6 min read

A new ransomware variant is sweeping across the globe known as Petya. It is currently having an impact on a wide range of industries and organizations, including critical infrastructure such as energy, banking, and transportation systems. While it was first observed in 2016, it contained notable differences in operation that caused it to be “immediately flagged as the next step in ransomware evolution.”

What is it?

This is a new generation of ransomware designed to take timely advantage of recent exploits. This current version is targeting the same vulnerabilities (ETERNALBLUE) that were exploited during the recent Wannacry attack. In this variant, rather than targeting a single organization, it uses a broad-brush approach that targets any device it can find that its attached worm is able to exploit.

The gravity of this attack is multiplied by the fact that even servers patched against the SMBv1 vulnerability exploited by EternalBlue can be successfully attacked, provided there is at least one Windows server on the network vulnerable to the flaw patched in March.

How it spreads?

Early reports also suspected that some infections were spread via phishing emails with infected Excel documents exploiting a CVE-2017-0199, a Microsoft Office/WordPad remote code execution vulnerability.

The attackers have built in the capability to infect patched local machines using the PSEXEC Windows SysInternals utility to carry out a pass-the-hash attack. Some researchers have also documented usage of the Windows Management Instrumentation (WMIC) command line scripting interface to spread the ransomware locally.

Unlike WannaCry, this attack does not have an internet-facing worming component, and only scans internal subnets looking for other machines to infect. Once a server is compromised by EternalBlue, the attacker is in as a system user.

What it does

The malware waits for 10-60 minutes after the infection to reboot the system. Reboot is scheduled using system facilities with “at” or “schtasks” and “shutdown.exe” tools. Once it reboots, it starts to encrypt the MFT table in NTFS partitions, overwriting the MBR with a customized loader with a ransom note.

The malware enumerates all network adapters, all known server names via NetBIOS and also retrieves the list of current DHCP leases, if available. Each and every IP on the local network and each server found is checked for open TCP ports 445 and 139. Those machines that have these ports open are then attacked with one of the methods described above.

The criminals behind this attack are asking for $300 in Bitcoins to deliver the key that decrypts the ransomed data, payable to a unified Bitcoin account. Unlike Wannacry, this technique would work because the attackers are asking the victims to send their wallet numbers by e-mail to “wowsmith123456@posteo.net,” thus confirming the transactions.

There is no kill-switch as of yet, and reports say the ransom email is invalid, so paying up is not recommended.

Technical Details

Talos observed that compromised systems have a file named “Perfc.dat” dropped on them. Perfc.dat contains the functionality needed to further compromise the system and contains a single unnamed export function referred to as #1. The library attempts to obtain administrative privileges (SeShutdowPrivilege and SeDebugPrivilege) for the current user through the Windows API AdjustTokenPrivileges. If successful, the ransomware will overwrite the master boot record (MBR) on the disk drive referred to as PhysicalDrive 0 within Windows. Regardless of whether the malware is successful in overwriting the MBR or not, it will then proceed to create a scheduled task via schtasks to reboot the system one hour after infection.

As part of the propagation process, the malware enumerates all visible machines on the network via the NetServerEnum and then scans for an open TCP 139 port. This is done to compile a list of devices that expose this port and may possibly be susceptible to compromise.

The malware has three mechanisms used to propagate once a device is infected:

EternalBlue – the same exploit used by WannaCry. Psexec – a legitimate Windows administration tool. WMI – Windows Management Instrumentation, a legitimate Windows component.

These mechanisms are used to attempt installation and execution of perfc.dat on other devices to spread laterally.

For systems that have not had MS17-010 applied, the EternalBlue exploit is leveraged to compromise systems.

Psexec is used to execute the following instruction (where w.x.y.z is an IP address) using the current user’s windows token to install the malware on the networked device. Talos is still investigating the methods in which the “current user’s windows token” is retrieved from the machine.

C:\WINDOWS\dllhost.dat \\w.x.y.z -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1

WMI is used to execute the following command which performs the same function as above, but using the current user’s username and password (as username and password).

Wbem\wmic.exe /node:”w.x.y.z” /user:”username” /password:”password” “process call create “C:\Windows\System32\rundll32.exe \”C:\Windows\perfc.dat\” #1″

Once a system is successfully compromised, the malware encrypts files on the host using 2048-bit RSA encryption. Additionally, the malware cleans event logs on the compromised device using the following command:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:

What steps has EventTracker Enterprise taken?

Closely monitoring announcements and details provided by industry experts including US CERT, SANS, Microsoft, etc. Reviewed the latest vulnerability scan results from your network (if subscribed to ETVAS service) for vulnerable machines. ETVAS service subscribers who would like us to scan your network again can request us at ecc@eventtracker.com and we will perform a scan at your convenience. Updated the Active Watch List in your instance of EventTracker with the latest Indicators of Compromise (IOCs). This includes MD5 hashes of the malware variants, IP addresses of C&C servers, the email address wowsmith123456@posteo.net Monitoring system reboots and additions to the Scheduled Tasks list Watching Change Audit snapshots in your network for changes to registry (RunOnce) Updated ETIDS with snort signatures as described by Cisco Talos Performing log searches using known IOCs

Recommendations