Darren Starr says:

      Read the article. MBR overwrite requires SeDebugPrivilege. Same as fdisk and diskpart.

  25. MP says:

    No mention of Credential Guard as another layer of defense?

  26. Dianne Blo says:

    We have been attacked. The phone no. given is 844-438-0289. Is this a Microsoft help message?

  27. Javier Mariani says:

    Thanks for the information
    Please, could you confirm if Office versions affected by CVE-2017-0199 are vulnerable too?

  28. Suman Rai says:

    Are there any Microsoft updates available?

  29. Damian Menscher says:

    The RSA key appears to be 2048 bits, not 800 bits as the article claims. The author appears to have read 0x101 as a decimal number of bytes, rather than correctly interpreting it in hex as 256 bytes. (This is relevant because an 800-bit RSA key is plausibly crackable, while a 2048-bit key is not.)

    1. Blazej Miga says:

      0x800 bits = 2048 🙂

    2. neox says:

      thanks, fixed.

    3. msft-mmpc says:

      Thanks for pointing out. We've fixed this.

  30. Teus Renes says:

    Clear and concise post, really helpful.

  31. Darren Starr says:

    Which decompiler/disassembler are you using? IDAPro?

  32. Archana Sinha says:

    Thank you for the deep analysis and the process-deciding details!!!

  33. Llallum Victoria says:

    Good job!

  34. Michael Nielsen says:

    Great info, Thank you

  35. Michael Ukolov says:

    Oh my god...
    Enough already with blaming another piece of software which is not involved in all this.
    It would be better to take care of security in your OS. Why does OS X with M.E.Doc not suffer?

  36. anon says:

    Does Microsoft have a comment on the "vaccine" found involving the creation of a file named perfc (with no extension) in the C:\Windows\ folder?

  37. Santosh says:

    Thank you for the detailed Analysis.
    What are all the mandatory patches we need to look for to ensure the Windows 7/Windows 10 systems are secure from these attacks?

  38. Kalina says:

    Thanks for posting! Very helpful indeed!

    1. onur says:

      Very informative. Thanks!

  39. Sandy says:

    This is one of the best analyses I have seen yet. Well done!

  40. mrhutch says:

    What is Microsoft's stance on the kill switch of placing a perfc file in C:\Windows\System? It only prevents the encryption but does not prevent the system from propagating lateral infections, or even creating a DDoS situation on the system in question.

    Would it be more prudent to enact a GPO containing a Software Restriction Policy to disallow this file from executing in the case that it is present?

    1. mrhutch says:

      In the absence of updates and local protection tools, of course, which should serve as the first line of defense.

  41. flash says:

    MS17-010 patches don't work; all computers (W7, W2k8) with MS17-010 updates were infected.

  42. Jim Clausing says:

    Are you sure you have the functionality correct if the processes are present? My analysis shows the other way around, that is, if 0x6403572E or 0x651B3005 are present, it won't try to do network propagation and if 0x2E214B44 is present it won't attempt to encrypt MBR/VBR.

  43. Deborah D. Pipes, CPA says:

    I'm about at the point of buying a Mac. My Outlook quit working (Office 2010) @ 7 months ago. I'm a disabled senior. Can't afford a "team" to keep me running.

  44. Jim says:

    Maybe MS should have been more proactive in handling the reports of these when they were first found back in 2011, instead of saying 'eh, we don't care'. The Shadow Broker security research group informed MS of the exploit.

  45. Shane Creamer says:

    Possible suggestion on the wording around blocking ports 139 and 445. If those ports are blocked (as a last-minute act of desperation), then those reading the article should know that no one can use file sharing (no DFS-R, no home drives, no network drives, etc.). Essentially no access for a user to their data.

    The primary vector for these attacks is machines that are not patched and that have SMB 1.0 enabled. If you disable SMB 1.0, the primary vector for spreading the virus through the network is stopped. The problem is that most companies are unwilling to disable SMB 1.0 because of some old, creaky iSCSI or NetApp filer device that is still on the network that they won't pay to upgrade to SMB 2.x or higher capability.

    SMB 1.0 code is standard from Windows 95/NT 3.51 days and the lead developer for that code has gone on record multiple times to say that SMB 1.0 is an architecture created before the age of sophisticated Pass-the-Hash or Pass the Kerberos token attacks. If you want to see these kinds of issues stop, please DISABLE SMB 1.0 on your Windows Systems. Windows 7/Server 2008 and newer use SMB 2.x or SMB 3.x code.

    To disable SMBv1 on the SMB server, run the following PowerShell cmdlet:
    Set-SmbServerConfiguration -EnableSMB1Protocol $false

    https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

    Hope this helps,
    ShaneC
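    The audit-then-disable sequence the comment above argues for, as an added example (not the commenter's script and not from the article). It assumes Windows 10 / Windows Server 2016 or newer and an elevated PowerShell session; the cmdlets, properties and the audit event ID are standard Windows ones.

```powershell
# Added example: find out who still depends on SMB1 before turning it off,
# then disable it on both the server and the client side.

# 1. Current state of the SMB server.
$srv = Get-SmbServerConfiguration
"SMB1 server protocol enabled : $($srv.EnableSMB1Protocol)"
"SMB1 access auditing enabled : $($srv.AuditSmb1Access)"

# 2. Switch on SMB1 access auditing and leave it running for an observation
#    window. Every SMB1 connection is then logged as event 3000 in the
#    Microsoft-Windows-SMBServer/Audit log, naming the client that used it
#    (old filers, printers, NAS boxes are the usual suspects).
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 3. Review what the audit caught, plus any live sessions negotiated at a 1.x
#    dialect. These are the devices that will break when SMB1 is disabled, so
#    they need upgrading or isolating first.
Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 3000 |
    Select-Object TimeCreated, Message |
    Format-Table -AutoSize -Wrap
Get-SmbSession |
    Where-Object { $_.Dialect -like '1.*' } |
    Select-Object ClientComputerName, ClientUserName, Dialect

# 4. Once the audit log stays empty for the observation window, disable SMB1
#    as a server (the cmdlet from the comment above) and remove the SMB1
#    component so the client side cannot negotiate it either.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Windows 10 client / optional-feature form; on Windows Server the equivalent
# is Remove-WindowsFeature FS-SMB1.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

    Disabling the SMB1 component removes the client side too, so run step 3 from the perspective of file servers (where old clients connect in) before removing it on the servers themselves.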

  46. Navin Rai says:

    Thanks for sharing this article. I got to learn more new things. I'm glad to have this informative article.

  47. sunilkatariya says:

    Thank you, detailed information about this malware.

  48. Cyril Tan says:

    "This ransomware also uses the Windows Management Instrumentation Command-line (WMIC) to find remote shares (using NetEnum/NetAdd) to spread to. It uses either a duplicate token of the current user (for existing connections), or a username/password combination (spreading through legit tools)."

    I notice the above statement and would like to check the following: if a patched machine is connected to an unpatched machine, what will the implications be?

    Secondly, how does using either a duplicate token of the current user (for existing connections), or a username/password combination, work? I don't understand. Please educate me on this sentence, as I would like to know if the current Microsoft patches are sufficient.

  49. Jianjun Yang says:

    My country's local MS Skype update started using port 445 as its main port a few days ago. I dare not use Skype any more.
