Threat Advisory: Petya/ NotPetya/ GoldenEye

A new ransomware has spread across the globe the past 24 hours. Due to fake news postings, the facts surrounding this spread remain unclear.

There is some confusion about the actual naming of the ransomware. Petya is a ransomware family, with several capabilities similar to the ransomware that started spreading yesterday (27.06.17). Kaspersky claims that yesterday’s variant is not based on Petya, naming it NotPetya instead. Others claim that this is a combination of several ransomwares, calling it GoldenEye. We refer to it as Petya in this advisory update, until another name is commonly agreed-upon.

What we can confirm so far

The only confirmed initial infections comes through a malicious software update for a Ukrainian tax accounting software called MeDoc.
The ransomware attempts to spread to other hosts in the internal LAN using different mechanisms:
- It uses two tools (ETERNALBLUE and ETERNALROMANCE) from the ShadowBrokers dump in April that exploit vulnerabilities in SMBv1, that was patched by Microsoft in March.
- It also contains a lightweight version of Mimikatz. It is used to dump valid credentials from memory, which are used together with WMI and PsExec to spread itself to other hosts in the LAN.
The ransomware encrypts files on disk and overwrite the MBR (Master Boot Record) if it has the necessary privileges.
The ransomware also erases the EventLog on infected machines.
There are currently no available solutions for decryption. Sending bitcoins to the address will not give you any decryption tools or keys. The email account used for receiving information for decryption has been closed down by the email service provider.

What we do not know

Who is behind the attack – there are various rumors.
Whether Petya spreads by any other mechanisms than the MeDoc software update (spear-phishing, exploit kits etc.).

What is it?

Petya is a ransomware with functionality for spreading to other hosts in the LAN of an infected host. It consists of several tools, and a successful infection makes the machine unusable.

How does it affect me?

Most organizations have Windows installations that can be affected if they get an initial infection. If you have not observed the ransomware as of now – you might be lucky and avoid it. If you do not have any MeDoc installations, or control of the update process, we currently have no indicators that the ransomware will affect your organization.

Technical details

Several organizations have produced preliminary analyses of the ransomware. We recommend Microsoft’s article on the threat.

After initial infection, the ransomware will drop a tool in the %temp% folder, of what seems to be a lightweight version of Mimikatz that comes in both 32-bit and 64-bit flavors. The tools are used to steal valid credentials to spread to other hosts in the network.

If Petya finds valid credentials, it will use either PsExec or WMIC to infect other computers connected to the LAN. It will scan for admin$ shares and connect to shares available for it to access.

In addition to using dumping credentials, it also uses a Windows function called “CredEnumerateW” to find credentials in the local credential store.

The ransomware can also perform lateral movement by using two exploits that came with the ShadowBrokers dump in April, called ETERNALBLUE and ETERNALROMANCE. These tools exploit vulnerabilities in SMBv1 (CVE-2017-0144 and CVE-2017-0145). Read more about the ShadowBrokers dump here.

Indicator of Compromise

File indicators:

34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
9717cfdc2d023812dbc84a941674eb23a2a8ef06
38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
56c03d8e43f50568741704aee482704a4f5005ad

Commans lines:

schtasks /Create /SC once /TN "" /TR "<system folder>\shutdown.exe /r /f" /ST <time>
cmd.exe /c schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST <time>

Lateral movements (remote WMI):

"process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\perfc.dat\\\" #1"

Encrypted files

If the ransomware has sufficient privileges it will try to overwrite the MBR, preventing the operating system from loading after reboot.

It will also try to encrypt files on the disk/shares with the following file extensions:

.3ds	.7z	.accdb	.ai
.asp	.aspx	.avhd	.back
.bak	.c	.cfg	.conf
.cpp	.cs	.ctl	.dbf
.disk	.djvu	.doc	.docx
.dwg	.eml	.fdb	.gz
.h	.hdd	.kdbx	.mail
.mdb	.msg	.nrg	.ora
.ost	.ova	.ovf	.pdf
.php	.pmf	.ppt	.pptx
.pst	.pvi	.py	.pyc
.rar	.rtf	.sln	.sql
.tar	.vbox	.vbs	.vcb
.vdi	.vfd	.vmc	.vmdk
.vmsd	.vmx	.vsdx	.vsv
.work	.xls	.xlsx	.xvd
.zip

Recommended Actions

To increase protection/reduce consequences:

Limit access to SMB and Microsoft-DS across your network. Do not allow access between endpoints that do not need it (example client to client)
Avoid using administrative shares if possible
Disable WMIC if not needed - “net stop winmgmt”
Disable SMBv1 (https://support.microsoft.com/kb/2696547)
Make sure you have backup of all your valuable data
Install available Microsoft patches
Update your endpoint protection
We also recommend enabling Device Guard on Windows 10 systems, which most likely will prevent the exploits from working as well as the credentials theft.

What to do if you are infected:

Restore backup of encrypted files
If you see the “CHKDSK” message during boot – power off. Your files may not have been encrypted yet. You can then use a liveCD to recover your files.
To prevent further infections within your network you can add a file to c:\windows named the same as the infecting dll-file without the extension (perfc). This is a quick workaround and other mechanisms may be more efficient.