Liveblog: Huge Petya ransomware wave

Revision history:

  • Update 2 (current): 28th of June, 2017 22:45 (UTC +2) – Added Snort rule for detection purposes
  • Update 1: 27th of June, 2017 18:04 (UTC +2) – Initial post

A new variant of the Petya ransomware started to wreak havoc within various companies around the world on the 27th of June 2017. The first news came from Ukraine, where at least two energy companies were struck.

WannaCry

This Petya variant comes only weeks after the WannaCry outbreak made headlines around the world, with hundreds of thousands of devices infected.

This variant of Petya has more spreading methods than WannaCry (specifically PsExec and WMI), but it does share at least one of the exploits, namely EternalBlue, an exploit leaked by ‘The Shadowbrokers’ and originally used by the NSA.

The Petya ransomware was in the news earlier this year for encrypting the entire hard disk rather than only files on local and remote drives, which is the more common behaviour of other ransomware.

Source

Cisco Talos reports that the infections started in Ukraine via the auto-update feature of software by the Ukrainian company Me-Doc. Attackers likely got access to the Me-Doc update servers and used the software's update feature to infect all of its, mostly Ukrainian, customers. This explains the disruptions observed within various Ukrainian companies, including airports, hospitals and other vital infrastructure. It also supports what Fox-IT is observing: affected companies have business in Ukraine, and the initial Petya activity was observed coming from those networks.

Because of the various spreading mechanisms of Petya, the ransomware managed to reach companies in other countries, most likely as a result of existing network connections between (branch) offices or suppliers.

Infection

When a computer gets infected with this specific version of Petya, it starts to encrypt files on the local machine and also attempts to spread across the local network to other machines.

After a number of hours, the infected client is restarted and the user is faced with a ransom screen. At this point it is no longer possible to start the Windows operating system. The ransom screen shows a bitcoin address, together with a string of text that uniquely identifies this infection, as well as the email address to contact the authors once the payment has been made.

Infection vector

Where WannaCry was scanning random IP addresses on the internet, and in that way infecting other companies, this version of Petya only scans internal hosts. This means that there must be a different initial infection vector. What exactly this vector is remains unknown for the time being. If the ransomware is run on a Windows Server, it will attempt to spread to all connected clients by looking at DHCP leases, which greatly improves the spreading speed within a network.

Prevention

The following measures can be taken to limit the chances of infection:

  • Apply Windows update MS17-010
  • Disable the outdated protocol SMBv1
  • Limit the use of accounts that are ‘local administrator’
  • Make back-ups and verify that they can be restored

Detection

Currently the Fox-IT CTMP network module is able to detect a number of the spreading methods of Petya, and work is being done to identify other methods of spreading. Among others, the following rule has been developed:

[code lang=text]
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FOX-SRT - Trojan - Possible Petya ransomware connection"; flow:established,to_server; uricontent:"admin$/"; content:"User-Agent: Microsoft-WebDAV-MiniRedir/"; http_header; classtype:trojan-activity; threshold:type limit, track by_src, count 1, seconds 600; reference:url,https://blog.fox-it.com/2017/06/27/liveblog-huge-petya-ransomware-wave/; sid:21002170; rev:1;)
[/code]
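To show what the rule above actually fires on, here is an added Python example (not Fox-IT's code) that replays its payload conditions and its `threshold:type limit, track by_src, count 1, seconds 600` behaviour over a few constructed HTTP requests. The sample requests, IP addresses and timestamps are made up for the illustration; the example ignores the `$HOME_NET`/`$EXTERNAL_NET` address matching and only mirrors the URI, header and threshold checks.

```python
# Constructed sample requests (not captured traffic): (seconds, source IP, raw HTTP request).
SAMPLE_REQUESTS = [
    (100, "10.0.0.5", "PROPFIND /admin$/ HTTP/1.1\r\nHost: 10.0.0.9\r\n"
                      "User-Agent: Microsoft-WebDAV-MiniRedir/10.0.14393\r\n\r\n"),
    (160, "10.0.0.5", "PUT /admin$/x.bin HTTP/1.1\r\nHost: 10.0.0.9\r\n"
                      "User-Agent: Microsoft-WebDAV-MiniRedir/10.0.14393\r\n\r\n"),
    (200, "10.0.0.7", "GET /index.html HTTP/1.1\r\nHost: 10.0.0.9\r\n"
                      "User-Agent: Microsoft-WebDAV-MiniRedir/10.0.14393\r\n\r\n"),
    (900, "10.0.0.5", "PROPFIND /admin$/ HTTP/1.1\r\nHost: 10.0.0.9\r\n"
                      "User-Agent: Microsoft-WebDAV-MiniRedir/10.0.14393\r\n\r\n"),
]

WINDOW_SECONDS = 600  # from "threshold: ... seconds 600"
URI_NEEDLE = "admin$/"  # uricontent (case-sensitive, as in the rule)
UA_NEEDLE = "User-Agent: Microsoft-WebDAV-MiniRedir/"  # content ... http_header


def matches_rule(raw_request: str) -> bool:
    """Mirror the payload part of the rule: the request URI contains 'admin$/'
    and the HTTP header block carries the WebDAV Mini-Redirector User-Agent."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        return False  # not a well-formed request line
    uri, headers = parts[1], lines[1:]
    ua_seen = any(h.startswith(UA_NEEDLE) for h in headers)
    return URI_NEEDLE in uri and ua_seen


def run_detection(requests, window=WINDOW_SECONDS):
    """Apply the rule plus 'threshold:type limit, track by_src, count 1':
    only the first matching request per source IP in each window is reported,
    later matches inside the same window are suppressed."""
    window_start = {}
    alerts = []
    for ts, src, raw in requests:
        if not matches_rule(raw):
            continue
        start = window_start.get(src)
        if start is None or ts - start >= window:
            window_start[src] = ts  # open a new suppression window for this source
            alerts.append((ts, src))
    return alerts


if __name__ == "__main__":
    for ts, src in run_detection(SAMPLE_REQUESTS):
        print(f"t={ts}s src={src}: Possible Petya ransomware connection")
```

Run against the constructed input, only the first and the last request from 10.0.0.5 produce an alert: the second falls inside the 600-second window of the first, and the request from 10.0.0.7 does not touch an `admin$/` URI.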