A Perspective on the ‘Petya’ Ransomware Attacks – SCC Cyber Security Intelligence Service (CSI)
What is ‘Petya’?
A calculated ransomware campaign with a heavy footprint in Ukraine was detected on 27 June 2017 from an unknown source. To date, the attack has affected global organisations primarily in the banking, pharmaceutical and transportation industries. While most reports, and the ransom demand itself, refer to the activity as ‘Petya’, a well-known malware that has existed for quite some time, at least one security company believes it is not a true Petya variant.
It has been confirmed that the ransomware tool spreads via the National Security Agency (NSA) exploit EternalBlue, similar to the ‘WannaCry’ events last month.
At SCC, our CSI team have been aware of the outbreak and monitoring it closely since 14h00 GMT on 24 June. We use IBM QRadar with the X-Force Intelligence feed to monitor our clients’ infrastructure and detect risks of such attacks, taking pre-emptive measures as necessary to further protect data and minimise IT downtime.
Is there a connection to ‘WannaCry’?
While this attack is not identical to ‘WannaCry’, it is operating in a similar fashion. Essentially, an existing ransomware tool has been updated with a new infection capability, allowing it to propagate very quickly, with potentially significant impact. Our CSI team believes the response and remediation steps that led to effectively responding to ‘WannaCry’ are highly applicable to the most recent attacks.
CSI is engaged with our Security Intelligence vendors (IBM X-Force) to determine the true cause, provide recommendations, and work on responses with our clients. Our Major Incident Management Team communicated immediately with all our clients regarding ‘Petya’, offering an update on the steps taken and advice to follow.
The ‘Petya’ outbreak made headlines for spreading very rapidly on 27 June, but the building blocks were not new.
Lateral Movement: SMB Wormholes
One of the ways ‘Petya’ moves around and propagates is by scanning transmission control protocol (TCP) port 445 to identify and target machines that use unpatched versions of server message block (SMB). If that sounds familiar from your reading during the ‘WannaCry’ outbreak, you’re right. It’s the same.
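The scanning behaviour described above leaves a recognisable trace in network flow or firewall logs: one source host opening connections to many distinct destinations on TCP 445 within a short window, which normal file-share use does not do. The detector below is an added example (not SCC's, IBM's, or QRadar's code) that flags such fan-out; the flow-log format, field names, window, threshold and the sample lines are all constructed for the illustration and would need mapping onto a real log source.

```python
"""Flag SMB (TCP/445) fan-out consistent with worm-style lateral movement.

Added example for illustration only. The log format (one record per line:
"<timestamp> <src_ip> <dst_ip> <dst_port>"), the threshold and the window
are assumptions for this example, not values from the article.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445
WINDOW = timedelta(seconds=60)      # assumed sliding window
DISTINCT_DST_THRESHOLD = 10         # assumed: more than this many distinct
                                    # 445 targets per window looks like scanning

# Constructed sample flow records. 10.0.1.15 sweeps a /24 on port 445;
# 10.0.1.40 and 10.0.1.41 show ordinary file-server use.
SAMPLE_FLOWS = """\
# constructed flow log: <timestamp> <src_ip> <dst_ip> <dst_port>
2017-06-27T13:00:01 10.0.1.15 10.0.1.20 445
2017-06-27T13:00:02 10.0.1.15 10.0.1.21 445
2017-06-27T13:00:03 10.0.1.15 10.0.1.22 445
2017-06-27T13:00:04 10.0.1.15 10.0.1.23 445
2017-06-27T13:00:05 10.0.1.15 10.0.1.24 445
2017-06-27T13:00:06 10.0.1.15 10.0.1.25 445
2017-06-27T13:00:07 10.0.1.15 10.0.1.26 445
2017-06-27T13:00:08 10.0.1.15 10.0.1.27 445
2017-06-27T13:00:09 10.0.1.15 10.0.1.28 445
2017-06-27T13:00:10 10.0.1.15 10.0.1.29 445
2017-06-27T13:00:11 10.0.1.15 10.0.1.30 445
2017-06-27T13:00:12 10.0.1.15 10.0.1.31 445
2017-06-27T13:00:03 10.0.1.40 10.0.1.5 445
2017-06-27T13:00:09 10.0.1.40 10.0.1.5 445
2017-06-27T13:00:15 10.0.1.40 10.0.1.5 445
2017-06-27T13:00:20 10.0.1.41 10.0.1.6 80
2017-06-27T13:00:21 10.0.1.41 10.0.1.5 445
"""


def parse_flow(line):
    """Split one constructed flow record into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_smb_fanout(lines, window=WINDOW, threshold=DISTINCT_DST_THRESHOLD):
    """Return {src_ip: alert} for sources exceeding the distinct-445-target
    threshold inside any sliding window. Repeated connections to the same
    server do not count, so a busy client of one file share stays quiet."""
    per_source = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = parse_flow(line)
        if dport == SMB_PORT:
            per_source[src].append((ts, dst))

    alerts = {}
    for src, events in per_source.items():
        events.sort()                      # logs are not guaranteed ordered
        recent = deque()                   # events inside the current window
        for ts, dst in events:
            recent.append((ts, dst))
            while ts - recent[0][0] > window:
                recent.popleft()           # expire events older than the window
            distinct = {d for _, d in recent}
            if len(distinct) > threshold:
                alert = alerts.setdefault(
                    src, {"first_alert": ts.isoformat(), "peak_distinct_destinations": 0})
                alert["peak_distinct_destinations"] = max(
                    alert["peak_distinct_destinations"], len(distinct))
    return alerts


if __name__ == "__main__":
    for src, alert in detect_smb_fanout(SAMPLE_FLOWS.splitlines()).items():
        print(f"{src}: {alert['peak_distinct_destinations']} distinct SMB targets, "
              f"first crossed threshold at {alert['first_alert']}")
```

Counting distinct destinations rather than raw connection attempts is what separates a worm sweep from a single chatty client, and the window keeps a slow, legitimate inventory job from tripping the rule. The threshold and window are the knobs a SOC would tune against its own baseline before turning this into a live rule.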
Remote Execution: EternalBlue, WMIC and PsEXEC
Now for a more detailed technical analysis: IBM X-Force Incident Response & Intelligence Services (XF-IRIS) has confirmed that the samples from the current outbreak are using EternalBlue. EternalBlue, from the alleged Shadow Brokers leak, exploits CVE-2017-0144, which allows attackers to execute arbitrary code on a target system. That code can include routines that check for the presence of exploit code such as DoublePulsar, or that scan nearby systems and attempt to infect them with exploit code.
WMIC and PsExec are not vulnerabilities; they are Microsoft tools to help admins manage systems and networks. WMIC allows users to run processes and scripts, while PsExec allows a remote user to take remote control of a system. In the hands of administrators these are important and useful tools, but when accessed by an attacker, they can be used to install malcode, like ‘Petya’, on target systems.
Once on the system, the ransomware copies itself to the C:\Windows directory and installs a PE file at C:\Windows\dllhost.dat. To cover its tracks, the ransomware uses schtasks to create a scheduled task that will reboot the system at a set time. To further cover its tracks, it uses wevtutil.exe to clear the Setup, System, Security and Application event logs, and uses fsutil.exe to delete the NTFS change (USN) journal.
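Each of the host-side actions listed above (clearing event logs with wevtutil, deleting the change journal with fsutil, scheduling a reboot with schtasks, running something out of C:\Windows\dllhost.dat) and the WMIC/PsExec remote execution from the previous section shows up as a process-creation record on the endpoint, so they can be caught from command-line telemetry even when the logs themselves are later wiped. The rule set below is an added example (not SCC's, IBM's, or any product's detection content); the event schema, the host names, the command lines and the severities are constructed for illustration, and the admin-tool rule is deliberately lower severity because, as the article notes, WMIC and PsExec are legitimate management tools.

```python
"""Match process-creation command lines against the anti-forensic and
remote-execution behaviours described in the article.

Added example for illustration only. Event fields, host names, command
lines and severities are constructed assumptions, not real telemetry.
"""
import re
from collections import defaultdict

# (rule name, severity, compiled pattern). Patterns are case-insensitive
# because Windows command lines are.
RULES = [
    ("event_log_cleared", "high",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+(setup|system|security|application)\b", re.I)),
    ("usn_journal_deleted", "high",
     re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b", re.I)),
    ("scheduled_reboot", "high",
     re.compile(r"\bschtasks(\.exe)?\b.*/create\b.*\bshutdown(\.exe)?\s.*?/r\b", re.I)),
    ("dllhost_dat_reference", "high",          # the filename the article reports
     re.compile(r"\\windows\\dllhost\.dat\b", re.I)),
    ("remote_exec_tool", "medium",             # legitimate admin tools; context needed
     re.compile(r"(\bwmic(\.exe)?\b.*/node:|\bpsexec(\.exe)?\b.*\\\\)", re.I)),
]

# Constructed process-creation events (roughly the shape of a Sysmon
# Event ID 1 or Windows 4688 record after parsing).
SAMPLE_EVENTS = [
    {"time": "2017-06-27T13:05:10", "host": "WS-0142", "command_line": r"wevtutil.exe cl Setup"},
    {"time": "2017-06-27T13:05:10", "host": "WS-0142", "command_line": r"wevtutil.exe cl System"},
    {"time": "2017-06-27T13:05:11", "host": "WS-0142", "command_line": r"wevtutil.exe cl Security"},
    {"time": "2017-06-27T13:05:11", "host": "WS-0142", "command_line": r"wevtutil.exe cl Application"},
    {"time": "2017-06-27T13:05:12", "host": "WS-0142", "command_line": r"fsutil usn deletejournal /D C:"},
    {"time": "2017-06-27T13:05:13", "host": "WS-0142",
     "command_line": r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:35'},
    {"time": "2017-06-27T13:05:14", "host": "WS-0142", "command_line": r"rundll32.exe C:\Windows\dllhost.dat,#1"},
    {"time": "2017-06-27T13:05:20", "host": "WS-0142",
     "command_line": r'wmic /node:"10.0.1.21" /user:"CORP\svc_backup" process call create "rundll32.exe C:\Windows\dllhost.dat,#1"'},
    # Ordinary administration on a jump host: queries, not clears; no /create.
    {"time": "2017-06-27T13:10:00", "host": "ADMIN-01", "command_line": r"wevtutil qe Security /c:5 /f:text"},
    {"time": "2017-06-27T13:10:05", "host": "ADMIN-01", "command_line": r'schtasks /Query /TN "BackupNightly"'},
    {"time": "2017-06-27T13:10:09", "host": "ADMIN-01", "command_line": r"fsutil fsinfo drives"},
    {"time": "2017-06-27T13:10:30", "host": "ADMIN-01", "command_line": r"psexec.exe \\FS-01 -s ipconfig /all"},
]


def scan_events(events):
    """Return one finding per (event, matching rule)."""
    findings = []
    for ev in events:
        for name, severity, pattern in RULES:
            if pattern.search(ev["command_line"]):
                findings.append({"host": ev["host"], "time": ev["time"], "rule": name,
                                 "severity": severity, "command_line": ev["command_line"]})
    return findings


def hosts_with_chain(findings, min_high_rules=2):
    """Hosts on which at least `min_high_rules` *distinct* high-severity rules
    fired: several different anti-forensic steps on one machine is a far
    stronger signal than any single command."""
    high_rules = defaultdict(set)
    for f in findings:
        if f["severity"] == "high":
            high_rules[f["host"]].add(f["rule"])
    return sorted(h for h, rules in high_rules.items() if len(rules) >= min_high_rules)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['time']} {f['host']:9} {f['severity']:6} {f['rule']:22} {f['command_line']}")
    print("hosts with anti-forensic chain:", hosts_with_chain(found))
```

Because wevtutil is exactly what removes the evidence, this kind of rule only works if process-creation events are forwarded off the endpoint to a SIEM before they can be cleared; the correlation in hosts_with_chain is what keeps a single legitimate fsutil or schtasks invocation from paging anyone.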
Organisations around the world need to understand the elements of these attacks and be prepared for copycat attacks with new twists. While ransomware – the criminal practice of stealing data and not returning it to its owner until a ransom payment is made – was the profit-gaining tactic of choice, criminals could shift to new tactics and schemes in the future. For example, they could use the one-to-many attack scheme through the Microsoft vulnerability to steal personally identifiable information or embed Remote Access Trojans.
5 Steps to Protect Against Ransomware Attacks
5 simple steps you can take to help prevent such attacks, minimising data loss and IT downtime:
- Patch systems immediately to help prevent attacks, and use endpoint management tools;
- Engage with the SCC Cyber Security Intelligence Service, or deploy Security Intelligence systems to detect attacks;
- Develop a response playbook with your team, in case you are infected;
- Refer to the X-Force Ransomware Response Guide to evaluate organisational readiness;
- Ensure your employees, suppliers and others who work with your company receive regular security training, such as how to spot suspicious emails and actions to take if they suspect an attack.