by Aamir Lakhani  |  Jun 27, 2017  |  Filed in: Security Research

We are currently tracking a new ransomware variant sweeping across the globe that has the ability to modify the Master Boot Record similar to a previous attack known as Petya. Researchers are referring to it as either Petya or NotPetya as it hasn't been determined if this malware is a variant belonging to the Petya family. It is currently having an impact on a wide range of industries and organizations, including critical infrastructure such as energy, banking, and transportation systems.

This is a new generation of ransomware designed to take timely advantage of recent exploits. This malware targets a variety of attack vectors, including the same vulnerabilities that were exploited during the recent Wannacry attack this past May. Because, like Wannacry, this attack combines ransomware with worm-like behaviors, we are referring to these as a new malware group called ransomworms. Rather than targeting a single organization, ransomworms use a broad-brush approach that increases the scale and scope at which they can spread, because they target any device they can find that the attached worm is able to exploit.

While research is ongoing at this stage of the investigation, we can verify at this point that the ransomware exhibits worm-like (ransomworm) behavior, since it actively probes for SMB servers, and that it appears to be spreading through EternalBlue and WMIC. Researchers initially believed that the Petya/NotPetya ransomworm was transmitted to its first victims through emails containing infected Microsoft Office documents that exploited CVE-2017-0199. While we are still working to confirm this, applying the appropriate MS Office patch to your system(s) will protect you from this attack vector.
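The SMB probing described above is visible in ordinary firewall or flow logs: one internal host touching many distinct peers on TCP/445 in a short window. The script below is an added example (not code from the post or from Fortinet) that flags such sweeps over a constructed log sample; the log format (timestamp, source, destination, port, action), the threshold of ten peers and the one-minute window are assumptions chosen for illustration.

```python
"""Flag internal hosts that probe TCP/445 (SMB) across many peers in a short window.

A worm-style spreader sweeps a subnet looking for SMB servers, so a single
source reaching many distinct destinations on port 445 within a minute is the
signal this script looks for. Denied connections count as well: a scan is a
scan whether or not the firewall let it through.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: timestamp src dst dport action).
# 10.0.1.15 sweeps twelve neighbours on 445 within a few seconds;
# 10.0.1.50 talks repeatedly to one file server, which is normal SMB use.
SAMPLE_LOGS = "\n".join(
    f"2017-06-27T10:00:{s:02d} 10.0.1.15 10.0.1.{20 + s} 445 {'allow' if s % 3 else 'deny'}"
    for s in range(12)
) + """
2017-06-27T10:00:05 10.0.1.50 10.0.1.10 445 allow
2017-06-27T10:00:30 10.0.1.50 10.0.1.10 445 allow
2017-06-27T10:00:31 10.0.1.51 10.0.1.10 443 allow
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def find_smb_scanners(log_text, threshold=10, window=timedelta(seconds=60)):
    """Return {src: distinct_445_peers} for every source that exceeds the threshold in any window."""
    hits = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _action = parse_line(line)
        if dport == 445:
            hits[src].append((ts, dst))

    flagged = {}
    for src, events in hits.items():
        events.sort()
        # Slide a window starting at each event and count distinct peers inside it.
        for i, (start, _) in enumerate(events):
            peers = set()
            for ts, dst in events[i:]:
                if ts - start > window:
                    break
                peers.add(dst)
            if len(peers) >= threshold:
                flagged[src] = len(peers)
                break
    return flagged


if __name__ == "__main__":
    for src, count in find_smb_scanners(SAMPLE_LOGS).items():
        print(f"possible SMB sweep from {src}: {count} distinct peers on tcp/445")
```

The threshold should be tuned per network: a domain controller or backup server legitimately reaches many hosts on 445, so a production rule would exclude known management hosts or raise the threshold for them rather than alert on every busy server.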

Once a vulnerable device has been targeted, Petya/NotPetya appears to impair the Master Boot Record (MBR) during the infection cycle. It then presents the user with a ransom note stating, “Your files are no longer accessible because they have been encrypted,” and demanding a ransom of approximately $300 in the Bitcoin digital currency. It also warns that shutting down the computer will result in the complete loss of the system.

This is a different tactic from a countdown clock or the gradual erasing of data files seen in other versions of ransomware. With most ransomware attacks, the only potential loss is data. Because Petya alters the Master Boot Record, the risk is the loss of the entire system. In addition, it initiates a reboot of the system on a one-hour cycle, adding a denial-of-service element to the attack.
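Because the damage here is to the first sector of the disk rather than to individual files, a baseline comparison of that sector is a simple way to notice it on an image or a mounted device. The following is an added example (not code from the post or from Fortinet) that parses a legacy MBR, hashes its boot code against a known-good value and sanity-checks the partition table; the sample sector it builds is constructed, and reading a real device with read_first_sector requires read access to the block device.

```python
"""Compare a disk's first sector (legacy MBR) against a known-good baseline.

The boot code (bytes 0..445), the four 16-byte partition entries and the
trailing 55AA signature are parsed separately so that a report can say
which part of the sector was rewritten.
"""
import hashlib

SECTOR_SIZE = 512
BOOTCODE_LEN = 446          # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446        # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Extract boot-code hash, partition entries and signature from one 512-byte sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        if entry[4] == 0:           # partition type 0 means the slot is unused
            continue
        partitions.append({
            "bootable": entry[0] == 0x80,
            "type": entry[4],
            "lba_start": int.from_bytes(entry[8:12], "little"),
            "sectors": int.from_bytes(entry[12:16], "little"),
        })
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_bootcode_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 55AA missing")
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings


def read_first_sector(path: str) -> bytes:
    """Read sector 0 from a block device or raw disk image (needs read access to it)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed test sector: given boot code, one active NTFS partition, valid signature."""
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")
    entry = (bytes([0x80, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00])
             + (2048).to_bytes(4, "little") + (1_000_000).to_bytes(4, "little"))
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    good = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")   # stand-in for the original boot code
    baseline = parse_mbr(good)["bootcode_sha256"]
    tampered = build_sample_mbr(b"\xeb\x00\x90")        # stand-in for a rewritten bootloader
    print("clean:", check_mbr(good, baseline))
    print("tampered:", check_mbr(tampered, baseline))
```

The baseline hash should be recorded when the machine is known to be clean (for example at build time) and stored off the host; a check that reads its baseline from the same disk it is inspecting can be defeated by the same write that replaces the boot code. This check covers only the legacy MBR sector; GPT/UEFI systems keep their boot path elsewhere and need a different comparison.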

Curiously, in addition to Microsoft Office exploits, Petya/NotPetya uses the same attack vector as Wannacry, exploiting the identical Microsoft vulnerabilities that were uncovered by the Shadow Brokers earlier this year. However, because additional attack vectors were used in this attack, patching alone would have been inadequate to stop it completely, which means that patching needs to be combined with good security tools and practices. Fortinet customers, for example, were protected from all attack vectors, as they were detected and blocked by our ATP, IPS, and NGFW solutions. In addition, our AV team issued a new antivirus signature within a few hours of the discovery to enhance the first line of defense.

There are a couple of really interesting aspects to this attack. The first is that, in spite of the highly publicized disclosure of the Microsoft vulnerabilities and patches, and the world-wide nature of the follow-up Wannacry attack, there are apparently still thousands of organizations, including those managing critical infrastructure, that have failed to patch their devices. The second is that this may simply be a test for delivering future attacks targeted at newly disclosed vulnerabilities.

From a financial perspective, Wannacry was not very successful, as it generated very little revenue for its developers. This was due, in part, to researchers finding a kill switch that disabled the attack. Petya’s payload, however, is much more sophisticated, though it remains to be seen whether it will be more financially successful than its predecessor.

So far, two things are clear: 1) far too many organizations practice poor security hygiene. When an exploit targets a known vulnerability for which a patch has been available for months or years, victims have only themselves to blame, and key elements of this attack targeted vulnerabilities for which patches had been available for some time. And 2) these same organizations also do not have adequate tools in place to detect these sorts of exploits.

Ransomware is Here to Stay

The rise of ransomware, along with a surprising array of variants over the past year, has been dramatic. We now see and track several types of ransomware.

Traditionally, ransomware is a targeted attack, meaning that the victim is selected beforehand and the attack is designed specifically for that individual organization or network. In this case, critical resources, such as data, are encrypted, and a ransom is demanded in exchange for a key to unlock them.

We have also seen the rise of denial-of-service-based ransomware. This can take several forms. In the first, a denial of service attack aimed at an organization overwhelms its services, making them unavailable to customers and users, and a ransom is demanded to turn it off.

Mirai, which was launched last August and September, was the largest denial of service attack in history, in part because it leveraged hundreds of thousands of exploited IoT devices. Recently, a new Mirai-like IoT-based botnet called Hajime used exploited DVR devices to target organizations with an overwhelming DDoS attack combined with a demand for ransom to turn it off. Hajime is a next-generation IoT exploit: it is cross-platform, currently supporting five different platforms; it includes a toolkit of automated tasks and dynamic password lists that keep it updatable; and it tries to mimic human behavior so that it makes less noise and stays under the detection radar.

An interesting twist has been the development of ransomware as a service (RaaS), allowing less technical criminals to leverage ransomware technology to start their own extortion businesses in exchange for providing the developers with a cut of any profits. Within this family we recently saw the very first RaaS ransomware targeting MacOS, which has thus far largely remained under the radar of attackers. However, since the profile of Mac users tends to include both engineers and corporate executives, the advent of attacks targeting these devices should not come as a surprise.

What we are seeing now are two additional exploits being added to the family of ransomware threats. With Wannacry, we saw ransomware designers for the first time combine ransomware with a worm to speed its delivery and expand the scale and scope of the attack. And now, with Petya/NotPetya, we see the addition of targeting the Master Boot Record to up the ante on the consequences of failing to pay the demanded ransom, from simply losing personal files, which may have been backed up, to potentially losing the entire device.

Fortinet protections

AV Signatures:

W32/Petya.EOB!tr

W32/Agent.YXH!tr

Other signatures are being investigated.

IPS Signatures:

MS.Office.RTF.File.OLE.autolink.Code.Execution (Created Apr 13, 2017; Last Updated Jun 19, 2017)

MS.SMB.Server.SMB1.Trans2.Secondary.Handling.Code.Execution (Created Mar 14, 2017; Last Updated Jun 05, 2017)

We have verified that this signature can block Petya's exploitation of the Microsoft vulnerabilities that were uncovered by the Shadow Brokers.

Sandbox Detection:

Fortinet Sandbox (FSA) detects this attack.

TOR Communications:

Block outbound TOR traffic via AppControl signatures.

Critical Microsoft updates for Petya

Security Update for Microsoft Windows SMB Server: March 14, 2017

Security update for Office 2016: April 11, 2017