There is certainly no shortage of threats to write about these days when it comes to ransomware and the recent surge of activity involving high profile attacks and victims. I’m reminded of the MyDoom/Netsky/Bagle flurry of 2004. The truly concerning thing about the current high level of activity around ransomware is that those who still rely on traditional antivirus (AV) products and technologies are continuing to fall victim to this stuff, day in and day out.
This would be somewhat understandable if this was a new type of threat, but ransomware has been around for well over a decade. The attack models have really not changed all that much (save a few new transmission methods). The malware binaries themselves are still just as 'obviously bad’ as they ever were. Yet every week on the news, we still see companies and individuals getting virtually cleaned out.
It is deeply concerning to hear about the high-profile medical entities that have been targeted lately. In this scenario, the price paid for the attack is not just limited to the dollars and cents paid as the ‘ransom’ (or rather, the Bitcoin bounty which is the typical ransomware author’s preferred method of payment). A ransomware attack on a health center could cause delays in patient care, and delays in patient care lead to much worse things in the real world.
If you look at the attack model of the typical piece of ransomware, the method of operation is exactly the same in medical environments as it is in a private individual’s machine. Users are enticed to click on bad stuff, or browse to bad stuff, leading to the malware dropping and kicking off the process of encrypting vital files on the user’s hard drive, possibly spreading to any connected backup drives, USB sticks, and even to their company network.
When it comes to remediation, in practical terms, we have to focus on the user or on the first stage of the malware, in order to halt the malicious chain of events (execution -> encryption -> extortion).
Breaking Ransomware News
In just the last couple of days, we’ve had several big ransomware stories break:
- Medstar Health temporally shut down operations in order to contain an outbreak of a yet-to-be-named threat.
- In-the-wild observation of PowerWare – a ransomware family that leverages PowerShell to deliver ransomware functionality in a semi-fileless manner.
- In-the-wild observation of Petya– a ransomware family that overwrites the Master Boot Record (a novel approach). So rather than being stuck staring at a Windows desktop full of encrypted stuff, the victim gets to watch their system crash, then display a 1980s-esque skull animation, followed by the usual array of Bitcoin payment instructions.
Details are still being analyzed in the Medstar Health attack. While some are speculating a relationship to other similar ransomware attacks, the Cylance SPEAR™ team is currently analyzing available data and will update our customers and the public as soon as actual, non-speculative, technical data becomes available.
Figure 1: Tweet by Medstar Health regarding today’s attack.
PowerWare is unique in that the malware utilizes PowerShell code in malicious Microsoft Office documents to initiate the infection stage and encryption process. This means that no first-stage or stand-alone executable dropper will be present on the infected box. This is all done via PowerShell in VBA script within the weaponized Office documents.
This technique itself is not new, but it is something of an update to these prolific, in-the-wild ransomware families. Cylance demonstrated a similar technique this year at the 2016 RSA security industry conference. While our PowerShell payload was different, the mode was the same. In our demonstration, we showed how we could (without dropping any files) use a weaponized Microsoft Excel document to exfiltrate data, dropPony Loader, and initiate a Black Energy-style wiper. PowerWare is doing the exact same thing, but the end result is the file encryption and obfuscation that one would expect with a ransomware attack.
PowerWare masquerades as an official-looking invoice document. In order to deploy the malware, the target victim must first be enticed/convinced to enable macros when opening the document. That is an extra manual step that, if not taken, will inhibit the launch of the malware, or any macro/VB for that matter, as the execution of Macros/VB is disabled by default.
Figure 2: The target user must first enable macros in order for the malware to be able to launch.
The PowerShell scripts which run via the weaponized Word document are directly responsible for the encryption and key generation routines. The use of RSA-2048 is evident in the scripts as well as the decryption service pages available via the prescribed .onion URL:
Figure 3: the VBA above shows the download of the PowerShell script to %temp%\y.ps1, followed by the execution command.
The Petya Ransomware Project
That brings us to Petya. Petya was launched in December 2015 by the 'Petya Ransomware Project'. This particular piece of ransomware is considered more "fun" by malware analysts, in terms of its creative side. If you are a fan of cheesy 1980's 'hacking' stuff, such as War Games, Max Headroom or Weird Science, you’ll understand.
Figure 4: Skull and crossbones animation launched by Petya prior to ransom instructions.
What makes Petya unique is the overwriting of the MBR as a mechanism to block access to the files (and OS). Upon execution, the victim sees a quick crash, a reboot, a fake chkdsk screen, and finally a sinister and seizure-inducing skull and crossbones animation leading to the ransom instructions:
Figure 5: Petya ransom instructions.
It is important to note that Petya also inhibits the ability of the user to boot into Safe Mode. Also of note: the emails sent to victims contain a link to a Dropbox folder rather than to a weaponized Office document. The Dropbox folder contains the first stage executable file. Either way, both Petya and PowerWare require some level of user interaction to start the process.
In summary: email + clicking/browsing links = extortion.
Petya leverages AES-256 and RSA-4096 for the encryption routines. Decryption for Petya is handled by visiting one of the .onion URLs presented in the ransom note:
Figure 6: Encryption screen presented by Petya ransomware.
Also, just like any good and responsible ransomware author*, they are willing to assist the user if there are issues with the decryption process (*insert sarcasm here).
Figure 7: Petya ransomware payment/ message page.
Figure 8: The Petya FAQ page.
CylancePROTECT® vs. PowerWare and Petya
One only needs to look at any multi-engine malware submission site or online sandbox to see the amount of time it has taken for most traditional AV vendors to start detecting PowerWare and Petya. There are still a large percentage of vendors that do not detect or protect against either, even though Petya was released over three months ago, in December 2015.
We submitted samples of both PowerWare and Petya to Cylance products from early March 2016. Results are shown below:
Figure 9: CylancePROTECT vs. PowerWare and Petya.
Figure 10: CylancePROTECT web console, showing detection and quarantine of both PowerWare and Petya.
Our SPEAR team has also released a video showing CylancePROTECT prevent the execution of PowerWare:
Indicators of Compromise (IOCs)
PowerWare SHA256 Hashes:
Petya SHA256 Hashes: