Petya (NotPetya, Petrwrap)

June 28, 2017 | Gage Mele

Details

A malware strain that appears to be based on the “Petya” ransomware began targeting and infecting governments and businesses worldwide on June 27th, 2017. Since dubbed “NotPetya” by some researchers, and “Nyetya” by others, this malware has spread across Europe and North America and infected several businesses in countries and regions such as Denmark, France, Germany, India, Russia, Spain, Ukraine, North America and the United Kingdom. The Petya ransomware trojan is speculated to be part of a malware family that was first advertised by Janus Cybercrime Solutions as a Ransomware-as-a-Service (RaaS) in late 2015.

The threat actors behind this campaign are currently demanding that an email be sent to “wowsmith123456@posteo[.]net” for the decryption key, accompanied by a payment of 300 USD in Bitcoins sent to “1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX”. The German email provider, Posteo, has blocked the email address that was being used to manage the ransom demands. This now prevents users from receiving decryption keys even if the ransom is paid. It is unknown if the actors behind the campaign will attempt to create a new email account to manage any additional funds that may be received. The actors’ Bitcoin wallet has since received 3.99009155 Bitcoins ($10,161 USD).

Figure 1. Ransom Notification

Anton Gerashchenko, an aide to the Ukrainian Interior Minister, has stated that this infection is “the biggest in Ukraine’s history.” Numerous companies across various industries have been infected with the Petya ransomware. Kievenergo, a utility company, turned off all of its computers after Petya breached its network. Another power company, Ukrenergo, has also reportedly been affected by the malware. Ukraine’s Central Bank has issued a warning on its website that several banks within the country have also been targeted by threat actors. Additionally, the Ukrainian deputy prime minister, Pavlo Rozenko, tweeted an image of a black computer screen stating that the entirety of the government’s computer system had been shut down because of the trojan.

The malware distribution has also reached entities in Denmark and France. The Danish conglomerate company, Maersk, has stated that its customers are unable to use online booking systems and that their internal systems are offline.

Saint-Gobain, a French manufacturing company, has also released a statement saying that it too has been affected by Petya.

Analysis

As news of the ransomware circulated on June 27, so too did theories of the infection method. Many researchers and companies alike claimed that the malware’s propagation was similar to the May 12th, 2017 outbreak of WannaCry ransomware via the EternalBlue exploit, while others claimed that the infection vector was a phishing campaign with malicious Word document attachments. As the day progressed in Europe, it became clear that Russian and Ukrainian entities were most affected. At 11:49 a.m. (UTC+02:00), Ukrainian authorities published a Tweet in which they claimed that the infection was caused by an update issued by the Ukrainian tax accounting package called “MeDoc.” MeDoc has since issued a statement on Facebook denying these allegations.

Researchers now believe that, in some cases, the initial infection vector was associated with contaminated software updates from MeDoc. Contrary to their statement made earlier in the day, MeDoc released another statement stating that their servers had “made a virus attack.” According to Ukrainian authorities, MeDoc has a built-in update feature that updates periodically. It is believed that this feature was exploited to deliver the malicious Petya Dynamic Link Library (DLL). Researchers also believe that a threat actor(s) managed to compromise the MeDoc server that handled the software updates in order to switch the updates from legitimate software to a malicious payload.

Once inside a victim’s network, Petya spreads internally using the PSEXEC tool, which allows execution of processes on other systems, and Windows Management Instrumentation (WMI), which provides information about local or remote computer systems. Before using these tools, Petya first harvests user credentials from the infected system; these are then passed to PSEXEC and WMI to gain access to other machines and systems connected to the network.

Additional information and analysis has led researchers to believe the ransomware was not, in fact, Petya. These researchers instead maintain that this is a new strain of ransomware, which was subsequently dubbed “NotPetya.” Other researchers maintain that, because of code reused between this strain and previously observed strains of Petya, this is indeed a new variant of the Petya ransomware. Regardless, researchers have also discovered a way to “vaccinate” a machine against NotPetya. However, unlike the WannaCry ransomware, which could be killed via a network connection, this “vaccination” requires modifying a potential victim machine before it is infected. This involves creating the file that NotPetya drops in the Local Disk (C:), called “perfc.dat,” and setting it to read-only so it cannot be overwritten. If this file already exists on the machine and is set to read-only, the malware should not be able to infect the machine or propagate. Leveraging tools like Group Policy (as suggested by researchers at Binary Defense) is a way to automate this “vaccination”.

Figure 2. Reversed Malware to Detect Vaccine
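
The “vaccination” described above, written as a startup script that Group Policy could deploy (an added example, not code from the original post or from Binary Defense). The default directory (`$env:SystemRoot`) and the two extra file names are assumptions taken from public vaccine scripts of the time; pass `-Directory 'C:\'` to follow the post's wording literally.

```powershell
# Added example: create the NotPetya "vaccine" marker files and make them
# read-only. Idempotent, so it is safe to run at every startup.
param(
    # Assumption: directory the malware checks (the post says "Local Disk (C:)").
    [string]$Directory = $env:SystemRoot,
    # Assumption: perfc.dat is from the post; the other two names are extras.
    [string[]]$Names = @('perfc.dat', 'perfc', 'perfc.dll')
)

function Set-VaccineFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        # Empty file: only its existence and read-only flag matter.
        New-Item -ItemType File -Path $Path -ErrorAction Stop | Out-Null
    }
    $item = Get-Item -LiteralPath $Path -Force
    if ($item.PSIsContainer) { throw "$Path is a directory, not a file" }
    # A non-empty perfc.dat may be the dropped library itself, i.e. the host
    # could already be infected. Report it instead of marking it as a vaccine.
    if ($item.Length -gt 0) {
        Write-Warning "$Path is not empty ($($item.Length) bytes); investigate this host"
        return $false
    }
    $item.IsReadOnly = $true
    # Re-read from disk to confirm the attribute was really applied.
    return (Get-Item -LiteralPath $Path -Force).IsReadOnly
}

$results = foreach ($name in $Names) {
    $path = Join-Path $Directory $name
    [pscustomobject]@{ Path = $path; Vaccinated = (Set-VaccineFile -Path $path) }
}
$results | Format-Table -AutoSize

# Non-zero exit lets the deployment tooling flag hosts that need a closer look.
if ($results.Vaccinated -contains $false) { exit 1 }
```

Writing into the Windows directory requires administrative rights, which a computer startup script has by default.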

The Infection

Systems infected with the ransomware will attempt to discover a dropped file titled “Perfc.dat.” This library contains the instructions that attempt to gain administrative privileges for the currently logged-in user. If the malware achieves administrative privileges through the Windows API AdjustTokenPrivileges, the ransomware will overwrite the Master Boot Record (MBR). Even if the MBR overwrite is unsuccessful, the malware will schedule a reboot of the system one hour after initial infection.

The malware then attempts to find other visible machines on the network by using NetServerEnum and scanning for an open TCP port 139. Researchers believe this strain of ransomware uses three methods to distribute itself once a machine is infected. These include the aforementioned PSEXEC and WMI, as well as the EternalBlue and EternalRomance exploits (used in the WannaCry outbreak). According to Talos researchers, these are used to install and execute “perfc.dat” on other devices in an attempt to propagate across the network.
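
The TCP 139 scanning described above leaves a recognizable pattern in flow or firewall logs: one internal host contacting many peers on that port within a short time. The following is an added detection example, not part of the original analysis; the flow records are constructed sample data, and the threshold and window values are assumptions to tune per network.

```powershell
# Constructed sample flow records: time, source, destination, destination port.
$flows = @'
time,src,dst,dport
2017-06-27T10:00:01,10.0.0.5,10.0.0.10,139
2017-06-27T10:00:02,10.0.0.5,10.0.0.11,139
2017-06-27T10:00:03,10.0.0.5,10.0.0.12,139
2017-06-27T10:00:04,10.0.0.5,10.0.0.13,139
2017-06-27T10:00:05,10.0.0.5,10.0.0.14,139
2017-06-27T10:00:07,10.0.0.8,10.0.0.20,139
2017-06-27T10:03:30,10.0.0.8,10.0.0.20,139
2017-06-27T10:04:00,10.0.0.8,10.0.0.21,443
'@ | ConvertFrom-Csv

function Find-NetbiosFanOut {
    param(
        [object[]]$Flows,
        [int]$Port = 139,            # port named in the analysis above
        [int]$MinPeers = 4,          # assumption: distinct peers that trigger an alert
        [int]$WindowSeconds = 60     # assumption: sliding window length
    )
    # Keep only connections to the watched port, with parsed timestamps.
    $hits = $Flows | Where-Object { [int]$_.dport -eq $Port } | ForEach-Object {
        [pscustomobject]@{ Time = [datetime]$_.time; Src = $_.src; Dst = $_.dst }
    }
    foreach ($group in ($hits | Group-Object Src)) {
        $events = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $events.Count; $i++) {
            # Count distinct destinations inside the window that starts at event $i.
            $end = $events[$i].Time.AddSeconds($WindowSeconds)
            $peers = @($events[$i..($events.Count - 1)] |
                Where-Object { $_.Time -le $end } |
                Select-Object -ExpandProperty Dst -Unique)
            if ($peers.Count -ge $MinPeers) {
                [pscustomobject]@{
                    Source = $group.Name; WindowStart = $events[$i].Time; Peers = $peers.Count
                }
                break   # one alert per source is enough
            }
        }
    }
}

# 10.0.0.5 is reported (5 peers within seconds); 10.0.0.8 is not (one file server).
Find-NetbiosFanOut -Flows $flows | Format-Table -AutoSize
```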

Note: The vulnerability targeted by the EternalBlue exploit was patched in MS17-010; the patch should be applied as soon as possible if it has not been already.

Observed Industries Affected

  • Airports
  • Banks
  • Electricity grids
  • Factories (mining and steel)
  • Government
  • Harbor terminals
  • Hospitals
  • Insurance companies
  • Metro transportation
  • Military
  • Pharmaceutical
  • Russian steel

Observed Countries Affected, Among Others (Approximately 64 Countries)

  • Belgium
  • Brazil
  • Denmark
  • France
  • Germany
  • India
  • Russia
  • Spain
  • The Netherlands
  • Ukraine
  • United Kingdom
  • United States


About the Author

Gage Mele

Threat Intelligence Analyst
