Threat Brief – Petya Ransomware

Cogent wishes to advise our customers of a new ransomware outbreak that occurred overnight and is impacting organisations in the US and Europe. Media reports have labelled this latest campaign "Petya Ransomware". It has hit the Ukrainian government, banks and critical infrastructure operators the hardest, but is increasingly being observed elsewhere around the world at an alarming rate. Even the radiation monitors at the ruined Chernobyl nuclear power plant and checkouts at a Dutch supermarket were reported to be affected.

Although Petya ransomware has been observed in the wild since March 2016, this latest outbreak is spreading far faster than earlier ones, most likely because it uses the ETERNALBLUE exploit to move laterally over the Microsoft SMB protocol. This is the same exploit that WanaCrypt0r/WannaCry used to spread around the world in May 2017. Petya also uses two other methods to reach additional hosts; its lateral movement is described in more detail below.

We have contacted our clients about this new threat and advised them of the steps we are undertaking to prevent outbreaks and keep their environments secure. As this attack is still unfolding, we will update this post as new information becomes available, and Cogent will keep clients informed of any changes or discoveries as we progress with our checks and updates over the coming days.

Windows users should take the following general steps to protect themselves:

  • Apply the security updates in Microsoft Security Bulletin MS17-010. Because Petya also spreads using stolen credentials (see Lateral Movement below), patching alone does not make a network immune.
  • Block inbound connections on TCP port 445. Do this on host firewalls as well as at the perimeter: the worm scans the local subnet, so a perimeter-only block does nothing to stop spread between neighbouring hosts.
  • Create and maintain good backups so that you can restore your data if an infection occurs. Keep at least one copy offline; a backup server that is reachable from an infected host is itself a target for the lateral movement described below.
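The following script is an added example, not Cogent's tooling or anything from the sources credited below. It checks the first two mitigations above on a Windows 8.1 / Server 2012 R2 or later host and can optionally enforce them. The KB list is my own and covers only the MS17-010 packages I know of for Windows 7 through Windows 10 1607; Microsoft later folded the fix into monthly cumulative updates, so a host on a newer cumulative update is patched even though none of these KBs appear. The firewall rule name is also my choice.

```powershell
# Added example, not Cogent's tooling. Run from an elevated PowerShell prompt.
# Assumption: these are the MS17-010 package KBs for Win7/2008R2, 8.1/2012R2,
# 2012 and Win10 1507/1511/1607. A miss means "check cumulative update level",
# not "unpatched".
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429')

function Test-Ms17010Installed {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hits = @($installed | Where-Object { $Ms17010Kbs -contains $_ })
    if ($hits.Count) { $detail = $hits -join ', ' }
    else { $detail = 'none of the known KBs found; check cumulative update level' }
    [pscustomobject]@{
        Check  = 'MS17-010 hotfix present'
        Pass   = ($hits.Count -gt 0)
        Detail = $detail
    }
}

function Test-Smb1Disabled {
    param([switch]$Remediate)
    # ETERNALBLUE targets SMBv1. Disabling it removes the exposed code path even on a
    # host that has not yet received the patch; SMBv2/3 file sharing keeps working.
    if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        Check  = 'SMBv1 server disabled'
        Pass   = (-not $cfg.EnableSMB1Protocol)
        Detail = "EnableSMB1Protocol = $($cfg.EnableSMB1Protocol)"
    }
}

function Test-Port445Blocked {
    param([switch]$Remediate)
    # Rule name is my own choice; align it with your firewall policy naming.
    $ruleName = 'Block inbound SMB TCP 445 (Petya mitigation)'
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if (-not $rule -and $Remediate) {
        $rule = New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
                    -Protocol TCP -LocalPort 445 -Action Block -Profile Any
    }
    if ($rule) { $detail = "rule '$ruleName' Enabled=$($rule.Enabled)" }
    else { $detail = 'no matching rule; re-run with -Remediate to create one' }
    [pscustomobject]@{
        Check  = 'Inbound TCP 445 blocked by host firewall'
        Pass   = ($null -ne $rule -and "$($rule.Enabled)" -eq 'True')
        Detail = $detail
    }
}

# Report only by default; add -Remediate to the last two calls to enforce.
$results = @(
    Test-Ms17010Installed
    Test-Smb1Disabled
    Test-Port445Blocked
)
$results | Format-Table Check, Pass, Detail -AutoSize -Wrap
```

Blocking inbound 445 on a host also blocks legitimate file sharing and administrative shares to that host, so apply the rule to workstations and exempt file servers and domain controllers deliberately rather than by omission. The third mitigation, offline backups, has no scripted check; verify it by restoring from the offline copy.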

Petya Overview

Petya is a ransomware family that works by overwriting the Master Boot Record (MBR) of the system disk and then forcing a reboot (see Installation below). When the system restarts, the modified MBR prevents Windows from loading and instead displays an ASCII ransom note demanding payment from the victim, shown below.

After the system is compromised, the victim is asked to send US$300 in Bitcoin to a specific Bitcoin address (the same address for every victim, which points to the amateur nature of the operation) and then e-mail their Bitcoin wallet ID to wowsmith123456@posteo[.]net to receive their individual decryption key.

As of 14:30 NZST 28 June 2017, 35 payments had been made to the attackers' wallet, totalling just over NZ$12,000.

 

Attack Playbook

We are currently aware of the following details of Petya's attack lifecycle.

Delivery/Exploitation

Neither we nor our cyber security partners have yet confirmed the initial infection vector for this new Petya variant. Previous variants spread through e-mail, but we have not identified this latest sample in any e-mail-borne attacks. The Ukrainian Cyber Police has said the attack appears to have been seeded through the software update mechanism built into M.E.Doc, an accounting program that companies working with the Ukrainian government are required to use.

Installation

This variant of Petya is distributed as a DLL, which must be loaded and executed by another process before it takes any action on the system. Once running, it overwrites the Master Boot Record and creates a scheduled task to reboot the system. After the reboot, the malware displays the ransom note demanding a payment of US$300 in Bitcoin.

Command and Control

Petya contains no command-and-control mechanism that we are aware of. After a host is infected, the malware does not communicate back to the attacker, so there is no C2 traffic to block or detect; the only network activity it generates is the lateral movement described below.

Lateral Movement

Petya uses three mechanisms to spread to additional hosts:

  • Petya scans the local /24 subnet to enumerate ADMIN$ shares on other systems, then attempts to copy itself to those hosts and execute the copy using PsExec. This only succeeds if the account under which the infected process runs has rights to write and execute files on the host serving the share.
  • Petya uses the Windows Management Instrumentation Command-line (WMIC) tool to connect to hosts on the local subnet and attempts to execute itself remotely on them. It can use Mimikatz to extract credentials from the infected system and reuse them to execute on the targeted host. Because this path relies on stolen credentials rather than a vulnerability, it works against fully patched hosts.
  • Finally, Petya attempts to use the ETERNALBLUE exploit against hosts on the local subnet. This only succeeds if the targeted host has not had the MS17-010 patches applied.
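The following hunting script is an added example and is not Cogent's tooling or anything from the sources credited below. It searches a host's own event logs for the PsExec and WMIC mechanisms listed above and for the scheduled reboot task from the Installation section. The event IDs are standard Windows auditing events; the 24-hour window, the function names and the "Indicator" labels are my assumptions. ETERNALBLUE leaves no host-log trace that this script can see, since a patched target simply rejects it and an unpatched one reboots into the ransom screen, so run this on the hosts around a victim and on your central log collector rather than on the victim itself.

```powershell
# Added example, not Cogent's tooling. Run elevated. Caveats: 4688 only carries
# the command line if "Include command line in process creation events" is on;
# 5140 needs "Audit File Share" and 4698 needs "Audit Other Object Access Events"
# enabled, otherwise those checks return nothing even on a compromised host.

function Get-PsExecServiceInstalls {
    param([datetime]$Since)
    # PsExec (including the copy Petya carries) installs a service named PSEXESVC on
    # the target, which the Service Control Manager records as System event 7045.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'PSEXESVC' } |
        Select-Object TimeCreated, @{ n = 'Indicator'; e = { 'PsExec service install (target side)' } }, Message
}

function Get-RemoteWmicExecutions {
    param([datetime]$Since)
    # Security 4688: process creation. wmic.exe with /node: is aimed at a remote host,
    # and it is the infected machine that logs it, so this identifies the source.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'wmic\.exe' -and $_.Message -match '/node:' } |
        Select-Object TimeCreated, @{ n = 'Indicator'; e = { 'wmic /node: remote execution (source side)' } }, Message
}

function Get-AdminShareAccess {
    param([datetime]$Since)
    # Security 5140: a network share was accessed. Many distinct peers hitting ADMIN$
    # within minutes matches the /24 scan described above; Source is the connecting host.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5140; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'ADMIN\$' } |
        Select-Object TimeCreated,
            @{ n = 'Indicator'; e = { 'ADMIN$ share access (target side)' } },
            @{ n = 'Source';    e = { if ($_.Message -match 'Source Address:\s+(\S+)') { $Matches[1] } } },
            Message
}

function Get-RebootTaskCreations {
    param([datetime]$Since)
    # Security 4698: a scheduled task was created. The task body is in the message;
    # one whose action runs shutdown is consistent with the forced reboot.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'shutdown' } |
        Select-Object TimeCreated, @{ n = 'Indicator'; e = { 'scheduled task running shutdown' } }, Message
}

$since = (Get-Date).AddHours(-24)   # assumed look-back window
$findings = @(
    Get-PsExecServiceInstalls -Since $since
    Get-RemoteWmicExecutions  -Since $since
    Get-AdminShareAccess      -Since $since
    Get-RebootTaskCreations   -Since $since
)
$findings | Sort-Object TimeCreated | Format-Table TimeCreated, Indicator, Source -AutoSize
```

Legitimate administration also produces PsExec service installs and WMIC remote calls, so treat a single hit as a lead to verify against the change record, and a burst of 5140 ADMIN$ accesses from one workstation to many of its neighbours as the strong signal.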

Conclusion

Ransomware attacks are becoming increasingly pervasive, and Petya and WanaCrypt0r demonstrate the reckless lengths attackers will go to in order to extort untargeted victims. The WannaCry attacks in May 2017 showed that many Windows systems had not been patched against the SMB vulnerability addressed by MS17-010. The spread of Petya using the same vulnerability indicates that many organisations remain unpatched despite the attention WannaCry received.

Please contact Cogent today to see how our next-generation security platform and managed services provide prevention-based protection for your organisation against this and future cyber attacks.

Credits: Rick Howard, Palo Alto Networks; Krebs on Security;