Update: This post was updated on June 28, 2017. A follow-up blog, “A ‘Wiper’ in Ransomware Clothing: Global Attacks Intended for Destruction Versus Financial Gain” was published June 29.
The malware, being referred to as a Petya variant, has impacted systems in 65 countries, one initial infection vector has been traced, by Microsoft, to the MEDoc updater process. And there are some reports that the creators of the malware meant to destroy data not just hold it ransom.
Today IBM X-Force analysts determined that the credentials used with PsExec and WMIC for lateral movement were obtained using Mimikatz. To help stop lateral movement a new recommendation has been added to the recommendations at the end of this post.
Once the malware is loaded on a machine it encrypts the MBR (master boot record) and schedules a reboot. During the reboot a fake CHKDSK screen is displayed. After the fake CHKDSK run is finished, the system is again restarted and the following ransom message is shown:
Additional technical details from Mark Yason of the IBM X-Force Research team:
- The malware arrives as a DLL on infected systems. It exports an unnamed function (ordinal 1) which runs its main code.
- Upon execution, the malware copies its code into a newly allocated memory and continues execution from there. The malware then deletes itself (the malware DLL) from the file system.
- The malware checks if the file C:\Windows\%DllNameWithoutExtension% exists, if it does, it terminates itself, otherwise, it creates the said file to mark that it is was executed on the system.
- %DllNameWithoutExtension% is the name of the malware DLL without the extension. For example, if the name of the malware DLL is “perfc.dat”, the file C:\Windows\perfc is checked.
Propagation via EternalBlue Vulnerability
- The malware propagates to target machines by exploiting the EternalBlue vulnerability.
- Upon successful exploitation of a target machine, the malware will be dropped as “%WINDIR%\%MalwareDllName% and will be executed by lsass.exe using the following command:
- The malware also propagates via the ADMIN$ share of target machines.
- To be able to connect to the ADMIN$ share of target machines, the malware drops and executes a logon credential dumper tool to a temporary file and then executes it. It communicates with the credential dumper tool via a pipe named “\\.\pipe\%RandomGUID%” where it will receive the dumped credentials.
- The malware also drops the PsExec tool that it will use for executing its dropped copy on remote machines. The dropped PsExec tool will have the name “%WINDIR%\dllhost.dat” or “%ProgramData%\dllhost.dat”.
- The malware attempts to connect to the ADMIN$ share of target machines using the dumped credentials. If the connection is successful, the malware will drop a copy of itself as “\\%TargetMachine%\admin$\%MalwareDllName%” which corresponds to “%WINDIR%\%MalwareDllName%” in the target machine.
- Once dropped in the target machine, the malware will attempt to execute its dropped copy by using PsExec:
- Block ADMIN$ with GPO to stop lateral movement via WMI and PSEXEC.
Original article published June 27, 2017.
Early on Tuesday, June 27, reports began to circulate that organizations in the Ukraine and elsewhere in Europe were suffering ransomware attacks. It quickly became clear that this Petya attack could equal or surpass the May WannaCry attack.
WannaCry’s spread was so successful because it was powered by a flaw in Windows, and although Microsoft had released a patch to fix the flaw, many companies didn’t apply it before the outbreak. Luckily, companies outside of the initial attack zone of the EU were able to get their systems patched to prevent greater international impact.
Unfortunately, the authors of this variant of ransomware have learned from the past. The current outbreak of Petya ransomware can be spread to unpatched systems via the same exploit as WannaCry, but it can also achieve lateral movement to infect patched systems on connected networks using Windows Management Instrumentation Command-line (WMIC) and PsExec, a remote command tool from Microsoft.
What Is Petya?
Most outlets are reporting the ransomware as Petya, however at least one security company believes it is a copycat and not a true Petya variant. At this time, IBM X-Force has identified at least three samples we believe are updated Petya variants.
Petya ransomware first appeared in 2016. It is unique in the ransomware space because it encrypts the master boot record (MBR) and master file table (MFT) on infected hosts. One of Petya’s more unique aspects is that it can work even if a system is offline. It does not require a live connection to a command-and-control (C&C) server.
In this recent outbreak, it appears that the current Petya payload is being distributed using the same EternalBlue exploit that was part of the so-called Shadow Brokers leaks that powered the spread of WannaCry. As in the WannaCry outbreak, this malware is modular.
Basic Technical Details
The Petya outbreak made headlines for spreading very rapidly on June 27, 2017, but the building blocks were not new.
Lateral Movement: SMB Wormholes
One of the ways Petya moves around and propagates is by scanning transmission control protocol (TCP) port 445 to identify and target machines that use unpatched versions of server message block (SMB). If that sounds familiar from your reading during the WannaCry outbreak, you’re right. It’s the same.
Remote Execution: EternalBlue, WMIC and PsEXEC
IBM X-Force Incident Response & Intelligence Services (XF-IRIS) has confirmed that the samples from the current outbreak are using EternalBlue. From the alleged Shadow Brokers leak, EternalBlue exploits CVE-2017-0144, which allows attackers to execute arbitrary code on a target system. This can include code that scans for the presence of exploit code like DOUBLEPULSAR, or to scan nearby systems and attempt to infect them with exploit code.
WMIC and PsExec are not vulnerabilities: They are Microsoft tools to help admins manage systems and networks. WMIC allows users to run processes and scripts, while PsExec allows a remote user to take remote control of a system. In the hands of administrators these are important and useful tools, but when accessed by an attacker, they can be used to install malcode — like Petya — on target systems.
Once on the system, the ransomware copies itself to the C:\Windows\ directory and installs a PE file in C:\Windows\dllhost.dat. To cover its tracks, the ransomware uses schtasks to create a task file that will reboot the system at a scheduled time. To further cover its tracks, the ransomware uses wevtutil.exe to clear out Setup, System, Security and Application logs, and uses fsutil.exe to delete information in the change journal.
Don’t Pay the Ransom
Many companies may be tempted to pay the ransom to get their systems back online. Going forward, address network segmentation and backups so that in the future, if systems are locked up, they can be taken offline and restored quickly.
IBM Security recommends:
- Ensure systems are patched (MS17-010) and all antivirus programs are up to date.
- Determine if backup systems are effectively configured.
- Restore only from secure backups with known safe snapshots or reimage systems completely.
- Isolate any unpatched systems to prevent lateral movement of Petya.
- Verify effective monitoring of all critical systems and networks.
- Create or maintain regular reviews of privileged credential protection to prevent further access via legitimate tools across a network.
- Review incident response and contingency plans.
- Block ADMIN$ with GPO to stop lateral movement via WMI and PSEXEC.
Protecting Your Organization with IBM
Based on the seriousness of this event, IBM is making all of our findings publicly available via a continuously updated X-Force Exchange Collection.
For immediate help, contact the IBM X-Force Incident Response Hotline at 1.888.241.9812 or 1.312.212.8034.
This is a developing situation. As relevant information becomes available, we will post updates here, on the @IBMSecurity Twitter page and on X-Force Exchange.