Update: This post was updated on June 28, 2017. A follow-up blog, “A ‘Wiper’ in Ransomware Clothing: Global Attacks Intended for Destruction Versus Financial Gain” was published June 29.

The malware, being referred to as a Petya variant, has impacted systems in 65 countries. One initial infection vector has been traced by Microsoft to the MEDoc updater process, and there are some reports that the creators of the malware meant to destroy data, not just hold it for ransom.

Today, IBM X-Force analysts determined that the credentials used with PsExec and WMIC for lateral movement were obtained using Mimikatz. To help stop lateral movement, a new recommendation has been added to the list at the end of this post.


Once the malware is loaded on a machine, it encrypts the MBR (master boot record) and schedules a reboot. During the reboot, a fake CHKDSK screen is displayed. After the fake CHKDSK run finishes, the system is restarted again and the following ransom message is shown:

Additional technical details from Mark Yason of the IBM X-Force Research team:

Initial Execution

  • The malware arrives as a DLL on infected systems. It exports an unnamed function (ordinal 1) which runs its main code.
  • Upon execution, the malware copies its code into a newly allocated memory region and continues execution from there. The malware then deletes itself (the malware DLL) from the file system.
  • The malware checks whether the file C:\Windows\%DllNameWithoutExtension% exists. If it does, the malware terminates itself; otherwise, it creates that file to mark that it has executed on the system.
    • %DllNameWithoutExtension% is the name of the malware DLL without the extension. For example, if the name of the malware DLL is “perfc.dat”, the file C:\Windows\perfc is checked.

Propagation via EternalBlue Vulnerability

  • The malware propagates to target machines by exploiting the EternalBlue vulnerability.
  • Upon successful exploitation of a target machine, the malware will be dropped as “%WINDIR%\%MalwareDllName%” and will be executed by lsass.exe using the following command:

ADMIN$ Share Propagation

  • The malware also propagates via the ADMIN$ share of target machines.
  • To be able to connect to the ADMIN$ share of target machines, the malware drops a logon credential dumper tool to a temporary file and executes it. It communicates with the credential dumper tool via a pipe named “\\.\pipe\%RandomGUID%”, over which it receives the dumped credentials.
  • The malware also drops the PsExec tool that it will use for executing its dropped copy on remote machines. The dropped PsExec tool will have the name “%WINDIR%\dllhost.dat” or “%ProgramData%\dllhost.dat”.
  • The malware attempts to connect to the ADMIN$ share of target machines using the dumped credentials. If the connection is successful, the malware will drop a copy of itself as “\\%TargetMachine%\admin$\%MalwareDllName%” which corresponds to “%WINDIR%\%MalwareDllName%” in the target machine.
  • Once dropped in the target machine, the malware will attempt to execute its dropped copy by using PsExec:

If PsExec fails, the malware will attempt to use the WMIC tool to execute its dropped copy:

New Recommendation

  • Block ADMIN$ with GPO to stop lateral movement via WMI and PSEXEC.

Original article published June 27, 2017.

Early on Tuesday, June 27, reports began to circulate that organizations in Ukraine and elsewhere in Europe were suffering ransomware attacks. It quickly became clear that this Petya attack could equal or surpass the May WannaCry attack.

WannaCry’s spread was so successful because it was powered by a flaw in Windows, and although Microsoft had released a patch to fix the flaw, many companies didn’t apply it before the outbreak. Luckily, companies outside of the initial attack zone of the EU were able to get their systems patched to prevent greater international impact.

Unfortunately, the authors of this variant of ransomware have learned from the past. The current outbreak of Petya ransomware can be spread to unpatched systems via the same exploit as WannaCry, but it can also achieve lateral movement to infect patched systems on connected networks using Windows Management Instrumentation Command-line (WMIC) and PsExec, a remote command tool from Microsoft.


What Is Petya?

Most outlets are reporting the ransomware as Petya; however, at least one security company believes it is a copycat and not a true Petya variant. At this time, IBM X-Force has identified at least three samples we believe are updated Petya variants.

Petya ransomware first appeared in 2016. It is unique in the ransomware space because it encrypts the master boot record (MBR) and master file table (MFT) on infected hosts. One of Petya’s more unique aspects is that it can work even if a system is offline. It does not require a live connection to a command-and-control (C&C) server.

In this recent outbreak, it appears that the current Petya payload is being distributed using the same EternalBlue exploit that was part of the so-called Shadow Brokers leaks that powered the spread of WannaCry. As in the WannaCry outbreak, this malware is modular.

Basic Technical Details

The Petya outbreak made headlines for spreading very rapidly on June 27, 2017, but the building blocks were not new.

Lateral Movement: SMB Wormholes

One of the ways Petya moves around and propagates is by scanning transmission control protocol (TCP) port 445 to identify and target machines that use unpatched versions of server message block (SMB). If that sounds familiar from your reading during the WannaCry outbreak, you’re right. It’s the same.

Remote Execution: EternalBlue, WMIC and PsEXEC

IBM X-Force Incident Response & Intelligence Services (XF-IRIS) has confirmed that the samples from the current outbreak are using EternalBlue. EternalBlue, from the alleged Shadow Brokers leak, exploits CVE-2017-0144, which allows attackers to execute arbitrary code on a target system. This can include code that scans for the presence of exploit code like DOUBLEPULSAR, or code that scans nearby systems and attempts to infect them.

WMIC and PsExec are not vulnerabilities: They are Microsoft tools to help admins manage systems and networks. WMIC allows users to run processes and scripts, while PsExec allows a remote user to take remote control of a system. In the hands of administrators these are important and useful tools, but when accessed by an attacker, they can be used to install malcode — like Petya — on target systems.

Once on the system, the ransomware copies itself to the C:\Windows\ directory and installs a PE file as C:\Windows\dllhost.dat. To cover its tracks, the ransomware uses schtasks to create a scheduled task that reboots the system at a set time. To further cover its tracks, the ransomware uses wevtutil.exe to clear the Setup, System, Security and Application logs, and uses fsutil.exe to delete information in the change journal.
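As an added example (not code from the IBM post), the following Python scores hosts by how many of the anti-forensics steps just described (clearing the four event logs, deleting the USN change journal, scheduling a reboot) appear in their process-creation command lines. The sample events are constructed, and the host names and severity thresholds are assumptions.

```python
import re
from collections import defaultdict

# Patterns for the three anti-forensics steps described in the post.
# Windows command lines are case-insensitive, hence re.I.
WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(\w+)", re.I)
USN_DELETE = re.compile(r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.I)
REBOOT_TASK = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b.*\bshutdown(?:\.exe)?\s+/r\b", re.I)
TARGET_LOGS = {"setup", "system", "security", "application"}

# Constructed sample process-creation events: (host, command line). Not real telemetry.
EVENTS = [
    ("ws01", r"C:\Windows\System32\wevtutil.exe cl Setup"),
    ("ws01", r"C:\Windows\System32\wevtutil.exe cl System"),
    ("ws01", r"C:\Windows\System32\wevtutil.exe cl Security"),
    ("ws01", r"C:\Windows\System32\wevtutil.exe cl Application"),
    ("ws01", r"C:\Windows\System32\fsutil.exe usn deletejournal /D C:"),
    ("ws01", r'schtasks.exe /Create /SC ONCE /TN Maint /TR "shutdown.exe /r /f" /ST 10:45'),
    ("ws02", r"C:\Windows\System32\wevtutil.exe cl Application"),  # lone admin action
    ("ws02", r"C:\Windows\System32\notepad.exe C:\Users\admin\notes.txt"),
]


def assess(events):
    """Return {host: {"cleared": set, "usn_deleted": bool, "reboot_task": bool,
    "indicators": int, "severity": str}} for (host, command_line) records."""
    state = defaultdict(lambda: {"cleared": set(), "usn_deleted": False, "reboot_task": False})
    for host, cmd in events:
        st = state[host]
        m = WEVTUTIL_CLEAR.search(cmd)
        if m:
            st["cleared"].add(m.group(1).lower())
        if USN_DELETE.search(cmd):
            st["usn_deleted"] = True
        if REBOOT_TASK.search(cmd):
            st["reboot_task"] = True
    result = {}
    for host, st in state.items():
        # One indicator per step; all four logs must be cleared to count the first.
        hits = sum([TARGET_LOGS <= st["cleared"], st["usn_deleted"], st["reboot_task"]])
        st["indicators"] = hits
        st["severity"] = "high" if hits >= 2 else ("medium" if hits == 1 else "low")
        result[host] = st
    return result


if __name__ == "__main__":
    for host, st in assess(EVENTS).items():
        print(host, st["severity"], st["indicators"], sorted(st["cleared"]))
```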

Don’t Pay the Ransom

Many companies may be tempted to pay the ransom to get their systems back online. Going forward, address network segmentation and backups so that in the future, if systems are locked up, they can be taken offline and restored quickly.

IBM Security recommends:

  • Ensure systems are patched (MS17-010) and all antivirus programs are up to date.
  • Determine if backup systems are effectively configured.
  • Restore only from secure backups with known safe snapshots or reimage systems completely.
  • Isolate any unpatched systems to prevent lateral movement of Petya.
  • Verify effective monitoring of all critical systems and networks.
  • Create or maintain regular reviews of privileged credential protection to prevent further access via legitimate tools across a network.
  • Review incident response and contingency plans.
  • Block ADMIN$ with GPO to stop lateral movement via WMI and PSEXEC.

Protecting Your Organization with IBM

Based on the seriousness of this event, IBM is making all of our findings publicly available via a continuously updated X-Force Exchange Collection.

For immediate help, contact the IBM X-Force Incident Response Hotline at 1.888.241.9812 or 1.312.212.8034.

This is a developing situation. As relevant information becomes available, we will post updates here, on the @IBMSecurity Twitter page and on X-Force Exchange.
