So the big news that hit us on the 27th June 2017 was the #PetrWrap strain of ransomware, so far reports are that 2,000 companies were affected across Russia, Ukraine, Britain, France, Germany, Italy, Poland and the US. Household companies were affected and this comes just 6 weeks after we seen #wannacry explode on to the news scene.
“So what do we know so far?”
So lets rewind, we seen a new strain of ransomware emerge in 2016 called SamSam which took advantage of un patched network vulnerabilities, this was one of the first strains of ransomware where we could see it hunting across the network on its own. This was concerning and #wannacry woke the world up to these exploits which was well documented in May 2017.
So what is #PetrWrap also known as Golden eye & Nyetya, at first look it seems to leverage the exploit eternal blue and WMI for lateral movement inside an infected network. The initial attack vector has not yet been confirmed with many believing it is email but it is not 100% as of yet. Reports are out that the attack originated from a Ukrainian accounting software company who were compromised.
Compromised files have a file named “perfc.dat” dropped on them this seems to be the key to further compromise the system and contains a single un named export function. This library attempts to do the following:
- Gain admin privelleges (seShutdownPrivilege and SeDebugPrivilege) for the current user through Windows API Adjust token.
- If the above is successful it will overwrite the master boot record (MBR) on the disk drive identified in Windows as Physical drive 0.
- We have seen ransomware before attempting to overwrite MBR’s but this one is certainly the largest, what it does it removes the need to encrypt all files one by one but simple overwrites the MBR and encrypts the master file table so the OS cannot read the file system.
- We have seen this mechanism before in #CryptoWall4 back in 2016
- It then builds a scheduled task to reboot the system in one hour
- The Malware then enumerates all visible machines on the network via the NetServerEnum and then scans for TCP port 139, this is done to build a list of possible infection targets.
The Malware has 3 mechanisms used to propagate once a device is infected:
- Eternal Blue – same as #wannacry
- Psexec – Windows Admin tool
- WMI – Windows admin tool
The 3 mechanisms above are to attempt and installation and execution of perfc.dat on other devices within the infected network.
If you did not patch with MS17-010 then of course Eternal blue will be used as the exploit vector. Psexec is used to execute the following instruction (w,x,y,z) is where the IP address sits:
WMI is used to execute the following command which performs the same functyion as above but using the current username and password (We do not know how the users credentials are accessed and entered in to this command).
Once the host is successfully compromised the malware will encrypt files on the host using 2048 RSA encryption.
How can you detect this?
If you are using Malware protection, scanning, IPS systems etc. you should be able to see a few tel tale signs such as the below:
- Alert: Microsoft Windows SMB remote code execution attempt
- Specially crafted SMB messages may be sent to execute a vulnerability within a Windows SMB service.
- Symantec Link
- Alert: Microsoft Windows SMB anonymous session IPC shares access attempt
- Alert: Microsoft Windows SMB-DS Trans Unicode Max Param/Count OS-Windows Attempt
I am sure there will be a more detailed analysis coming with #PetrWrap and I will cover this once it is out.
Update how to Stop #PetrWrap
Security researchers appear to have found a kill switch to stop a machine being infected, simply create a read only file in C:\Windows and the ransomware cannot infect that computer. NOTE this does not STOP the ransomware from spreading to other machines.
Please comment, like, share.
Note research and comments taken from http://www.talosintelligence.com live blog