Update 29/6/2017: Wiper instead of ransomware?
What is it?
A new variant of the Petya ransomware (also named NotPetya or Nyetya by other companies) is on the loose. On top of the EternalBlue exploit it spreads with a known and legitimate method: stolen credentials and standard Windows administration tooling.
This makes it different from, and more dangerous than, other malware seen in the wild such as WannaCry, which only used the EternalBlue exploit against Windows SMBv1. A fully patched host can still be infected by an already compromised neighbour.
The worm harvests credentials from the compromised host and reuses them with PsExec and WMIC to connect to other hosts in the network. This is an authenticated step via the ADMIN$ share, so it needs no vulnerability on the target.
The worm creates a scheduled task to reboot the infected system one hour after the initial infection. If that task is removed before it fires, it appears that backups of important files can still be made, because the full encryption happens when the system reboots. It is not 100% clear whether no encryption at all happens prior to the reboot.
Where does it come from?
At this point there are no clear indicators of where the attack comes from. With the information currently available, it appears that Petya was delivered to potentially several million computers through the compromised Ukrainian accounting software “MeDoc”: its automatic update feature was used to push the malware to all computers running the software. All known victims appear to have ties with MeDoc, or a connection with an entity which has.
Who are or can be affected?
It appears to be a Windows-only variant so far, so Windows users are at risk. Multiple large enterprises have been hit; Maersk, TNT and several Ukrainian entities are among them.
What did the attackers want to achieve?
The money side of this business model isn’t well set up. That is the surprising part, as the rest of the code is really well designed. So far the attackers have collected only about 4 BTC from 45 payments, while tens of thousands of computers have been infected.
An e-mail address to which victims have to send a clearnet e-mail containing their very lengthy and complex “encryption” key? That doesn’t make sense: the attackers would be flooded with mistyped keys, causing a lot of tedious and annoying correspondence between attacker and victim, not to mention the obvious take-down of the account very early in the game (see Posteo’s blog).
It has more the characteristics of an attack whose goal is simply to cause (global) mayhem. It may very well be a trial run for something bigger. It bears resemblance to sabotage-style attacks of the past (Stuxnet against Iran’s uranium enrichment plant at Natanz in 2010, and Shamoon against Saudi Aramco in 2012).
The use of a ransomware disguise creates a convenient ‘plausible deniability’ effect.
I can’t deny that I have a funny feeling this isn’t the last we hear about this new variant.
Update 29/6/2017: Proof seems to have been found that the ‘encryption’ key is nothing more than a random string without any use (source).
Why did the attack spread so fast?
The worm collects actual user credentials from the host itself and uses them with a legitimate method of connecting to other hosts: it harvests credentials from memory with a Mimikatz-derived tool and reuses them with PsExec and WMIC to move laterally. No exploit is needed for this path, so patched hosts are reachable too.
This results in very fast lateral movement. Every newly infected host immediately starts attacking its own neighbours, so the spread grows exponentially, like an oil spill.
How can we protect our company?
There are multiple possible ways; the basics are to patch your systems (MS17-010 closes the SMBv1 hole used by EternalBlue) and not to click on links in e-mails from untrusted sources.
However, this is not enough, as the worm also spreads via a “legitimate” method that works against patched hosts. The following recommendations help prevent the ransomware from spreading within a network.
1. If you are infected, do not pay the ransom. The e-mail address referred to is no longer in service according to Posteo’s blog, so no decryption key will be received when you pay.
2. Change all user passwords in the network and force an immediate change, starting with privileged and local administrator accounts, since those are what make the lateral movement possible. A change that is merely required at next logon leaves the credentials the worm already holds valid until that logon happens. When the worm doesn’t hold working credentials it can’t spread.
3. Block the ADMIN$ share in the network. The worm uses it to copy itself to the next host, so disallowing access prevents that path of spread. Be aware that this also breaks legitimate remote administration (PsExec included) and does nothing against the EternalBlue path, which needs the patch.
4. A vaccine is available to prevent infection of a host: create a read-only file in C:\Windows with the name of the dropped DLL, without its file extension.
* Note that the vaccine only works against samples that use exactly the same DLL filename.
I ran several analyses and found that the created file has the same name as the executed payload. This means the vaccine will only work as long as there is no change in filename.
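As an added example that is not part of the original post, the host-side parts of the list above in one PowerShell script: it creates the vaccine file (recommendation 4), finds and optionally deletes the forced-reboot scheduled task described earlier so that backups can be taken first, and optionally disables the administrative shares and blocks inbound SMB (recommendation 3). The post does not name the payload; the script assumes the widely reported filename perfc.dat, hence a vaccine file named perfc, and accepts other names for renamed samples. The firewall rule name is my own choice. Run it from an elevated PowerShell on Windows 8 / Server 2012 or later.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not code from the original post.
  Assumption not stated in the post: the payload is dropped as perfc.dat, so the
  vaccine file is C:\Windows\perfc. Pass -PayloadNames for other names.
#>
param(
    [string[]]$PayloadNames = @('perfc'),
    [switch]$RemoveRebootTask,     # delete the forced-reboot task instead of only reporting it
    [switch]$DisableAdminShares    # recommendation 3: stop auto-creating ADMIN$/C$, block inbound SMB
)

function New-VaccineFile {
    param([Parameter(Mandatory)][string]$Name)
    # Recommendation 4: an existing file with the payload's name (no extension) in C:\Windows
    $path = Join-Path $env:SystemRoot $Name
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path -Force | Out-Null
    }
    # The malware only checks that the file exists; read-only guards against casual deletion.
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    return $path
}

function Get-ForcedRebootTask {
    # The worm registers a scheduled task that reboots the host. Match on the action
    # (shutdown.exe with /r) rather than on a task name, which a sample can change.
    Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object {
            $_.Execute -match 'shutdown(\.exe)?$' -and $_.Arguments -match '(^|\s)/r(\s|$)'
        }
    }
}

function Disable-AdminShares {
    # Caveat: this breaks legitimate remote administration (PsExec, remote file copies,
    # some management agents) and, on a file server, blocking 445 breaks file sharing.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $type = (Get-CimInstance Win32_OperatingSystem).ProductType   # 1 = workstation, 2/3 = server
    $name = if ($type -eq 1) { 'AutoShareWks' } else { 'AutoShareServer' }
    Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
    Restart-Service LanmanServer -Force                            # shares are recreated without ADMIN$/C$

    $ruleName = 'Block inbound SMB (NotPetya containment)'         # name chosen for this example
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block | Out-Null
    }
}

foreach ($n in $PayloadNames) {
    Write-Host "Vaccine file present: $(New-VaccineFile -Name $n)"
}

foreach ($task in Get-ForcedRebootTask) {
    $action = $task.Actions | Where-Object { $_.Execute -match 'shutdown' } | Select-Object -First 1
    Write-Warning ("Forced-reboot task '{0}' in {1}: {2} {3}" -f `
        $task.TaskName, $task.TaskPath, $action.Execute, $action.Arguments)
    if ($RemoveRebootTask) {
        $task | Unregister-ScheduledTask -Confirm:$false
        Write-Host "Removed; take your backups before the host is rebooted by any other means."
    }
}

if ($DisableAdminShares) { Disable-AdminShares }
```

Run it first without switches to see whether a reboot task is pending, then with `-RemoveRebootTask` on a host you believe is infected, and only add `-DisableAdminShares` once you have confirmed that your own remote-administration tooling can cope with the loss of ADMIN$ and port 445. The vaccine remains a per-filename measure, as the post notes: a sample dropped under another name walks straight past it.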