On June 27, 2017, a “wormed” ransomware outbreak started being reported by several companies in the Ukraine and around Europe. Bringing back bad memories of WannaCry from May, PetrWrap (Petya, NotPetya, GoldenEye) has spread quickly, affecting several Ukrainian companies – the Ukrainian national bank, their largest airport, the state power company, metro system, and others – as well as companies located in the UK, Russia, Spain, France, and India. One US target has also been confirmed: pharmaceuticals company Merck.
Other research teams are classifying PetrWrap as a wiper (eg. Kaspersky Labs), but Alert Logic has not seen this behavior via our own research. What we have observed is very similar to the WannaCry ransomware that impacted health organizations in May 2017 with respect to the attack vectors and propagation techniques it uses. However, unlike WannaCry, the infected host must first be rebooted before encryption may begin.
Once the system starts again after the reboot a ChkDsk-like screen is displayed. Victims are then directed to an email address after the ransom has been paid in order to get the decryption key. However, the mechanism for collecting payment was not very robust; the German company that hosts the email account (posteo.net) disabled the account very soon after the outbreak. Victims who have already paid into the account – and others who surely will do the same – are left unable to receive the key that would unlock their files.
More recent infections completely wipe the infected disk, with no ransom workflow present.
Infection Vectors and Lateral Movement
PetrWrap’s initial infection vectors have been reported as phishing emails and a tainted update for an accounting software popular with Ukranian companies called MeDoc. Once it has infected a system it modifies the Windows Master Boot Record (MBR) and instigates a sleep function to force a reboot. Once a reboot occurs this causes a fake ChkDsk window to display on the screen as the encryption begins. Once the encryption is completed, the modified MBR displays an ASCII message demanding payment from the victim.
Lateral proliferation of the wormed malware is achieved by using the SMB protocol EternalBlue exploit to spread (Microsoft published a patch for EternalBlue in MS17-010 in March 2017). It appears to be primarily spreading on internal networks, though variations have been observed spreading more rapidly across the open Internet.
Various researchers have also reported that the SMB exploit is not the only vector for proliferation. For lateral movement across a network, PetrWrap also attempts to plant an older version of PsExec (a Windows Sysinternals tool used for executing processes across different Windows systems) and WebDAV. Lateral movement is facilitated by using a modified version of mimikatz (an open-source tool used by security researchers) to extract passwords from memory or the local filesystem.
Protecting yourself and your organization from PetrWrap
- Patch your systems—all vulnerable versions of Windows are effectively patchable (Microsoft also release patches for unsupported systems with the original WannaCry outbreak). The patch for this vulnerability applies to Windows Vista systems and newer and can be found in the Microsoft Security Bulletin MS17-010 - Critical security update.
- Run a detailed vulnerability scan against all systems in your environments to identify systems missing the MS17-010 security update.
- Disable SMBv1 in Windows unless it is absolutely necessary. If necessary, ensure it isn’t accessible via open internet.
- Lock down administrative privileges as much as possible on individual machines and user accounts to prevent infection using Windows internal tools.
- Placing the file perfc.dat in the C:\Windows\ directory will stop encryption of files provided that the infected user does NOT have administrative privileges.
- Establish strict needs-based access to network resources and segment networks where possible.
- Backup your data using offline media options as the ransomware worm attempts to infect any connected resources (USB drives, mapped network drives etc.)
- If you are already an Alert Logic customer, keep current with our network, web application, scanning and log alerts.
The Path Ahead
As with WannaCry, there will undoubtedly be variants of PetrWrap very soon. Alert Logic® ActiveWatch™ Managed Detection and Response experts will monitor activity across more than 4,000 organizations worldwide to identify new variants or the next new threat bad guys throw at our customers.