Update: Intelligence Advisory –  Petya Outbreak

This is an update to the Intelligence Advisory released June 27, 2017.

On June 27 2017, Optiv’s Global Threat Intelligence Center (gTIC) received reports from several sources pertaining to the newly created Petya ransomware strain. Initial reports identified infections in multiple countries including Russia, Ukraine, Spain, France, United Kingdom, the United States, and India. Affected industries included: financial services; retail, hospitality and travel; and energy and utilities. The modification was identified as the EternalBlue exploit (SMB vulnerability in multiple Microsoft Window distributions) leveraged in the globally recognized WannaCry outbreak.

Further analysis suggests that the recent Petya malware is operating as a disk wiper instead of the ransomware it purports to be. New research released June 28th, 2017 by the cyber-security firm Comae contained an analysis of the differences in Petya code samples captured back in 2016, and compared it with code obtained in June of 2017.  Differences between the two code samples highlight Petya (GoldenEye, Petyawrapper, NotPetya, SortaPetya, Petna) as a wiper, instead of ransomware. Ransomware attempts to extort victims for monetary gain while wipers are designed to destroy data, and prevent recovery.

The gTIC team assesses with HIGH CONFIDENCE that this Petya variant has an espionage-based intent, and should be addressed as a critical threat. According to Comae, the ransomware lure was designed to be a distraction, and the author(s) never intended to allow data recovery. 

It should also be noted that payment should not be made under any circumstance as the associated e-mail account for this variant has been disabled by its’ service provider. Even if the campaign alignment was monetary extortion, a decryption key will NOT be exchanged.

Technical Background

Researchers following the Petya outbreak believe that ground zero for the global outbreak was a compromised accounting software update server. M.E.Doc is a Ukrainian software vendor that has had historic issues of being compromised. In May of 2017, M.E.Doc was found to have been serving up XData Ransomware during one of its’ automated software updates. M.E.Doc customers are primarily Ukrainian and Russia therefore constituting the vast majority of victims infected with the Petya variant.

Research conducted by Comae, backed by Kaspersky, identified differences in the core of the ransomware code. While traditional Petya, and it’s many variants, are extortion-based malware conducting campaigns designed for monetary gain from victims, the change in its core code caused this Petya to focus on wiping the first few sectors of the drive, where it would then switch back to Petya’s encryption of the Master Boot Record.  This type of attack is commonly seen in wiper-based malware, such as Shamoon. Additionally, according to MalwareTech, this Petya variant was specifically designed to only spread across the infected devices’ local network.

According to Comae: “The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative. A ransomware has the ability to restore its modification such as (restoring the MBR like in the 2016 Petya, or decrypting files if the victim pays) — a wiper would simply destroy and exclude possibilities of restoration.”

NotPetya deletes the first twenty-four sector blocks of the drive, and prevents any data from being written to those sectors. These changes are permanent and cause critical damages to the disk. Considering the steps that were taken to modify the ransomware code, and how most ransomware campaigns are not very ‘profitable’, it would be safe to imply the smokescreen theory and the national state attribution.

Recommendations

As previously stated, the e-mail account associated with this variant has been shut down by its’ service provider. The recovery of decryption keys will NOT be possible, and therefore ransoms should NOT be paid under any circumstances.

Previous recommendations from the original advisory are still in effect:

Remediation in all cases is to prevent reboot after bluescreen, thereby preventing stage 2 encryption. Take a disk image to retain information, then wipe and reboot. The following Microsoft software are exposed to SMB vulnerability attacks, as well as other variants and tools that employ the same vulnerability:

• Microsoft Windows Vista SP2
• Microsoft Windows Server 2008 SP2 and R2 SP1
• Microsoft Windows 7
• Microsoft Windows 8.1
• Microsoft Windows RT 8.1
• Microsoft Windows Server 2012 și R2
• Microsoft Windows 10
• Microsoft Windows Server 2016
• Microsoft Windows XP
• Microsoft Windows Server 2003

MS17-010 is the Microsoft security bulletin number the SMB Server patches that need to be applied. They include:

• KB4012598
• KB4012215
• KB4012212

Petya leverages CVE-2017-0199 and the following needs to be applied.

• KB4015546
• KB4015549

If patching is not possible at this time, tighten SMB security and close port 445. 

Thwart malware by hardening settings for what tools can be run on a machine, as well as which file paths can be made executable. For instance, executables should not be run out of the system’s temporary directory. Because all binaries have permissions to write to the temp dir it is often used by malware for initial execution after exploitation.

Implement Endpoint Controls to Protect the Windows AppData Folder. Many malware variants (including CryptoLocker) use the AppData folder to store and call executable files and DLLs. Preventing DLL and executable access from being copied to or accessed from this folder contains many common ransomware variants.

Monitor for Unauthorized Use of Windows Administration Tools. Modern APTs are using native Windows administration tools such as PSExec, Cygwin, PowerShell, Windows Credential Editor (WCE) and alternative consoles. Native tools are often allowed by endpoint security tools and will not trigger alerts. Organizations who are not actively using these tools should add them to a blacklist or enable the potentially unwanted programs (PUP) group containing these tools.

User education should involve frequently advising users of how attackers are trying to gain a foothold in the environment – an aware user is more likely to identify and rebuff an attack attempt. User education around this campaign should include:

• Lure types: Microsoft Word documents claiming to be attached scans.
• Document Trust: Do not open documents that are not expected. This includes attachments from unknown senders, as well as documents claiming to be scans, faxes, invoices, or receipts related to vague, unknown, or unrecognized business.
• Microsoft Word features: If a document from an email is opened in Protected Mode, a user should not enable editing of the document unless they expected the document and know who sent it.

Furthermore, ensure that users are trained on how to report phishing emails to the internal information security department.

Resources

• Cimpanu, Catalin: Surpise! NotPetya is a Cyber-Weapon. It’s Not Ransomware 
• Cimpanu, Catalin: Petya Ransomware Outbreak Originated in Ukraine via Tainted Accounting Software  
• Kastrenakes, Jacob: Petya Virus is Something Worse Than Ransomware, New Analysis Shows  
• MalwareBytes Labs: Petya – Taking Ransomware to the Low Level
• Hybrid-Analysis  
• McAfee: Protecting Against Modified Petya Ransomware Variant
• Microsoft: WMIC 
• VirusTotal
• Suiche, Matt: Petya.2017 is a Wiper Not a Ransomware  
• Talos: New Ransomware Variant Compromises Systems Worldwide