Huawei's comprehensive analysis of the Petrwrap ransomware and its fast, accurate and decisive response
On the evening of June 27, Beijing time, a ransomware outbreak swept across Europe, and other countries and regions also reported infections. According to statistics, more than 2000 computers in Britain, France, the United States and Germany were infected. The hardest-hit area was Ukraine, where the computers of important banks and heads of government were attacked by the ransomware.
Many security vendors in the industry consider this ransomware a variant of Petya and have named it Petrwrap, while some vendors regard it as a new ransomware family; Kaspersky, for example, named it ExPetr.
Impact of the attack
Once a machine is attacked, the ransomware encrypts the hard disk's MFT and modifies the MBR, then adds a computer-restart task to the system's scheduled tasks. After a period of time the system restarts automatically. During the restart, the ransomware displays a fake disk check while it encrypts the disk, and then prompts the user to pay $300 in bitcoin, otherwise the system cannot be used normally.
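The restart task described above gives defenders something concrete to hunt for. The following PowerShell snippet is an added example, not code from the article or from Huawei: it lists every scheduled task whose action invokes shutdown with a restart switch, which is how the forced reboot would normally be registered (the exact task name used by the malware is assumed unknown here).

```powershell
# Added example, not from the article: hunt for a forced-restart task by
# listing every scheduled task whose action runs shutdown with the /r switch.
# Run in an elevated PowerShell console.
$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Some task actions wrap the command in cmd.exe, so inspect the
        # executable and its arguments together.
        $command = "$($action.Execute) $($action.Arguments)"
        if ($command -match 'shutdown' -and $command -match '(^|\s)/r(\s|$)') {
            [PSCustomObject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                State    = $task.State
                Command  = $command.Trim()
                StartAt  = ($task.Triggers | ForEach-Object { $_.StartBoundary }) -join '; '
            }
        }
    }
}

if ($findings) {
    # Review each hit: legitimate maintenance tasks can also restart the host.
    $findings | Format-Table -AutoSize
    # Containment: disabling the task prevents the automatic restart during
    # which the fake disk check encrypts the disk. Uncomment to apply.
    # $findings | ForEach-Object { Disable-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath | Out-Null }
} else {
    Write-Output 'No scheduled task invoking shutdown /r was found.'
}
```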
Attack path
Through continuous monitoring and analysis, Huawei Weiran Laboratory found that the ransomware first infects internal users through email. The specific method is to send RTF documents carrying the CVE exploit through phishing emails. When a user inadvertently opens the malicious document, the malicious code executes automatically and, barring anything unusual, loads the ransomware.
Once the ransomware has gained a foothold on an internal host, it spreads laterally through the following two methods:
Spreading by cracking weak system passwords
Spreading through the EternalBlue (MS) vulnerability
Schematic diagram of ransomware propagation (figure)
Huawei's four-step response method
1. Do not open suspicious emails
Spreading ransomware through phishing emails is a common infection method. Users should strengthen their security awareness and never open emails of unknown origin, or emails carrying unknown attachments or unknown links.
2. Change the system password
To prevent the system password from being cracked, users with weak passwords should change their system password immediately and set a high-strength password.
3. Update vulnerability patches
For the CVE vulnerability, please apply the following patch promptly:
For the EternalBlue (MS) vulnerability, please apply the following patch promptly:
4. Temporary measures
1. Close ports 139 and 445; we provided specific methods for this during WannaCry
2. Close the WMI service, with the following steps:
Stop the corresponding service
3. Set the kill switch
Some researchers found that the ransomware also has a kill switch: when it runs, it first looks for a local file, and if that file exists it exits the encryption process. Users only need to create a plain-text file named perfc in the C:\Windows directory and set its permissions to read-only.
A security expert has written a script for users:
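As an added illustration of the temporary measures above (it is not the expert's script referenced here, nor code from Huawei), the following PowerShell applies and verifies each step: it blocks inbound TCP 139/445 with a Windows Firewall rule, creates the read-only perfc kill-switch file, and stops and disables the WMI service. It assumes Windows 8 / Server 2012 or later with the built-in NetSecurity cmdlets available.

```powershell
# Added example, not the script the article refers to: applies the temporary
# measures (ports, kill switch, WMI) and verifies each one. Run as Administrator.
#Requires -RunAsAdministrator

# 1. Block inbound TCP 139 and 445 (NetBIOS/SMB) with a firewall rule.
$ruleName = 'Temporary block - TCP 139/445'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 139,445 -Action Block -Profile Any | Out-Null
}
$ruleOk = [string](Get-NetFirewallRule -DisplayName $ruleName).Enabled -eq 'True'

# 3. Kill switch: create C:\Windows\perfc as an empty text file, read-only.
$killSwitch = Join-Path $env:SystemRoot 'perfc'
if (-not (Test-Path $killSwitch)) {
    New-Item -Path $killSwitch -ItemType File | Out-Null
}
Set-ItemProperty -Path $killSwitch -Name IsReadOnly -Value $true
$killSwitchOk = (Get-Item $killSwitch).IsReadOnly

# 2. Stop and disable the WMI service (Winmgmt). Done last because the
# NetSecurity cmdlets used above rely on WMI/CIM; this also disrupts other
# management tooling, so reverse it once the patches have been applied.
Stop-Service -Name Winmgmt -Force
Set-Service -Name Winmgmt -StartupType Disabled
$wmiOk = (Get-Service -Name Winmgmt).Status -eq 'Stopped'

# Summary of what was applied.
[PSCustomObject]@{
    PortsBlocked   = $ruleOk
    KillSwitchFile = $killSwitchOk
    WmiStopped     = $wmiOk
}
```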
After incident response, it is better to nip the problem in the bud
A security protection system built around traditional defenses can no longer effectively defend against unknown threats, and relying solely on signature updates is not enough against ransomware. Therefore it is necessary to build a security defense system with unknown-threat detection at its core.
Huawei Security accurately detects unknown threats
The Huawei FireHunter6000 sandbox provides accurate detection reports based on situation analysis, using virus scanning, reputation scanning, static analysis, virtual execution and other technologies together with its unique behavior-pattern library, so as to detect unknown malicious files. Working together with other security devices, it can quickly intercept advanced malicious files and effectively prevent intrusions.
Detection of 50+ file types, comprehensively identifying unknown malware
Four-layer in-depth detection, with accuracy above 99.5%
Linkage response within seconds to quickly intercept unknown malware
The ransomware spread through two important vulnerabilities, CVE- and MS; both are known vulnerabilities. Huawei security products can effectively detect malicious documents carrying the CVE- exploit code, as well as the worm infection traffic that exploits the MS vulnerability.
By reconstructing email traffic and sending the extracted attachments for inspection, the Huawei FireHunter6000 sandbox can capture malicious RTF documents in email attachments and identify them, for example as Petya ransomware together with its suspicious network communication activities:
How Huawei users obtain protection capabilities
Huawei intrusion prevention products can also detect attacks against the CVE- and MS vulnerabilities. Please upgrade the IPS signature library to obtain protection:
In addition, we still recommend that users apply the system patches recommended in the previous section to repair the vulnerabilities and fundamentally eliminate the possibility of being attacked.
Copyright © 2011 JIN SHI