Tuesday, 27 June 2017

Peyta / NotPeyta / Petrwrap Ransomware Explained & Advice

Here we go again, another large scale ransomware attack is causing chaos across the globe, including at British marketing firm WPP, a Harpenden Jewson hardware store, several Ukrainian national infrastructure firms, and even causing a halt in production at a Cadbury chocolate factory in Australia.
The ransomware in question is a new strain of the Petya ransomware family, modded to take advantage of the same EternalBlue SMB (Server Message Block) vulnerability (CVE-2017-0144) as the WannaCry ransomware. EternalBlue was leaked by the Shadow Brokers hacker group in April 2017 and is believed to be developed by the NSA.  The malware also uses another exploit for vulnerability CVE-2017-0145 known as EternalRomance. Both of these Microsoft Windows vulnerabilities enables the Peyta ransomware to spread rapidly across local area networks, potentially self-infecting any other Windows systems without the MS17-010 security update applied. It is this rapid spread capability within company networks with unpatched Windows systems which is causing the major impact at organisations around the world.The Microsoft MS17-010 Critical Security Update, released on 14th March 2017, prevents both EternalBlue and EternalRomance exploits and the rapid internal spread of the malware, so reducing the potentially high impact on businesses.

The Petya ransomware has been around since early 2016, instead of encrypting individual files like most ransomware, it goes after locking out the operating system by attacking the operation system's Master File Table (MFT). The MFT is a database in which information about every file and directory on the file system (NTFS) volume is stored. This new version or copy of Petya is also known as NotPetya and Petrwrap.

The most common malware entry into organisations is via a Phishing Email, there are reports of Peyta loaded emails having a subject of ‘Hi’ along with a .zip or .scr attachment with the title of ‘gone’.

The ransomware element of Peyta requires Window Administrator rights, however, with basic level Windows User Rights Peyta is still able to propagate onto other insecure local area network connected Windows systems. Peyta doesn't have a killswitch which brought the WannaCry outbreak to an abrupt end last month, so expect the Peyta outbreak to last longer.

How to Protect your Organisation from Peyta
Much of the same protection advice applies as with the WannaCry ransomware.
  1. Perform regular Staff Phishing Email Awareness, teach staff how to spot suspect emails and to not open attachments or click on any links within them.
  2. Ensure the Microsoft MS17-010 security update is applied to all Windows systems or disable SMBv1, as this prevents Peyta from rapidly spreading within the internal network.
  3. Adopt a robust Patch Management process, ensure all Critical Security Updates are quickly applied, they are marked as critical for a reason! 
  4. Ensuring Anti-Virus (AV) is running on all Microsoft Windows systems, with AV definitions kept up-to-date. Most anti-virus solutions have updates released which detect and prevent the latest Peyta strain - see https://virustotal.com/fr/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/. However, be aware your anti-virus product may not be able to detect and prevent new versions of the malware for a period of time, that is until the AV vendors are able to update their products (virus detection definitions) to detect, which is why it is important to keep your anti-virus solutions updated daily.
    • There is a Peyta Infection Blocking alternative to Anti-Virus, see Petya Vaccine
  5. Back up your data regularly, it is far quicker to recover from ransomware when you know your data is safe.
  6. If you do suspect your Windows device is infected with Peyta
    • do not reboot or power back on the computer, Peyta does its damage during the bootup sequence, it runs a fake CheckDisk/ChkDsk as per the below screenshot, warning not to switch off the computer. If you see that message power off immediately
    • Peyta creates a scheduled task to reboot the computer between 10 and 60 minutes after infection, find and remove this task to prevent the Windows reboot. Petya does not reschedule the reboot task.

Detecting Infections through Network Traffic Monitoring
Any devices scanning ports 139 and 445 across the LAN is a solid indication of a Peyta compromised system attempting spread. 

The Ransom Payment - Don't Pay it
Peyta demands a ransom of $300 worth of Bitcoin and provides an email address to confirm the payment. However, that email address has been shut down by the email provider, so do not pay the ransom. 

Petya Data Recovery
At this time there are no known methods to recover Petya encrypted data. Restoring the MBR will not decrypt the data. Wipe the disk drive and reinstall/reimage the Operation System and restore data from an anti-virus scanned backup.

Nation-State or Cyber Criminal Orchestrated?
This cyber attack has all the hallmarks of a nation-state attack, given the initial outbreak of Peyta was reported to occur at large national infrastructure organisations in the Ukraine and India, and then went on to spread globally. In my opinion, at this time, the attack was probably conducted by either a nation-state or a group affiliated with a nation-state, motivated to cause national infrastructure mayhem by mirroring the impact of the recent WannaCry attack, and not by Cyber Criminals out to make easy money. Cyber Criminals tend to target home users with ransomware attacks which are a far more lucrative and rewarding market for them than companies. Although there was a report of a South Korean company paying a $1m ransom recently, it is worth noting Petya only asks for $300 worth of Bitcoin, which is low for business ransomware, and only $8,000 worth of Bitcoin has been paid so far, which again is extremely low financial reward for the scale of the attack. In late 2016 Ukraine had several state websites hacked and the Ukraine national electricity grid was also cyber attacked in late 2015, suggesting the country does have an advanced persistent cyber threat advisory that is active.

Kaspersky have named the malware as calling the malware 'NotPeyta', as they believe it is a new type of ransomware. Petrwrap is another popular name for it within the cyber security industry.

List of organisations known to be impacted.
  • UK - WPP, Jewson
  • US - Marck &Co, DLA Piper, a Pittsburgh Hospital
  • Ukraine - Central bank, power grid
  • Russia - Evraz, Rosneft
  • France - Saint-Gobain
  • Germany - Metro, Deutsche Post
  • Denmark - AP Moller-Maersk
  • Norway - Unnamed firm
  • The Netherlands - APM Terminals
  • India - Jawaharlal Nehru container port in Mumbai
  • Australia - Cadburys and another yet unnamed company
File Indicators and Example Hashes
Windows Executable (DLL) Size is 354K
SHA-1 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
MD5 71b6a493388e7d0b40c83ce903bc6b04

SHA-1 68f98db6d599286f61395dd1bc9a0febc82006e7
MD5 4481411bd9b5d08ca31f4af62571fb58

SHA-1 9717cfdc2d023812dbc84a941674eb23a2a8ef06
MD5 e285b6ce047015943e685e6638bd837e

SHA-1 101cc1cb56c407d5b9149f2c3b8523350d23ba84
MD5 415fe69bf32634ca98fa07633f4118e

SHA-1 9288fb8e96d419586fc8c595dd95353d48e8a06
MD5 a1d5895f85751dfe67d19cccb51b051a

Detailed Technical Breakdown of Peyta
This Peyta version was compiled on 18th June 2017
Scans your local network and tries to spread using PsExec and WMI calls.
Uses SMB exploits EternalBlue and EternalRomance (Patched by MS17-010).
Uses API calls to map Active Directory and DHCP environments
Uses bespoke version of Mimikatz to dump admin credentials
Excellent video analysing how Peyta works - https://www.youtube.com/watch?v=vtDgA_aasf
Full technical brief by Microsoft https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/

No comments: