Petya Self Propagating Ransomware

The contents of this article were previously found on PetrWrap Ransomware CC-1287).

Threat ID:: CC-1492
Category:: Worm, Ransomware
Threat Severity:: Medium
Threat Vector:: Insecure network, Email spam
Published:: 28 June 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

The contents of this article were previously found on PetrWrap Ransomware CC-1287).

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - all versions

Threat details

A new variant of PetrWrap ransomware is leveraging a modified EternalBlue SMBv1 exploit (patched in MS017-010) which is used to self-propagate within local and remote networks.

The malware also uses the EternalRomance SMB exploit (ALSO patched in MS017-010) which is a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP port 445.

The malware is also capable of self propagating to networked systems previously patched in MS017-010 via authentication reuse and PsExec tools or WMIC.

PsExec is a legitimate Microsoft windows tool which is a tool used to execute processes on remote systems with full interactivity with console applications.
WMIC is a legitimate Windows tool - The Windows Management Instrumentation Command-line (WMIC) is a command-line and scripting interface that simplifies the use of Windows Management Instrumentation (WMI) and systems managed through WMI.

This malware uses Mimikatz to capture credentials. Mimikatz is a custom tool that extracts data from the lsass.exe process. After extraction, credentials are passed to PsExec tools or WMIC for distribution inside a network.

A single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers through WMI or PSEXEC.

The malware includes several evasion techniques including long sleeps to avoid analysis by researchers.

The malware could also be delivered as an attachment in spam email which includes the CVE-2017-0199 vulnerability, a remote code execution vulnerability in Word pad which downloads the NotPetya ransomware and utilises the EternalBlue SMB exploit (MS17-010) to spread laterally across the network.

CVE-2017-0199 is a vulnerability within Microsoft Office that was patched as part of April’s Microsoft Patch Tuesday. The vulnerability works by utilising an embedded OLE2 link object that when opened causes the winword.exe process to call out to a remote server to obtain a malicious HTA file. Microsoft HTA application (mshta.exe) then proceeds to load and execute the malicious script.

The malware adds a scheduled task to reboot the computer after the system is first infected. Encryption is initiated after reboot as a fake “chkdisk” screen message appears. - Before the reboot, files can be safely backed up if infection is suspected.

If the user has admin rights on the machine the encryption routine encrypts the Master Boot Record of the infected system upon reboot after infection. If the user does not have admin rights, only the individual files the user has access to are encrypted and not the Master Boot Record.

Know

Remediation steps

Type	Step
	Ensure all systems are protected with the latest AV definitions If your network becomes infected immediately report it to your AV provider for investigation and patching Ensure your AV software is kept updated with the very latest security definitions, to detect current and evolving strains of malware which leverages this vulnerability. Confirm with your AV provider that they have rolled out virus definitions which are supported by your organisation's operating systems to protect you from the spread of this malware (especially if your organisation is running out of support operating systems). Ensure your AV software is properly configured and automatically scans all files and file operations (including file reads, writes and re-names) Ensure the following ports are blocked at your organisations firewall Block SMB related ports (UDP 137, 138 and TCP 137, 139, 445) at your organisation's external firewall https://support.microsoft.com/en-us/help/3185535/guidelines-for-blocking-specific-firewall-ports-to-prevent-smb-traffic-from-leaving-the-corporate-environment TCP ports 1024-1035 & 135 SMB Vulnerability Remediation Apply the remediation detailed here SMB EternalBlue and DoublePulsar Exploit (CC-1353 ) Ransomware Remediation To avoid becoming infected with ransomware, ensure that: A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, antivirus and other security products are kept up to date. All day to day computer activities such as email and internet are performed using non-administrative accounts and that permissions are always assigned on the basis of least privilege. Your organisation adopts a holistic all round approach to Cyber Security as advocated by the 10 Steps To Cyber Security. Identifying the source of infection: Identifying the infected machine and unplugging / disconnecting or quarantining it from the network is essential to damage limitation. Users should immediately report infections to their IT support provider, disconnect their network cable and power the computer down. File auditing should be enabled and file server logs should be monitored to detect signs of unauthorised encryption and allow the source of encryption to be identified (i.e. the infected PC). To limit the damage of ransomware and enable recovery: All critical data must be backed up, and these backups must be sufficiently protected/kept out of reach of ransomware. Multiple backups should be created including at least one off-network backup (e.g. to tape). The only guaranteed way to recover from a ransomware infection is to restore all affected files from their most recent backup.

Type

Step

Ensure all systems are protected with the latest AV definitions

If your network becomes infected immediately report it to your AV provider for investigation and patching
Ensure your AV software is kept updated with the very latest security definitions, to detect current and evolving strains of malware which leverages this vulnerability.
Confirm with your AV provider that they have rolled out virus definitions which are supported by your organisation's operating systems to protect you from the spread of this malware (especially if your organisation is running out of support operating systems).
Ensure your AV software is properly configured and automatically scans all files and file operations (including file reads, writes and re-names)

Ensure the following ports are blocked at your organisations firewall

Block SMB related ports (UDP 137, 138 and TCP 137, 139, 445) at your organisation's external firewall https://support.microsoft.com/en-us/help/3185535/guidelines-for-blocking-specific-firewall-ports-to-prevent-smb-traffic-from-leaving-the-corporate-environment
TCP ports 1024-1035 & 135

SMB Vulnerability Remediation

Apply the remediation detailed here SMB EternalBlue and DoublePulsar Exploit (CC-1353 )

Ransomware Remediation

To avoid becoming infected with ransomware, ensure that:

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, antivirus and other security products are kept up to date.
All day to day computer activities such as email and internet are performed using non-administrative accounts and that permissions are always assigned on the basis of least privilege.
Your organisation adopts a holistic all round approach to Cyber Security as advocated by the 10 Steps To Cyber Security.

Identifying the source of infection:

Identifying the infected machine and unplugging / disconnecting or quarantining it from the network is essential to damage limitation.
Users should immediately report infections to their IT support provider, disconnect their network cable and power the computer down.
File auditing should be enabled and file server logs should be monitored to detect signs of unauthorised encryption and allow the source of encryption to be identified (i.e. the infected PC).

To limit the damage of ransomware and enable recovery:

All critical data must be backed up, and these backups must be sufficiently protected/kept out of reach of ransomware.
Multiple backups should be created including at least one off-network backup (e.g. to tape).

The only guaranteed way to recover from a ransomware infection is to restore all affected files from their most recent backup.

CVE Vulnerabilities

CVE-2017-0199

Last edited: 21 December 2021 12:39 pm