
Petya Weren’t Expecting This: Ransomware Takes Systems Hostage Across the Globe

2017-06-27 20:30

Early on Tuesday, June 27, reports began to circulate that organizations in Ukraine and elsewhere in Europe were suffering ransomware attacks. It quickly became clear that this Petya attack could equal or surpass the WannaCry outbreak of May 2017.

WannaCry spread so successfully because it exploited a flaw in Windows SMB, and although Microsoft had released a patch for that flaw (MS17-010) in March 2017, many organizations had not applied it before the outbreak. Luckily, organizations outside the initial attack zone in Europe were able to patch their systems before the worm reached them, which limited the international impact.

Unfortunately, the authors of this variant have learned from the past. The current Petya outbreak spreads to unpatched systems through the same SMB exploit WannaCry used, but it can also move laterally to fully patched systems on the same network using two legitimate Microsoft tools: the Windows Management Instrumentation Command-line (WMIC) and PsExec, a remote command-execution utility from Microsoft's Sysinternals suite.

Learn More: Petya X-Force Exchange Collection

What Is Petya?

Most outlets are reporting the ransomware as Petya; however, at least one security company believes it is a copycat rather than a true Petya variant. At this time, IBM X-Force has identified at least three samples that we believe are updated Petya variants.

Petya ransomware first appeared in 2016. It is unusual in the ransomware space because, rather than encrypting files one by one, it overwrites the master boot record (MBR) with its own boot code and encrypts the master file table (MFT), leaving the host unable to boot. Petya is often deployed together with Mischa, which acts as a fallback: if Petya cannot obtain the administrative privileges it needs to write the MBR, Mischa runs instead and encrypts individual files (such as .DOC, .PPT and .XLS documents). Another notable aspect of Petya is that it works even when the system is offline; it does not require a live connection to a command-and-control (C&C) server.

In this outbreak, the current Petya payload appears to be distributed using the same EternalBlue exploit, published in the so-called Shadow Brokers leaks, that powered the spread of WannaCry.

As in the WannaCry outbreak, this malware is modular. In addition to the Petya payload, some reports indicate that the Loki Bot Trojan may be included.

Basic Technical Details

The Petya outbreak made headlines for spreading very rapidly on June 27, 2017, but the building blocks were not new.

Lateral Movement: SMB Wormholes

One way Petya propagates is by scanning TCP port 445 to find machines running unpatched versions of the Server Message Block (SMB) protocol and then exploiting them. If that sounds familiar from your reading during the WannaCry outbreak, it should: it is the same technique.

Remote Execution: EternalBlue, WMIC and PsExec

IBM X-Force Incident Response & Intelligence Services (XF-IRIS) has confirmed that samples from the current outbreak use EternalBlue. EternalBlue, part of the alleged Shadow Brokers leak, exploits CVE-2017-0144, an SMBv1 flaw that allows an attacker to execute arbitrary code on the target system. That code can check whether the DOUBLEPULSAR backdoor is already present on the host, scan nearby systems, and attempt to infect them in turn.

WMIC and PsExec are not vulnerabilities: they are Microsoft tools that help administrators manage systems and networks. WMIC can create processes and run scripts on local or remote hosts, while PsExec lets a user run commands on a remote system. Both require valid credentials on the target, so in the hands of administrators they are important and useful tools; but an attacker who has obtained those credentials can use them to install malicious code, like Petya, on systems that are fully patched against EternalBlue.

Once on a system, the ransomware copies itself to the C:\Windows directory and installs a PE file at C:\Windows\dllhost.dat. It uses schtasks to create a scheduled task that reboots the system at a fixed time; the reboot is what hands control to the modified MBR. To cover its tracks, the ransomware uses wevtutil.exe to clear the Setup, System, Security and Application event logs, and fsutil.exe to delete the NTFS change journal (USN journal), removing records a forensic analyst would otherwise rely on.
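
The command chain described above, turned into hunting logic that runs over process-creation events. This is an added example, not code from the original post or from IBM X-Force. The log format, hostnames, user names and the way the dropped file is launched (via rundll32) are assumptions made for the constructed sample; the indicators themselves (dllhost.dat in C:\Windows, a schtasks-created reboot, wevtutil log clearing, fsutil USN-journal deletion, and remote execution through WMIC or PsExec) are the ones the post describes.

```python
"""Hunt for the Petya command chain in Windows process-creation events.

Added example, not code from the original post or from IBM X-Force. Input
is a simplified process-creation stream with the fields a Sysmon event 1
or Security event 4688 carries: time, host, user, parent image, image,
command line. The " | " separator is this example's own format.
"""
import re
from collections import defaultdict

# Constructed sample events. Hostnames, users, times and the rundll32
# launch of the dropped file are invented for this example.
SAMPLE_LOG = r"""
2017-06-27T10:02:11Z | ws-0417 | CORP\alice | C:\Windows\explorer.exe | C:\Windows\System32\rundll32.exe | rundll32.exe C:\Windows\dllhost.dat,#1
2017-06-27T10:02:12Z | ws-0417 | CORP\alice | C:\Windows\System32\rundll32.exe | C:\Windows\System32\schtasks.exe | schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 10:58
2017-06-27T10:02:13Z | ws-0417 | CORP\alice | C:\Windows\System32\rundll32.exe | C:\Windows\System32\cmd.exe | cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
2017-06-27T10:02:20Z | ws-0417 | CORP\alice | C:\Windows\System32\rundll32.exe | C:\Windows\System32\wbem\WMIC.exe | wmic /node:"ws-0418" /user:"CORP\svc_backup" /password:"<redacted>" process call create "rundll32.exe C:\Windows\dllhost.dat,#1"
2017-06-27T10:02:21Z | ws-0417 | CORP\alice | C:\Windows\System32\rundll32.exe | C:\Windows\psexec.exe | psexec.exe \\ws-0419 -accepteula -s -d rundll32.exe C:\Windows\dllhost.dat,#1
2017-06-27T10:05:00Z | ws-0420 | CORP\bob | C:\Windows\explorer.exe | C:\Windows\System32\schtasks.exe | schtasks /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"
2017-06-27T10:06:30Z | ws-0421 | CORP\helpdesk | C:\Windows\System32\cmd.exe | C:\Windows\System32\wevtutil.exe | wevtutil cl Application
"""

# Indicators that fire on a whole command line.
INDICATORS = {
    "dropped_pe": re.compile(r"C:\\Windows\\dllhost\.dat", re.I),
    "scheduled_reboot": re.compile(
        r"schtasks(?:\.exe)?\s.*?/create\b.*?shutdown(?:\.exe)?\b.*?/r\b", re.I),
    "usn_journal_deleted": re.compile(r"fsutil(?:\.exe)?\s+usn\s+deletejournal", re.I),
}
# Each "wevtutil cl <log>" in a line; the post names these four logs.
LOG_CLEAR = re.compile(r"wevtutil(?:\.exe)?\s+cl\s+(Setup|System|Security|Application)\b", re.I)
# Remote process creation: WMIC with /node:<host>, or PsExec's \\host -accepteula.
WMIC_REMOTE = re.compile(r'wmic(?:\.exe)?\s.*?/node:"?([^"\s]+)"?.*?process\s+call\s+create', re.I)
PSEXEC_REMOTE = re.compile(r"\\\\([\w.-]+)\s.*?-accepteula\b", re.I)


def parse_event(line):
    """Split one sample line into a dict, or return None if malformed."""
    parts = [p.strip() for p in line.split(" | ")]
    if len(parts) != 6:
        return None
    ts, host, user, parent, image, cmdline = parts
    return {"ts": ts, "host": host, "user": user, "parent": parent,
            "image": image, "cmdline": cmdline}


def classify(event):
    """Return [(indicator, detail), ...] for one event's command line."""
    cmd = event["cmdline"]
    hits = [(name, cmd) for name, rx in INDICATORS.items() if rx.search(cmd)]
    logs = sorted({m.lower() for m in LOG_CLEAR.findall(cmd)})
    if logs:
        hits.append(("event_log_cleared", ",".join(logs)))
    for name, rx in (("wmic_remote_exec", WMIC_REMOTE), ("psexec_remote_exec", PSEXEC_REMOTE)):
        m = rx.search(cmd)
        if m:
            hits.append((name, m.group(1).lower()))
    return hits


def hunt(log_text, min_indicators=3):
    """Correlate indicators per source host.

    A lone wevtutil or schtasks call is routine admin work, so a host is
    reported only when at least min_indicators distinct indicator types
    fire on it. The report carries the accounts involved and the remote
    hosts targeted through WMIC/PsExec, which is the next isolation list.
    """
    hosts = defaultdict(lambda: {"indicators": {}, "users": set(), "targets": set()})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        for name, detail in classify(ev):
            rec = hosts[ev["host"]]
            rec["indicators"].setdefault(name, detail)
            rec["users"].add(ev["user"])
            if name.endswith("_remote_exec"):
                rec["targets"].add(detail)
    return {h: r for h, r in hosts.items() if len(r["indicators"]) >= min_indicators}


if __name__ == "__main__":
    for host, rec in hunt(SAMPLE_LOG).items():
        print(f"{host}: {len(rec['indicators'])} indicators, users={sorted(rec['users'])}, "
              f"lateral targets={sorted(rec['targets'])}")
        for name, detail in rec["indicators"].items():
            print(f"  {name}: {detail}")
```

Run it as-is to see the report for the constructed sample; on real data, replace parse_event with a reader for your Sysmon or 4688 export and keep the rest. The threshold is the point: a single wevtutil cl or schtasks call is ordinary administration, but log clearing, USN-journal deletion, a scheduled reboot and remote process creation from one host within the same minute is the pattern this section describes, and the targets list tells you which neighbours to cut off next.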

Don’t Pay the Ransom

Many companies may be tempted to pay the ransom to get their systems back online. In this outbreak, however, it appears the attackers never built a working way to restore victims' files, so paying buys nothing. Going forward, invest in network segmentation and tested backups so that if systems are locked up in the future they can be taken offline and restored quickly.

IBM Security recommends:

  • Ensure systems are patched (MS17-010) and that antivirus signatures are up to date.
  • Determine whether backup systems are effectively configured and that restores have actually been tested.
  • Restore only from secure backups with known-good snapshots, or reimage systems completely.
  • Isolate any unpatched systems to prevent lateral movement of Petya.
  • Verify effective monitoring of all critical systems and networks.
  • Create or maintain regular reviews of privileged credential protection, since legitimate tools such as WMIC and PsExec give an attacker who holds privileged credentials access across the network.
  • Review incident response and contingency plans.

Protecting Your Organization with IBM

Based on the seriousness of this event, IBM is making all of our findings publicly available via a continuously updated X-Force Exchange Collection.

For immediate help, contact the IBM X-Force Incident Response Hotline at 1.888.241.9812 or 1.312.212.8034.

This is a developing situation. As relevant information becomes available, we will post updates here, on the @IBMSecurity Twitter page and on X-Force Exchange.

The post Petya Weren’t Expecting This: Ransomware Takes Systems Hostage Across the Globe appeared first on Security Intelligence.

Source: feedproxy.google.com/~r/SecurityIntelligence/~3/bbg00pRY-1E/
