Petya-Like Ransomware Reloaded

Overview 

The Petya-like ransomware that has been prominent in headlines over the past few hours has been rapidly propagating in-the-wild since mid-afternoon (UTC) on June 27. The malware uses the same SMB exploit as WannaCry (EternalBlue/DoublePulsar) in order to spread remotely, and in addition, leverages both PsExec and WMIC in order to spread laterally within corporate environments.

The multitude of spreading mechanisms ensures this ransomware is far more versatile in propagating than WannaCry, with the ability to infect remote systems patched against the MS17-010 vulnerability. Importantly, this attack lacks a remote kill switch that significantly limited the impact and spread of WannaCry.

N̶o̶t̶e̶:̶ t̶h̶e̶r̶e̶ i̶s̶ s̶o̶m̶e̶ d̶i̶s̶c̶u̶s̶s̶i̶o̶n̶ a̶b̶o̶u̶t̶ w̶h̶e̶t̶h̶e̶r̶ t̶h̶i̶s̶ m̶a̶l̶w̶a̶r̶e̶ s̶h̶o̶u̶l̶d̶,̶ i̶n̶ f̶a̶c̶t̶,̶ e̶v̶e̶n̶ b̶e̶ c̶o̶n̶s̶i̶d̶e̶r̶e̶d̶ r̶a̶n̶s̶o̶m̶w̶a̶r̶e̶,̶ r̶a̶t̶h̶e̶r̶ t̶h̶a̶n̶ a̶ w̶i̶p̶e̶r̶.̶ W̶e̶ a̶r̶e̶ c̶o̶n̶t̶i̶n̶u̶i̶n̶g̶ t̶o̶ r̶e̶s̶e̶a̶r̶c̶h̶ i̶n̶ t̶h̶i̶s̶ a̶r̶e̶a̶.  UPDATE: 07/06/17: After further research, we have concluded that the primary intention of “Petya-like” was in fact to cause data-loss, by encrypting files with an irretrievable key and performing irreversible damage to critical areas of the filesystem. We’ll be posting an additional technical blog with our new findings early next week, and we’ve uncovered quite a bit of unexpected behavior from this Petya-like ransomware. 

Delivery, Propagation and Behavior

There is widespread speculation on the initial attack vector, including a compromised update package for a Ukrainian financial software and a phishing attack. Microsoft confirmed a direct link to the updater process and a few of the active infections. The documents in the supposed email phishing attack can be traced to a gist started in response to the ransomware attack. We’ve analyzed the documents and they are not related.

Regardless of the attack vector, the malware is in the wild and we have confirmed that it contains multiple mechanisms to propagate. The malware will attempt to enumerate subnets configured via (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Cylance Threat Guidance Team. Read the original post at: Cylance Blog