Date post: 14-Jul-2020

www.lastline.com | © 2018 Lastline Inc. All Rights Reserved

Threat Alert

The NotPetya Ransomware Attack

June 2017

A Deep Dive into the NotPetya Ransomware Attack

This is a new variant of the Petya ransomware family that targets Windows systems. It has been referred to by several names, including PetrWrap, GoldenEye, Petya.A, Petya.C, and PetyaCry.

It has several similarities to the global WannaCry outbreak that occurred in May 2017, with some significant differences, including:

• There is no ‘kill switch’ like that which was embedded in WannaCry that ended that attack relatively quickly

• It can spread without relying on the SMB vulnerability patched with MS17-010

• It reboots victims' computers, encrypts the hard drive's Master File Table (MFT), and renders the Master Boot Record (MBR) inoperable

The Scope of the Threat

This attack is widespread and does not appear to be targeting any particular industry, region, or country. There have been many reports of Ukrainian organizations and companies being hit, including “power companies, airports, public transit, and the central bank” as well as a wide range of victims in Eastern Europe, Asia, and Europe, as well as the US. The attack also affected the radiation monitoring systems at Chernobyl.

Lastline Enterprise’s Deep Content Inspection & Classification of the Threat

Figure 1 shows a screenshot of the analysis report generated from one of the malware samples we received.

Lastline’s Deep Content Inspection™ identifies every malicious behavior in the malware. With this visibility, you can see our identification of the ability to propagate the malware via remote execution and the ability to overwrite the MBR (Master Boot Record) in the list of detected activities.


Figure 1: Lastline’s analysis of NotPetya’s malicious behaviors.

How it Spreads

There are several ways the ransomware appears to be spreading:

• It can spread across the local network using the EternalBlue exploit, which targets the SMB vulnerability patched with MS17-010, or with PsExec, a Sysinternals utility for executing processes on remote systems.

• Talos (Cisco) reports a potential source is a software update system for a Ukrainian tax accounting package called MeDoc (which would explain why so many organizations in Ukraine were victims).

• Kaspersky reports that it can also spread via EternalRomance, a remote code execution exploit targeting Windows XP through Windows Server 2008 systems. The ransomware also uses Mimikatz to extract administrator credentials from the lsass.exe process and passes them to PsExec or WMIC to launch itself on other machines inside the network, including systems that are not vulnerable to EternalBlue or EternalRomance.


Specific Behavior Once Active

Once installed, NotPetya does several things:

• It runs Mischa, a component of an earlier variant of the Petya ransomware, and encrypts individual files

• It reboots the system and encrypts the MFT (Master File Table). It also overwrites the Master Boot Record (MBR) with code that displays the ransom note instead of loading Windows, so the system can no longer boot normally.

Figure 2: Screenshot from Ukraine’s Deputy Prime Minister, Pavlo Rozenko, of an infected system https://twitter.com/RozenkoPavlo/status/879677026256510976/photo/1

To cover its tracks, the malware clears the Windows event logs before forcing the reboot and deletes the USN change journal, the NTFS log that records changes “to a file or directory in a volume.”

Figure 3: Lastline analysis of the ransomware modifying the USN journal.

• It demands $300 in bitcoin. You can monitor the payments here: https://blockexplorer.com/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
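The “How it Spreads” and “Specific Behavior Once Active” sections describe two observable phases on an infected host: remote execution against other machines with PsExec or WMIC, followed by clearing of the event logs and the USN journal. The following detection logic is an added example, not code from the Lastline alert, and it runs over constructed process-creation events in Sysmon Event ID 1 / Security 4688 shape. It assumes the anti-forensics step is done with the built-in tools (wevtutil cl, fsutil usn deletejournal); the alert names the artefacts, not the commands. Hostnames, users and the payload path are placeholders.

```python
"""Detection logic for the NotPetya tradecraft described above, run over
constructed process-creation events (Sysmon Event ID 1 / Security 4688 shape)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# --- lateral movement: remote execution with PsExec or WMIC -----------------

def is_psexec_remote(ev: ProcEvent) -> bool:
    # PsExec run against a UNC target (\\host or \\ip); local use has no target.
    return (_basename(ev.image) in {"psexec.exe", "psexec64.exe"}
            and re.search(r"\\\\[\w.-]+", ev.command_line) is not None)


def is_wmic_remote_create(ev: ProcEvent) -> bool:
    cl = ev.command_line.lower()
    return (_basename(ev.image) == "wmic.exe"
            and "/node:" in cl and "process call create" in cl)


# --- anti-forensics: event-log clearing and USN journal deletion ------------
# Assumption: the built-in tools are used (wevtutil cl <log>, fsutil usn
# deletejournal); the alert names the artefacts, not the commands.

def is_eventlog_clear(ev: ProcEvent) -> bool:
    cl = ev.command_line.lower()
    return (_basename(ev.image) == "wevtutil.exe"
            and re.search(r"\bcl\b|\bclear-log\b", cl) is not None)


def is_usn_journal_delete(ev: ProcEvent) -> bool:
    cl = ev.command_line.lower()
    return _basename(ev.image) == "fsutil.exe" and "usn" in cl and "deletejournal" in cl


LATERAL = {"psexec_remote": is_psexec_remote, "wmic_remote_create": is_wmic_remote_create}
ANTI_FORENSICS = {"eventlog_clear": is_eventlog_clear, "usn_journal_delete": is_usn_journal_delete}
RULES = {**LATERAL, **ANTI_FORENSICS}


def evaluate(events):
    """Return (rule_name, host, command_line) for every matching event."""
    return [(name, ev.host, ev.command_line)
            for ev in events for name, pred in RULES.items() if pred(ev)]


def critical_hosts(events):
    """Hosts showing both remote execution and anti-forensics: the NotPetya
    sequence, as opposed to an administrator using PsExec in isolation."""
    seen = {}
    for name, host, _ in evaluate(events):
        seen.setdefault(host, set()).add(name)
    return sorted(h for h, names in seen.items()
                  if names & set(LATERAL) and names & set(ANTI_FORENSICS))


# Constructed sample telemetry (not captured data); payload path is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent("WS01", "CORP\\alice", "explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe notes.txt"),
    ProcEvent("WS01", "CORP\\alice", "cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe",
              r'wmic /node:"10.0.0.12" /user:"CORP\svc_admin" /password:"<stolen>" '
              r'process call create "C:\Windows\payload.exe"'),
    ProcEvent("WS01", "CORP\\alice", "cmd.exe", r"C:\Tools\PsExec64.exe",
              r"PsExec64.exe \\10.0.0.13 -accepteula -s -d C:\Windows\payload.exe"),
    ProcEvent("WS01", "CORP\\alice", "cmd.exe", r"C:\Windows\System32\wevtutil.exe",
              "wevtutil cl Security"),
    ProcEvent("WS01", "CORP\\alice", "cmd.exe", r"C:\Windows\System32\fsutil.exe",
              "fsutil usn deletejournal /D C:"),
    # Benign admin activity on another host: local PsExec, read-only WMIC query.
    ProcEvent("SRV02", "CORP\\bob", "powershell.exe", r"C:\Tools\PsExec.exe",
              "PsExec.exe -s -i cmd.exe"),
    ProcEvent("SRV02", "CORP\\bob", "powershell.exe", r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic os get caption"),
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
    print("critical hosts:", critical_hosts(SAMPLE_EVENTS))
```

Each rule on its own will also fire on legitimate administration, which is why the correlation in `critical_hosts` matters: an account that launches remote processes on several hosts and then clears its own logs within minutes is the pattern worth paging on, whereas PsExec alone is a tuning exercise.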


Other Techniques Used

What To Do About It

• Patch MS17-010 (Remember when we said to patch after WannaCry? Well, we don’t mean to say ‘we told you so’ but….)

• Block PsExec and WMIC from running using AppLocker

• Check out this blog post on how to prevent your system from being infected
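The AppLocker recommendation above is easy to get wrong: an Exe rule collection that is enforced and contains only deny rules blocks every executable on the machine. The generator below is an added example, not from the Lastline alert, that emits a policy with the three default allow rules plus deny rules for WMIC (by path) and PsExec (by publisher). The Sysinternals publisher string is an assumption to confirm with `Get-AppLockerFileInformation -Path PsExec.exe` on your own copy of the binary; the rule names are arbitrary.

```python
"""Generate an AppLocker Exe policy that denies WMIC and PsExec for Everyone
while keeping the default allow rules, so nothing else is blocked."""
import uuid
import xml.etree.ElementTree as ET

EVERYONE = "S-1-1-0"
ADMINS = "S-1-5-32-544"  # BUILTIN\Administrators
# Assumption: the signer of Sysinternals tools as AppLocker reports it; verify
# with Get-AppLockerFileInformation -Path PsExec.exe before deploying.
SYSINTERNALS_PUBLISHER = "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"


def _rule(parent, tag, name, sid, action):
    return ET.SubElement(parent, tag, Id=str(uuid.uuid4()), Name=name,
                         Description="", UserOrGroupSid=sid, Action=action)


def path_rule(parent, name, path, sid, action):
    rule = _rule(parent, "FilePathRule", name, sid, action)
    conditions = ET.SubElement(rule, "Conditions")
    ET.SubElement(conditions, "FilePathCondition", Path=path)
    return rule


def publisher_rule(parent, name, publisher, binary, sid, action):
    rule = _rule(parent, "FilePublisherRule", name, sid, action)
    conditions = ET.SubElement(rule, "Conditions")
    cond = ET.SubElement(conditions, "FilePublisherCondition",
                         PublisherName=publisher, ProductName="*", BinaryName=binary)
    ET.SubElement(cond, "BinaryVersionRange", LowSection="*", HighSection="*")
    return rule


def build_policy(enforcement="AuditOnly"):
    """AuditOnly logs what would be blocked; switch to Enabled after review."""
    if enforcement not in ("AuditOnly", "Enabled"):
        raise ValueError("enforcement must be AuditOnly or Enabled")
    policy = ET.Element("AppLockerPolicy", Version="1")
    exe = ET.SubElement(policy, "RuleCollection", Type="Exe", EnforcementMode=enforcement)

    # Default allow rules: without these an enforced collection blocks everything.
    path_rule(exe, "(Default) All files in Program Files", r"%PROGRAMFILES%\*", EVERYONE, "Allow")
    path_rule(exe, "(Default) All files in Windows", r"%WINDIR%\*", EVERYONE, "Allow")
    path_rule(exe, "(Default) Administrators may run anything", "*", ADMINS, "Allow")

    # Deny rules. Deny always wins over allow, so these also apply to admins.
    # Both the 64-bit and 32-bit copies of WMIC are covered explicitly.
    path_rule(exe, "Deny WMIC.exe (System32)", r"%SYSTEM32%\wbem\WMIC.exe", EVERYONE, "Deny")
    path_rule(exe, "Deny WMIC.exe (SysWOW64)", r"%WINDIR%\SysWOW64\wbem\WMIC.exe", EVERYONE, "Deny")
    # Publisher rules catch PsExec wherever it is copied and whatever it is renamed to.
    for binary in ("PSEXEC.EXE", "PSEXEC64.EXE"):
        publisher_rule(exe, f"Deny Sysinternals {binary}", SYSINTERNALS_PUBLISHER,
                       binary, EVERYONE, "Deny")
    return policy


def policy_xml(enforcement="AuditOnly"):
    return ET.tostring(build_policy(enforcement), encoding="unicode")


def summarize(xml_text):
    """Count allow/deny rules and report the enforcement mode of the policy."""
    collection = ET.fromstring(xml_text).find("RuleCollection")
    rules = list(collection)
    return {
        "allow": sum(r.get("Action") == "Allow" for r in rules),
        "deny": sum(r.get("Action") == "Deny" for r in rules),
        "enforcement": collection.get("EnforcementMode"),
    }


if __name__ == "__main__":
    xml_text = policy_xml("AuditOnly")
    with open("deny-psexec-wmic.xml", "w", encoding="utf-8") as fh:
        fh.write(xml_text)
    print(summarize(xml_text))
```

Import the file from an elevated PowerShell with `Set-AppLockerPolicy -XmlPolicy .\deny-psexec-wmic.xml -Merge` (the Application Identity service must be running), leave it in AuditOnly for a while and review the Microsoft-Windows-AppLocker/EXE and DLL log (8003 events are the audited blocks) before changing to Enabled. Two caveats: a path rule is defeated by copying wmic.exe elsewhere, so consider a publisher rule for it once you have confirmed the signer string, and denying WMIC will also break inventory and management scripts that depend on it.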

IOCs To Block

• String: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

• Email address: [email protected] (mail provider has blocked this account)

Where To Go For More Info

Lastline Labs published two blogs on ransomware, and Part 2 describes the original Petya ransomware family.
