Petya – Ransomware, malware, worm, virus

PETYA !! What’s in the name ? A thick black smoke which crashed the world with its jet BLACK screen and RED font.

When a security professional identifies a SQL Injection, Cross-site Scripting (XSS), Distributed Denial of Service (DDOS) or even coincidently stumbled upon a Remote Code Execution (RCE) attack, the Development team’s first reaction to the list of reported vulnerabilities will be “So What the Fuzz?? What is the impact to the Business?? We have invested heavily in Web Application Firewall (WAF), load balancers; given proper KT to Developers on security, etc. do you think we all are dumb and WAFs are incapable of stopping a simple RCE?? We are running the latest version of TLS and have a proper Patch Management Process in-place. We will keep aside your findings, since our Clients want this Application to move to Production tonight, give us a sign-off or face my wrath”. Now is the time for those Security Professionals to show such Development Teams real-time consequences of not fixing those identified security vulnerabilities.

  • Recent Past:
    • Brief: On May 12th 2017, the world woke up and helplessly saw a massive Ransomware attack their computers by encrypting all their personal data on their respective computers. This Ransomware was named WannaCry / WannaCrypt.
    • Technical Details:
    • Attack pattern: Mostly received as part of a Phishing email:
      • Users receive a infected file, opens the file and lets malicious code into the computer
      • The code then executes by encrypting most of the file formats with a encryption on a remote command control server and locks down all the user data on the local user machine
      • Once the encryption process is complete, users are requested to reboot their computers after which users will be unable to access any files
      • A Ransom demand screen is displayed to the end user who tries accessing their own files, demanding them to make a payment of $300 in BitCoins to get the decryption key
      • User makes the payments, there were no records of any user getting back their encrypted data
    • The fix: Though this Ransomware created a mess overnight and infected nearly 3,00,000 computers worldwide, this attack was short-lived since a security researcher stumbled upon the fix by accidently buying a domain ending with “gwea.com” thus putting an end to this nightmare
  • Present:
    • Brief: Even before the world could come out of the threat from WannaCry, there were several rumours of the second version of the same Ramsomware. UIWIX was one such infamous Ramsomware which couldn’t make a great hype in the market. On the 27th of June 2017, the world was unknowingly awaiting to embrace a similar but much effective version of WannaCry. This time the name was inherited from one of the earlier Ransomware’ namely PETYA. As of Tuesday, Microsoft countedat least 12,500 infected systems across 65 countries and counting. Those include Belgium, Brazil, Britain, Denmark, Germany, Russia and the United States.
    • Technical Details:

Petya is a ransomware family which crashes the system by gaining access to the Master Boot Record (MBR). This spreads over the windows Server Message Block (SMB), reportedly using the ETERNALBLUE exploit tool, which exploits the CVE-2017-0144 vulnerability initially released by Shadow Brokers in April 2017.

Petya also called as NotPetya, SortaPetya, Petna, ExPetr, GoldenEye and Nyetya was initially believed to be a Ransomware, however there are some security practioners who claim Petya to be a wiper which deletes data completely from ones hard disk making it impossible for the user to access his/her files again.

Source: https://twitter.com/ntisec/status/879698154161152000
Source: https://twitter.com/ntisec/status/879698154161152000

Observations by security experts:

  • In a Ransomware attack, each victim gets supplied with a unique bitcoin address to help attackers know who has paid. But NotPetya gives the same address to every victim
  • The listed email was an account hosted by the German company Posteo, was quickly shut the account down, thus making it impossible for victims to reach the attackers
  • Even if a victim paid the ransom, security firm Kaspersky Labsuspects that NotPetya’s developers can’t decrypt any computers
  • In the case of NotPetya, the installation ID, which a victim who has paid must furnish to the attackers, so they can reveal the decryption key to a victim, is comprised solely of random data
  • “That means that the attacker cannot extract any decryption information from such a randomly generated string displayed on the victim, and as a result, the victims will not be able to decrypt any of the encrypted disks using the installation ID,” Kaspersky Lab researchers Anton Ivanov and Orkhan Mamedov write
    • Attack Pattern:
      • Petya Attack Pattern

      • Infection: Well-known Ukrainian software MEDoc was infected with the Petya DLL by attackers to deliver the same to its end users
      • Installation: This variant of Petya is spread as a DLL file and id dependent on another process before it takes action on the system. Once executed, the Master Boot Record (MBR) is overwritten and creates a scheduled task to reboot the system. After the system reboots, the malware displays a fake “chkdisk” scan which tricks the victim into believing the program is repairing their hard drive. In reality, the malware is encrypting the NTFS Master File Table in the background. The fake chkdisk completes and the malware displays a ransom note which demands a payment of $300 in bitcoin
      • Communication: Petya contains no Command and Control mechanisms that are currently known. After a host is infected, there is no communication from the malware back to the attacker
      • Circulation: Petya uses the following mechanisms to spread across hosts:
        • Scans the local /24 to discover enumerate ADMIN$ shares on other systems, then copies itself to those hosts and executes the malware using PSEXEC. This is only possible if the infected user has the rights to write files and execute them on system hosting the share
        • Uses the Windows Management Instrumentation Command-line (WMIC) tool to connect to hosts on the local subnet and attempts to execute itself remotely on those hosts. It can use Mimikatzto extract credentials from the infected system and use them to execute itself on the targeted host
        • And finally attempts to use the ETERNALBLUE exploit tool against hosts on the local subnet. This will only be successful if the targeted host does not have the MS17-010 patches deployed
      • The fix: Here are some fix recommendations from various sites to help protect users from this ransomware malware worm from infecting your computers
      • Future: Not sure how much this hurts the human emotions, but future is not all can foresee. [On a lighter note] We have to look up to the Prophecies documented by Nostradamus to help us find an answer to all these human pains. [On a serious note, as said by a great person] If a hacker wants to attack you, there is nothing much that you can do to stop, but just make it harder for him/her to attack.
      • Reason behind all these attacks: Phishing emails, ignorance from users, SMB version 1, NSA, Shadow Brokers, EternalBlue, MEDoc, Petya DLL

 

Conclusion:

WannaCry and Petya are just the tip of the iceberg, there are many such security vulnerabilities out in the wild just waiting to be unleashed. Ransomware is undoubtedly the current threat to be dealt with and ASAP. The actors behind this threat are continuously experimenting & enhancing their hacking skills on real-time users and creating havoc globally.

This is not the time to freak out; it’s a learning curve for both hackers and end users. With the current day scenario, there are going to be a lot of openings in the information security field. So keep yourselves updated, educated and remember – ignorance is not an option

Until next time, stay secure.


SecureFirst Solutions Private Limited is a security centric Product-cum-Services Organization assisting its Clients to develop and maintain security applications. Our offerings are classified broadly into two categories:
1. Product: Vulnerability Management System (VMS)
2. Services: Security as a Service (SaaS)
3. On-premise classroom trainings

Download our brochure at: http://securefirstsolutions.com/downloads/SecureFirstSolutions_Brochure.pdf

Learn more about our Security Offerings at: http://securefirstsolutions.com/

References:

 

Author: admin

Raghavendra Rao PV has more than 11years of experience in Information Technology. He started his career as a software developer at Accenture in the year 2006 and then moved to Information Security. Prior to starting SecureFirst Solutions Private Limited, he worked with Organizations namely; Accenture Services Private Limited, TATA Consulting Services, Dell International Services. He is a Certified Ethical Hacker (CEH) and IBM Rational AppScan Certified.

Leave a Reply