Complex Petya-Like Ransomware Outbreak Worse than WannaCry

Join Kaspersky Lab and Comae Technologies Thursday June 29, 2017 at 10 a.m. Eastern time for a webinar “The Inside Story of the Petya/ExPetr Ransomware.” Click here to attend.

The attackers behind today’s global ransomware outbreak are spreading the malware using a modified version of the leaked NSA EternalBlue exploit and two Windows utilities to move laterally on local networks, adding layers of complexity to this attack to where it could dwarf WannaCry in short order.

Unlike WannaCry, this new ransomware sample contains no killswitch and is burrowing through corporate networks and endpoints, forcing workers at a number of locations to pull their machines from the internet.

Critical industries and services have been affected since the attack began this morning in Russia, Ukraine and then throughout Europe, including the radiation monitoring station for the crippled Chernobyl nuclear power plant and pharmaceutical giant Merck and Co.’s MSD operation in the United Kingdom. This augments a growing list of victims that also includes Danish shipping giants Maersk, Ukraine’s central bank, the country’s Borispol Airport in Kiev and dozens of other victims there, along with SaintGobain, a leading manufacturer in France and Russian oil company Rosneft and steel manufacturer Evraz.

Complicating matters is the fact German email provider Posteo, which hosts the email address provided in the ransom note, wowsmith123456@posteo[.]net has shut down the attacker’s account. Victims are being advised not to pay because there is no way for the attacker to deliver the decryption key even if the $300 demand in Bitcoin is arranged.

> Email account used by #Petya #NotPetya for ransomware payment closed <https://t.co/s4qiQj6wmu&gt;
>
> — Kevin Beaumont (@GossiTheDog) June 27, 2017

“There is no killswitch as of yet, and reports say the ransom email is invalid so paying up is not recommended,” said researcher Sean Dillon of RiskSense.

The ransomware behaves similarly to a year-old strain called Petya, which encrypts a computer’s Master File Table along with a number of file types. Experts are divided on whether this is Petya, a variant, or a knock-off, but that matters little to victims worldwide.

“This appears to be a complex attack which involves several attack vectors,” Kaspersky Lab said in a statement. The company published its analysis of the attack this afternoon.

The gravity of this attack is multiplied by the fact that even servers patched against the SMBv1 vulnerability exploited by EternalBlue can be successfully attacked, provided there is at least one Windows server on the network vulnerable to the flaw patched in March in MS17-010.

The attackers have built in the capability to infect patched local machines using the PSEXEC Windows SysInternals utility to carry out a pass-the-hash attack. Some researchers have also documented usage of the Windows Management Instrumentation (WMIC) command line scripting interface to spread the ransomware locally. Organizations are being advised to disable both utilities and apply MS17-010 if they haven’t done so already.

“If I run the attack on my machine and I’m a domain admin, it uses my credentials to authenticate to other machines on the network,” said Matthew Hickey, founder of My Hacker House. “In an enterprise environment, if it gets one privileged user, one domain admin, this will spread across the network even to patched machines.”

Unlike WannaCry, this attack does not have an internet-facing worming component, and only scans internal subnets looking for other machines to infect.

“I think this is actually worse than WannaCry from that perspective alone,” said Jake Williams, founder of Rendition Infosec. Williams said that this version of EternalBlue has been “cleaned up,” and that it’s not a direct copy-and-paste of the original leaked by the ShadowBrokers in April along with the Fuzzbunch platform. Once a server is compromised by EternalBlue, the attacker is in as a system user.

“You’re basically in God mode on the machine,” Williams said. “From there, you can take the local admin account and PSEXEC from there to another machine if the machines share the same credentials (which would have been set up by an admin). If they’re the same, you’re going to be successful. It passes the authentication hash and the attacker can begin pivoting around the network, even to patched machines. Some thought went into this and how to improve on WannaCry’s distribution method.”

Researchers at Cisco, also confirmed by Kaspersky Lab, have identified a Ukrainian tax accounting package called MeDoc as a potential infection vector. Both companies’ researchers said some infections could be linked to an attack against MeDoc’s software update systems. Early reports also suspected that some infections were spread via phishing emails with infected Excel documents exploiting a CVE-2017-0199, a Microsoft Office/WordPad remote code execution vulnerability.

Experts such as Dillon and Hickey were concerned about this type of virulent outbreak leveraging EternalBlue that did not include a WannaCry-like killswitch. Hickey said a sample he examined arrived as a DLL wrapped in crypto that also includes anti-analysis capabilities, something that Williams confirmed.

“As soon as I saw MS17-010, I began banging the drum quite loudly about exactly this type of incident,” Hickey said. “Even though it’s been patched, it only takes one missing patch on a critical server that will be the Achilles heel of a network.”

Avecto VP Andrew Avanessian said there may be copycat malware for the foreseeable future.

“Cyber criminals are taking a preexisting piece of malware and changed some of the payload elements of it. With the release of different hacking techniques from the NSA, nation-state hacking capabilities are now in the hands of novice cybercriminals,” Avanessian said.