The Not Petya Ransomware Spreading Worldwide
There is a new ransomware family have been observed in the wild which is called the Not Petya Ransomware. It was originally identified as Petya family because both have the behavior replacing boot drive’s Master Boot Record (MBR) with a malicious loader. However there are multiple novelties in the new Not Petya ransomware compared to Petya, such as taking use of the NSA EternalBlue exploits similar as previous WannaCry ransomware.
Infection Cycle
1. Upon the execution of the malware, it first setup the shutdown of the system and related tasks:
2. Then, it goes through the local network looking for targets:
3. Any existing IP will be checked for the SMB service and infected if possible
3.5 The following code shows the SMB requests with path IP/ADMIN$ will be sent to detected local computer:
4. After the set time, MBR is replaced followed by a system reboot. Below shows the fake system repair message, which is similar to previous Petya version:
5. The victim is required to pay for the decryption:
5.5 The bitcoin address is found to be hardcoded into the malware:
6. According the code, Windows Management Instrumentation Command-line (WMIC) interface has been used:
A bitcoin address accepting the payment has been identified in the exploit. There are total of 34 transactions have been seen worth of more than 8,600 USD as the time of this SonicAlert is released. The exact transaction can be found here. However it has been reported the Email address was blocked around noon today, which means the payment might not help to decrypt the victim’s infected computers.
With further analysis, we found the malware code wipes the beginning sectors on the hard drive except MBR before save them anywhere, which render the machine unrecoverable. However, the files in the system are encrypted and recoverable, but only recoverable by knowledgeable professional with the decryption key.
Full Code Walkthrough
The first thing it does is to provide itself necessary permissions and then checks the running processes to create a key (using a xor based algorithm on each process name) if the key matches certain values then it would later perform or not perform some actions. Means if looks for some process names which if found would make the malware not perform some actions. Next it checks if the dll file is installed already in windows folder. If installed the sample would not do anything further. Next it infects the raw disk.
Disk infection:
First overwrites 0x200 bytes after the first sector from the logical drive c:. This is where the Volumn Boot Record is present which is more than 1 sector. Hence the 2nd sector of the VBR is gone. The system cannot recover. Then based on the results of the running processes found earlier it proceeds to infect the MBR. It creates a buffer of 60 random bytes using crypto apis and then use each of these bytes as index to select from another hard coded list of characters to generate the personal installation key displayed on the boot screen by the infected MBR. Because the above algorithm is going to generate completely random personal installation key there is no way the attacker would be able to find out how to decrypt from that information.
Next it reads the MBR, xor it with 0x7. It would later write this xored MBR at sector 34. It also attempts to check if any partition’s LBA (its start location on disk) is less than 40 (0x28) to find out if it has enough space to write its own MBR code. However this checking code is faulty and it ends up checking if only the last partition. It then overwrites 0-24, 32, 33 and 34 sectors. 0-24 sectors contains its MBR code, 32 contains the bitcoin address and the random personal identification key, 33 sector contains all bytes with 0x7 and 34 sector contains the xored original MBR. If somehow the MBR infection fails then it attempts to write junk on the MBR.
Mimikatz: Next if retrieves the mimikatz from its own embedded resource and drops it as a temp file in temp dir. It creates a NamedPipe from a GUID and passes the name of the pipe as parameter to the Mimikatz process it creates next.
Mimikatz provides all the username/password combinations it can find like this:
Here username and password found Sagar and SonicWall separated by ‘:’. After this is received through the named pipe it searches from the ‘:’ separator and writes down all the usernames and passwords. It would use both PSEXEC and WMI later with these credentials to infect other systems over the network. It then nulls out the mimikatz on temp dir.
Next it would drop the embedded PSExec as ‘dllhost.dat’ in the windows directory.
Use of PSExec and WMI: For lateral propagation it enumerates all the ip addresses on the local network and attempts to access the admin$ share on that remote system using the username, password found by mimikatz.
If it can access the share it would drop a copy of itself on the remote machine windows directory. Then it would first try to run the copy.
First it attempts PSExec. With command line like:
C:windowsdllhost.dat \
If this does not succeed then it attempts wmic with command line as:
C:windowswbemwmic.exe /node:”
According to the above code analysis, the code in these sample does not resemble at all the code in the original Petya ransomware. The only similarity is MBR infection behavior. Thus we can conclude that this is likely the work of someone other than people associated with Petya family of ransomware.
Prevention
To proactively prevent from being attacked by this malware or mitigate the damage, please:
- Keep your computer with the latest patch, especially apply Microsoft Windows security update MS17-010.
- Enable the Windows Firewall to block incoming requests to ports 135, 139, and 445.
- Disable SMBv1 in Windows https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows.
- Segment your network into multiple network section especially in the company network environment.
- Switch off your computer when you see the fake CHKDSK screen to mitigate the damage.
- Do not pay the ransom. Firstly the Email has been
blocked by the Email provider Posteo, so your payment message will not be delivered. Secondly according to further analysis the exploit code cannot recover your computer.
SonicWall Detection
SonicWall threat research team has researched on the new Not Petya malware and developed the following GAV signatures:
- GAV: GoldenEye.A_5 (Trojan)
- GAV: WisdomEyes.A_2 (Trojan)
- GAV: GoldenEye.A_4 (Trojan)
- GAV: Petya.A_8 (Trojan)
- GAV: Petya.AA (Trojan)
SonicWall threat research team has also deployed multiple IPS signature in April/May 2017 detecting EternalBlue or MS17-010 vulnerabilities which are proactively blocking the new Not Petya Ransomware:
- 12700 Windows SMB Remote Code Execution (MS17-010) 1
- 12792 Windows SMB Remote Code Execution (MS17-010) 2
- 12794 Windows SMB Remote Code Execution (MS17-010) 3
- 12800 Windows SMB Remote Code Execution (MS17-010) 4
- 12814 Windows SMB Remote Code Execution (MS17-010) 5
- 12849 Windows SMB Remote Code Execution (MS17-010) 6
SonicWall Capture ATP service also detects the malware binaries associated with this threat.
Above signatures shows us a huge spike recently exploiting MS17-10 vulnerabilities, which including the SMB traffic that the new Not Petya Ransomware generating:
Last updated on June 29, 2017
