Acalvio Threat Research Labs


Petya is the most recent ransomware strain to emerge. It originated in Ukraine [1] and is spreading across Europe. This blog post summarizes our technical analysis of Petya.

Technical Analysis

In addition to its encryption and ransom functionality, the Petya malware has very aggressive spreading capabilities. The dropper we analyzed was a VB6-packed binary that contains the malicious DLL. All of the functionality is executed from the DLL’s single, unnamed exported function.

All of the file encryption is implemented in the MBR code. The MBR is overwritten, and the original MBR is saved on the physical disk at offset 0x4400, XOR’ed with 0x07.

Figure 1.0 Code showing writing of MBR


A fixtool could easily restore the overwritten MBR on any Petya-infected machine.
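A sketch of that fixtool idea, added here as an example and not Acalvio's code: it reads the backup sector the analysis places at 0x4400, reverses the XOR with 0x07, checks the 0x55AA boot signature and writes the result back over sector 0 of an in-memory disk image. The disk image and its single partition entry are constructed for illustration only.

```python
import struct
from typing import Tuple

MBR_SIZE = 512
BACKUP_OFFSET = 0x4400      # offset where the original MBR is stashed (from the analysis)
XOR_KEY = 0x07              # single-byte key the stashed copy is XOR'ed with
BOOT_SIGNATURE = b"\x55\xAA"


def recover_original_mbr(image: bytes) -> bytes:
    """Return the de-XOR'ed 512-byte MBR saved at BACKUP_OFFSET.

    Raises ValueError if the image is too short or the recovered sector lacks
    the 0x55AA signature, so arbitrary data at 0x4400 is never blindly restored.
    """
    if len(image) < BACKUP_OFFSET + MBR_SIZE:
        raise ValueError("image too small to hold the backup sector")
    backup = image[BACKUP_OFFSET:BACKUP_OFFSET + MBR_SIZE]
    original = bytes(b ^ XOR_KEY for b in backup)
    if original[-2:] != BOOT_SIGNATURE:
        raise ValueError("recovered sector lacks 0x55AA; not a valid MBR backup")
    return original


def restore_mbr(image: bytes) -> bytes:
    """Return a copy of the image with sector 0 replaced by the recovered MBR."""
    return recover_original_mbr(image) + image[MBR_SIZE:]


def build_sample_image() -> Tuple[bytes, bytes]:
    """Constructed sample: (clean MBR, simulated post-infection disk image).

    The clean MBR is placeholder boot code plus one partition entry; in the
    infected image sector 0 is overwritten and the XOR'ed copy sits at 0x4400.
    """
    boot_code = bytes([0xFA, 0x33, 0xC0]) + b"\x90" * 443          # 446 bytes
    # one bootable NTFS-type entry (status, CHS start, type, CHS end, LBA, size)
    part = struct.pack("<BBBBBBBBII", 0x80, 0x20, 0x21, 0x00, 0x07,
                       0xFE, 0xFF, 0xFF, 2048, 2097152)
    clean_mbr = boot_code + part + b"\x00" * 48 + BOOT_SIGNATURE     # 512 bytes

    disk = bytearray(BACKUP_OFFSET + 2 * MBR_SIZE)
    # stand-in for the malicious loader: also ends in 0x55AA, as any bootable MBR must
    disk[0:MBR_SIZE] = b"\xEB\xFE" + b"\x41" * (MBR_SIZE - 4) + BOOT_SIGNATURE
    disk[BACKUP_OFFSET:BACKUP_OFFSET + MBR_SIZE] = bytes(b ^ XOR_KEY for b in clean_mbr)
    return clean_mbr, bytes(disk)
```

Restoring the MBR only reverses the boot-record overwrite; it does not undo any encryption the Petya boot code has already performed, and on a real disk the recovered partition table should be compared with the actual volume layout before it is trusted.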

The ransomware’s aggressive spreading is performed via the ETERNALBLUE SMB exploit. The binary uses a global object holding dynamically populated entries for attackable targets. This object is populated by several methods and consumed by a thread that enumerates it, attacking each entry in the object/array synchronously.

Figure 2.0 Target enumeration – WMI network path spread attempt

The malware also attempts to propagate to adjacent network hosts via WMI (presumably by copying itself to a network share and executing it through a remote task).

Figure 3.0 Credential harvesting, enumeration of CredEnumerate() function

Credentials for spreading via WMI are obtained through CredEnumerate() calls and stored in a global object that is accessed by the WMI spreading function.

The targets are chosen exhaustively:

  • All IP addresses in the current system’s subnet are checked for SMB (ports 139 and 445).
  • If the system is a domain controller, then for every DHCP subnet on the DC, every current DHCP client in that subnet becomes a target for spreading.

Figure 4.0 Enumeration of DHCP

Every 3 minutes, the network is enumerated for additional targets:

  • All connected TCP endpoints in the Windows extended TCP table
  • All entries in the Address Resolution Protocol (ARP) mapping table
  • All network-adjacent workstations, servers, and primary domain servers visible to the current host become targets for spreading.

Figure 5.0 Code scheduling task to shut down machine

The malware schedules a shutdown task with a countdown timer; once the interval elapses, the system is shut down, after the malware has attempted to spread, encrypted the filtered files in the filesystem, and overwritten the MBR.

The malware clears the event logs and the USN change journal via a single CLI command line:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c

Conclusion

The severity of the infection is multiplied by the lateral movement techniques. Petya is not a new ransomware; however, its spreading techniques could greatly increase the damage it causes. Deception-based detection is designed for timely, accurate and cost-effective detection of ransomware like Petya. To prevent worms like Petya, we recommend not only keeping machines updated with the latest patches but also deploying deception-based detection solutions so that effective remediation steps can be taken in a timely fashion.

References

[1] Petya cyber attack: Ransomware spreads across Europe with firms in Ukraine, Britain and Spain shut down. http://www.telegraph.co.uk/news/2017/06/27/ukraine-hit-massive-cyber-attack1/

IOCs of the Analyzed Samples
