
Petya ransomware is back – using WannaCry vulnerabilities to cause chaos and disruption



What we are seeing now are two additional techniques being added to the ransomware family. With WannaCry, ransomware designers for the first time combined ransomware with a worm to speed its delivery and expand the scale and scope of the attack. Now, with Petya/NotPetya, we see the Master Boot Record targeted as well, which raises the cost of not paying the demanded ransom from losing personal files, which may have been backed up, to potentially losing the entire device.


The Petya-like ransomware exploits the same SMB vulnerability as WannaCry (via EternalBlue), which ravaged systems globally back in May 2017. Mimicking WannaCry in its propagation, this malware has the same worm-like capability (over Windows SMBv1 sharing) to spread to remote hosts with no user interaction. In addition, it dumps passwords to gather credentials and then uses PsExec and WMIC to run itself remotely, exploiting the inherent trust inside corporate networks to move laterally within those environments.








Unfortunately, the authors of this variant of ransomware have learned from the past. The current outbreak of Petya ransomware can be spread to unpatched systems via the same exploit as WannaCry, but it can also achieve lateral movement to infect patched systems on connected networks using Windows Management Instrumentation Command-line (WMIC) and PsExec, a remote command tool from Microsoft.


If you have already taken the proactive measures outlined above, you should be protected from Petya/NotPetya. If you have been impacted by Petya, or another type of ransomware, head to NoMoreRansom.org. And remember, never pay the ransom: if you are dealing with Petya, you will not get your files back.


Locky is one of the stealthiest ransomware families out there. It was all over the news in 2016 and was distributed via Necurs, touted as the largest botnet in operation. Locky has run multiple campaigns, each active for some time. It came to a halt in early 2017 when Necurs switched to distributing JAFF (discussed below), but in April Locky came back with a few tweaks. At its peak, Locky infected up to 90,000 devices per day; the countries most affected were France, Italy, the USA, Germany, and Spain. Some victims, such as the Hollywood hospital, had to pay $17,000 to resume operations. Below is the infection process of Locky.


JAFF ransomware was also distributed via the Necurs botnet, and with Necurs behind it, success followed. As expected, this ransomware was spread through spam campaigns; researchers detected thousands of emails as part of the campaign, and the requested ransom amount was 2.047 BTC. Below is the complete infection process of JAFF.


The Locky ransomware has had a turbulent past in trying to infect users. Active throughout 2016, Locky came back in mid-summer 2017 with a vengeance. In August, Locky introduced two new strains. ZDNet reported that in a 24-hour timespan, the spam campaign sent over 23 million emails containing Locky to users in the United States. It quickly became one of the largest spam campaigns of 2017.


One more method of remote process execution used by the ransomware is Windows Management Instrumentation Command-line (WMIC), which runs the ransomware on remote hosts with stolen credentials. The WMIC command used is shown in the code snippet below.


This latest attack is using a nearly identical clone of GoldenEye, itself a member of the Petya family of ransomware. Petya, like other ransomware variants, encrypts files and makes users pay to get them back.


Petya ransomware is powered by Shadow Brokers exploits, which were leaked earlier this year. After compromising a system, the malware encrypts the data using a private key, and prevents users from accessing the system until it is restored or decrypted. The initial infection vector for this campaign appears to be a poisoned update for the MeDoc software suite, a tax software package used by many Ukrainian organizations. The malware then infects systems that are vulnerable to MS17-010 and spreads laterally across the infrastructure.


Similar to the WannaCry ransomware that infected systems globally earlier this year, Petya takes advantage of known vulnerabilities that already have patches. In a world where malware threats arise every day, chasing daily threats is not advised. Organizations everywhere and of every size need a more strategic approach to proactively manage security threats (and protect themselves and their customers) by implementing good cyber hygiene practices, including regular patching, updates, backups, and continuous monitoring.


The most basic protection, whether against ransomware or malware that actually corrupts data, is off-site backups. Best practice for backup frequency and scope varies by industry, and senior leadership should collaborate with security to identify minimum standards.


Recent global ransomware attacks WannaCry and Petya (also known as NotPetya) show that damage caused to computers and data can also have tangible consequences in the physical world: from paralysing all operations of a company, to causing life-threatening malfunctions of medical equipment. Infecting one computer can be enough to spread the virus across global networks at lightning speed.


Ransomware is on pace to become a USD 1 billion criminal industry; and a competitive and highly innovative one, at that. Staying ahead in a cybersecurity arms race is challenging. Preventive information-security measures and regular back-ups are indispensable, but not by themselves sufficient. To curtail ransomware and other cyberattacks and mitigate their consequences, we recommend implementing a compliance, enforcement, and education framework addressing cybersecurity risks. Also, a ransomware attack is a criminal offence. If you become a victim, consider involving law enforcement authorities.


Today, computers are running enterprises, driving trains and cars, and performing surgical operations. Data processed by and stored in company computers are often their most valuable resource. Recent ransomware attacks, WannaCry and Petya (also known as NotPetya), show that damage caused to computers and data can also have tangible consequences in the physical world; from paralysing all operations of a company, to causing life-threatening malfunctions of medical equipment. The high stakes to businesses of their data and computer systems make ransomware attacks an attractive target for cybercriminals.


For providers of software whose vulnerabilities were exploited by ransomware, it is as yet uncertain if they will be subject to liability for leaving users exposed to the attacks. In the meantime, the head of the Ukrainian Cyber Police, Serhiy Demydiuk, has announced that the company supplying M.E.Doc software is under investigation and will face charges. Although repeatedly warned by information security companies about the vulnerability of its software, M.E.Doc did not take appropriate measures to rectify it. On a more practical note, the Indian government is using the ransomware attacks as a negotiation tool. The Indian government has asked Microsoft to offer a sharply discounted one-time deal to more than 50 million Indian users so that they can upgrade to the latest Windows 10 operating system. If Microsoft agrees, this deal could cost several billion dollars in lost revenue.


WannaCry is an encrypting ransomware that exploits a vulnerability in the Windows SMB protocol and has a self-propagation mechanism that lets it infect other machines. WannaCry is packaged as a dropper, a self-contained program that extracts the encryption/decryption application, files containing encryption keys, and the Tor communication program. It is not obfuscated and is relatively easy to detect and remove. In 2017 WannaCry spread rapidly across 150 countries, affecting 230,000 computers and causing an estimated $4 billion in damages.


NotPetya originally spread using a backdoor in accounting software used widely in Ukraine, and later used EternalBlue and EternalRomance, exploits for vulnerabilities in the Windows SMB protocol. NotPetya encrypts not only the MFT but also other files on the hard drive. While encrypting the data, it damages it in such a way that it cannot be recovered, so users who pay the ransom cannot actually get their data back.


Regularly back up data to an external hard drive, using versioning and the 3-2-1 rule (keep three copies of the data on two different media, with one copy stored in a separate location). If possible, disconnect the hard drive from the device when not backing up, so that the backup data cannot be encrypted along with the rest.


Imperva File Security can detect ransomware activity before it does widespread damage, using policy-based monitoring and deception technology. Imperva identifies suspicious file access behavior in real time, and quarantines infected users or devices which may be affected by ransomware. It also provides data that can help security teams investigate and report on ransomware activity.


NotPetya combines ransomware with the ability to propagate itself across a network. It spreads to Microsoft Windows machines using several propagation methods, including the EternalBlue exploit for the CVE-2017-0144 vulnerability in the SMB service. This is the same vulnerability Microsoft reported on in MS17-010, which was exploited so successfully in the recent WannaCry ransomware outbreak. Once a machine is infected by NotPetya, a series of malicious activities ensue, including the following:


In addition, it initiates a loop that waits for the user to input the purchased key. Once the key is entered, the code attempts to decrypt the contents of Sector 33, which were previously encrypted using the Salsa20 key. Once the sector is decrypted, the code reads all 512 bytes of the sector and ensures that they all equal 0x7. If this check succeeds, the CRYPT_FLAG is set to 2 (decrypted), and the same key is used to decrypt the MFT. Furthermore, the original encoded MBR in Sector 34 is decoded and placed back into Sector 0, as shown below.
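The restore flow just described, as an added Python example written for this page (it is not the malware's code and not taken from the original post): it runs the verification-sector check and the Sector 34 to Sector 0 restore over a constructed raw disk image. The Salsa20 step is left out, so the decrypted Sector 33 buffer is passed in directly; the assumption that the "encoded" MBR is a single-byte XOR with 0x07 and all function names are mine.

```python
# Added example, not code from the page or from the malware: a forensic helper that
# mirrors the restore flow described above on a raw disk image. The Salsa20 step is
# left out: the verification sector is passed in already decrypted. ASSUMPTION: the
# "encoded" MBR in sector 34 is a single-byte XOR with 0x07; the page only says "encoded".
SECTOR_SIZE = 512
VERIFY_SECTOR = 33          # sector whose 512 bytes must all decrypt to 0x07
BACKUP_MBR_SECTOR = 34      # encoded copy of the original MBR
VERIFY_BYTE = 0x07
XOR_KEY = 0x07              # assumed encoding key (see comment above)
CRYPT_FLAG_ENCRYPTED = 1
CRYPT_FLAG_DECRYPTED = 2    # value the page says is set after a good check

def read_sector(image: bytes, n: int) -> bytes:
    return bytes(image[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE])

def decode_mbr(encoded: bytes) -> bytes:
    # XOR is its own inverse, so the same routine encodes and decodes.
    return bytes(b ^ XOR_KEY for b in encoded)

def verification_ok(decrypted_verify: bytes) -> bool:
    # The check from the page: all 512 bytes of sector 33 must equal 0x07.
    return len(decrypted_verify) == SECTOR_SIZE and all(b == VERIFY_BYTE for b in decrypted_verify)

def looks_like_mbr(sector: bytes) -> bool:
    # A real boot sector ends with the 0x55AA signature.
    return len(sector) == SECTOR_SIZE and sector[510:512] == b"\x55\xaa"

def restore_mbr(image: bytes, decrypted_verify: bytes) -> tuple:
    """Return (crypt_flag, image); sector 0 is rewritten only when the check passes."""
    if not verification_ok(decrypted_verify):
        return CRYPT_FLAG_ENCRYPTED, image
    original = decode_mbr(read_sector(image, BACKUP_MBR_SECTOR))
    if not looks_like_mbr(original):
        # Extra safety not in the malware: never write a non-MBR over sector 0.
        return CRYPT_FLAG_ENCRYPTED, image
    fixed = bytearray(image)
    fixed[0:SECTOR_SIZE] = original
    return CRYPT_FLAG_DECRYPTED, bytes(fixed)

def build_sample_image() -> tuple:
    """Constructed image: stand-in loader in sector 0, XOR-encoded MBR in sector 34."""
    original_mbr = bytes([0xEB, 0x3C, 0x90]) + b"\x00" * 507 + b"\x55\xaa"
    image = bytearray(SECTOR_SIZE * 40)
    image[0:SECTOR_SIZE] = b"\xcc" * SECTOR_SIZE
    start = BACKUP_MBR_SECTOR * SECTOR_SIZE
    image[start:start + SECTOR_SIZE] = decode_mbr(original_mbr)
    return bytes(image), original_mbr
```

Because Sector 34 is only encoded rather than encrypted, the same decode step lets an analyst recover the original MBR from a disk image without the purchased key.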

