New Variant of Petya Ransomware Spreading Like Wildfire

The world woke up today to another ransomware outbreak wreaking havoc throughout companies’ networks. This time, the family causing the fuss is Ransomware Petya, a nasty variant that encrypts files and the computer’s master boot record (MBR), rende…

The world woke up today to another ransomware outbreak wreaking havoc throughout companies’ networks. This time, the family causing the fuss is Ransomware Petya, a nasty variant that encrypts files and the computer’s master boot record (MBR), rendering the machine unusable.

Ransomware Petya has been around since at least March 2016 and differs from usual ransomware families because it encrypts a system’s MBR in addition to encrypting files. This double stroke renders the disk inaccessible and prevents most users from recovering anything on it.

The new variant found today has further increased its nastiness by adding a spreading mechanism similar to what we saw in WannaCry just a few weeks ago. Petya comes as a Windows DLL with only one unnamed export, and uses the same Eternal Blue exploit when it attempts to infect remote machines, as we can see below:

In the preceding image we can see the typical transaction occurring right before the exploit is sent—as we discussed in our WannaCry blog.

Once the exploit succeeds, the malware copies itself to the remote machine under C:\Windows, and starts itself using rundll32.exe. The process is executed under lsass.exe, the Windows process injected by the Eternal Blue exploit.

Because the WannaCry outbreak caused many people to apply all the latest Windows patches, Petya introduces a few more spreading mechanisms to be more successful. The next method Petya attempts is to copy itself and a copy of psexec.exe to the remote machine’s ADMIN$ folder. If it is successful, the malware attempts to start psexec.exe using a remote call to run it as a service, as we can see below:

The preceding image first shows the DLL being copied to the remote host. And the following image shows psexec being copied and then attempting to start it using the svcctl remote procedure call.

Both files are copied to the C:\Windows folder.

One last method attempted by the malware is to use the Windows Management Instrumentation Command-line (WMIC) to execute the sample directly on the remote machine, using stolen credentials. The command used by the malware looks like this:

  • exe %s /node:”%ws” /user:”%ws” /password:”%ws” process call create “C:\Windows\System32\rundll32.exe \”C:\Windows\%s\” #1

where “%ws” is a variable representing a wide string, which will be generated based on the current machine and credential being exploited.

Once the malware runs on the machine, it will drop psexec.exe to the local system as c:\windows\dllhost.dat, and another .EXE (either 32- or 64-bit version depending on the operating system) to the %TEMP% folder. This binary is a modified version of a password dump tool, similar to Mimikatz or LSADump.

The preceding code shows the LSA functions used during password extraction.

This .EXE accepts as parameter a PIPE name similar to the following:

  • \\.\pipe\{df458642-df8b-4131-b02d-32064a2f4c19}

This pipe is used by the malware to receive the stolen passwords, which are then used by the WMIC shown above.

All these files are present in the resource section of the main DLL in a compressed form, as follows:

The malware then encrypts local files and the MBR, and installs a scheduled task to reboot the machine after one hour using schtasks.exe, as seen below:

The encryption used by the malware is AES-128 with RSA. This is different from previous variants, which used SALSA20. The RSA public key used to encrypt the file encryption keys is hardcoded and can be seen below:

The malware also attempts to clear Event logs to hide its traces, by executing the following commands:

  • wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:

After the machine is rebooted, the ransom message appears and demands US$300 in Bitcoins:

At this moment there are few transactions to this account, but this could change quickly once more people start to notice they are infected:

We will update this blog as more information arrives. For now, McAfee product users with McAfee ENS 10.5 and WSS should be protected from known samples if their products are up to date and by McAfee Global Threat Intelligence. (This Knowledge Center article has more information.) McAfee ATP detects both the main DLL as well as the dropped EXE, as seen below:

Detection for the main DLL is shown above, and for the sample dropped in %TEMP% is shown below:

Indicators of compromise

Known hashes

  • 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 (main 32-bit DLL)
  • 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1 (main 32-bit DLL)
  • f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5 (signed PSEXEC.EXE)
  • 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f (64-bit EXE)
  • eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998 (32-bit EXE)

Files

  • c:\windows\dllhost.dat
  • c:\windows\<malware_dll> (no extension)
  • %TEMP%\<random name>.tmp (EXE drop)

Other indicators

  • PIPE name: \\.\pipe\{df458642-df8b-4131-b02d-32064a2f4c19}
  • Scheduled task running “shutdown -r -n”

 

The post New Variant of Petya Ransomware Spreading Like Wildfire appeared first on McAfee Blogs.