The Petya-like ransomware that has been prominent in headlines over the past few hours has been rapidly propagating in-the-wild since mid-afternoon (UTC) on June 27. The malware uses the same SMB exploit as WannaCry (EternalBlue/DoublePulsar) in order to spread remotely, and in addition, leverages both PsExec and WMIC in order to spread laterally within corporate environments.
The multitude of spreading mechanisms ensures this ransomware is far more versatile in propagating than WannaCry, with the ability to infect remote systems patched against the MS17-010 vulnerability. Importantly, this attack lacks a remote kill switch that significantly limited the impact and spread of WannaCry.
N̶o̶t̶e̶:̶ t̶h̶e̶r̶e̶ i̶s̶ s̶o̶m̶e̶ d̶i̶s̶c̶u̶s̶s̶i̶o̶n̶ a̶b̶o̶u̶t̶ w̶h̶e̶t̶h̶e̶r̶ t̶h̶i̶s̶ m̶a̶l̶w̶a̶r̶e̶ s̶h̶o̶u̶l̶d̶,̶ i̶n̶ f̶a̶c̶t̶,̶ e̶v̶e̶n̶ b̶e̶ c̶o̶n̶s̶i̶d̶e̶r̶e̶d̶ r̶a̶n̶s̶o̶m̶w̶a̶r̶e̶,̶ r̶a̶t̶h̶e̶r̶ t̶h̶a̶n̶ a̶ w̶i̶p̶e̶r̶.̶ W̶e̶ a̶r̶e̶ c̶o̶n̶t̶i̶n̶u̶i̶n̶g̶ t̶o̶ r̶e̶s̶e̶a̶r̶c̶h̶ i̶n̶ t̶h̶i̶s̶ a̶r̶e̶a̶. UPDATE: 07/06/17: After further research, we have concluded that the primary intention of “Petya-like” was in fact to cause data-loss, by encrypting files with an irretrievable key and performing irreversible damage to critical areas of the filesystem. We’ll be posting an additional technical blog with our new findings early next week, and we’ve uncovered quite a bit of unexpected behavior from this Petya-like ransomware.
Delivery, Propagation and Behavior
There is widespread speculation on the initial attack vector, including a compromised update package for a Ukrainian financial software and a phishing attack. Microsoft confirmed a direct link to the updater process and a few of the active infections. The documents in the supposed email phishing attack can be traced to a gist started in response to the ransomware attack. We’ve analyzed the documents and they are not related.
Regardless of the attack vector, the malware is in the wild and we have confirmed that it contains multiple mechanisms to propagate. The malware will attempt to enumerate subnets configured via DHCP, scan those networks and then attack the found hosts with a number of techniques.
The malware includes SMB exploits uncovered in the Shadow Brokers dump similar to the WannaCry worm. In addition, the malware will attempt to steal credentials from the infected machine and use standard techniques to remotely logon to hosts found on the subnet. What this means is that as machines move from corporate networks, to home networks, to public, shared networks, there will be multiple ways this malware can jump from one machine to another.
The ransomware itself arrives as a Win32 DLL file named perfc.dat, which is 353.9KB in size and is launched via rundll32.exe. The DLL purports to have been compiled on 2017/06/18, and is signed using a fake Microsoft certificate that fails to validate:
Figure 1. Invalid Signature of Ransomware
Once active, the ransomware performs several installation steps, including enabling various privileges (SeDebugPrivilege, SeTcbPrivilege, SeShutdownPrivilege), enumerating running processes, reading itself into heap memory and creating a new running instance. From there, it attempts to create a file named perfc under the Windows directory, and will terminate if the file already exists (the so called “vaccine”).
During the installation phase, the malware checks for the following active processes:
• avp.exe (Kaspersky)
• ccSvcHst.exe (Symantec Enterprise)
• NS.exe (Norton Security)
Figure 2. AV Process Detection
̶I̶f̶ i̶t̶ d̶i̶s̶c̶o̶v̶e̶r̶s̶ a̶v̶p̶.̶e̶x̶e̶ p̶r̶e̶s̶e̶n̶t̶ o̶n̶ a̶ s̶y̶s̶t̶e̶m̶,̶ i̶t̶ w̶i̶l̶l̶ f̶o̶r̶g̶o̶ i̶n̶f̶e̶c̶t̶i̶o̶n̶ o̶f̶ t̶h̶e̶ M̶B̶R̶. UPDATE 7/6/17: If it discovers avp.exe active on the system, it will forgo infection of the MBR and instead wipe the first 10 sectors of the hard drive, rendering the system unbootable. If either of the other processes are found, it will forgo network propagation.
Next the ransomware schedules a task, designed to reboot the system after a random amount of time has elapsed (ten minutes or more):
Figure 3. Create Shutdown Service
In order to facilitate lateral movement via WMIC and PsExec, the malware is bundled with two password dumpers (for both 32/64-bit architectures) that it drops to disk (as a .tmp file under %TEMP%) and then executes. Credentials are harvested from lsass.exe, and fed back to the parent process via a named pipe. Afterwards, it enumerates subnets defined on the DHCP server via the DhcpEnumSubnets() API, and then uses the response to scan each subnet by attempting to connect to ports 139 and 445 (TCP). If it gains a successful connection, it will attempt to copy itself to a remote share on the system:
Figure 4. Copying Itself to admin$ Share
Once copied, it will then use any harvested credentials in conjunction with PsExec (dropped as dllhost.dat under either %WINDOWS% or %COMMONAPPDATA%) or WMIC to remotely execute. In addition, the malware will also attempt to spread laterally to systems using the EternalBlue (confirmed) and EternalRomance (we have not confirmed this but has been noted by others; we will continue our research here) exploits:
Figure 5. Spreading via SMB Utilizing EternalBlue Exploit
Figure 6. Spreading via WMIC
The ransomware then proceeds to drop additional components and install itself in the Master Boot Record (MBR), prior to launching a thread to encrypt files on all fixed drives. Encryption is performed using a random 128-bit AES key, which is subsequently encrypted with the attackers 2048-bit RSA public key prior to being stored. Files are overwritten directly and not replaced with a new file extension, and the following extensions are targeted:
.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc
.docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php
.pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk
.vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip
Finally, the malware wipes the Setup, System, Security and Application event logs and deletes the NTFS USN change journal, prior to the system rebooting.
Once the system reboots the following ransom note is displayed:
Send your Bitcoin wallet ID and personal installation key to e-mail
Ooops, your important files are encrypted.
If you see this text, then your files are no longer accessible, because
they have been encrypted. Perhaps you are busy looking for a way to recover
your files, but don't waste your time. Nobody can recover your files without
our decryption service.
We guarantee that you can recover all your files safely and easily.
All you need to do is submit the payment and purchase the decryption key.
Please follow the instructions:
Send $300 worth of Bitcoin to following address:
Figure 7. Encryption Screen
Figure 8. Ransom Screen
While inspired by WannaCry and Petya, the consensus is that the malware payload contains enough unique features to say that it’s a new malware strain, unlike those that came before it.
The malware uses several of the techniques used by previous ransomware variants including the SMB exploit seen in the WannaCry outbreak and the MBR infection technique used by Petya. In addition, we’ve observed the malware attempting to spread with an embedded version of PSExec and also by remotely invoking WMIC.
Our Threat Guidance team will continue researching this Petya-like ransomware and provide further technical detail in the coming days.
If you use our endpoint protection product CylancePROTECT®, you were already protected from this attack. You can watch CylancePROTECT in action blocking this ransomware here. If you don't have CylancePROTECT, contact us to learn how our AI-driven solution can predict and prevent unknown and emerging threats.
Indicators of Compromise (IoCs)
02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f (x86 Password dumper)
eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998 (x64 Password dumper)