June 29, 2017
Following on the heels of the WannaCry malware attack a few weeks ago, reports are now emerging of a new global spread of ransomware, initially identified as Petya.
According to an early Computerworld report (see PETYA - Darwinism applied to cyberspace), news of widespread attacks against Ukrainian critical infrastructure sectors, including aviation, banking and electricity, emerged early on 27 June 2017. An unknown malware had begun affecting IT systems in these sectors: business systems were made unavailable and normal processes stopped. Fortunately, no operational technology, the technology that actually runs the energy grid, was reported to be affected.
Affected organisations included Ukrenergo, the country's electricity transmission company, and Kyivenergo, the distribution company serving the Kiev region. While Ukrenergo reported no outages, Kyivenergo was forced to shut down all administrative systems and await permission from Ukraine's Security Service (SBU) before restarting them.
This news follows a recent exclusive interview (see Malaysia at risk: CyberSecurity Malaysia chief covers espionage and state level attacks) and a later keynote at this year's Computerworld Malaysia Security Summit, in which CyberSecurity Malaysia's chief executive officer Dato' Dr Amirudin Abdul Wahab first warned of impending state-level and critical infrastructure dangers.
Speaking to Computerworld Malaysia, computer forensics investigator and expert witness Krishna Rajagopal suggested how Malaysian IT could cope with the latest threat.
'Petya' is a more powerful, dangerous and intrusive malware which encrypts the Master File Table (MFT) of NTFS partitions and overwrites the Master Boot Record (MBR), he said.
This means that once a PC is infected with this malware it will not boot into Windows at all; a custom bootloader displays a ransom note instead. The PC is therefore likely to be unusable, as there is no way to perform a virus or malware scan when the system cannot boot into Windows.
Petya spreads via spam e-mail carrying booby-trapped Office documents. Once opened, the documents download and run the Petya installer and execute the SMB worm to spread to other computers. This makes it difficult to tell whether a file is legitimate or not.
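Because the loader lives in the first sector of the disk, one check a defender can run is to compare that sector against a baseline taken while the host was known-clean. The script below is an added example written for this article, not code from the article, from Rajagopal or from AKATI: it parses a 512-byte MBR sector, decodes the partition table and compares a SHA-256 of the 446-byte boot-code region with a stored baseline. The two sectors it checks are constructed in the script (stand-in boot code, one bootable NTFS partition); they are not real disk images.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446       # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446      # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four primary partition entries (empty ones included)."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR sector is exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot code only; the partition table may change legitimately."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_boot_hash: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    if mbr[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) != baseline_boot_hash:
        findings.append("boot code differs from baseline")
    bootable = [p for p in parse_partition_table(mbr) if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: the given boot code, one bootable NTFS (0x07)
    partition at LBA 2048, and the boot signature. Not a real disk image."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 2_000_000)
    return boot + entry + b"\x00" * 48 + SIGNATURE


GOOD_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")     # stand-in for the normal loader
BASELINE = boot_code_hash(GOOD_MBR)                                   # recorded while the host was known-clean
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"CUSTOM LOADER")   # stand-in for a replaced loader

if __name__ == "__main__":
    for name, sector in (("baseline host", GOOD_MBR), ("tampered host", TAMPERED_MBR)):
        print(f"{name}: {check_mbr(sector, BASELINE) or 'OK'}")
```

On a live Windows host the sector comes from an elevated process reading the first 512 bytes of \\.\PhysicalDrive0; the baseline hash must be recorded before any incident and stored off the machine. Note that a replacement loader that still boots will also carry the 0x55AA signature, so the signature check alone proves nothing; the comparison against the baseline is the real test.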
Social engineering techniques
Rajagopal, who is also group chief executive officer of AKATI, said that "beginning Tuesday, June 27th, 2017, at the AKATI Consulting Emergency Response Team and at our Security Operations Centres in Hong Kong and Malaysia, we started seeing a new wave of 'Petya'-like ransomware attacks, initially targeting organisations across Ukraine and Russia and then moving to Europe and the rest of the world."
"This new ransomware, which is now becoming known by several different names such as GoldenEye, Petya and NotPetya, was initially spread through a software update for a Ukrainian tax accounting program called MeDoc," he explained.
"Subsequently we have seen the ransomware being distributed using social engineering techniques, mainly phishing, where company employees opened malicious attachments in e-mail messages," Rajagopal said.
"This new 'Petya'-like ransomware bears similarities to the Petya which first emerged in 2016," he said. "Petya used a different and unique approach to ransomware at that time, which was overwriting the Master Boot Record (MBR) with a custom boot loader to load a malicious kernel that then proceeds to encrypt the drive."
So if the ransomware looks like something from a year ago, and the exploit was EternalBlue, which was behind WannaCry recently, then what's the fuss about?
"The danger is in its propagation techniques," Rajagopal said. "This 'Petya'-like ransomware propagates across the local network in a much more sophisticated fashion than WannaCry and other ransomware. Perhaps most crucially, thanks to all this sophistication, the new strain will infect even patched Windows PCs, even Windows 10."
How does it do this? He outlined the process as follows.
- First, it only needs one machine vulnerable to CVE-2017-0144 to infiltrate the network. This could be any of your users dialling in via VPN, perhaps.
- It then loads LSADump (a Mimikatz-like tool that reads credentials from memory) to find passwords on the infected computer and move to other systems.
- Subsequently it spreads laterally throughout the network using PsExec and WMI. This means that even computers that have been patched against EternalBlue are still vulnerable to subsequent infection.
- Once a system has been compromised, the ransomware takes the following steps:
i. It writes a message to the raw disk and clears the Windows Event log
ii. Adds a delay of 270000 ms, roughly 45 minutes, before restarting the machine
iii. Upon rebooting, encrypts files matching a list of file extensions (including .3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd and .zip)
iv. Leverages WMI or PsExec to spread (PsExec is dropped as dllhost.dat)
v. Presents a text message on the user's screen
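The practical consequence of the outline above is that patching the SMB flaw is not enough: once one host is in, the spread rides on stolen credentials, PsExec and WMI, so detection has to look for that behaviour on the endpoints. The script below is an added example written for this article, not code from the article, from Rajagopal or from AKATI. It runs four behavioural rules over process-creation records of the shape Sysmon event 1 or Security event 4688 produce: PsExec running under the name dllhost.dat (stated in the outline), remote process creation through WMI, clearing of the Windows Event Log, and a restart scheduled for later rather than immediately. The command-line patterns used for the last three (wmic /node ... process call create, wevtutil cl, shutdown /r /t or a schtasks job) are assumed generic ways those behaviours appear in logs, not command lines recovered from the malware, and the sample events are constructed to exercise the rules.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon event 1 / Security 4688 shape)."""
    host: str
    user: str
    image: str
    cmdline: str


def _image_name(e: ProcEvent) -> str:
    return e.image.lower().rsplit("\\", 1)[-1]


def rule_psexec_dllhost_dat(e: ProcEvent) -> bool:
    """PsExec dropped under the name dllhost.dat, as the outline states."""
    return "dllhost.dat" in e.cmdline.lower()


def rule_wmi_remote_create(e: ProcEvent) -> bool:
    """Remote process creation through WMI (assumed pattern: wmic /node:<host> process call create)."""
    c = e.cmdline.lower()
    return _image_name(e) == "wmic.exe" and "/node:" in c and "process call create" in c


def rule_eventlog_cleared(e: ProcEvent) -> bool:
    """Event log clearing (assumed pattern: wevtutil cl <log>; the outline only says the log is cleared)."""
    return _image_name(e) == "wevtutil.exe" and re.search(r"\bcl\b", e.cmdline.lower()) is not None


def rule_delayed_reboot(e: ProcEvent) -> bool:
    """A restart deferred by a timer rather than immediate (assumed patterns:
    shutdown /r /t <seconds> with a non-zero delay, or a schtasks job that runs shutdown)."""
    c = e.cmdline.lower()
    if _image_name(e) == "shutdown.exe" and "/r" in c:
        m = re.search(r"/t\s+(\d+)", c)
        return m is not None and int(m.group(1)) > 0
    return _image_name(e) == "schtasks.exe" and "/create" in c and "shutdown" in c


RULES = {
    "psexec_dllhost_dat": rule_psexec_dllhost_dat,
    "wmi_remote_create": rule_wmi_remote_create,
    "eventlog_cleared": rule_eventlog_cleared,
    "delayed_reboot": rule_delayed_reboot,
}


def scan(events) -> dict:
    """Map each host with at least one hit to the sorted list of rule names that fired."""
    hits = defaultdict(set)
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits[e.host].add(name)
    return {h: sorted(r) for h, r in hits.items()}


def suspected_hosts(events, min_rules: int = 2) -> list:
    """Hosts where several independent behaviours fired; a single hit is often legitimate admin work."""
    return sorted(h for h, r in scan(events).items() if len(r) >= min_rules)


# Constructed sample events: WS01 shows the chain from the outline, WS02 shows routine admin activity.
SAMPLE_EVENTS = [
    ProcEvent("WS01", "CORP\\alice", r"C:\Windows\System32\wmic.exe",
              r'wmic /node:"WS02" /user:"CORP\svc_backup" process call create "C:\Windows\Temp\stage.exe"'),
    ProcEvent("WS01", "CORP\\alice", r"C:\Windows\dllhost.dat",
              r"C:\Windows\dllhost.dat \\WS03 -accepteula -s -d C:\Windows\Temp\stage.exe"),
    ProcEvent("WS01", "CORP\\alice", r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Security"),
    ProcEvent("WS01", "CORP\\alice", r"C:\Windows\System32\shutdown.exe", "shutdown /r /f /t 270"),
    ProcEvent("WS02", "CORP\\bob", r"C:\Windows\System32\wevtutil.exe", "wevtutil qe System /c:5"),
    ProcEvent("WS02", "CORP\\bob", r"C:\Windows\System32\shutdown.exe", "shutdown /r /t 0"),
]

if __name__ == "__main__":
    for host, fired in scan(SAMPLE_EVENTS).items():
        print(host, fired)
    print("suspected:", suspected_hosts(SAMPLE_EVENTS))
```

The rules are deliberately loose on their own (administrators do clear logs and do use wmic remotely), which is why the verdict requires more than one of them on the same host. In a real deployment the events would come from the endpoint agent or SIEM rather than the constructed list, and a hit should trigger isolation of the host and a check of which accounts it had used, since the credentials read from memory are what carry the infection onward.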