Petya Ransomware: Older Malware, New Dangerous Techniques
by Joe Gray
On June 27, 2017, the world experienced another outbreak of Petya ransomware. This article details the background of this threat and provides information on the new variant, as well as ways to prevent getting infected.
Ransomware is a class of malicious software that takes infected systems hostage and demands a “ransom” to unlock the system or systems. To further complicate this, the method of delivery can vary from phishing emails, unsolicited file downloads (also called watering hole attacks or drive-by downloads), or from another system on the network.
The malware will use one or more of a few methods to make the data inaccessible. Common methods are: encryption, renaming files, and changing file extensions and permissions. This relies on those maintaining the ransomware to follow through on their promises or else the scheme does not work.
In order to get the data restored, one must pay the ransom. Common methods of payment are Bitcoin (BTC), Ethereum Ether, and gift cards. Both Bitcoin and Ether are unregulated cryptocurrency. Cryptocurrency is lucrative for those operating in nefarious business for several reasons, most notably the near anonymous nature of transactions, lack of regulation, and decentralized nature.
As of June 27, 2017, the world experienced another outbreak of Petya ransomware. Petya was prevalent in early 2016, which I will discuss later in this text. Per the WhiteSunset Bitcoin Purse, Petya had ‘raised’ 3.28 BTC which equates to around $8,000 near the end of the work day in Eastern Time in the US.
A few key factors to bear in mind:
- Petya is the feminine voice of Peter in Slavic languages. This loosely translates to “stone,” which is a pun on information security terminology, as preventing a system from functioning is sometimes called “bricking” systems.
- It is unique in the respect that it attacks the Master Boot Record (MBR) of a system, which prevents most conventional methods of circumventing the software.
Officially, some outlets are referring to Petya 2017 as “NotPetya,” but for the purpose of this text, the Petya 2017 convention will be used.
In March 2016, Petya started making its initial rounds. The typical attack vector was using a ‘resume’ on Dropbox. It charged around 0.99 BTC which at the time was about $400 to release the key to decrypt the system. If the victim did not pay in what the attackers considered a timely manner, they doubled their ransom demands.
The file size is: <500 KB (less than 500KB or .5MB)
The typical file sizes of samples are: 330.2KB (338169 bytes) and 130.3 KB (133423 bytes)
The hashes of the file are:
- SHA256: 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
- MD5: dfcced98585128312b62b42a2a250dd2
- SHA1: 1b6068c506c94a27b66f1d1596e145eae230e9bd
- SHA256: 019a6fda29af707476b2c58e5b6bbf306e8c248671c8f4dc7424e474018376a1
- MD5: ef77af6b83d2d31b091c3dc652f6a57c
- SHA1: d16aa9361263f113e3c54a65c80c2cef81f940a7
- SHA-256: 0983a838ddbb506e58ad5ddb44e1b9a11cc36e96e90e88defcfbae898b24d717
- MD5: d243f3304cdbe29f5f21d2091e3a41b8
- SHA1: ba27af1d902a49bbc04776001a3dc34fde1bc8ff
MD5: 8b8568e264197cbe031f0cd14946f5c4SHA1: 858a5df3bacb2a786dac4f0ac3cc8b14345ed921
- SHA256: 0f9579ebc2ff166ca0aa5bd50b0ccda0caa9b8ec3da7460c67b0259019e2ffa5
MD5: 92a856fc4ff7b6bee53cd620e74b4abfSHA1: e57904064f85c6d4f83e968d628019314700228f
- SHA256: 103ce79acd0498378fa4b3853379cb719d807f08441f6be28ab27a3f2573992e
- MD5: 9ed3bdaeb95e1084db73f39414b4f2b9
- SHA1: 4467f73489a93ff09122110a5be421ad45369b49
- MD5: af2379cc4d607a45ac44d62135fb7015
- SHA256: 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
- MD5: 8b52c06d4a95a3657fe9975ccf13cda6
- SHA1: 19d80af357c795d7f9b1b62438f35add5a77edd0
- SHA256: 2700fa2fb84912a9f6b9d4271d85210dc3b80b9e276b1028f620a3c2dbdf6968
- SHA256: 3db158edf79c13969ec96b91465c26a307e46eb2af58d154191fd88151ea95cb
Relationship to Wannacry
At this point, Wannacry is likely still fresh in the minds of most of the world. It was revolutionary as it took on a unique approach in attacking its victims precisely 30 days after the patches for CVEs 2017-0143 through 2017-0148 (MS17-010) were released. The exploits used were ETERNALBLUE and DOUBLEPULSAR. Around the same time, EternalRocks worm also came out, acting somewhat like a WannaCry copycat, but leveraging ETERNALBLUE, DOUBLEPULSAR, and 5 other NSA tools that the ShadowBrokers released.
Starting during the morning of June 27, 2017, reports started to circulated that another WannaCry Ransomware was on the loose. Through a little investigation, it was determined that it was not another WannaCry, but rather a new spin on the older Petya ransomware.
Whereas the older version used the pretext of a resume coming through Dropbox, this variant uses ETERNALBLUE and DOUBLEPULSAR via TCP port 445 to gain access then overwrite the MBR. Attackers are asking for $300 in Bitcoin to a specific BTC address then email the wallet ID to a specific email address that is now disabled.
As a result of the use of Server Message Block (SMB), the protocol that is being used to infect, this software exhibits greater ease in pivoting to other hosts within the network. If SMBv1 is disabled, this loses much steam and will not work by default, although there are work arounds to make ETERNALBLUE work on SMBv2 and SMBv3. A related exploit in the same leak and Microsoft Bulletin as ETERNALBLUE is called ENTERNALSYNERGY and specifically attacks SMBv3.
Per Ukrainian site, Hromadske, Ukraine’s “Ministry of Interior, the Cabinet Office, the State Fiscal Service, ‘New Mail’, ‘Ukrtelecom’, ‘Savings’, ‘Kyivenergo’ refueling ‘Vogue’, the mobile operator ‘Kyivstar’ stores ‘Epicenter’ and many others” were infected. SBU, the Ukrainian counterpart to the Secret Service, states that a phishing email containing an infected file was one of the vectors used to initially deploy Petya. As a result, the Ukrainian government suspended opening email attachments and prosecutors in Kiev turned off their servers until this is under control. CNN is reporting that the radiation monitoring system at Chernobyl was also infected.
Per Palo Alto Networks, the file is spread as a DLL file and needs another process to execute it in order for it to operate. Rebooting ones system (as often prescribed in training) will actually trigger the infection. If SMB is enabled, this malware will move laterally. There is no known “Kill Switch” thus far. The original did not have one but decrypters were developed.
Kenn White, a prominent researcher and cryptographer and Colin Scott, another prominent researcher, noted there are reports of this variant successfully infecting a Windows 10 system that is fully patched with SMBv1 manually disabled and updated antivirus signatures as seen below:
Forbes is reporting the source of infection may be a Ukrainian software company that provides accounting software called MeDoc. Experts believe that the company was breached and the malware was initially distributed through their automatic updates. From this point, it would be relatively easy to pivot.
- MD5: 71b6a493388e7d0b40c83ce903bc6b04
- SHA1: 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
- SHA256: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
- MD5: 0df7179693755b810403a972f4466afb
- SHA1: 9717cfdc2d023812dbc84a941674eb23a2a8ef06
- MD5: e285b6ce047015943e685e6638bd837e
- SHA256: 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
- MD5: e595c02185d8e12be347915865270cca
- SHA256: 752e5cf9e47509ce51382c88fc4d7e53b5ca44ba22a94063f95222634b362ca5
- File Path: dllhost.dat
- Email: firstname.lastname@example.org
- IPv4: 220.127.116.11
- IPv4: 18.104.22.168
- URL: http://22.214.171.124/myguy[.]xls
- URL http://COFFEINOFFICE[.]XYZ
- IPv4: 126.96.36.199
- IPv4: 188.8.131.52
- URL: http://french-cooking[.]com/myguy[.]exe’
- URL: http://184.108.40.206/~alex/svchost[.]exe
The preventative measures for this variant of Petya ransomware are relatively standard:
- Train employees on a routine basis. When the annual training comes around for compliance, people have not retained most of that information within the month in many cases. I recommend training at least quarterly.
- Based on the training, test the employees. Run phishing campaigns and other realistic scenarios to test the effectiveness of the training, allowing the organization to realign as necessary to current threats and attacks.
- Implement role-specific training. While a call center or IT should not be routinely opening untrusted attachments via dropbox, HR and Purchasing may have that need. Train them on the techniques they can reasonably do at their level to protect the company.
- Establish a non-networked, internet accessible kiosk system to receive such attachments. Install anti-malware protection with automatic updates in addition to a sandbox, and verbose logging off the system. Allow the system to be used to “detonate” the files and determine if any malice exists.
- Disable unnecessary ports, protocols, and services.
- Enable implicit deny (allow the following rules and deny anything else) on all firewalls.
- Utilize network and host based Intrusion Detection or Prevention systems (NIDS/HIDS or NIPS/HIPS).
- Conduct routine vulnerability scans on the network and remediate in a timely manner (i.e. within 30 days for High and Critical severity findings).
As with all ransomware, a decision from management in (preferably in advance) regards to whether to pay or not is warranted. Furthermore, routine backups that are not on the network will increase an organizations odds at defeating the infection without paying. The difficult point is determining the time and vector of infection and ensuring that the backup is before the infection and the vector is mitigated.
In terms of prevention, the original Petya made its rounds using a pretext of a resume being delivered via Dropbox, so general prevention would likely suffice as mitigating factors.
At this point, there are several decryption tools available for the original Petya. A quick search on Github yielded these results:
- Petya Recovery (September 2016)
- Hack-Petya (April 2016)
- Petya-Green (September 2016)
- Petya-Green Multicore (June 2016)
Petya ransomware 2017 is not as cut and dry. While the same preventative measures will lessen the impact, the worm characteristics that it exhibits similar to WannaCry (which was called a Ransomworm by some) increases the complexity in solving the problem before it is a problem.
Due to the nature of SMB, Windows systems can communicate with each other using it. Vulnerability scanners use it to log into hosts and conduct the checks. Disabling all SMB in a Windows environment is not reasonable.
Blocking incoming SMB and NetBIOS ports at the firewall will reduce the likelihood that the infection can use that vector. If the malware is introduced via phishing and SMB is allowed to/from any host, the outcome will be the same.
While there is no “Kill Switch,” a “vaccine” was created to halt the infection – for now. During source code review, a researcher determined that if you have a READ-ONLY file in the C:\Windows directory named perfc (C:\Windows\Perfc), you will not be infected according to Bleeping Computer. Lawrence Abrams has created a batch file that will automate this for you. As we learned with WannaCry, this will likely change and be ineffective by morning, rendering Petya immune (sorry for the medical terminology pun).