Large Scale Petya Ransomware Attack in Progress, Spreading Fast Globally

A large-scale ransomware attack reported to be caused by a variant of the Petya ransomware is currently hitting various users, particularly in Europe. This variant, RANSOM_PETYA.SMA, is known to use both the EternalBlue exploit and the PsExec tool as infection vectors. Users and organizations are thus advised to perform the following mitigation steps immediately in order to prevent and avoid infection:

  • Apply the security patch MS17-010
  • Disable TCP port 445
  • Restrict accounts with administrator group access

Infection Flow

As previously mentioned, this ransomware’s initial entry into the system involves the use of the PsExec tool, an official Microsoft utility used to run processes on remote systems. It also uses the EternalBlue exploit–previously used in the WannaCry attack–that targets a vulnerability in Server Message Block (SMB) v1. Once on a system, this Petya variant uses the rundll32.exe process to run itself. The actual encryption is then carried out by a file named perfc.dat, located in the Windows folder.

This ransomware then adds a scheduled task, which reboots the system after at least an hour. Meanwhile, the Master Boot Record (MBR) is also modified so that the encryptor will carry out the encryption and the appropriate ransom note will be displayed. A fake CHKDSK notice is initially displayed; this is when the encryption is actually carried out. Unusually for ransomware, it does not change the extensions of any encrypted files. More than 60+ file extensions are targeted for encryption; it is worth noting that the file extensions targeted are focused on file types used in enterprise settings; images and video files (targeted by other ransomware attacks) are notably absent.

Aside from the use of the EternalBlue exploit, there are other similarities to WannaCry. Like that attack, this Petya variant’s ransom process is relatively simple: it also uses a hardcoded Bitcoin address, making decryption a much more labor-intensive process on the part of the attackers. This is in contrast to earlier Petya attacks, which had a more developed UI for this process. Each user is asked to pay US$300. As of this time, approximately US$7,500 had been paid into the Bitcoin address. As in all ransomware attacks, we advice against paying the ransom–this is particularly true in this case, as the email account mentioned in the ransom note is no longer active.

PsExec and Windows Management Information Command-line (WMIC)

Petya cleverly uses legitimate Windows processes PsExec and Windows Management Information Command-line, which is an interface that simplifies the use of Windows Management Instrumentation (WMI).

Once Petya is dropped, it will drop psexec.exe as dllhost.dat on the target machine. The malware also drops a copy of itself to \\{remote machine name}\admin$\{malware filename}. It then executes the dropped copy by using dllhost.dat locally (which is the file name of the PSExec tool) with the following parameters:

dllhost.dat \\{remote machine name} -accepteula -s -d C:\Windows\System32\rundll32 “C:\Windows\{malware filename}”,#1 
{random number minimum 10} {enumerated credentials}

The format of {enumerated credentials} is as follows:

“un1:pw1” “un2:pw2” “un3:pw3” … “unN:pwN”

If this is unsuccessful, Petya will then use WMIC.EXE to execute the file in the remote machine:

%System%\wbem\wmic.exe /node:”{node}” /user:”{user name}” /password:”{password}” process call create 
“C:\Windows\System32\rundll32 \”C:\Windows\{malware filename}\” #1 {random number minimum 10} 
{enumerated credentials}”

Petya will use PSExec or WMIC to spread the malware to other systems within the local network. If this portion of the infection chain does not work, only then will Petya exploit the EternalBlue vulnerability.

Information Extraction Method

We discovered that this Petya variant uses an advanced method to extract information from the infected system. It makes use of a customized Mimikatz—a legitimate security tool—to extract usernames and passwords. The 32-bit and 64-bit Mimikatz executables are encrypted and stored in the resource section of the ransomware. The extraction method runs when the main malware process opens a pipe, which is used by the custom Mimikatz to write its results. These results are then read by the main malware process. As mentioned earlier, Petya is able to spread to other systems within the local network by using this extracted information.

Disk Modification Procedure

Before encryption, Petya will first modify the MBR as part of its process. Initially, the sector after the Volume Boot Record (VBR) is written with code (0xBAADF00D), rendering the system unbootable.

It also accesses the following sectors:

  • Sectors 0 to 18 (disk offset 0 to 25FFh) are overwritten with its own boot program.
  • Sector 32 (disk offset 4000h to 41FFh) is written with some structured random data.
  • Sector 33 (disk offset 4200h to 43FFh) is filled with 07h.

The original MBR is encrypted:

  • Sector 34 (disk offset 4400h to 45FFh) is written with the XOR-encrypted original MBR.

If the above process fails, it will overwrite sectors 0-9 with code (0xBAADF00D).

Related posts