Petya ransomware – Cyberattack on European businesses and infrastructure

Update: Indicators of Compromise and new information added.

Summary

The latest ransomware attack, in a recent swell of incidents following the Shadow Brokers' release of NSA malware tools, first struck in Ukraine and has been seen affecting energy companies, banks, government bodies, and even critical systems such as the airport and metro services in Kiev. The ransomware has now spread globally, hitting major international businesses and key infrastructure in a number of countries.

“It has affected all branches of our business, at home and abroad.”

Anders Rosendahl, spokesman for the Copenhagen-based shipping giant A.P. Moller-Maersk

We are seeing widespread reports of ransomware infections globally; initial investigation suggests it is a new strain of the ransomware previously known as Petya and Petrwrap. While none of our customers have been affected, the threat is severe enough to trigger our notice procedure.

Petya is a ransomware strain that pivots through the ETERNALBLUE exploit (CVE-2017-144, patched by MS17-010), access to administrative SMB shares, and e-mail. On execution it encrypts files locally and on connected shares. Unlike many other ransomware families, it also encrypts the hard drive's master file table (MFT): it corrupts the MBR, replacing it with custom code that is loaded in place of the operating system after a reboot, which the malware schedules roughly an hour after infection.

The ransomware then demands that a ransom be paid to decrypt the affected files; this has been reported to be $300 USD (~ £234.72 GBP / €265.62 EUR at the time of writing).

In the event of an infection, do not pay the ransom – the email address is blocked and cannot be accessed.

The following Bitcoin wallet has been attributed to the campaign and can be observed receiving what are assumed to be ransom payments from victims around the world.

1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

Detail

This malware spreads through the following known vectors:

  • EternalBlue – CVE-2017-144 – patched by MS17-010
  • SMB admin share access from infected machines
  • Lateral movement with WMIC and PSEXEC
  • A watering-hole attack on the site bahmut.com[.]ua/news/ (Credit to 
  • E-mail attachments *historical vector – currently unverified*

Further analysis has revealed that the Ukrainian-made accounting software MeDoc may be involved: it appears that an update to that software was responsible for distributing the ransomware, and some evidence supports this claim. Regardless of the initial vector, the ransomware is capable of highly efficient lateral movement within networks, and the appropriate security signatures should be implemented to prevent infections.

Once installed, the malware encrypts files and demands a Bitcoin ransom to decrypt them. Paying this ransom is not advised, as there is no guarantee files will be restored.

Affected Services

Windows SMB Version 1 – CVE

Solution / Prevention

If you haven't already, patch Windows systems with MS17-010 and ensure external access to SMB is blocked or restricted. The command below disables the SMBv1 protocol feature on a Windows operating system (requires Administrator privileges).

Dism /Online /Disable-Feature /FeatureName:SMB1Protocol /Quiet /NoRestart

For any machines suspected of infection, disconnect them from the network and power them off. For Zepko CERT customers: please call the SOC if you suspect an infection that we haven't yet alerted on.

Ensure backups are kept offline in the short term to prevent corruption via network share access.

Further details on decryption and mitigation techniques can be found later in this article.

Indicators

Indicators of compromise include an increased volume of SMB traffic on the network. The following STIX2 patterns detect a large volume of SMB traffic from a single host to the internal address ranges, which could be an indication of an infected machine. The thresholds should be modified to suit your network baselines.

[ipv4-addr:value ISSUBSET '10.0.0.0/8' AND (network-traffic:dst_port = 139 OR network-traffic:dst_port = 445)] REPEATS 100 TIMES WITHIN 120 SECONDS

[ipv4-addr:value ISSUBSET '172.16.0.0/12' AND (network-traffic:dst_port = 139 OR network-traffic:dst_port = 445)] REPEATS 100 TIMES WITHIN 120 SECONDS

[ipv4-addr:value ISSUBSET '192.168.0.0/16' AND (network-traffic:dst_port = 139 OR network-traffic:dst_port = 445)] REPEATS 100 TIMES WITHIN 120 SECONDS
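As an added illustration (not part of the original advisory), the following Python script applies the same threshold logic to flow records offline: it counts SMB connections (ports 139/445) from each source host to the RFC 1918 ranges in a sliding 120-second window and reports hosts that reach 100. The flow-record format and the sample data are constructed for the example.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# Thresholds mirror the STIX patterns above: 100 SMB flows within 120 seconds
# from one host to the RFC 1918 ranges. Tune them to your own baseline.
SMB_PORTS = {139, 445}
THRESHOLD = 100
WINDOW_SECONDS = 120
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line):
    """Parse one constructed flow record: '<ISO timestamp> <src> <dst> <dst_port>'."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def find_smb_bursts(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: time the threshold was first reached} for hosts opening at
    least `threshold` SMB connections to internal hosts within a sliding window."""
    recent = defaultdict(deque)  # src -> timestamps of its recent SMB flows
    hits = {}
    for ts, src, dst, port in sorted(map(parse_line, lines)):
        if port not in SMB_PORTS or not is_internal(dst):
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # expire flows outside window
            q.popleft()
        if len(q) >= threshold and src not in hits:
            hits[src] = ts
    return hits

def sample_lines():
    """Constructed records: 10.1.2.3 sweeps 120 internal hosts on 445 within a
    minute (worm-like lateral movement); 10.1.2.9 is ordinary file-server use."""
    lines = [f"2017-06-27T10:00:{i // 2:02d} 10.1.2.3 10.1.0.{i + 1} 445"
             for i in range(120)]
    lines += [f"2017-06-27T10:{i:02d}:00 10.1.2.9 10.1.0.50 445" for i in range(10)]
    lines.append("2017-06-27T10:00:05 10.1.2.3 203.0.113.7 445")  # external dst, ignored
    return lines

if __name__ == "__main__":
    for host, when in find_smb_bursts(sample_lines()).items():
        print(f"{host}: SMB burst threshold reached at {when.isoformat()}")
```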

Unconfirmed IOCs (Indicators of Compromise)

Initial Infection Vector

It appears the initial vector was a poisoned update for the MeDoc software suite (MeDoc is a financial technology organisation), which is used extensively in the Ukrainian Government.

Malicious Files

  • myguy.xls.hta
  • myguy.exe
  • Order-20062017.doc
  • BCA9D6.exe
  • 10807.exe

Processes (Windows)

  • rundll32.exe (this process is not always malicious)
Email Addresses

  • wowsmith123456@posteo.net
  • amanda44i8sq@outlook.com
  • carmellar4hegp@outlook.com
  • iva76y3pr@outlook.com

Domain Names

  • french-cooking.com
  • coffeinoffice.xyz
  • sundanders.online
  • tapodhan.de

IP Addresses

  • 95.141.115.108
  • 84.200.16.242
  • 111.90.139.247
  • 185.165.29.78
Targeted File Extensions

.3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip

Alert Rules

The following Snort rules will also detect the EternalBlue vector. They have already been deployed to all Zepko IDS/IPS/ZIDS and ThreatProtect customers.

alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2;)

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)"; flow:to_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:set,ETPRO.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:1;)

alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)

Decryption

Unlike WannaCry, Petya has several predecessors, many of which can be decrypted with publicly available tools. The Zepko CERT team will liaise with affected customers should decryption become necessary and a viable decrypter be confirmed.

Mitigation

An unconfirmed antidote mechanism may be able to prevent the encryption process: create the file C:\Windows\perfc.dat and set it to read-only, which will prevent the encryption process from executing successfully. Credit: HackingDave

Initial research has confirmed that, with early detection, the encryption process can be averted. Upon first infection, the ransomware creates a scheduled task set to run one to two hours later. Once the machine restarts, the id value is encrypted and cannot be decrypted again.

If you have detected an early infection (after infection but before the machine restarts), check for a scheduled task like the one shown below and disable it. Then ensure that the machine is not restarted; our CERT team can help remove the infection and restore the machine.

Image credit: @0x09AL

Once the infected machine reboots, the encryption process starts, disguised as an innocuous CHKDSK process repairing the filesystem.

If you see this screen, power off the machine immediately to interrupt the encryption process!


Once this process has finished, the machine will reboot again and the ransom screen – shown below – will appear.

Image credit: Kaspersky


Our thanks to all the members of the security industry – including those credited here – for their hard work. If you believe we have not given you credit where credit is due, please get in touch.