Petya Ransomware: the new WannaCry?


When WannaCry came out last month, many were taken by surprise by its use of the leaked NSA exploit for SMB, especially because Microsoft had released a patch for that vulnerability in March. Everyone who didn't patch lost their computers. In the days and weeks that followed everyone said PATCH PATCH PATCH! to stay safe, and make sure you have backups. You would think people would have patched by now, or disabled SMB altogether?

Now enter Petya ransomware, which some also attribute as a GoldenEye variant.

Unlike most ransomware, the new GoldenEye variant has two layers of encryption: one that individually encrypts target files on the computer and another that encrypts NTFS structures. This approach prevents victims' computers from being booted in a live OS environment to retrieve stored information or samples.

Just like Petya, GoldenEye encrypts the entire hard disk drive and denies the user access to the computer. However, unlike Petya, there is no workaround to help victims retrieve the decryption keys from the computer. The ransomware has been found to be spreading via SMB and WMIC. Some reports suggest blocking WMIC to prevent infection.

Additionally, after the encryption process is complete, the ransomware has a specialized routine that forcefully crashes the computer to trigger a reboot, which renders the computer unusable until the $300 ransom is paid.

Indicators of Compromise:

| Category | Type | Value |
|---|---|---|
| Payload delivery | filename\|sha1 | 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745\|34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d |
| External analysis | link | https://www.hybrid-analysis.com/search?query=027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 |
| Payload delivery | filename\|sha256 | 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745\|027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 |
| Payload delivery | filename\|md5 | 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745\|71b6a493388e7d0b40c83ce903bc6b04 |
| Payload delivery | x509-fingerprint-sha1 | 4d6f357f0e6434da97b1afc540fb6fdd0e85a89f |
| Payload installation | filename\|md5 | %WINDIR%\dllhost.dat\|aeee996fd3484f28e5cd85fe26b6bdcd |
| Payload installation | filename\|sha1 | C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll\|532bea84179e2336caed26e31805ceaa7eec53dd |
| Payload installation | filename\|sha512 | \\192.168.56.11\ADMIN$\PSEXESVC.EXE\|cefeb349970c7d7f1bdef4123b4cb71f1a76c4ce8197d9dbb10c5f5d0bb0e86cffe51829f0a9c7590e4072194a503eb4bff507dcdb992df08c154c818fb4f431 |
| Payload delivery | x509-fingerprint-sha1 | 3036e3b25b88a55b86fc90e6e9eaad5081445166 |
| Payload delivery | x509-fingerprint-sha1 | 3ea99a60058275e0ed83b892a909449f8c33b245 |
| Payload delivery | x509-fingerprint-sha1 | 9617094a1cfb59ae7c1f7dfdb6739e4e7c40508f |
| Payload installation | filename\|sha512 | C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll\|e8ebf30488b9475529d3345a00c002fe44336718af8bc99879018982bbc1172fc77f9fee12c541bab9665690092709ef5f847b40201782732c717c331bb77c31 |
| Payload delivery | filename\|sha512 | 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745\|072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f |
| Payload installation | filename\|md5 | C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll\|9a7ffe65e0912f9379ba6e8e0b079fde |
| Payload installation | filename\|md5 | \\192.168.56.11\ADMIN$\PSEXESVC.EXE\|5f6e775124efbd810c58f349d3f96400 |
| Payload installation | filename\|sha1 | \\192.168.56.11\ADMIN$\PSEXESVC.EXE\|766d70566b38c5fbf8b2e891c2f70f146561789f |
| Payload installation | filename\|sha256 | \\192.168.56.11\ADMIN$\PSEXESVC.EXE\|eccd88bfc2be71e0ee7926fa4bed4e72a2db864328f2351d301f67bfe19e26bc |
| Payload installation | filename\|sha256 | C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll\|4b336c3cc9b6c691fe581077e3dd9ea7df3bf48f79e35b05cf87e079ec8e0651 |
| Payload installation | filename\|sha256 | %TEMP%\FE04.tmp\|41cb22109da26a6ff5464d6915db81c1c60f9e0808d8dbd63df1550b86372165 |
| Payload installation | filename\|md5 | %TEMP%\FE04.tmp\|5733d78651a308b8dfacb41a7ec2b99a |
| Payload installation | filename\|sha256 | %WINDIR%\dllhost.dat\|f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5 |
| Payload installation | filename\|sha1 | %TEMP%\FE04.tmp\|98f9ade6d75c887d06b0343b506aebd948a61818 |
| Payload installation | filename\|sha512 | %TEMP%\FE04.tmp\|a10227d5090014f7c5e9ed8911823a622fb599683ab6a1e18706138e49dda98d3228ce4a74e3e8f0dfe2c6f8f81a6811eedf8d17f589f22cfcd60fe2c895c272 |
| Payload installation | filename\|sha512 | %WINDIR%\dllhost.dat\|e7c0b64ca5933c301f46dc3b3fd095bcc48011d8741896571bf93af909f54a6b21096d5f66b4900020dcaece6ab9b0e1d1c65791b8b5943d2e4d5bab28340e6f |
| Payload installation | filename\|sha1 | %WINDIR%\dllhost.dat\|cd23b7c9e0edef184930bc8e0ca2264f0608bcb3 |
| Artifacts dropped | pdb | c:\src\Pstools\psexec\SVC\Release\psexesvc.pdb |
| Persistence mechanism | regkey\|value | HKCU\SOFTWARE\SYSINTERNALS\PSEXEC\EULAACCEPTED\|01000000 |
| Artifacts dropped | pdb | c:\src\Pstools\psexec\EXE\Release\psexec.pdb |
| Artifacts dropped | yara | Rule Tiny_Network_Tool_Generic (author: Florian Roth; description: "Tiny tool with suspicious function imports. (Rule based on WinEggDrop Scanner samples)"). String hits: KERNEL32.DLL, LoadLibraryA, GetProcAddress, ADVAPI32.DLL, USER32.DLL, FreeSid, To |
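The indicator table above uses composite attribute types such as `filename|sha256` and `regkey|value`, where the value carries both halves separated by a `|`. The script below is an added example for this post (not code from the original page, Bitdefender, or any other vendor): it parses lines in that layout into structured records, indexes the file hashes, and checks local files against them by hashing each file once with all four algorithms. The indicator lines embedded in it are copied from the table; the category names it recognises are assumed to cover the table, and the file paths passed on the command line are whatever the operator wants to check.

```python
"""Parse MISP-style indicator lines and match local files against the hashes in them.

Added example for this post; not code from the original page or any vendor tooling.
"""
import hashlib
import sys
from collections import defaultdict

# Constructed sample: a subset of the post's IoC table, one indicator per line, in the
# layout the table uses: "<category> <type> <value>". Composite types such as
# filename|sha256 carry a "left|right" value.
IOC_LINES = r"""
Payload delivery filename|sha1 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745|34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
Payload delivery filename|sha256 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745|027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
Payload delivery filename|md5 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745|71b6a493388e7d0b40c83ce903bc6b04
Payload installation filename|md5 %WINDIR%\dllhost.dat|aeee996fd3484f28e5cd85fe26b6bdcd
Payload installation filename|sha256 %WINDIR%\dllhost.dat|f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5
Payload installation filename|sha256 %TEMP%\FE04.tmp|41cb22109da26a6ff5464d6915db81c1c60f9e0808d8dbd63df1550b86372165
Persistence mechanism regkey|value HKCU\SOFTWARE\SYSINTERNALS\PSEXEC\EULAACCEPTED|01000000
Artifacts dropped pdb c:\src\Pstools\psexec\SVC\Release\psexesvc.pdb
""".strip()

# Assumed set of multi-word categories; the category is whichever of these the line starts with.
KNOWN_CATEGORIES = ("Payload delivery", "Payload installation", "Persistence mechanism",
                    "Artifacts dropped", "External analysis", "Network activity")

# Hex digest lengths used to validate hash values before they go into the index.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def parse_ioc_line(line):
    """Split one line into category, type and a dict of value parts keyed by sub-type."""
    for category in KNOWN_CATEGORIES:
        if line.startswith(category + " "):
            rest = line[len(category) + 1:]
            break
    else:
        raise ValueError(f"unknown category in line: {line!r}")
    ioc_type, _, value = rest.partition(" ")
    if "|" in ioc_type:
        # Composite type: the value must carry the same two halves, e.g. "<filename>|<hash>".
        left, right = ioc_type.split("|", 1)
        left_val, sep, right_val = value.partition("|")
        if not sep:
            raise ValueError(f"composite value missing '|': {line!r}")
        parts = {left: left_val, right: right_val}
    else:
        parts = {ioc_type: value}
    return {"category": category, "type": ioc_type, "parts": parts}


def load_iocs(text):
    """Parse every non-empty line of an indicator listing."""
    return [parse_ioc_line(line) for line in text.splitlines() if line.strip()]


def is_valid_hash(algo, digest):
    """True if digest is lowercase/uppercase hex of the right length for algo."""
    if len(digest) != HASH_LENGTHS[algo]:
        return False
    return all(c in "0123456789abcdefABCDEF" for c in digest)


def build_hash_index(records):
    """Map algorithm -> {lowercase digest: record} for every hash part in the records."""
    index = defaultdict(dict)
    for rec in records:
        for algo, digest in rec["parts"].items():
            if algo in HASH_LENGTHS:
                if not is_valid_hash(algo, digest):
                    raise ValueError(f"bad {algo} digest in indicator: {digest!r}")
                index[algo][digest.lower()] = rec
    return index


def hash_file(path, chunk_size=1 << 20):
    """Read the file once and return {algo: hexdigest} for all indexed algorithms."""
    hashers = {algo: hashlib.new(algo) for algo in HASH_LENGTHS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_digests(digests, index):
    """Return [(algo, record)] for every digest that appears in the index."""
    hits = []
    for algo, digest in digests.items():
        rec = index.get(algo, {}).get(digest.lower())
        if rec is not None:
            hits.append((algo, rec))
    return hits


def match_file(path, index):
    """Hash a file and report which indicators (if any) it matches."""
    return match_digests(hash_file(path), index)


if __name__ == "__main__":
    # Assumed usage: python ioc_match.py <file> [<file> ...]
    hash_index = build_hash_index(load_iocs(IOC_LINES))
    for file_path in sys.argv[1:]:
        for algo, rec in match_file(file_path, hash_index):
            print(f"{file_path}: {algo} matches {rec['category']} indicator {rec['parts']}")
```

A file is reported on any single algorithm match, so the index works even when a feed only publishes one digest type for an artifact; the `regkey|value` and `pdb` records are parsed too but are not hashes, so they stay out of the file index and are available for a separate registry or strings check.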

Affected Countries:

Russia, Ukraine, France, Netherlands, USA, UK, India, Japan

Affected Sectors:

Financial Institutions, Telecoms, Power and Utility, Airlines and Transportation, Energy, Oil & Gas

References:

https://labs.bitdefender.com/2017/06/massive-goldeneye-ransomware-campaign-slams-worldwide-users

http://www.independent.co.uk/news/world/europe/ukraine-cyber-attack-hackers-national-bank-state-power-company-airport-rozenko-pavlo-cabinet-a7810471.html

https://www.nytimes.com/reuters/2017/06/27/business/27reuters-ukraine-cyber-attacks-ukrenergo.html

http://www.bbc.com/news/technology-40416611
