
Important information regarding the Petya ransomware outbreak


Incident overview

On June 27, the Petya encryption malware was used in a large-scale attack, primarily against companies with operations in the Russian Federation and Ukraine. Organisations elsewhere in the world were also infected.

The malware was distributed using phishing emails. There are currently rumors that a third-party Ukrainian document management company, Me-Doc, was compromised to spread the malware, but these reports are yet to be confirmed.

The attachment then infected other machines in the network with the Petya malware. For decryption, the attackers demand 300 USD in bitcoin.

Malware analysis

When the malicious attachment is opened, it exploits a recent vulnerability, CVE-2017-0199. This vulnerability has previously been used in attacks by other criminal groups and is currently built into a range of malicious document builders sold on underground forums.

After deployment it starts two threads:

  • In the first, the malware tries to infect other computers on the network by exploiting the EternalBlue vulnerability (CVE-2017-0144), as WannaCry did.
  • In the second, the malware dumps LSA memory to obtain network and local admin passwords (similar to mimikatz, in x86 and x64 builds) and then uses those credentials to infect other computers via PsExec or WMI commands.

In short, not every computer needs to be vulnerable to EternalBlue. A single infected computer holding admin credentials in LSA memory is enough to compromise the network.

The malware executes the following command line to clear the OS event logs and the NTFS USN change journal (%c: is a placeholder in the malware's format string that is replaced by the drive letter at run time):

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:
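The following PowerShell script is an added example, not Group-IB's code or part of the original notice. It hunts a single Windows host for the two behaviours described above: the log-clearing commands, and the PsExec/WMI lateral movement performed by the second thread. It assumes an elevated prompt (the Security log is not readable otherwise) and that Sysmon is installed with process-creation logging enabled (Event ID 1 in Microsoft-Windows-Sysmon/Operational). The Event IDs used are standard Windows ones: 1102 (Security log cleared), 104 (System log cleared) and 7045 (a service was installed). The PSEXESVC service name and the WmiPrvSE.exe parent process are the default artefacts of PsExec and WMI remote execution in general; the notice does not state which service name this sample used, so treat those two matches as an assumption about the tooling, not as an IOC from the post.

```powershell
# Added example: hunt for NotPetya-style anti-forensics and lateral movement on one host.
# Run elevated. Sysmon (Microsoft-Windows-Sysmon/Operational) is required for the two
# process-based checks; the event-log-cleared and service-install checks need only built-in logs.
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name="..."> elements of a Windows event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Get-SysmonProcessCreate {
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1; StartTime=$since} -ErrorAction SilentlyContinue
}

function Find-LogClearing {
    # 1102 (Security) and 104 (System) are written by the Eventlog service itself when a log
    # is cleared, so they are the first events in the freshly emptied logs after "wevtutil cl".
    $hits = @()
    $hits += Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102; StartTime=$since} -ErrorAction SilentlyContinue
    $hits += Get-WinEvent -FilterHashtable @{LogName='System';   Id=104;  StartTime=$since} -ErrorAction SilentlyContinue
    $hits | Select-Object TimeCreated, LogName, Id, @{n='Summary'; e={ ($_.Message -split "`n")[0] }}
}

function Find-AntiForensicCommandLines {
    # Match the exact tools from the malware's command line: "wevtutil cl <log>" and
    # "fsutil usn deletejournal". The pattern tolerates an explicit .exe and extra whitespace.
    $pattern = '(?i)(wevtutil(\.exe)?\s+cl\s|fsutil(\.exe)?\s+usn\s+deletejournal)'
    Get-SysmonProcessCreate | ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d.CommandLine -match $pattern) {
            [pscustomobject]@{ Time=$_.TimeCreated; Image=$d.Image; Parent=$d.ParentImage; CommandLine=$d.CommandLine; User=$d.User }
        }
    }
}

function Find-PsExecServiceInstall {
    # PsExec-style remote execution installs a service on the target (System 7045).
    # Assumption: the default PSEXESVC name, or any service whose binary was dropped directly
    # under the Windows directory (where PsExec copies its service executable).
    $dropped = '(?i)^"?(%SystemRoot%|%windir%|[a-z]:\\Windows)\\[^\\]+\.exe'
    Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=$since} -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d.ServiceName -eq 'PSEXESVC' -or $d.ImagePath -match $dropped) {
            [pscustomobject]@{ Time=$_.TimeCreated; ServiceName=$d.ServiceName; ImagePath=$d.ImagePath; Account=$d.AccountName }
        }
    }
}

function Find-WmiSpawnedProcesses {
    # Processes started through remote WMI (Win32_Process.Create) have WmiPrvSE.exe as parent.
    Get-SysmonProcessCreate | ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d.ParentImage -match '(?i)\\WmiPrvSE\.exe$') {
            [pscustomobject]@{ Time=$_.TimeCreated; Image=$d.Image; CommandLine=$d.CommandLine; User=$d.User }
        }
    }
}

"== Event logs cleared in the last $Hours h =="; Find-LogClearing              | Format-Table -AutoSize
"== wevtutil / fsutil anti-forensics ==";        Find-AntiForensicCommandLines | Format-Table -AutoSize
"== Service installs consistent with PsExec =="; Find-PsExecServiceInstall     | Format-Table -AutoSize
"== Processes spawned via WMI ==";               Find-WmiSpawnedProcesses      | Format-Table -AutoSize
```

Run it on a suspected host (or fan it out with Invoke-Command) and review the four tables. The first table is the most reliable indicator on hosts without Sysmon: the malware can empty the logs, but it cannot stop the 1102/104 record that documents the clearing, and a cleared Security log shortly after a burst of 7045 or WmiPrvSE-spawned processes across several hosts is exactly the pattern described in the analysis above.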

The malware waits around 30-40 minutes after infecting the endpoint (presumably to give itself time to spread), then encrypts files with the following extensions:


It then modifies the MBR and the MFT on the local host and reboots the machine.

After encryption the following screen is displayed:

Kill switch: on launch, the malware checks whether a file with its own name, without an extension, exists in the Windows directory. For example, if the malware body is named perfc.dat (its internal PE name) and it finds the file %WINDOWS%\perfc, the program exits.

However, Group-IB specialists could not confirm that the next "Petya" campaign will use the same file name; the name depends on the specific build of the malware that checks for this file. Considering this, the file cannot be relied on as a universal kill switch.

The malware was compiled on June 18:

What should I do to be protected against attacks like this?

1. Take technical steps to prevent mimikatz-style credential theft and other privilege escalation techniques in Windows:
   • Install patch KB2871997;
   • In the registry, set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential to 0;
2. Make sure that the passwords of the local admin accounts on workstations differ from machine to machine;
3. Change ALL passwords of privileged domain users and Domain Admins;
4. Install the patches that mitigate CVE-2017-0199 and EternalBlue (MS17-010);
5. Revoke all admin accounts that are not needed (judging by LSA dumps, there are often far too many admin accounts in a network);
6. Until you have patched all PCs in your corporate network, don't allow employees to connect their laptops to the corporate LAN;
7. Back up your systems regularly, ideally to both cloud storage and drives that are not constantly connected to the network;
8. Implement a Zero Trust policy and arrange a security awareness training course for your employees;
9. Consider disabling SMBv1 in your network;
10. Subscribe to Microsoft Technical Security Notifications.
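The following PowerShell script is an added example, not Group-IB's code or part of the original notice. It checks and, with -Apply, enforces the host-level items in the list above: the WDigest registry value, the presence of KB2871997 and an MS17-010 update, SMBv1, the local Administrators membership, and the perfc kill-switch file from the analysis section. Assumptions: it runs elevated; the MS17-010 KB list is seeded with the two Windows 7 / Server 2008 R2 identifiers from the Microsoft bulletin (KB4012212 security-only, KB4012215 monthly rollup) and must be extended for other OS versions; and Get-HotFix will not list an update that a later cumulative update has superseded, so a "missing" result there needs a second look before being treated as unpatched. The steps that are organisational (rotating domain passwords, keeping unpatched laptops off the LAN, backups, awareness training) are not scripted.

```powershell
# Added example: verify and apply the host-level Petya/NotPetya mitigations listed above.
# Run elevated. Re-run with -Apply to make the changes; SMBv1 removal on Win7 needs a reboot.
param([switch]$Apply)

# Assumption: MS17-010 KB numbers for Windows 7 SP1 / Server 2008 R2 only; add your OS versions
# from the MS17-010 bulletin before relying on the result.
$Ms17010Kbs = @('KB4012212', 'KB4012215')
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$LanmanKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-WDigestHardened {
    # UseLogonCredential=0 stops WDigest from caching plaintext passwords in LSASS memory.
    # Win7/2008R2/8/2012 only honour the value after KB2871997; 8.1/2012R2 and later default to 0.
    $v = (Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    return ($v -eq 0)
}
function Set-WDigestHardened {
    New-ItemProperty -Path $WDigestKey -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-InstalledHotfix {
    # Returns the subset of the requested KB IDs that Get-HotFix (Win32_QuickFixEngineering) reports.
    param([string[]]$Kb)
    $installed = (Get-HotFix).HotFixID
    return @($Kb | Where-Object { $installed -contains $_ })
}

function Test-Smb1Disabled {
    # Windows 8/2012+ expose the SMB server setting via the SmbShare module; Win7/2008R2 use the registry.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (-not (Get-SmbServerConfiguration).EnableSMB1Protocol)
    }
    $v = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($v -eq 0)
}
function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Get-LocalAdminMembers {
    # ADSI WinNT provider works on every supported Windows version (Get-LocalGroupMember does not).
    $group = [ADSI]'WinNT://./Administrators,group'
    return @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}

function New-PerfcKillSwitch {
    # Creates the extension-less %WINDIR%\perfc file the analysed sample checks for, read-only.
    # Only effective against builds that test this exact name (see the caveat in the analysis).
    $path = Join-Path $env:SystemRoot 'perfc'
    if (-not (Test-Path $path)) { New-Item -Path $path -ItemType File | Out-Null }
    Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
    return (Test-Path $path)
}

if ($Apply) {
    Set-WDigestHardened
    Disable-Smb1
    New-PerfcKillSwitch | Out-Null
}

$admins = Get-LocalAdminMembers
[pscustomobject]@{
    'WDigest UseLogonCredential=0' = Test-WDigestHardened
    'KB2871997 installed'          = ((Get-InstalledHotfix -Kb 'KB2871997').Count -gt 0)
    'MS17-010 KB installed'        = ((Get-InstalledHotfix -Kb $Ms17010Kbs).Count -gt 0)
    'SMBv1 disabled'               = Test-Smb1Disabled
    'perfc kill switch present'    = (Test-Path (Join-Path $env:SystemRoot 'perfc'))
    'Local Administrators count'   = $admins.Count
    'Local Administrators'         = ($admins -join ', ')
} | Format-List
```

The report is deliberately per-host: item 2 in the list (unique local admin passwords) cannot be verified from one machine, so run this across the fleet and compare the "Local Administrators" lines, which also directly supports item 5 (pruning unneeded admin accounts). Windows LAPS or an equivalent is the usual way to make the local passwords differ; the notice does not name a tool, so that choice is the reader's.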

Group-IB Threat Intelligence customers have already received IOCs for the Petya outbreak.
Group-IB TDS installed in customers' infrastructure detected this malware outbreak.

Cognosec completes A-TEK DISTRIBUTION acquisition


  • COGNOSEC acquires 100% of the issued share capital of A-TEK – 12th June 2017
  • A-TEK is EBITDA positive with extensive cyber-specific distribution expertise

Cognosec AB (publ) (“Cognosec” or “The Company”), (Nasdaq: COGS), a leading supplier of cyber security solutions with operations in Europe, Africa and the Middle East, has completed its acquisition of UK-based A-TEK DISTRIBUTION LIMITED. The acquisition is in line with Cognosec’s strategy to expand business areas to cover the sale and distribution of software technologies over the internet.


Cognosec AB today announces the completion, pursuant to previous directives, of the acquisition of 100% of the issued share capital of A-TEK DISTRIBUTION as at 12th June 2017.


A-TEK DISTRIBUTION is a UK registered company with offices in Manchester and Johannesburg. The transaction was completed by Cognosec AB, and A-TEK will be injected into its subsidiary, Credence Security.


A-TEK DISTRIBUTION is a specialist Digital Software Distribution Business, specialising in cyber solutions delivered by portal and established by pioneers of digital software distribution. The business is positioned as a New Age Distribution Business, enabling global access to the vast Enterprise & SME markets with Pay-as-you-Use and Software-as-a-Service cyber-specific solutions. The technology platform provides significant scalability and global advantages through innovative distribution methodologies.


The acquisition of A-TEK improves Cognosec's competitive advantage for vendors and customers alike. This addition also expands Credence Security's current product portfolio to incorporate cyber security solutions for security operations centers, network operations centers, datacenters, mobile platforms and virtualized environments, as well as providing critical fraud prevention solutions to the technology, media, telecommunications, financial and public sectors.


Commenting on the acquisition of the business by Cognosec AB, Simon Campbell-Young, A-TEK's Co-founder & CEO, says: "This will provide us with the traction that is required in this heavily fragmented market, to move quickly and expeditiously towards solving our communities' needs with rapid supply solutions to ever increasing demands, internationally."


Patrick Boylan, Group MD of Cognosec AB, commented: "The acquisition of A-TEK gives us the further strength and security of building upon man-years within the cyber industries from a hugely diversified group of existing and potential vendor offerings."


The transaction included the acquisition of 100% of outstanding shares. The acquisition has been funded from internal resources. No external debt has been required to complete this transaction. There will be no other impact on Cognosec AB’s balance sheet.

Certified Adviser
Mangold Fondkommission AB is the Company’s Certified Adviser. Telephone: +46 (0)8 5030 1550
E-mail: info@mangold.se

Magnus Stuart

IR-contact, Cognosec AB
Email: magnus.stuart@cognosec.com

This information is information that Cognosec AB is obliged to make public, pursuant to the EU Market Abuse Regulation. The information was submitted for publication, through the agency of the contact person set out above, on 12th June, 2017, at 15.00 CET.


Cognosec AB (publ) is engaged in providing cyber resilience solutions and in cyber-attack prevention. The business conducts international operations from offices in Sweden, South Africa, the UK, Kenya, Germany, Austria and the United Arab Emirates. Listed on Nasdaq First North (Nasdaq:COGS), Cognosec delivers services and bespoke technologies to enhance public and private sector organisations’ protections against unwanted intrusions and designs holistic, organisation-wide solutions to prevent diverse and increasing forms of information and identity theft. Cognosec had revenues of EUR14.64m in 2016 and employed 136 personnel at the end of Q1 2017. For further information, please visit www.cognosec.se