On June 27th, 2017, we became aware of a new variant of the Petya ransomware that is spreading over the Microsoft Windows SMB protocol. The malware appears to use the ETERNALBLUE exploit tool to accomplish this. This is the same exploit the WanaCrypt0r/WanaCry malware used to spread globally in May 2017. Multiple organizations have reported network outages, including government and critical infrastructure operators.
Palo Alto Networks will update shortly with full details on preventing Petya for customers. Windows users should take the following general steps to protect themselves:
- Apply security updates in MS17-010
- Block inbound connections on TCP Port 445
- Create and maintain good back-ups so that if an infection occurs, you can restore your data.
This is a developing situation, and we will update this blog as new information becomes available. AutoFocus users can view samples using the Petya tag.
Attack Overview
Petya is a ransomware family that works by modifying the Windows system's Master Boot Record (MBR), causing the system to crash. When the user reboots their PC, the modified MBR prevents Windows from loading and instead displays an ASCII ransom note demanding payment from the victim (Figure 1).
Figure 1: Latest Petya Ransom note displayed on a compromised system.
The latest version of the Petya ransomware is spreading over Windows SMB and is reportedly using the ETERNALBLUE exploit tool, which exploits CVE-2017-0144 and was originally released by the Shadow Brokers group in April 2017.
After the system is compromised, the victim is asked to send US $300 in Bitcoin to a specific Bitcoin address and then send an e-mail containing the victim's Bitcoin wallet ID to wowsmith123456@posteo[.]net to retrieve their individual decryption key. As of 16:00 UTC on Jun 27th, 13 payments had already been made to the attacker's wallet.
Ransomware Attack Lifecycle
We are aware of the following information about how the Petya attack lifecycle works.
Delivery/Exploitation
We have not yet confirmed the initial infection vector for this new Petya variant. Previous variants were spread through e-mail, but we have not identified this latest sample being carried in any e-mail-related attacks.
Users may be infected through direct exploitation of CVE-2017-0144 if their host is accessible from the internet on TCP port 445 and has not been updated with the patches included in MS17-010.
Installation
This variant of Petya is spread as a DLL file, which must be executed by another process before it takes action on the system. Once executed, it overwrites the Master Boot Record and creates a scheduled task to reboot the system. Once the system reboots, the malware displays a ransom note which demands a payment of $300 in bitcoin.
Command and Control
Petya contains no Command and Control mechanisms that we know of. After a host is infected, there is no communication from the malware back to the attacker.
Lateral Movement
Petya may spread to other hosts directly using SMB or through the ETERNALBLUE exploitation tool.
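As an added example (not code from the original post or from Palo Alto Networks), the following Python script shows one way to check firewall logs for the two exposures described under Delivery/Exploitation and Lateral Movement: internet-reachable hosts accepting connections on TCP port 445, and an internal host opening SMB connections to many peers, as a worm would. The log format, the internal address ranges, the sample log lines and the threshold are all assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Internal address space as the defender defines it (assumption: RFC 1918 ranges)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORT = 445
SCAN_THRESHOLD = 4  # distinct internal SMB targets from one source before flagging

# Constructed sample firewall log lines (not from the original post).
# Format: timestamp src_ip dst_ip proto dst_port action
SAMPLE_LOG = """\
2017-06-27T14:02:11Z 203.0.113.45 10.0.0.12 tcp 445 allow
2017-06-27T14:02:12Z 10.0.0.12 10.0.0.13 tcp 445 allow
2017-06-27T14:02:12Z 10.0.0.12 10.0.0.14 tcp 445 allow
2017-06-27T14:02:13Z 10.0.0.12 10.0.0.15 tcp 445 allow
2017-06-27T14:02:13Z 10.0.0.12 10.0.0.16 tcp 445 allow
2017-06-27T14:02:20Z 10.0.0.30 10.0.0.5 tcp 445 allow
2017-06-27T14:02:21Z 198.51.100.7 10.0.0.12 tcp 443 allow
"""

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line):
    ts, src, dst, proto, port, action = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(), "port": int(port), "action": action.lower()}

def analyze(log_text, threshold=SCAN_THRESHOLD):
    """Return (exposed, scanners): exposed lists allowed external->internal TCP/445
    connections (hosts reachable for MS17-010 exploitation from the internet);
    scanners maps an internal source to the number of distinct internal hosts it
    reached on TCP/445, kept only when that count meets the threshold."""
    exposed, targets = [], defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "tcp" or rec["port"] != SMB_PORT or rec["action"] != "allow":
            continue
        src_int, dst_int = is_internal(rec["src"]), is_internal(rec["dst"])
        if dst_int and not src_int:
            exposed.append((rec["ts"], str(rec["src"]), str(rec["dst"])))
        elif src_int and dst_int:
            targets[rec["src"]].add(rec["dst"])
    scanners = {str(s): len(d) for s, d in targets.items() if len(d) >= threshold}
    return exposed, scanners
```

Running `analyze(SAMPLE_LOG)` on the constructed log flags the one internet source that reached an internal host on TCP/445 and the one internal host that opened SMB connections to four peers within seconds; the connection on port 443 is ignored.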
Conclusion
Ransomware attacks are very common, but they are rarely coupled with an exploit that allows the malware to spread as a network worm. The WannaCry attacks in May 2017 demonstrated that many Windows systems had not been patched for this vulnerability. The spread of Petya using this vulnerability indicates that many organizations may still be vulnerable, despite the attention WannaCry received.