Reports earlier today describe the spread of a fast-moving worm distributing the well-known ransomware Petya, targeting Ukrainian infrastructure (power, transportation, finance) and other large companies around the world. It later came to light that this attack may not be a variant of Petya at all but an entirely new kind of ransomware, which is why it is also being called NotPetya. Whatever the name, the findings indicate an ongoing campaign with attack vectors similar to the WannaCry outbreak in May 2017, leading experts to believe it is the next evolution in a possible series of attacks that will continue to affect companies around the world.
Screenshots of Petya/NotPetya:
Ransomware detection from JASK’s product:
Initial reports in the community suggest the EternalBlue exploit may be present in some of the researched samples. This would enable the ransomware payload to spread rapidly and aggressively. Lateral movement by this route, however, only occurs where the targeted environment is not patched.
Other reports indicate that the main attack vector is phishing: an MS Office file that downloads the malicious payload once the user has opened it and enabled macros. Some of the code reported shows PowerShell syntax downloading an executable, and other code snippets show lateral movement using PowerShell.
It is important to clarify that even if your systems are patched, some ransomware versions will use compromised user credentials to search, probe, copy, and execute the malicious payload with whatever rights that user holds. Spreading and infestation therefore remain possible, but are limited to the compromised user's credentials and rights on the targeted shares.
These versions of the malicious code appear to use EternalBlue in some cases and, in others, extract credentials from compromised systems to move laterally and spread the infestation further. In addition, there are reports of more than one variant of the malicious code currently in play, which makes it more difficult for affected companies to detect and remediate.
A quick check on Blockchain.info indicates several payments have been made to the bitcoin address related to this attack, https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX. The email address referenced in the ransom message, hosted on Posteo, has apparently been disabled, preventing the actors behind the attack from receiving communications and making it even more difficult to obtain any kind of decryption key.
Current consistent indicators suggest this ransomware campaign is based on the following vectors:
- Malicious document delivered via email
- PowerShell code downloads the malicious payload
- User must open the file and allow execution
- Malicious file mimics Petya ransomware signatures
- Malicious code probes for shares adjacent to the victim machine, possibly also checking whether EternalBlue execution is possible. If successful, it copies, writes, and executes the ransomware payload on every reachable share. If privileges are high (admin), the code encrypts the MBR; if not, it encrypts specific files.
- In other instances, the malicious code uses the credentials of the compromised user/machine and writes only to those shares the user has privileges on
- Machine is rebooted via a scheduled task
- Messages are presented on screen.
JASK technology already has the capability to detect this type of ransomware attack, as this version uses methods similar to WannaCry. JASK can also detect malicious file downloads and unusual SMB share access. This attack is more targeted than WannaCry and seems to specifically target infrastructure companies. The code is also more versatile than WannaCry, as it checks for EternalBlue or spreads via the SMB rights of the compromised user.
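To show what "unusual SMB share access" detection can look like for the chain described above (share fan-out from one host, then a scheduled reboot), here is an added example that is not JASK's code or the original post's. The log record format, field names, window and threshold are assumptions, and the records are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not from the original post), in the shape a
# collector might emit for SMB file writes and scheduled-task creation.
SAMPLE_LOGS = """\
2017-06-27T10:00:01 smb_write src=10.0.0.5 dst=10.0.0.7 share=finance user=alice
2017-06-27T10:00:03 smb_write src=10.0.0.5 dst=10.0.0.8 share=projects user=alice
2017-06-27T10:00:04 smb_write src=10.0.0.5 dst=10.0.0.9 share=backup user=alice
2017-06-27T10:00:06 smb_write src=10.0.0.5 dst=10.0.0.10 share=public user=alice
2017-06-27T10:00:07 smb_write src=10.0.0.5 dst=10.0.0.11 share=shared user=alice
2017-06-27T10:00:09 task_create src=10.0.0.5 task=reboot cmd="shutdown /r /f" user=alice
2017-06-27T10:30:00 smb_write src=10.0.0.20 dst=10.0.0.7 share=finance user=bob
2017-06-27T11:45:00 smb_write src=10.0.0.20 dst=10.0.0.8 share=projects user=bob
"""

LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")

def parse(line):
    """Split a record into (timestamp, event type, key=value fields)."""
    ts, event, rest = LINE_RE.match(line).groups()
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest)}
    return datetime.fromisoformat(ts), event, fields

def detect_lateral_spread(log_text, window=timedelta(minutes=5), fanout=5):
    """Flag a source host that writes to >= `fanout` distinct hosts' shares within
    `window` (medium). If the same host then schedules a reboot, raise to high:
    that is the final step of the chain listed above."""
    recent = defaultdict(deque)  # src -> (ts, dst) pairs inside the window
    alerts = {}
    for line in log_text.strip().splitlines():
        ts, event, f = parse(line)
        src = f["src"]
        if event == "smb_write":
            q = recent[src]
            q.append((ts, f["dst"]))
            while q and ts - q[0][0] > window:  # drop writes older than the window
                q.popleft()
            targets = {dst for _, dst in q}
            if len(targets) >= fanout:
                alerts.setdefault(src, {"severity": "medium", "targets": set()})
                alerts[src]["targets"] |= targets
        elif event == "task_create" and "shutdown" in f.get("cmd", "").lower():
            if src in alerts:  # reboot task after fan-out: escalate
                alerts[src]["severity"] = "high"
    return alerts

if __name__ == "__main__":
    for src, a in detect_lateral_spread(SAMPLE_LOGS).items():
        print(src, a["severity"], sorted(a["targets"]))
```

Tune `window` and `fanout` to your environment's normal share-access baseline; a backup server or deployment host will legitimately write to many hosts and needs an allow-list.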
- US-Cert Ransomware prevention/mitigation info
- US-Cert Petya bulletin
- Petya IOCs & Yara Rules
- IBM X-Force Snort signatures
- JASK Eternal Blue & WannaCry detection