27.06.2017

Petya starts with Ukraine and then goes global

Group-IB has identified the ransomware that has infected energy, telecommunications and financial companies
On June 27, a large-scale cyber attack was recorded in Ukraine using a new modification of the Petya ransomware, which partially affected companies in Russia, the United States, India, and Australia. A preliminary investigation showed that the pro-state Black Energy group that had previously attacked energy and financial organizations in Ukraine was behind the attack.

Initial penetration occurs through updates of MeDoc, accounting software that is very popular in Ukraine. Then the Trojan resets the administrator's password on the computer where it first entered, and tries to connect to all computers on the network, using the legitimate tools PsExec and WMI and exploits from the NSA set. For decryption, the hackers demand 300 USD in bitcoin.
One week later, the actors demanded 100 bitcoins (250 000$) for the secret key, which is needed to decrypt all encrypted files.

According to preliminary estimates, about 80 companies have been attacked, with the majority of them located in Ukraine. The list of victims includes large Ukrainian banks and enterprises, namely, Oschadbank, Ukrgasbank, Pivdenny Bank, OTP Bank, TASKombank, The Epicenter chain store, Kovalska industrial and construction group. Three major Ukrainian telecom operators, Kyivstar, LifeCell, Ukrtelecom, have also been affected.

State enterprises Ukrtelecom, Ukrzaliznytsia, Ukrposhta, Kievvodokanal, and state-run aircraft manufacturer Antonov reported that they had come under a large-scale attack. The Boryspil international airport, the Kiev subway, computer networks of the Cabinet of Ministers and the website of the Ukrainian government have also been infected.

In Russia, oil giants Rosneft and Bashneft have been hit by a massive attack.
Supermarket "Rost", Kharkov, Ukraine.
Malware analysis
When the malicious attachment is opened, it employs a recent vulnerability: CVE-2017-0199. This has previously been used in attacks by other criminal groups and is currently employed in a range of malicious builders on sale on underground forums.

After deployment it starts two threads:

  • In the first thread, the malware tries to infect other network computers by exploiting the EternalBlue vulnerability (CVE-2017-0144), as WannaCry did.

  • In the second thread, the malware uses an LSA dump to get network/local admin passwords (similar to mimikatz x86, x64), and after that it infects other computers with PsExec or WMI commands.

    In short, there is no need for all computers to be vulnerable to EternalBlue. A single infected computer with admin credentials in LSA is enough to compromise the network.

    The malware executes the following commands to clear the OS system logs and the NTFS journal:

    wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:
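The log-wiping commands quoted above are a usable detection signal when process command lines are recorded. The following is an added example, not part of the original Group-IB analysis: it assumes command-line auditing is enabled, and the host names and event records are constructed for illustration.

```python
import re
from collections import defaultdict

# Event logs the page lists as wiped with "wevtutil cl" (alias: clear-log).
WIPED_LOGS = {"setup", "system", "security", "application"}
CLEAR_LOG = re.compile(r"\bwevtutil(?:\.exe)?\"?\s+(?:cl|clear-log)\s+(\S+)", re.I)
DELETE_USN = re.compile(r"\bfsutil(?:\.exe)?\"?\s+usn\s+deletejournal\b", re.I)

# Constructed process-creation records (host, command line); hypothetical
# hosts, not data from a real incident.
SAMPLE_EVENTS = [
    ("WS-014", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("WS-014", "wevtutil el"),
    ("WS-022", "cmd.exe /c wevtutil cl Setup & wevtutil cl System & "
               "wevtutil cl Security & wevtutil cl Application & "
               "fsutil usn deletejournal /D C:"),
    ("SRV-03", "wevtutil.exe clear-log Application"),
    ("SRV-03", "fsutil usn queryjournal C:"),
]

def actions_in(cmdline):
    """Return the set of anti-forensic actions found in one command line."""
    found = set()
    # cmd.exe chains commands with '&', so one line may hold several actions.
    for part in cmdline.split("&"):
        m = CLEAR_LOG.search(part)
        if m:
            log = m.group(1).strip('"').lower()
            if log in WIPED_LOGS:
                found.add("clear:" + log)
        if DELETE_USN.search(part):
            found.add("usn-delete")
    return found

def triage(events):
    """Aggregate actions per host and grade each host that shows any."""
    per_host = defaultdict(set)
    for host, cmdline in events:
        per_host[host] |= actions_in(cmdline)
    verdicts = {}
    for host, acts in per_host.items():
        if acts:
            # Security log wiped together with the USN journal matches the
            # sequence quoted on the page; anything less is sent for review.
            full = "clear:security" in acts and "usn-delete" in acts
            verdicts[host] = ("critical" if full else "review", sorted(acts))
    return verdicts
```

Calling `triage(SAMPLE_EVENTS)` grades WS-022 as critical and SRV-03 as review, while WS-014 (log enumeration only) is not reported.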
The malware waits around 30-40 minutes after infecting the endpoint (presumably to spread itself), then encrypts files with the following extensions:

.3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.

Then it changes the MBR and MFT on the local host and reboots.

After encryption the following screen is displayed:
KillSwitch: On launch, the malware checks whether a file with its own name, without an extension, exists in the Windows directory. For example, if the malware body is named perfc.dat (internal PE name) and it finds the file "%WINDOWS%/perfc", the program will exit.

However, Group-IB specialists could not confirm that the next "Petya" campaign will use this same file name. It therefore depends on the specific exploit that creates this file in the system. Considering this, this protection method cannot be used as a universal KillSwitch.

The malware was compiled on June 18:
According to Group-IB experts, a recently modified version of Petya (PetrWrap) was used by the Cobalt hacker group to hide traces of their targeted attack on financial institutions. It is critical to know because Cobalt is currently active, targeting banking infrastructure: ATM control systems, SWIFT, payment gateways and card processing systems.
Rustam Mirkasymov
Head of Dynamic Analysis of Malicious Code Group-IB
What should I do to be protected against attacks like this?
1. Take technical steps to prevent mimikatz and different privilege escalation techniques in Windows:
2. Install Patch KB2871997.
3. Regedit: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential - set to 0.
4. Make sure that the passwords of Local Admin accounts on workstations differ.
5. Change ALL passwords of Domain privileged users and Domain Admins.
6. Install patches that mitigate CVE-2017-0199 and EternalBlue (MS17-010).
7. Revoke all admin accounts if they are not needed. (According to LSA dumps, there are often too many admin accounts in a network.)
8. Unless you have patched all PCs in your corporate network, don't allow your employees to connect their laptops to the corporate LAN.
9. Back up your systems regularly, ideally using both the cloud and drives that aren't constantly connected to the network.
10. Implement a Zero Trust policy and arrange a Security Awareness training course for your employees.
11. Consider disabling SMBv1 in your network.
12. Subscribe to Microsoft Technical Security Notifications.
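To check items 3 and 11 across many machines, the output of `reg query` collected from each host can be parsed and graded. This is an added example, not Group-IB tooling: the host names and dumps are constructed, and the `SMB1` value under `LanmanServer\Parameters` is the registry-based way of disabling the SMBv1 server, which is an assumption about how item 11 is implemented in your environment.

```python
import re

WDIGEST = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
# Assumption: SMBv1 server is disabled through this key's SMB1 value.
SMB_SRV = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"

# Constructed "reg query" output, one dump per hypothetical host.
DUMPS = {
    "WS-014": WDIGEST + "\n    UseLogonCredential    REG_DWORD    0x0\n\n"
              + SMB_SRV + "\n    SMB1    REG_DWORD    0x0\n",
    "WS-022": WDIGEST + "\n    UseLogonCredential    REG_DWORD    0x1\n\n"
              + SMB_SRV + "\n    NullSessionPipes    REG_MULTI_SZ    \n",
    "SRV-03": WDIGEST + "\n    Debuglevel    REG_DWORD    0x0\n",
}

VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")

def parse_reg_query(text):
    """Parse 'reg query' output into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                name, kind, data = m.groups()
                # DWORDs are printed as hex (0x0, 0x1); keep other types as text.
                current[name] = int(data, 16) if kind == "REG_DWORD" else data
    return keys

def audit(text):
    """Return findings for the WDigest and SMBv1 items of the checklist."""
    keys = parse_reg_query(text)
    findings = []
    wdigest = keys.get(WDIGEST, {}).get("UseLogonCredential")
    # The checklist asks for an explicit 0, so a missing value is a finding
    # to review rather than something assumed safe.
    if wdigest is None:
        findings.append("WDigest UseLogonCredential not set (explicit 0 expected)")
    elif wdigest != 0:
        findings.append("WDigest UseLogonCredential=%d (must be 0)" % wdigest)
    smb1 = keys.get(SMB_SRV, {}).get("SMB1")
    if smb1 != 0:
        findings.append("SMBv1 server not explicitly disabled (SMB1=%r)" % smb1)
    return findings
```

With the constructed dumps, `audit(DUMPS["WS-014"])` returns no findings, while WS-022 and SRV-03 each return two.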
Should I pay the ransom?
We don't recommend paying the ransom, since:
  • You sponsor the criminals.
  • We have no evidence that the data of those who have paid has ever been restored.

Group-IB Threat Intelligence customers already received IOCs on the Petya outbreak.
Group-IB TDS installed in customers' infrastructure detected this malware outbreak.