By Joseph Salazar
Does this sound familiar? On June 27, 2017, news outlets began reporting on a ransomware attack that was spreading like wildfire, infecting thousands of devices across several countries. The attack used the EternalBlue exploit, stolen from the NSA and released by the Shadow Brokers group, which targets the SMB vulnerability CVE-2017-0144 (patched in MS17-010) to spread from system to system.
But in this case, it’s not WannaCry. It’s not even ransomware in any practical sense. Analysts have concluded that the malware, a variant of the Petya family (now widely referred to as NotPetya), is effectively a wiper. After it finishes executing its payload, it reboots the system. Instead of the Windows login screen, users see a ransom message instructing them to send $300 in Bitcoin to a wallet address and to confirm payment by email. That email account has since been shut down by its provider, so there is no way to pay the ransom and get files back. The malware also has no kill switch of the kind WannaCry had, and it uses a variety of methods to spread.
While the malware can arrive via the typical malicious attachment in a phishing email, the primary infection vector is the update mechanism of M.E.Doc, accounting and tax-reporting software from a Ukrainian firm. The M.E.Doc software update feature appears to have been hijacked to push the malware to its customers. The early reports of infection came from Ukraine and Russia.
This strain of malware is much more sophisticated and much more destructive than WannaCry. Once on a system, it checks for sandbox or VM capabilities to foil analysis. It then extracts credentials from memory as part of its lateral movement mechanism and uses those credentials to spread to other systems on the local network, trying PsExec first, then WMI, and finally the EternalBlue exploit. The first two methods need nothing more than a valid credential and work against fully patched systems, which is why applying MS17-010 alone did not stop it.

Once it has spread, it overwrites the Master Boot Record, the first sector of the hard disk that holds the code which locates and loads the operating system, with its own boot code; when the machine next boots, that code encrypts the Master File Table, the NTFS index of where every file on the volume lives. It also deletes all Windows event logs and the NTFS change journal, the record of changes made to the file system on modern Windows computers, to hinder forensics. It then schedules a forced reboot for roughly an hour after the initial infection, giving it time to spread to other systems on the local network. When the system reboots, the user sees the ransom message. Because the boot code has been replaced and the file-system index encrypted, and there is no working channel to obtain a key, there is no way to recover the system short of rebuilding it and restoring data from backup.
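The spreading and anti-forensic steps described above all show up as process-creation events, which makes them a good hunting target while the malware is still in its one-hour spreading window. The following is an added example, not code from the original post or from Attivo: a small Python detector that runs rules over constructed process-creation records (the host, parent image, image and command-line fields that Sysmon event ID 1 or Security event 4688 with command-line auditing provide). The rules key on how the tools are invoked rather than on file names or hashes: a PsExec-style or WMI remote launch of rundll32 on the source host, rundll32 arriving under the PsExec service or the WMI provider host on the target, the standard Windows commands for clearing event logs (wevtutil cl) and deleting the NTFS change journal (fsutil usn deletejournal), and a scheduled forced reboot. The host names, IP addresses, the payload name payload.dll and every log record are constructed for the example.

```python
import re

# Detection rules, each (name, image pattern, parent-image pattern, command-line
# pattern); None means "don't care". They match on invocation shape, so a renamed
# payload DLL or a renamed copy of PsExec still trips them.
RULES = [
    # Source side: PsExec-style remote launch of rundll32 as SYSTEM, detached.
    ("lateral-psexec", None, None,
     re.compile(r"-accepteula\s+-s\s+-d\b.*rundll32", re.I)),
    # Source side: WMI remote process creation that runs rundll32.
    ("lateral-wmi", re.compile(r"wmic\.exe$", re.I), None,
     re.compile(r"process\s+call\s+create\b.*rundll32", re.I)),
    # Target side: rundll32 spawned by the PsExec service or the WMI provider host.
    ("remote-rundll32", re.compile(r"rundll32\.exe$", re.I),
     re.compile(r"(psexesvc|wmiprvse)\.exe$", re.I), None),
    # Anti-forensics: clearing Windows event logs.
    ("log-wipe", None, None, re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    # Anti-forensics: deleting the NTFS USN change journal.
    ("journal-wipe", None, None,
     re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b", re.I)),
    # Delayed forced reboot via a scheduled task.
    ("scheduled-reboot", None, None,
     re.compile(r"schtasks\b.*/create\b.*shutdown(\.exe)?\s+/r\b", re.I)),
]

# Constructed records (hosts, IPs, payload.dll and the command lines are invented).
SAMPLE_EVENTS = [
    # WS01 is the first infected host: it wipes its own logs, schedules the reboot,
    # and pushes rundll32 to neighbours over PsExec-style and WMI channels.
    {"host": "WS01", "parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security "
                r"& wevtutil cl Application & fsutil usn deletejournal /D C:"},
    {"host": "WS01", "parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:42'},
    {"host": "WS01", "parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\psexec.exe",
     "cmdline": r"\\10.0.0.12 -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\payload.dll,#1"},
    {"host": "WS01", "parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"10.0.0.13" /user:"CORP\svc-backup" /password:"***" '
                r'process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\payload.dll\" #1"'},
    # WS02 and WS03 are the targets: rundll32 arrives under PSEXESVC / WmiPrvSE.
    {"host": "WS02", "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\payload.dll,#1"},
    {"host": "WS03", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'C:\Windows\System32\rundll32.exe "C:\Windows\payload.dll" #1'},
    # Benign look-alikes that must not fire: an admin querying a log, Control Panel.
    {"host": "ADMIN01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": r"wevtutil qe Security /c:5 /f:text"},
    {"host": "FS01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def match_rules(event):
    """Return the names of every rule the event satisfies, in RULES order."""
    hits = []
    for name, image_re, parent_re, cmd_re in RULES:
        if image_re and not image_re.search(event["image"]):
            continue
        if parent_re and not parent_re.search(event["parent"]):
            continue
        if cmd_re and not cmd_re.search(event["cmdline"]):
            continue
        hits.append(name)
    return hits


def analyze(events):
    """Map each host to the set of distinct rules its events triggered."""
    findings = {}
    for ev in events:
        for rule in match_rules(ev):
            findings.setdefault(ev["host"], set()).add(rule)
    return findings


def prioritize(events):
    """Order hosts for isolation: most distinct behaviours first, then by name.

    A host showing several behaviours is the one doing the spreading; a lone
    remote-rundll32 hit is a freshly hit target that has not yet wiped its logs
    or scheduled its reboot, so it still belongs on the list.
    """
    findings = analyze(events)
    return sorted(((host, sorted(rules)) for host, rules in findings.items()),
                  key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for host, rules in prioritize(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(rules)}")
```

Run against the sample, WS01 trips five rules and WS02 and WS03 one each, while the admin's wevtutil query and the Control Panel rundll32 launch stay quiet. The target-side rule is the important one operationally: a stolen credential plus PsExec or WMI leaves no exploit signature on the wire, so rundll32 appearing under PSEXESVC.exe or WmiPrvSE.exe is often the first evidence a patched host has been reached.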
As I mentioned in a previous ransomware blog post, the past success of ransomware is going to generate a host of new malware, and this is yet another escalation in the never-ending parade of variants. As outbreaks go, this one is bad, and the next one may be worse. It is incumbent on organizations to maintain a good social engineering awareness program, to stay current on patches and security updates, to limit where administrative credentials can be used so that one password lifted from memory cannot unlock the whole network, and to have a mechanism that can identify emerging attacks. The Attivo ThreatDefend Platform is well suited for that task, and through Attivo Labs has demonstrated its ability to detect Petya through the ways it is spreading now, whether it is using PsExec, WMI, or EternalBlue. For more information, go here or request a consultation here.