Petya/PetrWrap! yet another Ransomware


Petya ransomware Technical Analysis — A Triple Threat: File Encryption, MFT Encryption and Credential Theft.

In addition to encrypting files on infected systems, PetrWrap moves laterally to other systems in the organization by exploiting the same EternalBlue SMBv1 vulnerability (fixed by Microsoft's MS17-010 update in March 2017) that WannaCry made famous a month earlier. It then uses a second propagation technique: it steals credentials from the infected host and uses those legitimate credentials to execute the payload on other systems through built-in Microsoft tools (WMI and PsExec), a path that does not depend on the vulnerability and therefore works against fully patched hosts as well. Finally, PetrWrap employs a destructive technique that prevents infected systems from booting: it overwrites the master boot record (MBR) with its own boot code, which encrypts the master file table (MFT) on the next reboot.

Attacks have been reported in countries including Ukraine, Russia, Poland, France, Germany, Spain, the United Kingdom, the Netherlands, India, Australia and the United States. Sectors impacted by this attack include government, energy, finance, defense, telecom, media, maritime, aviation, and transportation.


PetrWrap Summary

Initial infection in Ukraine was accomplished through the update mechanism of the M.E.Doc accounting software; infected systems then attempt to propagate the infection to other systems.
To infect other systems inside the organization, the malware steals credentials and propagates with the built-in Windows tools WMI and PsExec (PsExec is dropped as C:\Windows\dllhost.dat and the payload DLL as C:\Windows\perfc.dat; the numeric argument after #1 is the delay, in minutes, before the scheduled reboot):
PSEXEC code snippet: C:\Windows\dllhost.dat \\IP ADDRESS -accepteula -s -d C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat",#1 10 "USERNAME:PASSWORD"
WMI code snippet: C:\Windows\system32\wbem\wmic.exe /node:"IP ADDRESS" /user:"USERNAME" /password:"PASSWORD" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1 XX \"USERNAME:PASSWORD\""

The malware also attempts to exploit the EternalBlue SMBv1 vulnerability (MS17-010) against other reachable systems, which lets it reach hosts for which it holds no valid credentials.
The payload then encrypts user files, overwrites the MBR with its own boot code and, after the reboot, encrypts the Master File Table (MFT).
The malware creates a scheduled task to force a reboot after a delay (up to 60 minutes):

Code snippet: schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST XX:XX (where XX:XX is the reboot time)
It also attempts to cover its tracks by clearing the Windows event logs and deleting the NTFS USN change journal, which removes evidence that forensic tools normally rely on:
Code snippet 1: wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application
Code snippet 2: fsutil usn deletejournal /D C:

Upon reboot the end user cannot get back into Windows and instead sees a ransom note (screenshot below). This happens because PetrWrap replaced the MBR with its own boot code and encrypted the MFT, so the normal Windows boot process no longer runs.
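The command lines quoted in the summary above are all things a process-creation log (Windows Security event 4688 with command-line auditing enabled, or Sysmon event 1) will record, which makes them a convenient hunting signal. The following Python script is an added example, not code from the original post or from any vendor report: it runs six loose regex rules over constructed sample command lines (hostnames, IP addresses and credentials are made up) and flags a host on which two or more distinct PetrWrap behaviours appear together.

```python
import re
from collections import defaultdict

# Constructed sample events for this example (hostnames, IPs and credentials are
# made up), shaped like the CommandLine field of Windows Security event 4688 or
# Sysmon event 1, and modelled on the command lines quoted in the post.
SAMPLE_EVENTS = [
    {"host": "WS-017", "cmd": r'C:\Windows\dllhost.dat \\10.0.0.12 -accepteula -s -d C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat",#1 10 "CORP\svc_admin:Passw0rd!"'},
    {"host": "WS-017", "cmd": r'C:\Windows\system32\wbem\wmic.exe /node:"10.0.0.13" /user:"CORP\svc_admin" /password:"Passw0rd!" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1 30 \"CORP\svc_admin:Passw0rd!\""'},
    {"host": "WS-017", "cmd": r'schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:35'},
    {"host": "WS-017", "cmd": r'wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application'},
    {"host": "WS-017", "cmd": r'fsutil usn deletejournal /D C:'},
    # Benign look-alikes on a second host: must not trigger anything.
    {"host": "WS-023", "cmd": r'C:\Windows\System32\rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL'},
    {"host": "WS-023", "cmd": r'schtasks /Create /SC daily /TN "NightlyBackup" /TR "C:\Tools\backup.exe" /ST 02:00'},
    {"host": "WS-023", "cmd": r'wevtutil qe Security /c:5 /f:text'},
]

# Each rule: (short id, description, compiled regex). The patterns are loose on
# purpose because quoting and escaping differ between PsExec, WMI and local launches.
RULES = [
    ("perfc_rundll32", "rundll32 loading perfc.dat by ordinal #1 (payload launch)",
     re.compile(r'rundll32(\.exe)?\s+.*perfc(\.dat)?[\\"\s]*,?\s*#1', re.I)),
    ("psexec_creds", "PsExec-style remote execution (\\\\host -accepteula -s -d)",
     re.compile(r'\\\\\S+\s+-accepteula\s+-s\s+-d\s', re.I)),
    ("wmic_rundll32", "WMI remote process creation that launches rundll32",
     re.compile(r'wmic(\.exe)?\s+/node:.*process\s+call\s+create\s+.*rundll32', re.I)),
    ("sched_reboot", "scheduled forced reboot via schtasks + shutdown /r /f",
     re.compile(r'schtasks\s.*?/Create\s.*?shutdown(\.exe)?\s+/r\s+/f', re.I)),
    ("evtlog_clear", "event log clearing with wevtutil cl",
     re.compile(r'wevtutil\s+cl\s+(Setup|System|Security|Application)\b', re.I)),
    ("usn_delete", "USN change journal deletion (anti-forensics)",
     re.compile(r'fsutil\s+usn\s+deletejournal', re.I)),
]


def match_rules(cmd):
    """Return the ids of every rule the command line triggers, in RULES order."""
    return [rule_id for rule_id, _desc, rx in RULES if rx.search(cmd)]


def triage(events):
    """Collect rule hits per host. A host showing two or more distinct
    behaviours is flagged: a single hit (an admin clearing a log, a planned
    reboot) is noise, the combination is the PetrWrap chain."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(match_rules(ev["cmd"]))
    return {host: {"rules": sorted(ids), "likely_infected": len(ids) >= 2}
            for host, ids in per_host.items()}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        flag = "LIKELY PETRWRAP" if verdict["likely_infected"] else "clean"
        print(f"{host}: {flag} {verdict['rules']}")
```

Single hits are deliberately not treated as infections: an administrator clearing a log or scheduling a reboot is ordinary noise, but rundll32 launching perfc.dat by ordinal plus a forced-reboot task plus log wiping on the same host is the chain described above. In a real deployment the events would come from a SIEM or from Get-WinEvent rather than a list, and the correlation should be bounded to a short time window per host.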

Source of origin

According to multiple sources, infections of PetrWrap were first identified on systems running the legitimate updater for the accounting software M.E.Doc (http://www.me-doc[.]com[.]ua). This software is heavily used by Ukrainian companies, and by companies operating in Ukraine, for tax and payroll accounting. From these infected systems, the ransomware propagates to other systems using the techniques described above.

Payment Mechanism (don't pay them!)

The ransomware operators demanded $300 USD in Bitcoin for each infected machine and handled payment confirmation through an email address (wowsmith123456@posteo[.]net) at the third-party email provider Posteo. Once notified of the incident by the security community, the provider announced that it had suspended service to this address as of 16:15. As a result, recovery of files after paying the ransom is no longer possible, because no channel exists through which the operators could provide victims with decryption keys.

Once the malware is deployed on a victim machine, it creates a scheduled task to reboot the host about an hour after infection, likely to give it time to spread before launching its destructive payload. To spread with stolen credentials, the malware drops and runs either an x86 or an x64 version of a credential-stealing executable from its resources; the code is similar to the well-known Mimikatz tool.
The ransomware payload uses a combination of 2048-bit RSA and 128-bit AES in Cipher Block Chaining (CBC) mode to encrypt files whose extensions match entries in a hard-coded list. Public reporting mentions similarities with the Petya ransomware; however, CrowdStrike was not able to confirm any links and assesses that the code structure of this new family differs from Petya's.
How to protect yourself from Petya?

The attackers used the EternalBlue vulnerability, for which Microsoft had already shipped a patch (MS17-010) three months earlier, and the machines that got infected through it were the ones nobody had bothered to update. So, as I always say: keep your machines up to date with the latest patches and updates from the vendors, invest in a proper, well-known antivirus and internet security product, and back up your data regularly (keep at least one copy offline, because a payload that encrypts the MFT takes everything on the disk with it). Patching alone is not enough against this one, though: the credential-theft path over WMI and PsExec works on fully patched hosts, so also disable SMBv1 where it is not needed and avoid using accounts with local administrator rights across many machines, since those are exactly the credentials the Mimikatz-like component harvests.
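EternalBlue is an SMBv1 exploit, so a practical check to add to the advice above is whether a host still accepts SMBv1 at all. The script below is an added example, not part of the original post: it sends a minimal SMB1 NEGOTIATE request offering only the NT LM 0.12 dialect and classifies the reply. The sample replies at the bottom are constructed for offline testing, not captured traffic, and the host and port passed to probe_smb1 are whatever you are auditing. Note what the result does and does not mean: an 'smb1' answer tells you the SMBv1 attack surface is exposed, not whether MS17-010 is installed; a 'closed' or 'smb2' answer means EternalBlue has nothing to talk to.

```python
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72


def build_smb1_negotiate():
    """Build a minimal SMB1 NEGOTIATE request offering only the 'NT LM 0.12'
    dialect, wrapped in a NetBIOS session-service header."""
    dialects = b"\x02NT LM 0.12\x00"          # BufferFormat 0x02 + NUL-terminated name
    header = (
        SMB1_MAGIC
        + bytes([SMB_COM_NEGOTIATE])
        + b"\x00\x00\x00\x00"                  # NTSTATUS
        + b"\x18"                              # Flags: canonical, case-insensitive paths
        + b"\x53\xc8"                          # Flags2: long names, ext. security, NT status, Unicode
        + b"\x00\x00"                          # PIDHigh
        + b"\x00" * 8                          # SecuritySignature
        + b"\x00\x00"                          # Reserved
        + b"\x00\x00"                          # TID
        + b"\x2f\x4b"                          # PIDLow (arbitrary)
        + b"\x00\x00"                          # UID
        + b"\x00\x00"                          # MID
    )                                          # 32 bytes in total
    body = b"\x00" + struct.pack("<H", len(dialects)) + dialects   # WordCount=0, ByteCount, dialects
    smb = header + body
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb          # NetBIOS: type 0, 3-byte length


def classify_negotiate_reply(data):
    """Classify a raw reply to the request above:
    'smb1'     - server accepted the SMB1 dialect (SMBv1 is enabled)
    'rejected' - SMB1 header but DialectIndex 0xFFFF (no offered dialect accepted)
    'smb2'     - server answered with an SMB2 header (SMB2+ only)
    'unknown'  - anything else"""
    if len(data) < 8:
        return "unknown"
    magic = data[4:8]                          # skip the 4-byte NetBIOS header
    if magic == SMB2_MAGIC:
        return "smb2"
    if magic != SMB1_MAGIC or data[8] != SMB_COM_NEGOTIATE or len(data) < 4 + 32 + 3:
        return "unknown"
    dialect_index = struct.unpack_from("<H", data, 4 + 32 + 1)[0]   # first word after WordCount
    return "rejected" if dialect_index == 0xFFFF else "smb1"


def probe_smb1(host, port=445, timeout=3.0):
    """Connect, send the NEGOTIATE and classify the answer. Returns 'closed' if
    the server refuses, resets or stays silent (typical when SMBv1 is off)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate())
            data = s.recv(1024)
    except OSError:                            # refused, reset or timed out
        return "closed"
    return classify_negotiate_reply(data) if data else "closed"


# Constructed sample replies for offline testing; these are not captured traffic.
def sample_smb1_reply(dialect_index):
    hdr = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27          # 32-byte SMB1 header
    body = b"\x11" + struct.pack("<H", dialect_index) + b"\x00" * 34      # WordCount 17 + words
    smb = hdr + body
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb


SAMPLE_SMB2_REPLY = b"\x00\x00\x00\x40" + SMB2_MAGIC + b"\x00" * 60


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumed: host to audit
    print(f"{target}: {probe_smb1(target)}")
```

Run it against each server in a subnet and treat every 'smb1' result as a host that needs SMBv1 disabled (or at least MS17-010 verified through your patch inventory); the probe is read-only and sends nothing beyond the standard negotiate.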

And finally: do not pay the ransom! Your data will not be recovered, because the operators' email address has been shut down and there is no way for them to send you a decryption key.

