Petya malware detected as Win32/Diskcoder.C spreading rapidly

[ESET Security Forum 39]

ESET is tracking an outbreak of malware detected as the Diskcoder.C Trojan that has been referred to as a Petya variant in some previous communications. ESET LiveGrid has blocked the threat since ~13:30 CEST 6/27.

Solution

Best practices against Diskcoder.C | If a fake CheckDisk scan is displayed | If your files are already encrypted

All ESET Users—best practices to defend against this infection 

1. If you do not have an existing SysRescue Live CD/DVD or USB medium for your system, download ESET SysRescue Live and create a rescue disc.
    
2. Turn off all computers in your network.
    
3. Boot individual systems from a SysRescue Live medium and scan each computer for malware with detection of potentially unwanted and unsafe applications enabled. How do I use ESET SysRescue Live to clean my computer?
    
4. If Diskcoder.C is detected, skip to step 3 of If a fake CheckDisk scan is displayed.
   
   If the scan completes without detecting a threat, exit SysRescue and boot into Windows.
    
5. Open an administrative command prompt (right-click the CMD application and select 'run as administrator') and run the following commands:
   • echo.>%windir%\perfc
   • echo.>%windir%\perfc.dat
   • echo.>%windir%\perfc.dll
   • attrib +r %windir%\perfc
   • attrib +r %windir%\perfc.dat
   • attrib +r %windir%\perfc.dll

6. If possible, disable SMB version 1.
   • Disable SMBv1 via Group Policy 
   • Disable SMBv1 on a single server
      
7. If a local administrator account exists on a computer, change the password to a more sophisticated one. Use at least 10 characters, 2 uppercase, 2 lowercase, 2 numbers, 2 symbols. Do not use conventional words from the dictionary.
   1. If your computers belong to a domain, change the domain admin passwords to more sophisticated ones.
       
   2. Avoid using the same administrator credentials on workstations and servers.
       
8. Disable default ADMIN$ accounts and/or communication to Admin$ shares.
    
9. Make sure that all hotfixes available for the OS are installed and that your system is patched against EternalBlue. If you are not sure of this, use our free tool to scan your system.
    
10. If you are using an older OS which is no longer supported by Microsoft, consider upgrading to the latest version.
     
11. Make sure that the latest version of your ESET product is installed and modules are updated.
     
12. If you are using ESET Endpoint Antivirus or ESET NOD32 Antivirus, we recommend you to swich to ESET Security product version. ESET Security products contain firewall with the Network protection module capable of blocking EternalBlue exploit in SMBv1.
     
13. Make sure that only 100% clean and patched computers are connected back to network.
     
14. For best practices to protect your computers against  ransomware continue here.

 

If a fake CheckDisk scan is displayed

1. Turn off your computer.
    
2. Boot the system from a SysRescue Live medium and scan it for malware with detection of potentially unwanted and unsafe applications enabled. How do I use ESET SysRescue Live to clean my computer?
    
3. Check if the disk has not been encrypted. There are multiple ways to do this:
   • Using Windows
     1.  Boot your computer to the Windows Recovery Console from a Windows installation CD.
         
     2. Restore MBR by running fixmbr command.
         
   • Using Linux
     1. Boot your computer from a Linux Live CD/USB.
         
     2. Use TestDisk to fix MBR.

 

If your files have already been encrypted:

If you do not have any important data on your discs:

1. Re-image the system.
2. Follow the best practices.      

If you have important data on your disk that is already encrypted:

1.  Use ESET Sysrecue Live to create a 1:1 copy of the disk.
2. Re-image the system.
3. Follow the best practices.
4. Check this alert regularly for more information.