Intelligence Advisory – New Petya Ransomware Outbreak

June 27, 2017

Intelligence Advisory – New Petya Ransomware Outbreak

On June 27, 2017, Optiv’s Global Threat Intelligence Center (gTIC) received reports from several sources concerning a recent modification to the Petya ransomware strain. This new strain is being referenced as ‘GoldenEye’. The modification has been identified as the SMB exploitation leveraged by WannaCry, the so-called EternalBlue exploit. This appears to be a previously unseen ransomware, sharing capabilities of the Petya ransomware. This ransomware continues to evolve its’ tactics, techniques, and procedures (TTPs) to maintain its’ dominance as a paid effective ransomware solution.

Countries that are currently reporting Petya infections include, but are not limited to, Russia, Ukraine, Spain, France, United Kingdom, the United States, and India. Extortion for Petya infections are set at $300 in bitcoin per infected device. Reported affected industries include, but are not limited to: financial services; retail, hospitality and travel; and energy and utilities.

Intelligence Advisory

The Global Threat Intelligence Center assesses with HIGH confidence that malicious campaigns will continue to be modified to exploit the SMB vulnerability leveraged by WannaCry, EternalBlue and now Petya. Even though Microsoft released MS17-010 in April of 2017 rendering the SMB vulnerability inert, organizations around the globe continue to report successful exploit by malicious actors. Associated patches should be applied immediately, ensuring all backups are up-to-date, and taking any other precautions, including disabling SMBv1 except where necessary, continuously updating A/V signatures and applying all known indicators of compromise. These precautions include perimeter hardening, Microsoft Word hardening, and user education to protect against commonly used infection vectors. gTIC mitigation recommendations included in the recommendations section.

Technical Background

The Petya Ransomware infection vector includes a malicious Microsoft document that downloads an executable payload. Additionally, Petya has two distinct stages. Although last updated January of 2017, Malwarebytes provides the following breakdown for Petya’s two stages:

During the first stage, the Windows executable file is dropped and executed. This overwrites the beginning of the disk, including the Master Boot Record, and makes an encrypted (XOR) backup of all original data. Stage one ends when the infected device is rebooted. Saving data from an infected device prior to reboot is relatively easy. This is because only the beginning of the disk becomes modified.

The second stage initiates after the device reboots, and results in the entire drive being encrypted.

Early analysis indicates that if the user does not have admin rights, infection will not spread beyond the infected device. The infection will be isolate only to the local system, enabling encryption only after reboot. If MS17-010 is not patched, the malware will spread via Microsoft Server Message Block. If MS17-010 is patched and the malware has admin rights, it will spread laterally via WMIC.

Recommendations

Remediation in all cases is to prevent reboot after bluescreen, thereby preventing stage 2 encryption. Take a disk image to retain information, then wipe and reboot. The following Microsoft software are exposed to SMB vulnerability attacks, as well as other variants and tools that employ the same vulnerability:

Microsoft Windows Vista SP2
Microsoft Windows Server 2008 SP2 and R2 SP1
Microsoft Windows 7
Microsoft Windows 8.1
Microsoft Windows RT 8.1
Microsoft Windows Server 2012 și R2
Microsoft Windows 10
Microsoft Windows Server 2016
Microsoft Windows XP
Microsoft Windows Server 2003

MS17-010 is the Microsoft security bulletin number the SMB Server patches that need to be applied. They include:

KB4012598
KB4012215
KB4012212

Petya leverages CVE-2017-0199 and the following needs to be applied.

KB4015546
KB4015549

If patching is not possible at this time, tighten SMB security and close port 445.

Thwart malware by hardening settings for what tools can be run on a machine, as well as which file paths can be made executable. For instance, executables should not be run out of the system’s temporary directory. Because all binaries have permissions to write to the temp dir it is often used by malware for initial execution after exploitation.

Implement Endpoint Controls to Protect the Windows AppData Folder. Many malware variants (including CryptoLocker) use the AppData folder to store and call executable files and DLLs. Preventing DLL and executable access from being copied to or accessed from this folder contains many common ransomware variants.

Monitor for Unauthorized Use of Windows Administration Tools. Modern APTs are using native Windows administration tools such as PSExec, Cygwin, PowerShell, Windows Credential Editor (WCE) and alternative consoles. Native tools are often allowed by endpoint security tools and will not trigger alerts. Organizations who are not actively using these tools should add them to a blacklist or enable the potentially unwanted programs (PUP) group containing these tools.

User education should involve frequently advising users of how attackers are trying to gain a foothold in the environment – an aware user is more likely to identify and rebuff an attack attempt. User education around this campaign should include:

Lure types: Microsoft Word documents claiming to be attached scans.
Document trust: Do not open documents that are not expected. This includes attachments from unknown senders, as well as documents claiming to be scans, faxes, invoices, or receipts related to vague, unknown, or unrecognized business.
Microsoft Word features: If a document from an email is opened in Protected Mode, a user should not enable editing of the document unless they expected the document and know who sent it.

Furthermore, ensure that users are trained on how to report phishing emails to the internal information security department.

Resources