Several countries in Europe are reporting a significant ransomware campaign delivering a variant of the Petya ransomware. The attacks appear to target specific organizations; so far Ukraine’s national bank, Boryspil International Airport, Ukraine’s state power provider and a Danish shipping company have been reported as affected. Other reports of compromise are being investigated.
A ransom of USD 300 in Bitcoin is demanded per infected host. The Bitcoin wallet designated for ransom payment showed nine payments at the time of writing.
The initial infection vector is reported to be email-based: threat researchers describe a fake-résumé lure. Other social-engineering emails tailored to the targeted company may also be in use, in conjunction with CVE-2017-0199 (an Office/WordPad RTF remote code execution flaw), to deliver the Petya payload. Once the document is opened and Petya is installed, the ETERNALBLUE exploit is allegedly used to spread inside the affected organization by exploiting the SMBv1 vulnerability patched in MS17-010.
As this campaign progresses and more details become available, Symantec will continue to keep you updated with Threat Landscape Updates.
What is Ransomware? Ransomware is malicious software that encrypts files and locks a device, such as a computer, tablet or smartphone, and then demands a ransom to unlock it. Recently, a dangerous ransomware known as ‘Petya’ has been affecting computers worldwide in what has been described as a highly targeted ransomware attack. Computers in India have also been affected.
What is Petya Ransomware? Petya / Petrwrap / NotPetya / GoldenEye / ExPetr (the last name assigned by Kaspersky Lab) is ransomware that affects Microsoft Windows based systems. This outbreak, though smaller than the earlier WannaCry attack, has had a considerable impact. It is a new version of the previously known Petya ransomware. It demands a ransom of USD 300 worth of Bitcoin paid to a Bitcoin wallet, and the ransom note carries a contact email address hosted at Posteo (listed under Indicators of Compromise below).
What makes it dangerous? Unlike most other ransomware, it encrypts the Master File Table (MFT) of NTFS partitions. Each file on an NTFS volume is represented by a record in a special file called the MFT; if the MFT is encrypted or corrupted, the file system structure on the disk becomes unusable. It also overwrites the Master Boot Record (MBR) with a custom bootloader that displays a ransom note and prevents the victim from booting the computer. Once a machine is infected it is therefore in a complete state of lockdown, which makes this malware far more intrusive. By comparison, the WannaCry ransomware encrypted only files with specific extensions and left the operating system usable.
Also, unlike WannaCry, this ransomware has no kill switch. It can also steal login credentials and use them to spread laterally. This is of major concern if it lands on a machine where a user holds administrative privileges, because the harvested credentials are then valid on other hosts as well.
The email address mentioned above has been shut down by the provider, breaking the only channel through which decryption keys could be obtained for infected systems. This means that even after the ransom is paid (which is not recommended), there is no recourse to recover the infected machines.
What vulnerabilities are exploited? It uses the previously known SMBv1 vulnerability CVE-2017-0144 (EternalBlue), patched by Microsoft in MS17-010 (the same bulletin also covers CVE-2017-0143 and CVE-2017-0145 through CVE-2017-0148). As per various open source reports and the CERT-In advisory, it also uses the CVE-2017-0199 Office RTF vulnerability to download and run the Petya installer. It thus combines a client-based and a network-based attack.
How does it spread? Inside a network it propagates with the EternalBlue exploit (MS17-010). Initial infection comes from clicking links and downloading malicious files from the internet or email; these emails carry malicious Office documents that use the above-mentioned CVE-2017-0199 vulnerability to download and run the Petya installer. The installer then executes the SMB exploit (EternalBlue) against other computers on the same network: it scans the network for the SMB port, checks for the vulnerability and exploits it to inject the malware into the new machine, spreading widely across the network. It is also reported that the ransomware harvests login credentials from the infected host and reuses them with the WMIC and PsExec tools to execute itself on remote machines, so fully patched hosts can still be infected once one machine in the domain is compromised. Another infection vector is the software update mechanism of M.E.Doc, accounting software published by a little-known Ukrainian firm.
It is also reported to spread via the EternalRomance exploit, a remote code execution exploit against SMB on Windows XP through Windows Server 2008 systems, over TCP port 445.
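The WMIC/PsExec propagation described above leaves a recognisable trace in process-creation telemetry (the CommandLine and parent-process fields of Windows Security event 4688 or Sysmon event 1). The following is an added example, not code from this advisory or from any vendor, showing one way to screen such records for that pattern. The host names, user names, IP addresses and the sample command lines are constructed for illustration; the rundll32 invocation form mirrors publicly reported samples and is an assumption here rather than something this page states.

```powershell
# Added example (not part of the original advisory): flag process-creation
# records that match the WMIC / PsExec lateral-movement pattern.
function Test-PetyaLateralMovement {
    param(
        [Parameter(Mandatory)] [string]$CommandLine,
        [Parameter(Mandatory)] [string]$ParentImage
    )
    $reasons = @()

    # WMIC against a remote node with the 'process call create' verb:
    # remote execution using harvested credentials.
    if ($CommandLine -match '(?i)wmic(\.exe)?\s.*/node:' -and
        $CommandLine -match '(?i)process\s+call\s+create') {
        $reasons += 'wmic remote process creation'
    }
    # Plaintext credentials passed on the command line.
    if ($CommandLine -match '(?i)/user:' -and $CommandLine -match '(?i)/password:') {
        $reasons += 'credentials on command line'
    }
    # PsExec, or a renamed copy that still takes its switches against a UNC target.
    if ($CommandLine -match '(?i)psexec' -or
        ($CommandLine -match '\\\\[\w.-]+' -and $CommandLine -match '(?i)-accepteula')) {
        $reasons += 'psexec-style remote execution'
    }
    # Any reference to the perfc payload name (C:\Windows\perfc.dat in the advisory).
    if ($CommandLine -match '(?i)perfc(\.dat|\.dll)?\b') {
        $reasons += 'reference to perfc payload'
    }
    # rundll32 spawned by the WMI provider host or the PsExec service is the
    # receiving side of the same pattern.
    if ($ParentImage -match '(?i)(wmiprvse|psexesvc)\.exe$' -and
        $CommandLine -match '(?i)rundll32') {
        $reasons += 'rundll32 spawned by WMI/PsExec service'
    }
    [pscustomobject]@{ Suspicious = ($reasons.Count -gt 0); Reasons = $reasons }
}

# Constructed sample records (hosts, users, addresses and paths are invented).
$samples = @(
    @{ Host = 'WS-017'; Parent = 'C:\Windows\System32\cmd.exe'
       Cmd  = 'wmic.exe /node:"10.0.5.23" /user:"CORP\jdoe" /password:"Summer2017!" process call create "rundll32.exe C:\Windows\perfc.dat,#1 60"' },
    @{ Host = 'WS-023'; Parent = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
       Cmd  = 'rundll32.exe C:\Windows\perfc.dat,#1 60' },
    @{ Host = 'WS-004'; Parent = 'C:\Windows\explorer.exe'
       Cmd  = '"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" /n "C:\Users\asmith\Documents\budget.docx"' }
)

foreach ($s in $samples) {
    $r = Test-PetyaLateralMovement -CommandLine $s.Cmd -ParentImage $s.Parent
    if ($r.Suspicious) {
        Write-Warning ("{0}: {1}" -f $s.Host, ($r.Reasons -join '; '))
    } else {
        Write-Output ("{0}: no match" -f $s.Host)
    }
}
```

Run against the constructed samples, WS-017 is flagged for the WMIC remote execution, the command-line credentials and the perfc reference, WS-023 for the perfc reference and the rundll32 child of WmiPrvSE.exe, and WS-004 produces no match. In a real deployment the function would be fed from Get-WinEvent or the SIEM rather than an inline list, and the credential check alone is worth keeping regardless of this campaign.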
What is its impact? So far the malware has been most prevalent in Ukraine. Incidents have also been reported in Russia, the United Kingdom, the US, France, Norway, Israel, Poland, Germany, Italy, Belarus, Lithuania and India. It has affected businesses across multiple sectors, including banks, telecom companies, metro railways, airports, power plants, oil plants, pharmaceutical companies, government departments, logistics companies, food conglomerates and law firms. It has also led to the shutdown of shipping terminals around the world. At least 2,000 machines were reported infected worldwide at the time of writing.
How to prevent infection? Users and administrators are advised to take the following preventive measures to protect their computer networks from ransomware infection / attacks:
- Apply the patches for Windows systems released in Microsoft Security Bulletin MS17-010 (https://technet.microsoft.com/library/security/MS17-010) and keep current with the monthly security updates; the June 2017 Security Update release notes are at https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/40969d56-1b2a-e711-80db-000d3a32fc99. Also confirm that the fix for CVE-2017-0199, which Microsoft released with the April 2017 security updates, is installed on every system running Office or WordPad.
- Restrict execution of PowerShell, WSCRIPT, PsExec and WMIC in the enterprise environment to the users and hosts that need them. Ensure the latest version of PowerShell (currently v5.0) is installed and in use, with enhanced logging enabled: module logging, script block logging and transcription. Send the associated logs to a centralized log repository for monitoring and analysis.
- Create the read-only file C:\Windows\perfc.dat on computers. This vaccine file prevents the file-scrambling part of the ransomware from running on that host, but it does not stop the malware from spreading across the network.
- Apply Microsoft’s out-of-band MS17-010 patch for unsupported versions such as Windows XP, Vista, Server 2003 and Server 2008 (http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598)
- To prevent data loss, users and organisations are advised to take backups of critical data, keep at least one copy offline or otherwise unreachable from the network (malware that moves laterally can reach online shares), and verify that the backups restore
- Block SMB ports on enterprise edge/perimeter network devices (UDP 137 and 138, TCP 139 and 445) and disable SMBv1 on hosts (https://support.microsoft.com/en-us/help/2696547)
- Restrict TCP ports 139 and 445 traffic to where it is absolutely needed using router ACLs
- Use private VLANs if your edge switches support this feature
- Use host based firewalls to limit communication on TCP ports 139 and 445, especially between workstations
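The host-side items in the list above (the MS17-010 patch check, disabling SMBv1, the perfc.dat vaccine file, host-firewall limits on TCP 139/445 and PowerShell logging) can be applied to a single workstation with one script. The following is an added example and is not code from this advisory or from Microsoft. It assumes an elevated PowerShell 5.0 session on Windows 8.1/Server 2012 R2 or later (for the *-NetFirewallRule cmdlets); the KB list, the workstation subnets and the transcript share are assumptions to be adjusted for your estate, and the extra vaccine names perfc and perfc.dll go beyond what the advisory lists.

```powershell
# Added example (not part of the original advisory): host hardening against
# the Petya/NotPetya propagation paths. Run in an elevated PowerShell.

# 1. MS17-010 patch check. The KB list is an assumption and not exhaustive;
#    later cumulative updates supersede these, so an absent KB is a prompt to
#    verify with patch management or a vulnerability scanner, not proof of exposure.
$Ms17010Kbs = 'KB4012598','KB4012212','KB4012215','KB4012213','KB4012216',
              'KB4012214','KB4012217','KB4012606','KB4013198','KB4013389'
$found = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($found) { Write-Output "MS17-010 update present: $($found.HotFixID -join ', ')" }
else        { Write-Warning 'No known MS17-010 KB installed; verify patch level before this host rejoins the network' }

# 2. Disable the SMBv1 server component (registry method from KB2696547; reboot to apply).
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force

# 3. Vaccine file: read-only C:\Windows\perfc.dat as the advisory recommends.
#    'perfc' and 'perfc.dll' are added as an assumption; they are harmless if unneeded.
foreach ($name in 'perfc.dat', 'perfc', 'perfc.dll') {
    $path = Join-Path $env:SystemRoot $name
    if (-not (Test-Path $path)) { New-Item -Path $path -ItemType File | Out-Null }
    Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
}

# 4. Host firewall. A workstation does not need to serve SMB/NetBIOS to other
#    workstations, so block inbound 137-139/445 from the workstation subnets.
#    This does not touch the workstation's own (outbound) access to file servers.
#    Block rules beat allow rules in the Windows firewall, so keep -RemoteAddress
#    scoped rather than 'Any' if management hosts still need inbound SMB.
$workstationSubnets = '10.0.20.0/24', '10.0.21.0/24'   # assumption
foreach ($rule in @(
        @{ Name = 'Block inbound SMB from workstations (TCP)';     Proto = 'TCP'; Ports = 139, 445 },
        @{ Name = 'Block inbound NetBIOS from workstations (UDP)'; Proto = 'UDP'; Ports = 137, 138 })) {
    if (-not (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound -Action Block `
            -Protocol $rule.Proto -LocalPort $rule.Ports `
            -RemoteAddress $workstationSubnets -Profile Any | Out-Null
    }
}

# 5. PowerShell logging through the same policy keys Group Policy writes:
#    module logging (event 4103), script block logging (event 4104) and
#    transcription. Forward Microsoft-Windows-PowerShell/Operational and the
#    transcript share to the central log repository.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name EnableModuleLogging -Type DWord -Value 1
Set-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*'
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Type DWord -Value 1
New-Item -Path "$psPolicy\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\Transcription" -Name EnableTranscripting -Type DWord -Value 1
Set-ItemProperty -Path "$psPolicy\Transcription" -Name EnableInvocationHeader -Type DWord -Value 1
Set-ItemProperty -Path "$psPolicy\Transcription" -Name OutputDirectory -Value '\\logserver\pstranscripts$'   # assumption
```

Two caveats worth keeping in mind: the vaccine file and the firewall rules reduce the blast radius on the host they are applied to, but neither replaces the MS17-010 patch, and none of these steps defends against the credential-reuse path once a domain administrator has logged on to an infected machine. Treat the script as a baseline for workstations and deploy the same settings through Group Policy at scale.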
Indicators of Compromise
The following IOCs have been reported by various security researchers (some come from unofficial sources and should be used with caution):
Email address associated with this ransomware: wowsmith123456(@)posteo(.)net
Ransomware spreading URL: hxxp://benkow(.)cc
Bitcoin addresses: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
C&C payment servers: