Petya…let us take a breath…

Hello All. So most of you know what is going on in the cyber security world…Petya. If you have no idea what I am talking about, then you may want to read a website or turn on the TV. Petya is a form of malware, more specifically ransomware. Although it has bubbled to the surface a few days a go, it has actually been around since 2016. The malware targets Microsoft Windows-based systems, infecting the master boot record to execute a payload that encrypts the NTFS file table, demanding a payment in Bitcoin in order to regain access to the system.

As per Wikipedia, “Variants of Petya were first seen in March 2016, which propagated via infected e-mail attachments. In June 2017, a new variant of Petya was used for a global cyberattack, primarily targeting Ukraine. The new variant propagates via the EternalBlue exploit, which is generally believed to have been developed by the U.S. National Security Agency (NSA), and was used earlier in the year by the WannaCry ransomware. Kaspersky Lab referred to this new version as NotPetya to disambiguate it from the 2016 variants due to these differences in operation. In addition, although it purports to be ransomware, it is unable to actually revert its changes.”

Some further valuable analysis findings:

Distribution methods

The malware is distributed via phishing e-mails.
For further distribution within the network the malware uses:

  • MS17-10 vulnerability (like WannaCry).
  • Remote access to WMI (Windows Management Instrumentation)
  • Command line:
  • “process call create \”C:\\Windows\\System32\\rundll32.exe \\\”C:\\Windows\\perfc.dat\\\” #1”.
  • The malware also uses «PSEXEC» toolkit or some similar tool (we are currently investigating this as well as the source of credentials used to infect remote systems via WMI).

Encryption

  • The malware clears system logs using the following command:
    «wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:» to make further analysis more difficult.
  • It also writes its code to Hard Drive MBR, initiates system reload and adds reload commands to Windows planner (“schtasks” and “at” commands).
  • After the system is reloaded the malware downloads its code from MBR and encrypts data on the hard drive (File allocation table is encrypted, we are currently investigation what else is being encrypted).
  • If the computer is shut down before the reload, MBR can be reestablished with “bootrec /FixMbr” command. (in Vista+, for Windows XP “fixmbr” can be used).
  • In case the privileges are not high enough to rewrite MBR, the files are encrypted without a system reload. The list of file types that are encrypted: 3ds, 7z, accdb, ai, asp, aspx, avhd, back, bak, c, cfg, conf, cpp, cs, ctl, dbf, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, kdbx, mail, mdb, msg, nrg, ora, ost, ova, ovf, pdf, php, pmf, ppt, pptx, pst, pvi, py, pyc, rar, rtf, sln, sql, tar, vbox, vbs, vcb, vdi, vfd, vmc, vmdk, vmsd, vmx, vsdx, vsv, work, xls, xlsx, xvd, zip.

Recommendations

  • Recommendations that we have pulled together still indicate the same remediation as Wannacry, with the following:
  • Install required Windows updates (MS17-10): – https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  • Turn off SMB1:
    https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows
  • It is also advised to block the execution of «PSEXEC.EXE» software on potentially compromised machines and block remote access to WMI.