Updated on July 07, 2017, 2:30 AM PDT to add more details on the disk modification procedures.

Updated on July 06, 2017, 12:55 AM PDT to add more details on Petya's interaction with various antivirus processes.

Updated on June 29, 2017, 2:09 AM PDT to add more details on the infection flow, disk modification procedures and update the infection diagram.



Updated on June 28, 2017, 1:22 PM PDT to add more details on the disk modification procedures and include an additional SHA256 hash.

Updated on June 27, 2017, 9:50 PM PDT to add more technical information.

A large-scale ransomware attack reported to be caused by a variant of the Petya ransomware is currently hitting various users, particularly in Europe. This variant, which Trend Micro already detects as RANSOM_PETYA.SMA, is known to use both the EternalBlue exploit and the PsExec tool as infection vectors. Users and organizations are thus advised to perform the following mitigation steps immediately in order to prevent and avoid infection:

Apply the security patch MS17-010

Disable TCP port 445

Restrict accounts with administrator group access

We are currently analyzing this threat and will update this post as more details become available.

[RELATED: The most frequently asked questions that dispel and clarify misconceptions and comparisons about this threat]

Infection Flow

As previously mentioned, this ransomware’s initial entry into the system is through the “admin$” share, after which it is executed by PsExec, a Microsoft utility used to run processes on remote systems, or Windows Management Information Command-line (WMIC), which is an interface that simplifies the use of Windows Management Instrumentation (WMI). It also uses the EternalBlue exploit—also used by WannaCry—that targets a vulnerability in Server Message Block (SMB) v1. This Petya variant is dropped into a system as perfc.dat, after which it uses the rundll32.exe process to run and carry out its file encryption routine. Unusually for ransomware, it does not change the extensions of any encrypted files. It targets more than 60+ file extensions to encrypt; it is worth noting that the file types it targets are typically used in enterprise settings; images and video files, which are usually targeted by other ransomware, are notably absent.

This ransomware then adds a scheduled task that reboots the system after at least an hour. Meanwhile, the Master Boot Record (MBR) is also modified so that the MFT encryption routine will display the ransom note upon reboot. A fake CHKDSK notice is initially displayed; this is when the MFT encryption happens.

Figure 1. Infection diagram

Figure 2. Ransomware notices displayed after reboot

Figure 3. Ransomware notices displayed after reboot

Aside from the use of the EternalBlue exploit, there are other similarities to WannaCry. Like that attack, this Petya variant's ransom process is relatively simple: it also uses a hardcoded Bitcoin address, making decryption a much more labor-intensive process on the part of the attackers. This is in contrast to earlier Petya attacks, which had a more developed UI for this process. Each user is asked to pay US$300. As of this time, approximately US$7,500 had been paid into the Bitcoin address. As in all ransomware attacks, we advice against paying the ransom–this is particularly true in this case, as the email account mentioned in the ransom note is no longer active.

PsExec and Windows Management Information Command-line (WMIC)

Petya cleverly uses legitimate Windows processes PsExec and Windows Management Information Command-line, which is an interface that simplifies the use of Windows Management Instrumentation (WMI).

Once Petya is dropped, it will drop psexec.exe as dllhost.dat on the target machine. The malware also drops a copy of itself to \\{remote machine name}\admin$\{malware filename}. It then executes the dropped copy by using dllhost.dat locally (which is the file name of the PSExec tool) with the following parameters:

dllhost.dat \\{remote machine name} -accepteula -s -d C:\Windows\System32\rundll32 "C:\Windows\{malware filename}",#1 {random number minimum 10} {enumerated credentials}

The format of {enumerated credentials} is as follows:

"un1:pw1" "un2:pw2" "un3:pw3" ... "unN:pwN"

If this is unsuccessful, Petya will then use WMIC.EXE to execute the file in the remote machine:

%System%\wbem\wmic.exe /node:"{node}" /user:"{user name}" /password:"{password}" process call create "C:\Windows\System32\rundll32 \C:\Windows\{malware filename}\" #1 {random number minimum 10} {enumerated credentials}""

Petya will use PSExec or WMIC to spread the malware to other systems within the local network. As previously mentioned, it also uses the EternalBlue exploit to propagate; however, if EternalBlue exploit fail, this variant then attempts to use EternalRomance, another SMBv1 exploit.

Information Extraction Method

We discovered that this Petya variant uses an advanced method to extract information from the infected system. It makes use of a customized Mimikatz—a legitimate security tool—to extract usernames and passwords. The 32-bit and 64-bit Mimikatz executables are encrypted and stored in the resource section of the ransomware. The extraction method runs when the main malware process opens a pipe, which is used by the custom Mimikatz to write its results. These results are then read by the main malware process. As mentioned earlier, Petya is able to spread to other systems within the local network by using this extracted information.

Disk Modification Procedure

Before encryption, Petya will first modify the MBR as part of its process.

The malware has two conditions for disk modification. First, it will detect whether or not AVP.exe is running. If it detects that it is running, it will write code (0xBAADF00D) to the system’s MBR making the system unbootable.

If AVP.exe is not running, it will proceed to do the following routine:

It will access the following sectors:

Sectors 0 to 18 (disk offset 0 to 25FFh) are overwritten with its own boot program.

Sector 32 (disk offset 4000h to 41FFh) is written with structured data containing MFT encryption state, key and nonce pair for Master File Table (MFT) encryption, Bitcoin Wallet and Personal Installation Key (encrypted File Encryption Key).

Sector 33 (disk offset 4200h to 43FFh) is filled with 07h.

The original MBR is encrypted:

Sector 34 (disk offset 4400h to 45FFh) is written with the XOR-encrypted original MBR.

If the above process fails, it will overwrite sectors 0-9 with code (0xBAADF00D).

Administrator rights are needed to write to the MBR. If a direct execution of the malware is done without administrator rights, it won’t write to MBR. However, given its arrival method, system user rights will be inherited, resulting in both MBR and file encryption.

Like previous Petya variants, this variant also encrypts the infected system’s MFT. The main DLL first generates a key and nonce pair using the CryptGenRandom API. The generated key is then written to the disk, so that when the infected system restarts, the malware boot code will use the saved key to start the MFT encryption using Salsa20 algorithm. It is during this process that the fake CHKDSK screen (as shown in Figure 2 above) is displayed.

By using the CryptGenRandom API to generate the encryption key, this Petya variant fixes a flaw in the older versions’ encryption routine, making this variant more difficult to decrypt. It is worth noting, though, that based on our analysis of its code, this Petya variant actually deletes the encryption key it used. This makes decryption not just difficult, but virtually impossible even for malware author.

The MBR is recoverable since it is saved and is only encrypted by XOR with a fixed key. However, the encrypted MFT does not seem to be decryptable. The summarized steps for MFT encryption is as follows:

As stated earlier, Petya will first modify the MBR It then encrypts its target files After rebooting, the modified MBR code will run and encrypt the MFT via a fake CHKDSK routine

Take note that systems are supposed to have a backup, or second MFT, which the malware does not touch. However, this backup MFT comes with certain limitations—specifically, it can only mirror the first four file record entries. As such, the backup MFT cannot be used for recovery beyond the 16th file record entry, nor is it a reliable method for recovering the encrypted MFT.

Petya’s Behavior with Antivirus Processes

In addition to its main processes, Petya also exhibits behavioral changes when it detects certain AV-related processes running in the system.

Specifically, Petya will check if the following processes are running:

avp.exe

NS.exe

ccSvcHst.exe

If avp.exe is found running, Petya will proceed with both MBR overwriting and file encryption. However, after rebooting the infected machine, it will not perform MFT encryption. In this case, if the user has somehow managed to back up their MBR, they can theoretically restore the system since the MFT was not encrypted. Despite this, the affected files will still be encrypted.

If the processes NS.exe or ccSvcHst.exe are found running, Petya will refrain from propagating using the SMB exploits EternalBlue and EternalRomance. The ransomware will still attempt to spread via other methods.

Trend Micro Solutions

Further information about Trend Micro solutions may be located within this article.

The following SHA256 hashes are related to this threat:

027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1

752e5cf9e47509ce51382c88fc4d7e53b5ca44ba22a94063f95222634b362ca5

[RELATED: Learn who is most at risk from this Petya outbreak, as well as mitigation best practices for enterprises]