Petya-based Ransomware Assaults Global Networks
From David Kennerley, Director of Threat Research – Webroot USA
As with any developing story, updates will no doubt come thick and fast and new information will come to light, leaving some possible theories dead in the water. We are seeing reports of another ransomware strain, appearing to use the NSA’s leaked EternalBlue exploit tool.
While many organisations have spent many an hour patching the SMBv1 vulnerability since the WannaCry outbreak, there will without a doubt be many more vulnerable machines out there.
This first hit Webroot’s radar at around 10 am UTC today in the US, but it has since been seen in a number of other countries, including Ukraine, Japan, China and the UK.
Webroot currently protects against this variant.
Early analysis appears to show that the ransomware looks to possibly encrypt the Master Boot Record (MBR) on infected machines as well as the victim’s files, similar to the nasty Petya ransomware seen last year – which only went after the MBR and was relatively easy to fix.
A large percentage of infected machines appear to be Windows 7 and 10, with the majority running the 64-bit OS.
It goes without saying that organisations should test their disaster recovery plan (DRP) regularly.
This will help them understand the time it will take to restore systems to a useable state and what data is likely to be lost due to backup schedules.
The danger with paying the ransom is there’s no guarantee they’ll recover their encrypted data, and this only makes ransomware more successful in the long run for hackers.
Also be aware that ransomware by its very nature is designed to be annoying and loud.
Be aware that there may also be secondary infections intent on staying hidden, looking to do damage by other means – like data and password pilfering.
A host of companies across industries has confirmed attacks today by a brutal wave of ransomware, including global law firm DLA Piper, U.S. pharmaceutical giant Merck, and the Danish shipping company Maersk. Although targets originally appeared in Ukraine—shutting down power plants, banking services and supermarkets—this latest cyberattack has quickly spanned critical economic sectors around the globe.
Webroot customers are protected against this variant.
This cyberattack was first seen by our threat research team at roughly 10:00 a.m. UTC today.
What we know:
Webroot’s threat researchers have confirmed that this ransomware is a variant of an older attack dubbed Petya, except this time the attack uses EternalBlue to target Windows systems—the same exploit behind the infamous WannaCry attack. While this variant appears to be an upgraded version of Petya, there is no confirmation that this attack is from the same author.
This variant mirrors Petya in that it encrypts the Master File Table (MFT) by overwriting the bootloader code, though unlike previous versions, it encrypts files based on file extension. The system fails to boot as usual and the end user instead sees a screen that appears similar to DOS and demands payment. The shot below depicts the preparation of the EternalBlue triggering packet.
This is the same attack vector that made WannaCry so effective, but we have also observed additional techniques used to infect more machines.
Here we can see that the worm is also utilising WMI (Windows Management Instrumentation) in a technique to reach further through the network, using credentials siphoned from the local machine.
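A defender-side counterpart to the WMI spreading described above, as an added example that is not Webroot’s code: a small rule set run over constructed, Sysmon-style process-creation events that flags processes launched through the WMI provider host and wmic invocations aimed at a remote node. The event fields, hostnames, users and the allowlist are all assumptions for illustration and would be tuned per environment.

```python
# Constructed process-creation events in the shape of Sysmon Event ID 1.
# None of these come from the post; they only exercise the rules below.
SAMPLE_EVENTS = [
    {"host": "ws01", "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "WmiPrvSE.exe", "User": r"NT AUTHORITY\NETWORK SERVICE"},
    # A binary spawned by WmiPrvSE.exe: the usual footprint of a process
    # created remotely through WMI (placeholder DLL name, not a real IoC).
    {"host": "ws01", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "rundll32.exe <dropped-dll-placeholder>,#1", "User": r"CORP\jsmith"},
    # Outbound side: wmic pointed at another host with explicit credentials.
    {"host": "ws02", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wmic /node:ws03 /user:CORP\svc_backup ...", "User": r"CORP\jsmith"},
    # Benign noise that must not alert.
    {"host": "ws02", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe", "User": r"CORP\jsmith"},
]

# Assumed allowlist of children WmiPrvSE.exe legitimately spawns; tune locally.
WMI_CHILD_ALLOWLIST = {"wmiprvse.exe", "werfault.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_wmi_lateral_movement(events):
    """Return (host, reason, image) tuples for events matching either rule."""
    alerts = []
    for e in events:
        image = _basename(e["Image"])
        parent = _basename(e["ParentImage"])
        cmd = e["CommandLine"].lower()
        # Rule 1: something unexpected was started by the WMI provider host.
        if parent == "wmiprvse.exe" and image not in WMI_CHILD_ALLOWLIST:
            alerts.append((e["host"], "process spawned by WmiPrvSE.exe", image))
        # Rule 2: this host is driving WMI against a remote node.
        if image == "wmic.exe" and "/node:" in cmd:
            alerts.append((e["host"], "wmic targeting a remote node", image))
    return alerts


if __name__ == "__main__":
    for host, reason, image in detect_wmi_lateral_movement(SAMPLE_EVENTS):
        print(f"{host}: {reason} ({image})")
```

Rule 1 is the one worth keeping even where wmic is not used, since any remote WMI execution, whatever client issued it, surfaces on the receiving host as a child of WmiPrvSE.exe.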
Once the machine is infected, the computer will immediately restart to what looks like a ‘chkdsk,’ but isn’t. Below is an image from Ukrainian Prime Minister Pavlo Rozenko’s Facebook showing the world what the ransomware looks like as it encrypted his computer during this fake chkdsk stage.
This stage is the ransomware encrypting files on your hard drive. We found that the ransomware doesn’t encrypt the entirety of each file with a matching extension, but instead encrypts only up to the first mebibyte (1 MiB) of data. This is presumably done to save time during the encryption process, but it also ensures that enough of the file is encrypted that it is unlikely to be restorable without paying the ransom.
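One way to triage files for the partial-encryption behaviour just described, as an added example and not Webroot’s tooling: compare the Shannon entropy of a file’s first MiB against the remainder. A near-random head followed by a low-entropy tail is consistent with only the first mebibyte having been overwritten. The 7.5 bits-per-byte threshold and the constructed sample files are assumptions for illustration; natively compressed formats (zip-based Office files, images) already have high-entropy heads, so treat a hit as a lead for further inspection, not proof.

```python
import math
import os
import tempfile
from collections import Counter

MEBIBYTE = 1024 * 1024  # the post: only up to the first MiB of a file is encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or random bytes, much lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def partial_encryption_profile(path: str, threshold: float = 7.5) -> dict:
    """Entropy of the first MiB versus the rest of the file.

    The threshold is an assumed cut-off, not a value from the post. A file
    shorter than 1 MiB has an empty tail and is never flagged here, since
    full encryption cannot be told apart from a compressed format by this test.
    """
    with open(path, "rb") as f:
        head = f.read(MEBIBYTE)
        tail = f.read()
    head_e, tail_e = shannon_entropy(head), shannon_entropy(tail)
    return {
        "head_entropy": round(head_e, 2),
        "tail_entropy": round(tail_e, 2),
        "partial_encryption_suspected": bool(tail) and head_e >= threshold > tail_e,
    }


def build_constructed_samples(directory: str):
    """Write two constructed 2 MiB files: plain text, and the same text with
    its first MiB replaced by random bytes to mimic the described damage."""
    filler_block = (b"quarterly report text " * 64)[:1024]
    filler = filler_block * (2 * MEBIBYTE // 1024)
    clean, hit = os.path.join(directory, "clean.txt"), os.path.join(directory, "hit.txt")
    with open(clean, "wb") as f:
        f.write(filler)
    with open(hit, "wb") as f:
        f.write(os.urandom(MEBIBYTE) + filler[MEBIBYTE:])
    return clean, hit


def run_demo() -> dict:
    """Profile both constructed samples; returns {file name: profile}."""
    with tempfile.TemporaryDirectory() as d:
        return {os.path.basename(p): partial_encryption_profile(p)
                for p in build_constructed_samples(d)}
```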
Once the fake chkdsk is complete (or all the files on the computer are encrypted) the infection will reboot the computer once more to this screen:
There is no way for a victim to retrieve their files other than to email the cybercriminal after paying to the Bitcoin address listed in the ransom note. In fact, the email address listed in the ransom note has, as of now, been shut down by the email provider. Essentially, this means victims are unable to get their files back, even after paying the ransom, as the payload author is now prevented from checking this email.
Why it matters:
The bottom line is that companies are still failing to adequately secure their IT systems from the EternalBlue vulnerability in the Windows Server Message Block (SMB) server.
Microsoft issued critical security updates to patch this vulnerability on March 14, 2017.
To verify that the MS17-010 patch is installed, follow the directions in this Microsoft support article.