Ransomware Petya

More spreading mechanisms than Wanacry

Ransomware Petya

[updated on June 28 at 11:40 CEST]

Today, the 27th of June 2017, a new variant of the Petya ransomware started to spread havoc within various companies around the world. The first news came from the Ukraine where at least two energy companies were struck.

WanaCry

This Petya variant comes only weeks after the WanaCry hack made headlines around the world where hundreds of thousands devices were infected.

This variant of Petya has more spreading methods than WanaCry (in specific PSEXEC and WMI) but does share at least one of the exploits, namely: EternalBlue, which is an exploit leaked by ‘The Shadowbrokers’ and originally used by the NSA.

The Petya ransomware was in the news earlier this year for encrypting the entire hardisk rather than only files on local and remote drives, something which is more common with other ransomware.

Source

Cisco Talos reports that the infections started in Ukraine following the auto-update feature of software by the Ukrainian company Me-Doc. Attackers likely got access to the Me-Doc update servers, using the update feature of the software to infect all their, mostly Ukrainian customers. This explains the disruptions observed within various Ukrainian companies, including airports, hospitals and other vital infrastructure. This supports what Fox-IT is observing, affected companies have business in Ukraine and observed initial Petya activity from those networks.

Because of the various spreading mechanisms of Petya the ransomware managed to reach companies in other countries, most likely as a result of existing network connections between (branch) offices or suppliers.

Infection

When a computer gets infected with this specific version of Petya, it starts to crypt files on the local machine and also attempts to spread across the local network to other machines.

After a number of hours, the infected client is restarted and is faced with a ransom screen. At this point it is no longer possible to start the Windows operating system. On this ransom screen a bitcoin address is shown, together with a string of text that uniquely identifies this infection as well as the email address to contact the authors when the payment has been made.

Infection vector

Where WanaCry was scanning random IP addresses on the internet, and in that way infecting other companies, this version of Petya is only scanning internal hosts. This means that there must be a different initial infection vector. What this vector exactly is, is unknown for the time being. If the ransomware is run on a so called domain controller, one of the most important servers within a company, it will attempt to spread to all connected clients, to greatly improve spreading speed within a network.

Payment problems

The payment amount of $300, has to be paid in bitcoin, after which contact has to be made with the authors via the email address shown on the ransom screen. This email address however has been blocked by the provider, making it impossible to confirm payments to the people behind Petya.

Prevention

  • Apply Windows update MS17-010
  • Disable the outdated protocol SMBv1
  • Limit the use of accounts that are ‘local administrator’
  • Make back-ups and verify that they can be restored

Detection

Currently the Fox-IT Network sensors are able to detect a number of the spreading methods of Petya and work is being done to identify other methods of spreading.

Now at Fox-IT

Contact us

+31 (0) 15 284 79 99

fox@fox-it.com

Delft