Beyond WannaCry: The NotPetya Ransomware attack

Reports earlier today describe the spread of a widespread infectious worm distributing the well-known ransomware Petya, targeting Ukrainian infrastructure (power, transportation, finance) and other large companies around the world. It later came to light that this attack may not be a variant of Petya at all but an entirely new kind of ransomware attack, which led to it also being called NotPetya. Whatever the name, the findings indicate an ongoing campaign with attack vectors similar to the WannaCry infestation in May 2017, leading experts to believe it is the next evolution in a possible series of attacks that will continue to affect companies around the world.

Screenshots of Petya/NotPetya:

Ransomware detection from JASK's product:

Initial reports in the community suggest the EternalBlue exploit may be present in some of the researched samples. This would enable the ransomware payload to spread rapidly and aggressively. Further lateral movement by this route would only occur if the targeted environment is not patched.

Other reports indicate that the main attack vector is phishing: an MS Office file that proceeds to download the malicious payload once the user has opened it and enabled macros. Some of the reported code shows PowerShell syntax downloading an executable, and other code snippets show lateral movement using PowerShell.

It is important to clarify that even if your systems are patched, some ransomware versions will use compromised user credentials to search, probe, copy, and execute the malicious payload based on the rights granted to that user. This means spreading and infestation are still possible, but limited to the user's credentials and rights on the targeted shares.

These versions of malicious code seem to be using EternalBlue in some cases and, in others, extracting credentials from compromised systems to move laterally and spread the infestation further. In addition, there are reports of more than one variant of the malicious code currently in play, which makes it more difficult for affected companies to detect and remediate.

A quick check on Blockchain.info indicates several payments have been made to the bitcoin address related to this attack, https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX. The email address referenced in the ransom message, hosted on Posteo, has apparently been disabled, preventing the actors behind the attack from receiving communications and making it even more difficult to obtain any kind of decryption key.

Current consistent indicators suggest this ransomware campaign is based on the following vectors:

  • Malicious document delivered via email
  • PowerShell code downloads the malicious payload
  • The user must open the file and allow execution
  • The malicious file mimics Petya ransomware signatures
  • The malicious code probes for shares adjacent to the victim machine and possibly checks whether EternalBlue can be executed. If successful, it proceeds to copy, write and execute the ransomware payload on every share. If privileges are high (admin), the code encrypts the MBR; if not, it encrypts specific files.
  • In other instances, the malicious code uses the credentials of the compromised user/machine and only writes to shares where that user has privileges
  • The machine is rebooted via a scheduled task
  • Ransom messages are presented on screen.

JASK technology already has the capability to detect this type of ransomware attack, as this version uses methods similar to WannaCry. JASK can also detect malicious file downloads and unusual SMB share access. This attack is more targeted than WannaCry and seems to specifically target infrastructure companies. The code is also more versatile than WannaCry, as it checks for EternalBlue or spreads via the SMB rights of the compromised user.

Mitigations:

US-Cert Ransomware prevention/mitigation info

US-Cert Petya bulletin

Petya IOCs & Yara Rules

IBM X-Force Snort signatures

JASK Eternal Blue & WannaCry detection


WannaCry Ransomware spreading leveraging MS17-010

The ransomware strain "Wanna Decryptor 2.0", aka "WannaCry", is currently on a devastating run, reportedly taking several NHS hospital networks in the United Kingdom offline, and other major organizations in Europe are also reporting ransomware infections.

The JASK Labs team's initial research shows the actors have repurposed the recently leaked (ShadowBrokers) zero-day vulnerability MS17-010 in the Microsoft SMB protocol. Remember that this vulnerability originated as a purportedly leaked NSA offensive tool, "EternalBlue", and has now been completely weaponized by criminal malware gangs for ransomware campaigns.

Here is a YouTube video showing the WannaCry ransomware in action:

https://m.youtube.com/watch?feature=youtu.be&v=T062Ke10jpY

If you recall from our earlier blog post, we did a fairly extensive run-down on EternalBlue and already offered coverage in our product for MS17-010 back when those details first emerged. Beginning today, JASK has added coverage for WannaCry in JASK Trident. ***UPDATE: WannaCry is also installing the DoublePulsar backdoor as it spreads.***

So if you're wondering how WannaCry is getting into your network and how exactly it is using EternalBlue, see the following detailed breakdown:

  1. The initial attack vector is simple phishing: a first-stage exploit is sent via email, either as an HTML/JS attachment or as a PDF with links to an exploit kit (details coming soon).
  2. The second stage drops WannaCry and an EternalBlue variant, which starts scanning and exploiting systems on the network laterally via the Windows SMB file-sharing protocol. This is dangerous (*worm-like behaviour*) because if the initial phishing victim is simply a Wi-Fi guest or a home computer connected to the office VPN, it quickly spreads to any vulnerable Windows server or workstation on the network!
  3. Encryption (ransomware) routines aggressively start on any machine compromised by EternalBlue, and hidden command-and-control traffic is stealthily routed through Tor via an onion address. This hides the traffic from typical DNS monitoring of C2 domains.

The good news is that if you use JASK Trident you have Tor detection and EternalBlue detection as default content. We detect Tor using advanced network analysis of metadata, which is a huge upgrade over the typical approach of tracking exit-node IP lists. Our approach is much more accurate and doesn't require updating... this in itself is a huge benefit that most other security products cannot or do not support when detecting Tor!

If you are not currently a JASK user, we recommend you leverage the following Snort/Suricata rule made by the IBM X-Force team and observe the WannaCry IOCs below.

alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)
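To see what the signature above actually keys on, here is an added Python illustration (not part of the original post and not the rule authors' code) that applies the rule's two content clauses, with their depth and distance modifiers, to a constructed SMB Echo response. The sample bytes are assembled here from the pattern rather than taken from a capture, and the flow/flowbits state is assumed to have been checked by the IDS beforehand.

```python
import struct

# Byte patterns copied from the rule's two content: clauses
CONTENT_1 = b"\x00\x00\x00\x31\xffSMB\x2b\x00\x00\x00\x00\x98\x07\xc0"
CONTENT_2 = b"JlJmIhClBsr\x00"  # 4a 6c 4a 6d 49 68 43 6c 42 73 72 00

def matches_eternalblue_echo_response(payload):
    """Apply the rule's content checks to one server-to-client TCP payload.
    The flow:from_server,established and flowbits:isset conditions are
    assumed to have been satisfied before this function is evaluated."""
    # depth:16 -> the 16-byte pattern must lie entirely within the first 16 bytes
    idx = payload.find(CONTENT_1, 0, 16)
    if idx == -1:
        return False
    # distance:0 -> the second pattern is searched from the end of the first match
    return payload.find(CONTENT_2, idx + len(CONTENT_1)) != -1

def build_sample_echo_response(data=b"JlJmIhClBsr\x00"):
    """Construct (not capture) an SMB1 Echo response carrying `data`, framed
    with a NetBIOS session header, for exercising the matcher above."""
    smb_header = (
        b"\xffSMB"              # SMB1 protocol identifier
        + b"\x2b"               # command: SMB_COM_ECHO
        + b"\x00\x00\x00\x00"   # NT status: success
        + b"\x98\x07\xc0"       # flags and flags2 bytes as they appear in the signature
        + b"\x00" * 20          # PIDHigh, signature, reserved, TID, PID, UID, MID
    )
    # WordCount=1, SequenceNumber, ByteCount, then the echoed data (49 bytes total)
    body = b"\x01" + struct.pack("<H", 1) + struct.pack("<H", len(data)) + data
    msg = smb_header + body
    # NetBIOS session header: 4-byte big-endian length, 0x31 for the signature's data
    return struct.pack(">I", len(msg)) + msg

if __name__ == "__main__":
    print(matches_eternalblue_echo_response(build_sample_echo_response()))
    print(matches_eternalblue_echo_response(build_sample_echo_response(b"hi\x00")))
```

Note that the NetBIOS length byte 0x31 is part of the first match, so the rule fires only on an echo of exactly that 12-byte string; a different echo payload changes the length and misses both clauses.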

We also recommend tracking Tor exit-node IPs as threat intel if that's the only viable way you can track Tor on your network; otherwise reach out to our team to get a JASK sensor set up quickly to ensure coverage here.

The following WannaCry network IOCs were observed in AlienVault's OTX community and deployed to all JASK customers running Trident.


If you would like to learn more about WannaCry or JASK, please contact our research team at [email protected]
