On June, 27 – Petya encryption malware was used in a large-scale attack primarily on companies with operations in the Russian Federation and Ukraine. Other organisations were also infected on a global scale.
The malware was distributed using phishing emails. There are currently rumors that a third party Ukrainian document management company, Me-Doc, was compromised to spread the malware but these reports are yet to be confirmed.
The attachment then infected other machines in the network with the Petya malware. For decryption, hackers demand 300 USD in bitcoin.
When the malicious attachment is opened, it employs a recent vulnerability: CVE-2017-0199. This has previously been used in attacks by other criminal groups and is currently employed in a range of malicious builders on sale on underground forums.
After deployment it starts two threads:
- In first, the malware tries to infect other network computers by exploiting the EternalBlue vulnerability (CVE-2017-0144). As with WannaCry.
- In second thread, the malware uses an LSA Dump to get network/local admin passwords (similar to mimicatz x86, x64), and after that it infects other computers with PsExec or WMI commands.
In short, there is no need for all computers to be vulnerable to EternalBlue. You need only
one infected computer with admin credentials in LSA to compromise the network.
The malware executes the following commands to clear OS System Logs and NTFS journal logs
(wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil
usn deletejournal /D %c:)
The malware waits around 30-40 minutes after infecting the endpoint (presumably to
spread itself), then encrypts files with following extensions:
Then changes MBR and MFT on localhost. And Reboot
After encryption the following screen is displayed:
KillSwitch: On launch, the malware checks if a file with its own name exists in Windows
directory, without an extension. For example, if malware body has name perfc.dat (internal PE
name), in the event it finds the file «%WINDOWS%/perfc», the program will exit.
However, Group-IB specialists could not confirm, that the next “Petya” campaign will use this
same file name. Therefore, it depends on specific exploit that creates this file in the system.
Considering this, this protection method cannot be used as a universal KillSwitch.
The malware was compiled on June 18:
What should I do to be protected against attacks like this?
1. Take technical steps to prevent mimikatz and different privilege escalation techniques in Windows:
2. Install Patch KB2871997
3. Regedit: HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/WDigest/UseLogonCredential – set to 0;
4. Make sure that passwords of Local Admins accounts on workstations differ;
5. Change ALL passwords of Domain privileged users and Domain Admins;
6. Install patches, that mitigate CVE-2017-0199 and EternalBlue (МS17-010);
7. Revoke all admin accounts if they are not needed. (According to LSA dumps, there often too many admin accounts in a network)
8. Unless you have patched all PCs in your corporate network, don’t allow your employees to connect their laptops to corporate LAN.
9. Back up your systems regularly. Ideally if you use both – cloud and drives that aren’t constantly connected to the network.
10. Implement Zero Trust policy and arrange a Security Awareness training course for your employees
11. Consider disabling SMBv1 in your network.
12. Subscribe to Microsoft Technical Security Notifications
Group-IB Threat Intelligence customers already received IOCs on Petya outbreak.
Group-IB TDS installed in customers’ infrastructure detected this malware outbreak.