It seems like just yesterday that the WannaCry ransomware was released and impacted many companies around the world. Just when you think the worst is over, another, more sophisticated form of ransomware was released a few days ago and is spreading like wildfire, impacting organizations that have not patched or remediated their networked devices with the Microsoft patch. This attack is very serious, affecting airlines, banks and utilities across Europe, and hospitals, pharmaceuticals and law firms in the United States. This ransomware affects virtually all Microsoft Windows clients and servers that have not been patched with the latest security updates.
Impact to date
Initial indications report that the infections began spreading across Europe, with the first infections in Ukraine, where over 12,500 machines were affected by the malware. Infections have spread across 64 countries so far, including Belgium, Brazil, Germany, Russia and the United States. The latest victims in the U.S.:
- Pittsburgh, where Valley Health Systems’ two hospitals were slammed, causing surgeries to be canceled
- the Law Firm of DLA Piper
- Merck Pharmaceutical
- Maersk Cargo – causing cargo delays
Source and nature of this malware
The current ransomware, called Petya/NotPetya, uses the same core components as the NSA-released exploit called EternalBlue. The malware was delivered through a faulty updater service in the MEDOC tax accounting software in Ukraine. It has worm-like capabilities and attempts to spread across the local network, but does not try to propagate to outside networks. This is a software supply chain attack, a recent trend among attackers. The new ransomware employs the same EternalBlue exploit used by WannaCry, allowing it to spread quickly between infected systems. It uses multiple techniques to spread, including one that was addressed by a security update previously provided for all platforms from Windows XP to Windows 10 (MS17-010). The objective of this ransomware is not so much to obtain a bitcoin ransom as it is to steal credentials, impersonate users and exfiltrate sensitive data. Kaspersky believes that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears to have been designed as a wiper attack to cause widespread damage and render systems unbootable.
Specifics of the Petya/NotPetya malware
Initial infection starts from the MEDOC updater process “ezvit.exe”, which executes the following command line:
C:\Windows\system32\rundll32.exe "C:\ProgramData\perfc.dat",#1 30
The ransomware spreading functionality is composed of multiple methods responsible for:
- stealing credentials or re-using existing active sessions
- using file-shares to transfer the malicious file across machines on the same network
- using existing legitimate functionalities to execute the payload or abusing SMB vulnerabilities for unpatched machines
This ransomware drops a credential dumping tool (typically as a .tmp file in the %Temp% folder) that shares code similarities with Mimikatz and comes in 32-bit and 64-bit variants.
Once the ransomware has valid credentials, it scans the local network to establish valid connections on ports tcp/139 and tcp/445. A special behavior is reserved for Domain Controllers or servers: this ransomware attempts to call DhcpEnumSubnets() to enumerate DHCP subnets; for each subnet, it gathers all hosts/clients (using DhcpEnumSubnetClients()) for scanning for tcp/139 and tcp/445 services. If it gets a response, the malware attempts to copy a binary on the remote machine using regular file-transfer functionalities with the stolen credentials.
It then tries to execute the malware remotely using either the PSEXEC or WMIC tools.
The ransomware attempts to drop the legitimate psexec.exe (typically renamed to dllhost.dat) from an embedded resource within the malware. It then scans the local network for admin$ shares, copies itself across the network, and executes the newly copied malware binary remotely using PSEXEC.
In addition to credential dumping, the malware also tries to steal credentials by using the CredEnumerateW function to get all the other user credentials potentially stored on the credential store. If a credential name starts with “TERMSRV/” and the type is set as 1 (generic) it uses that credential to propagate through the network.
This ransomware also uses the Windows Management Instrumentation Command-line (WMIC) to find remote shares (using NetEnum/NetAdd) to spread to. It uses either a duplicate token of the current user (for existing connections), or a username/password combination (spreading through legit tools).
Lateral Movement using SMB
The new ransomware can also spread using an exploit for the Server Message Block (SMB) vulnerability CVE-2017-0144 (also known as EternalBlue), which was fixed in security update MS17-010 and was also exploited by WannaCrypt to spread to out-of-date machines. In addition, this ransomware uses a second exploit for CVE-2017-0145 (also known as EternalRomance, and fixed by the same bulletin). It attempts to use these exploits by generating SMBv1 packets (all of which are XOR-encrypted with the byte 0xCC) to trigger these vulnerabilities at the following address of the malware code:
This ransomware’s encryption behavior depends on the privilege level of the malware process and on which processes are found running on the machine; it identifies those processes with a simple XOR-based hash of their names. It replaces the original files with encrypted files of the same names. Encryption uses a 2048-bit RSA key, which is virtually uncrackable.
Overwrites the master boot record
Beyond encrypting files, this ransomware also attempts to overwrite the MBR and the first sector of the VBR. If the malware runs with the SeShutdownPrivilege, SeDebugPrivilege or SeTcbPrivilege privilege, it overwrites the MBR of the victim’s machine. It accesses the first physical drive (drive 0) directly via \\.\PhysicalDrive0.
Drops a text file
After completing its encryption routine, this ransomware drops a text file called README.TXT on each fixed drive. That file has the following text:
Clears system event logs and NTFS journal info
This ransomware also clears the System, Setup, Security, Application event logs and deletes NTFS journal info. If the ransomware has reached this point, the victim computer is severely compromised and incapacitated.
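The propagation behaviors described above (rundll32 loading perfc.dat by ordinal, the renamed PSEXEC binary dllhost.dat, WMIC remote process creation, the .tmp credential dumper in %Temp%) and the event-log clearing in this last section each leave a footprint in host telemetry. The following is an added example, not part of the original write-up, of simple detection rules run over constructed sample events; the flattened “key=value|key=value” line format, the host names and IP addresses, and the file names other than those quoted above are assumptions made for the example.

```python
import re

# Constructed sample events (not real telemetry). Fields loosely mirror Sysmon
# process-creation (ID 1) and file-creation (ID 11) events and the Security
# "audit log was cleared" event (ID 1102), flattened to key=value|key=value.
SAMPLE_EVENTS = [
    'EventID=1|Image=C:\\Windows\\system32\\rundll32.exe|CommandLine=rundll32.exe "C:\\ProgramData\\perfc.dat",#1 30',
    'EventID=1|Image=C:\\Windows\\dllhost.dat|CommandLine=dllhost.dat \\\\10.0.0.7 -d rundll32.exe C:\\Windows\\perfc.dat,#1 30',
    'EventID=1|Image=C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine=wmic /node:10.0.0.8 process call create "rundll32 C:\\Windows\\perfc.dat,#1 30"',
    'EventID=11|Image=C:\\ProgramData\\perfc.dat|TargetFilename=C:\\Users\\alice\\AppData\\Local\\Temp\\A5E2.tmp',
    'EventID=1102|Image=C:\\Windows\\system32\\wevtutil.exe|CommandLine=wevtutil cl Security',
    'EventID=1|Image=C:\\Windows\\explorer.exe|CommandLine=explorer.exe',  # benign control line
]


def parse_event(line):
    """Split one flattened line into a dict; split each field only once so a '=' inside a value survives."""
    return dict(field.split("=", 1) for field in line.split("|"))


# Each rule takes a parsed event and returns True when the indicator is present.
RULES = {
    # rundll32 invoking perfc.dat by ordinal (#1) is the initial execution chain quoted above
    "perfc_rundll32": lambda e: re.search(r"rundll32.*perfc\.dat.*,#1", e.get("CommandLine", ""), re.I) is not None,
    # a process image ending in .dat (the legitimate psexec.exe dropped as dllhost.dat)
    "renamed_psexec": lambda e: e.get("EventID") == "1" and e.get("Image", "").lower().endswith(".dat"),
    # WMIC used to create a process on a remote node
    "wmic_remote_create": lambda e: re.search(r"/node:.*process\s+call\s+create", e.get("CommandLine", ""), re.I) is not None,
    # a .tmp file written into a Temp folder (where the Mimikatz-like dumper lands)
    "tmp_drop_in_temp": lambda e: e.get("EventID") == "11" and re.search(r"\\Temp\\[^\\]+\.tmp$", e.get("TargetFilename", ""), re.I) is not None,
    # Security log cleared (1102) / System log cleared (104), or wevtutil clearing a log
    "eventlog_cleared": lambda e: e.get("EventID") in ("1102", "104") or re.search(r"\bwevtutil\s+cl\b", e.get("CommandLine", ""), re.I) is not None,
}


def detect(lines):
    """Return {rule_name: [indexes of lines that matched]} for every rule."""
    hits = {name: [] for name in RULES}
    for i, line in enumerate(lines):
        event = parse_event(line)
        for name, rule in RULES.items():
            if rule(event):
                hits[name].append(i)
    return hits


if __name__ == "__main__":
    for name, idx in detect(SAMPLE_EVENTS).items():
        print(f"{name:20s} -> lines {idx}")
```

Seeing several of these rules fire on one host within minutes (especially the log-clearing rule after the propagation ones) is the pattern to alert on, since no single indicator is conclusive on its own.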