Petya Ransomware Information

Just correlating all the useful information I can find with regards to the latest Petya Ransomware attack.

https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100

Behaviour

<Ignored Process>
 rundll32.exe C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll",#1" (PID: 2880)
 cmd.exe " /TR "%WINDIR%\system32\shutdown.exe /r /f" /ST 07:45" (PID: 2724) 
 schtasks.exe " /TR "%WINDIR%\system32\shutdown.exe /r /f" /ST 07:45" (PID: 2720) 
 FE04.tmp %TEMP%\FE04.tmp" \\.\pipe\{E532AB34-D5C5-4AA8-9511-A05572AE75BC}" (PID: 1968) 
 dllhost.dat %WINDIR%\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll",#1 10 "%OSUSER%-PC\%OSUSER%:123456"" (PID: 2512) 1/59 Seen in another context
 cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C: (PID: 2072) 
 wevtutil.exe wevtutil cl Setup (PID: 2204) 
 wevtutil.exe wevtutil cl System (PID: 2128) 
 wevtutil.exe wevtutil cl Security (PID: 4016) 
 wevtutil.exe wevtutil cl Application (PID: 3988) 
 fsutil.exe fsutil usn deletejournal /D C: (PID: 1368) 
 shutdown.exe %WINDIR%\system32\shutdown.exe" /r /f" (PID: 2796)

 

Petya ransomware successful in spreading because it combines both a client-side attack (CVE-2017-0199) and a network based threat (MS17-010)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

 

 

https://www.symantec.com/connect/blogs/petya-ransomware-outbreak-here-s-what-you-need-know

Another good analysis from Kaspersky

How does the ransomware spread?

To capture credentials for spreading, the ransomware uses custom tools, a la Mimikatz. These extract credentials from the lsass.exe process. After extraction, credentials are passed to PsExec tools or WMIC for distribution inside a network.

Other observed infection vectors include:

  • A modified EternalBlue exploit, also used by WannaCry.
  • The EternalRomance exploit – a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP port 445 (Note: patched with MS17-010).
  • An attack against the update mechanism of a third-party Ukrainian software product called MeDoc.

IMPORTANT: A single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers through WMI or PSEXEC.

Schroedinger’s Pet(ya)

 

Cloaking Itself in Legitimate Code

Petya uses memory injection as an evasive technique to bypass existing defenses. Attackers often use this method to hide in legitimate processes on the endpoint by injecting malicious code into the memory of non-malicious applications. Sometimes referred to as fileless malware, these threats avoid being detected by file-based detection tools, as the malicious code manipulates the memory stack to achieve malicious actions without actually placing the malicious program on the file system.

In the case of Petya, the executable creates another instance of itself and injects decrypted code into it.

 

https://minerva-labs.com/post/new-petya-ransomware-attack-prevented-by-minerva