By Ori Bach, VP Product
Yet another major ransomware attack dubbed Petya, and also NotPetya :-), has emerged prominently this week and continues to cause problems in many companies and government offices in Ukraine and later around the world. This ransomware takes advantage of the same EternalBlue exploit that was used by WannaCry in the earlier attack.
The best news, of course, is that TrapX customers are protected from the Petya attack if they have deployed DeceptionGrid™ integrated with automated breach containment
The malware has now spread across the world
Petya has reportedly been found at prominent companies such as aircraft maker Antonov, a major Russian oil producer Rosneft, British advertising agency WPP, the Danish shipping company Maersk, a hospital operator in Pennsylvania Heritage Valley Health System (this is still being confirmed as a Petya attack), the Spanish food company Mondelez which owns brands such as Oreo and Toblerone, the French construction company St. Gobain, pharmaceutical maker Merck, government offices and many more. Ukraine has been particularly hard hit. Concerning to our team, is that the Chernobyl nuclear power plant has been forced to monitor radiation levels manually after its Windows-based sensors were shut down.
Did the malware operators intend for it to spread globally?
The identification of the initial vector has proven challenging. Early reports of an email vector cannot be confirmed. Based on observed in-the-wild behaviors, the lack of a known, viable external spreading mechanism and other research we believe it is possible that some infections may be associated with software update systems for a Ukrainian tax accounting package called MeDoc. This appears to have been confirmed by MeDoc.
The choice of a software highly specialized to a specific market is the first indication of the prime target of the attackers.
Analysis of the malware provides additional insights into the intentions of its authors. For example one of the files that run the attack “34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d“ is coded to not run on computers only using the US-EN keyboard .This perhaps is motivated by the desire to exclude US and other English speaking countries from the attack.
Was the goal purely monetary?
In terms of the attack, the virus, which is still not sourced, exhibits expected behavior by freezing the user screens and demanding a Bitcoin ransom. You can see the status of payments for this attack so far globally by following this Bitcoin link (click a green box labeled BTS and all contents will convert to U.S. $ value):
While the sums collected at this point are not impressive security experts such as Tom Kellerman , have raised concern that the purpose of the attack may not be purely monetary.
Petya significantly more powerful then WannaCry
Petya is more advanced than WannaCry and enables a different set of techniques which are wrapped
around the original EternalBlue exploit
The most significant enhancement of Petya vs. Wannacry is the added ability to spread to computers that are immune to the EternalBlue exploit by scrapping credential from memory. This mimikatz like capability significantly expands the reach of the spread in the network beyond devices that can be patched against the EternalBlue exploit such as manufacturing , medical and PoS devices.
Additional technical data:
- There is a way to prevent the ransomware from executing using while placing the following path in the system: c:\windows\perfc
- The Exploit:
- The ransomware is using a variant of the EternalBlue exploit (used by WannaCry, patched with MS17-010), This exploit utilizes remote code execution which impacts Windows XP thru Windows 2008 systems.
- The exploit is using TCP port 445 and 139
- Additional indications of compromise ( IOC):
Other Public Data :
- https://twitter.com/IntezerLabs?s=09 – the ransomware is sharing a code with mimikatz . it tries to extract credentials from lsass.exe process and if credentials were successfully extracted, it uses PsExec or WMIC for distribution inside a network.
- http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html – more threat info
- https://t.co/jspmYEOtNn?amp=1 – more threat info
- https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX – Bitcoin Transaction of the cyber group
- https://virustotal.com/en/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/ – VT scan
This blog was written by TrapX in cooperation with PrimeObjective
If you have more questions, please do not hesitate to reach out to our