Update: Indicators of Compromise and new information added.
The latest ransomware attack in a recent swell of incidents following the latest Shadow Broker’s release of NSA malware tools first struck in Ukraine, Europe, and has been seen affecting energy companies, banks, government bodies, and even critical systems such as the airport and metro services in Kiev. Now the ransomware has spread globally, hitting major international businesses and key infrastructure for a number of countries across the globe.
“It has affected all branches of our business, at home and abroad.”
Anders Rosendahl, spokesman for the Copenhagen-based shipping giant A.P. Moller-Maersk
We are seeing widespread reports of ransomware infections globally with initial investigation suggesting it to be a new strain of a ransomware known previously as Petya, and Petrwrap, whilst none of our customers have been effected, the threat is severe enough to trigger our notice procedure.
Petya is a ransomware strain that pivots through the ETERNALBLUE exploit (CVE-2017-144 – patched by MS017-10), admin SMB share access and email. On execution it encrypts files
locally, and on connected shares. Unlike many other ransomwares, it also encrypts the hard drive’s master file table (MFT), corrupting the MBR and replacing it with custom code which is loaded instead of the operating system, following a reboot scheduled an hour after the infection.
The ransomware then demands that a ransom be paid to decrypt the affected files, reported to be $300 USD (~ £234.72 GBP / €265.62 EUR at the time of writing).
In the event of an infection, do not pay the ransom – the email address is blocked and cannot be accessed.
This blockchain wallet has been attributed and can be observed receiving what are assumed to be ransom payments from victims around the world.
This malware spreads through three known vectors:
- EternalBlue – CVE-2017-144 – Patch By MS-2017-10
- SMB Admin Share Access From Infected Machines
- Lateral movement with WMIC and PSEXEC
- A waterhole attack on site bahmut.com[.]ua/news/ (Credit to @craiu)
E-mail attachments *historical vector – unverified currently*
Further analyses have revealed that Ukrainian made accounting software MeDoc may be involved. It appears that an update to their software was responsible for distributing the ransomware, and some evidence correlates this claim. Regardless of this initial vector, the ransomware is capable of highly efficient lateral movement within networks and the appropriate security signatures should be implemented to prevent any infections.
Once installed, the malware encrypts files and demands a BitCoin ransom to decrypt files, payment of this ransom is not advised as there is no guarantee files will be restored.
An interesting aspect of this attack is the targeted filetypes. The intended victims are rather different from Petya or ‘normal’ ransomware. pic.twitter.com/mTRcPTHbpF
— Yonathan Klijnsma (@ydklijnsma) June 27, 2017
Windows SMB Version 1 – CVE
Solution / Prevention
If you haven’t already, patch Windows systems up to MS017-10, and ensure external access to SMB is blocked or restricted; the command below will disable SMB on a Windows operating system (requires Administrator privileges).
Dism /Online /Disable-Feature /FeatureName:SMB1Protocol /Quiet /NoRestart
For any machines suspected of infection, disconnect them from the network and power them off. For Zepko CERT customers, please call the SOC if you suspect infection that we haven’t yet alerted on.
Ensure backups are kept offline in the short term to prevent corruption via network share access.
Further details can be found further on in the article concerning decryption and mitigation techniques.
Indicators of compromise link to increased volume of SMB traffic on the network. The following STIX2 patterns will detect large volumes of SMB traffic for a single host, which could be an indication of an infected machine. Values should be modified to suit your network baselines.
[ipv4-addr:value = '10.0.0.0/8' AND [network-traffic:dst_port = '139' OR networktraffic:dst_port = '445']] REPEATS 100 TIMES WITHIN 120 SECONDS [ipv4-addr:value = '172.16.0.0/12' AND [network-traffic:dst_port = '139' OR networktraffic:dst_port = '445']] REPEATS 100 TIMES WITHIN 120 SECONDS [ipv4-addr:value = '192.168.0.0/16' AND [network-traffic:dst_port = '139' OR networktraffic:dst_port = '445']] REPEATS 100 TIMES WITHIN 120 SECONDS
Unconfirmed IOCs (Indicators of Compromise)
Initial Infection Vector
It appears the initial vector was a poisoned update for the MeDoc (A financial Technology Organisation) software suite, which is used extensively in the Ukrainian Government.
myguy.xls.hta myguy.exe Order-20062017.doc BCA9D6.exe 10807.exe
rundll32.exe (this process is not always malicious)
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739 fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206 ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6 17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5
a809a63bc5e31670ff117d838522dec433f74bee d5bf3f100e7dbcc434d7c58ebf64052329a60fc2 aba7aa41057c8a6b184ba5776c20f7e8fc97c657 bec678164cedea578a7aff4589018fa41551c27f 078de2dc59ce59f503c63bd61f1ef8353dc7cf5f 0ff07caedad54c9b65e5873ac2d81b3126754aac 51eafbb626103765d3aedfd098b94d0e77de1196 82920a2ad0138a2a8efc744ae5849c6dde6b435d 1b83c00143a1bb2bf16b46c01f36d53fb66f82b5 7ca37b86f4acc702f108449c391dd2485b5ca18c 2bc182f04b935c7e358ed9c9e6df09ae6af47168 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d 101cc1cb56c407d5b9149f2c3b8523350d23ba84 9288fb8e96d419586fc8c595dd95353d48e8a060 736752744122a0b5ee4b95ddad634dd225dc0f73 dd52fcc042a44a2af9e43c15a8e520b54128cdc8
71b6a493388e7d0b40c83ce903bc6b04 af2379cc4d607a45ac44d62135fb7015 d0a0e16f1f85db5dfac6969562923576 415fe69bf32634ca98fa07633f4118e1 0487382a4daf8eb9660f1c67e30f8b25 a1d5895f85751dfe67d19cccb51b051a d2ec63b63e88ece47fbaab1ca22da1ef
firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com
french-cooking.com coffeinoffice.xyz sundanders.online tapodhan.de
126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11
Targeted File Extensions
.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip
The following Snort rules also will detect the EternalBlue vector. These have already been deployed to all Zepko IDS/IPS/ZIDS and ThreatProtect customers.
alert tcp $HOME_NET 445 -> any any (msg:”ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response”; flow:from_server,established; content:”|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|”; depth:16; fast_pattern; content:”|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|”; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2;) alert smb any any -> $HOME_NET any (msg:”ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)”; flow:to_server,established; content:”|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|”; depth:16; fast_pattern; content:”|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|”; distance:0; flowbits:set,ETPRO.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:1;) alert smb $HOME_NET any -> any any (msg:”ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response”; flow:from_server,established; content:”|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|”; depth:16; fast_pattern; content:”|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|”; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)
Unlike WannaCry, Petya has several predecessors, a large amount of which can be decrypted with publicly available tools. The Zepko CERT team will liaise with affected customers should the need for decryption become necessary and a viable decrypter is confirmed.
An unconfirmed antidote mechanism may be able to prevent the encryption process: Create the file C:\Windows\perfc.dat and set it to read-only, which will prevent the encryption process from executing successfully. Credit: HackingDave
Initial research has confirmed that with early detection, the encryption process can be averted. Upon first infection, the ransomware creates a scheduled task set between 1-2 hours later. Once it restarts, the id value is encrypted and cannot be decrypted again.
If you have detected early infection (after infection but before machine restart), check for the presence of a scheduled task like the one shown below and disable it. After this ensure that the machine is not restarted, and our CERT team can help remove the infection and restore the machine.
Image credit: @0x09AL
Once the infected machine reboots, the encryption process is started, which appears to be an innocuous CHKDSK process repairing the filesystem.
If you see this screen, power off the machine immediately to interrupt the encryption process!
Once this process has finished, the machine will reboot again and the ransom screen – shown below – will appear.
Image credit: Kaspersky
I can confirm 100% that so long as you do not go past the CHKDSK message, your files are safe and you can recover from a LiveCD. #Petya
— Hacker Fantastic (@hackerfantastic) June 27, 2017
Our thanks to all the members of the security industry – including those credited here – for their hard work. If you believe we have not given you credit where credit is due, please get in touch.