“Petya” Ransomware - Connecting Links to States and Cyber War?

A massive cyber-attack reported yesterday, targeting Ukraine Critical Infrastructure, and few other entities in the region. Coincidentally, US political/administrative leader has plans to visit Ukraine during the coming days.Does the latest widespread ransomware infection indicate state actor involvement? Relatively less matured security posture of Ukraine firms, especially national critical infrastructure organizations compounded to the easy exploitation by the bad actors. Aircraft manufacturing, transportation, postal service, government officials, national banks – many of the key areas were impacted, with an opened can of worms by NSA? At the same time, Russia’s biggest oil producer “Rosneft” also felt the “Petya” heat. The “WannaCry” style of ransomware infection that exploits a supposedly “ZeroDay” vulnerability in Microsoft environment. The malware spreads through similar vulnerability that was the cause of the global security chaos couple of months back. Initially, researchers believed this new ransomware was a different version of an earlier threat called “Petya.” Later discovered that this was a new strain altogether, which borrowed some code from Petya, hence the reason why they recently started it calling “NotPetya,” “Petna,” or as some like to call it “SortaPetya” Considering that the security weakness was identified and was being exploited by NSA for spying organizations in some specific regions, links and suspicion are on from the cyber security community that, the new trend of ransomware triggered by state actors, and not by random players or criminals. Some of the investigations by UK and US agencies have indirectly referred North Korea for “WannaCry” and Bangladesh Central Bank Swift” incidents Since the SMB1 (Server Message Base Protocol) is one of the many “Zero Days” available on the dark web or with criminals and potentially with state actors, the cyber world is expecting more sophisticated and targeted attacks. Existing security technologies and solutions cannot protect organizations and countries from zero-day attacks (where there are no patches available or no signatures from product vendors.). The only potentially practical recommendation is to take a holistic approach towards these issues, by having right process, technology, and people controls. A lot of resources and quicker actions were visible to protect from the latest “Petya” ransomware variant, including the signature DAT file updates from major Antivirus players. However, interesting to see, how much it can safeguard the firms from different variants of the same malware or a combined form of multiple similar malicious codes. It is always a cat-mouse game for cyber security professionals and the parties on the other side of the table! The defense can cripple based on how targeted and determined the attack and attackers are! To be proactive and to be better prepared for the fight, organizations must develop basic security hygiene and tighten up their security fundamentals. These basics include minimum the following

Details of the “Petya” Ransomware

Certain information reports this ransomware as a variant of Petya and Misha (also known as GoldenEye).The actual main targets are in Ukraine and Russia. Only few sample have detected in France, Germany, North Korea, and Spain

How to works?

Encrypts MFT (Master File Tree) tables for NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer.

Functionality

Petya best described as a three-stage ransomware, where each stage has its dedicated functionality: 1. Stage 0 “MBR Overwrite” – Overwrite the hard drive’s Master Boot Record and implanting custom boot-loader. 2. Stage 1 “MFT Encryption” – Use the custom boot-loader introduced in Stage 0 to encrypt all Master-File- Table (MFT) records, which renders the file system completely unreadable. 3. Stage 2 “Ransom Demand” – Display the Petya logo and the ransom note detailing what must be done to decrypt the hard-drive.

Facts:

Current variant uses EternalBlue as an attack vector (CVE-2017- 0143 [3])
spreading via SMB post-exploitation

Ransomware performs the following actions after exploitation of the vulnerability:

Main binary at hxxp://185[.]165[.]29[.]78/~alex/svchost[.]exe
Clears the Windows event log using Wevtutil (wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:)
Writes a message to the raw disk partition
Reboot the system at noon as a logic bomb (schtasks %ws/Create /SC once /TN ""/TR "%ws"/ST %02d:%02d ; at %02d:%02d %ws)
After booting, a message appears notifying system encryption and demanding a Bitcoin $USD 300 ransom
Binary uses a fake Microsoft digital signature [1]
Bitcoin wallet utilized in this attack [2]
[email protected] is the email address used in this attack

What files the “Petya” tries to Encrypt?

The ransomware attempts to encrypt files that correspond to the following file extensions: [.]3ds,[.]7z,[.]accdb,[.]ai,[.]asp,[.]aspx,[.]avhd,[.]back,[.]bak,[.]c,[.]cfg,[.]conf,[.]cpp,[.]cs,[.]ctl,[.]dbf,[.]disk ,[.]djvu,[.]doc,[.]docx,[.]dwg,[.]eml,[.]fdb,[.]gz,[.]h,[.]hdd,[.]kdbx,[.]mail,[.]mdb,[.]msg,[.]nrg,[.]ora,[.]ost,[. ]ova,[.]ovf,[.]pdf,[.]php,[.]pmf,[.]ppt,[.]pptx,[.]pst,[.]pvi,[.]py,[.]pyc,[.]rar,[.]rtf,[.]sln,[.]sql,[.]tar,[.]vbox,[.] vbs,[.]vcb,[.]vdi,[.]vfd,[.]vmc,[.]vmdk,[.]vmsd,[.]vmx,[.]vsdx,[.]vsv,[.]work,[.]xls,[.]xlsx,[.]xvd,[.]zip,[.] In order to help detection and identification of this ransomware, here is a non-exhaustive list of indicators of compromise (IoC):

SHA256 hashes

- 8143d7d370015ccebcdaafce3f399156ffdf045ac8bedcc67bdffb1507be0b58 - 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 [4][5][6] - f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5 - 41cb22109da26a6ff5464d6915db81c1c60f9e0808d8dbd63df1550b86372165 - 0a3706fd283a5c87340215ce05e0bdbc958d20d9ca415f6c08ec176f824fb3c0 - eccd88bfc2be71e0ee7926fa4bed4e72a2db864328f2351d301f67bfe19e26bc

Files related to this attack

- %WINDIR%dllhost[.]dat

Anti-Virus definitions

[CrowdStrike Falcon (ML)] malicious_confidence_67% (D); [Endgame] malicious (high confidence); [Ikarus] Win32.Outbreak; [Kaspersky] UDS:DangerousObject.Multi.Generic; [ZoneAlarm by Check Point] UDS:DangerousObject.Multi.Generic; [McAfee] Artemis!71B6A493388E; [McAfee-GW- Edition] Artemis!Trojan; [Panda] Trj/CryptoPetya.B; [Qihoo-360] Trojan.Generic; [Palo Alto Networks (Known Signatures)] generic.; [Sophos] Mal/Generic-S; [Tencent] Win32.Trojan.Agent.Ntrp; [Webroot] W32.Ransomware.Gen;

YARA Rule

-- -- -- -- -- -- YARA RULES rule IOC_OCD_39B4A617722E3D0B60C27CE107BC4B06 {meta: author = "Laboratoire Epidemiologique Signal Intelligence Orange Cyberdefense" ref_IOC = "39B4A617722E3D0B60C27CE107BC4B06" date_IOC = "27/06/2017 - 16:15:22" info = "Version 1.0 b" internal = false score = 99 risk_score = 10 Classification = 104 Severity = 5 threat = "OCD APT Native Mutagenesis Envelope" comment = "IOC APT-Sensor"

strings:

$header = {4D 5A ?? ??} $env1 = {50 45 00 00 4C 01 05 00 5C 28 46 59 00 00 00 00 00 00 00 00 E0 00 02 21 0B 01 0A 00 00 BE 00 00 00 AE 04 00 00 00 00 00 39 7D 00 00 00 10 00 00 00 D0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00} $env2 = {6A 08 FF 15 C0 D1 00 10 50 FF 15 DC D1 00 10 5D C2 04 00 55 8B EC 83 7D 08 00 74 12 FF 75 08 6A 08 FF 15 C0 D1 00 10 50 FF 15 D4 D1 00 10 5D C2} $env3 = {0A 25 FF FF 00 00 0D 00 00 07 80 89 45 F0 E9 AD 00 00 00 6A 0A 8D 45 C4 50 FF 75 AC E8 6A 93 00 00 8D 85 9C FE FF FF 83 C4 0C 8D 50 01 8A 08 40} condition: $header at 0 and ($env1 at 0xF0 and $env2 at 0x406 and $env3 at 0x553)

Vulnerable products

******** No product list has been published. However, regarding previous attacks, we would assume that the following products could be targeted:  Windows XP  Windows Vista  Windows 7  Windows 8  Windows 8.1  Windows 8.1 RT  Windows Server 2003  Windows Server 2008  Windows Server 2008R2  Windows Server 2012  Windows Server 2012R2  Windows Server 2016  Windows Server Core  Windows Embedded Standard 2009  Windows Embedded POSReady 2009 There is no evidence that Windows 10 is a target

Solution

*** There is no confirmed operating mode. SecureRead recommends you to perform the following actions (But by Computer Experts. All necessary precautions should be taken):  Filter inbound connections on ports TCP 445 and 139 coming from untrusted networks. Block smb & wmi port 135,445,1024-1035 TCP  Completely disable SMBv1 support (deprecated) [4]  New signatures files for antivirus products are available or will be available soon. It is necessary to update the antivirus urgently.  Avoid reboot! shutdown -a  Detect/blacklist all incoming emails from [email protected]  Detect all upcoming emails to [email protected]  Check logs for IOCs above  Use gPO to block the ports 135, 445, 1024-1035 TCP  Avoid the system reboot (cmd /k shutdown -a)  Try not to format the encrypted systems but rather get its image  Block execution of .exe within %AppData% and %Temp%

Actions to be taken:

1.Enable the “NotPetya”/”Petna”/”Petya” Vaccine

To vaccinate your computer so that you are unable to get infected with the current strain of NotPetya/Petya/Petna (yeah, this naming is annoying), simply create a file called perfc in the C:Windows folder and make it read only. For those who want a quick and easy way to perform his task, Lawrence Abrams has created a batch file that performs this step for you.

2.Block source E-mail address

[email protected]

3.Block domains:

http://mischapuk6hyrn72.onion/ http://petya3jxfp2f7g3i.onion/ http://petya3sen7dyko2n.onion/ http://mischa5xyix2mrhd.onion/MZ2MMJ http://mischapuk6hyrn72.onion/MZ2MMJ http://petya3jxfp2f7g3i.onion/MZ2MMJ http://petya3sen7dyko2n.onion/MZ2MMJ http://benkow.cc/71b6a493388e7d0b40c83ce903bc6b04.bin COFFEINOFFICE.XYZ http://french-cooking.com/

4. Block IPs:

95.141.115.108 185.165.29.78 84.200.16.242 111.90.139.247

5.Apply patches:

6.Disable SMBv1

7.Update Anti-Virus hashes

a809a63bc5e31670ff117d838522dec433f74bee bec678164cedea578a7aff4589018fa41551c27f d5bf3f100e7dbcc434d7c58ebf64052329a60fc2 aba7aa41057c8a6b184ba5776c20f7e8fc97c657 0ff07caedad54c9b65e5873ac2d81b3126754aac 51eafbb626103765d3aedfd098b94d0e77de1196 078de2dc59ce59f503c63bd61f1ef8353dc7cf5f 7ca37b86f4acc702f108449c391dd2485b5ca18c 2bc182f04b935c7e358ed9c9e6df09ae6af47168 1b83c00143a1bb2bf16b46c01f36d53fb66f82b5 82920a2ad0138a2a8efc744ae5849c6dde6b435d myguy.xls EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6 BCA9D6.exe 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD

Controls – Corrective Actions to address Root Causes and Future Attacks!

A. People

 Right Information Security/Cyber Security Organization Structure with an executive role for CISO (Chief Information Security Officer) reporting to CEO or Board of Directors.  CISO and Information Security Team with authority, total visibility & control, and executive management support  Focused approach to security monitoring, threat intelligence with excellent resources and capabilities  Continuous security awareness among the users, including IT and Executive Management

B. Process

 Centralized and correlated Threat Intelligence collection and dissemination.  Security Embedded business and Technology processes  Multiple levels of Defense  Least privilege principles in providing controlled/monitored access rights  Refined, secured process in access provisioning, change, review and de-provisioning process  Need to know/Need to have base access/resource provisioning.  Fool-proof patching process – Regular, Timely and Comprehensive  Incident management plans and Crisis Management process – Scenario Planning  Identification/Classification/control of data and its handling across the organization  Business/IT Service Continuity Plans  Effective Crisis Management and Communication Plans

C. Technology

 Adequate and restorable backups – Online and Offline  Antivirus/Antimalware with behavioral detection capabilities  Effective technology for timely patching of all systems  Email Filtering with tight level of checks on suspicious emails with attachments/links  Logical/Physical segmentation of networks/systems  Tight and well-monitored controls for USB and other external media usage.  Closely filtered, monitored, controlled, and restricted download permissions  Comprehensive security solutions for monitoring and response  Firewalling at different layers – Network, Application  Advanced Threat Protection (APT) Solution  Technology for Threat intelligence collection, correlation, and application  Effective SIEM (Security Incident and Event Management) Solution, configured with right use cases  Configure security monitoring solutions/devices with the right use cases, and customized one as applicable. SIEM (Security Incident and Event Management) should configure with good IOCs (Indicators of Compromise)

“Petya” related technical resources provided below

IOCs (Indication of Compromise) & Analysis

Share Your Story!