On June 27th the AlienVault Labs Team became aware of a new ransomware, a variant of the Petya malware, that is spreading rapidly and is known to have affected organizations in Russia, Ukraine, and some other parts of Europe. A pulse detailing the Indicators of Compromise for this variant of Petya can be found in the AlienVault Open Threat Exchange (OTX) at https://otx.alienvault.com/pulse/59525e7a95270e240c055ead/.
Once it has compromised a system, the ransomware will:
- Overwrite the Master Boot Record (MBR), encrypt individual files that match a list of file extensions (including documents, archives, and more), and, after the system reboots, present the user with a message requesting a ransom of $300 in Bitcoin to decrypt the system. To date, we understand that over $3000 has been paid in ransom, but we have not heard of any affected organizations having successfully decrypted their files.
- Attempt to replicate itself to other systems on your network.
Understanding how this ransomware variant works is the first step in understanding how to protect your existing assets, and in detecting when any of your systems have been compromised. In addition to this blog we've also created a short white paper detailing the facts behind this ransomware. You can access it here.
What We Know About this Ransomware Campaign
What we know is that, like WannaCry, this variant of Petya affects Microsoft Windows computers and is technically a 'computer worm', meaning that it replicates itself in order to spread to other computers. In addition, the campaign does not rely on a user clicking on an attachment to infect the host, nor is it known to communicate with a Command & Control (C2 or C&C) server in order to get instructions.
What this variant of Petya is known to use to distribute itself to other systems are the PsExec service (PsExec is dropped as dllhost.dat by the ransomware) and WMI services. In addition, the ETERNALBLUE exploit toolkit (which was released by the Shadow Brokers group in April 2017 and used to such great success by WannaCry) is suspected to be a key part of the attack.
There are also reports that some organizations were infected through a software update for a Ukrainian tax accounting package called MeDoc, which, given the locations of many of the attacked organizations and the below data from Kaspersky, is likely.
Once a system has been compromised, the ransomware takes the following steps:
- Writes a message to the raw disk partition
- Clears the Windows Event log using Wevtutil
- Restarts the machine
- Encrypts files matching a list of file extensions (including .3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, and .zip)
- Leverages WMI or PsExec to spread (PsExec is dropped as dllhost.dat)
- Presents a text message on the screen of the user, similar to the following:
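As an added example (not AlienVault's code or IDS signatures), the host-level behaviours listed above turned into simple detection rules and run over constructed process-creation events; the event shape, the rule names and the `wmic ... process call create` form of WMI remote execution are assumptions, not details from this write-up.

```python
import re
from typing import Dict, List, Set, Tuple

Event = Dict[str, str]

# Constructed sample events (not real telemetry), shaped like flattened
# Windows 4688 / Sysmon Event ID 1 process-creation records.
SAMPLE_EVENTS: List[Event] = [
    {"host": "ws01", "pid": "1204", "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"host": "ws01", "pid": "3312", "image": r"C:\Windows\System32\wevtutil.exe",
     "command_line": "wevtutil cl Security"},
    {"host": "ws01", "pid": "3340", "image": r"C:\Windows\dllhost.dat",
     "command_line": r'"C:\Windows\dllhost.dat" -accepteula -s -d'},
    {"host": "ws02", "pid": "2210", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": 'wmic /node:"ws03" process call create "cmd.exe"'},
]

# Each rule maps one behaviour from the write-up to a pattern over image + command line.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # wevtutil "cl" (clear-log) wiping an event log
    ("event_log_cleared", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    # PsExec dropped under the non-executable name dllhost.dat
    ("psexec_as_dllhost_dat", re.compile(r"dllhost\.dat\b", re.I)),
    # WMI used to start a process on another host (assumed command form)
    ("wmi_remote_process_create", re.compile(r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b", re.I)),
]

def match_rules(event: Event) -> List[str]:
    """Return the names of every rule that fires on one event."""
    text = event.get("image", "") + " " + event.get("command_line", "")
    return [name for name, pattern in RULES if pattern.search(text)]

def scan(events: List[Event]) -> List[Tuple[str, str, List[str]]]:
    """Return (host, pid, matched rule names) for each event that fired a rule."""
    return [(e["host"], e["pid"], hits) for e in events if (hits := match_rules(e))]

def hosts_with_multiple_behaviours(findings: List[Tuple[str, str, List[str]]]) -> Set[str]:
    """Hosts showing two or more distinct behaviours: stronger evidence than one hit."""
    per_host: Dict[str, Set[str]] = {}
    for host, _pid, hits in findings:
        per_host.setdefault(host, set()).update(hits)
    return {host for host, names in per_host.items() if len(names) >= 2}

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for host, pid, hits in results:
        print(f"{host} pid={pid}: {', '.join(hits)}")
    print("hosts with multiple behaviours:", sorted(hosts_with_multiple_behaviours(results)))
```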
Protecting Against this Variant of Petya Ransomware
There are some critical steps that you should follow to mitigate against an attack by this variant of Petya:
- Update Windows software to install any missing patches, like those included within Microsoft Bulletin MS17-010
- Ensure malware protection is installed, running, and up to date
- Ensure you have systems and critical data backed up, should you need to restore a compromised system
- Understand what services and applications are running on each of your critical assets, and disable any that are not required (including SMB v1)
- Block ports 445 (SMB) and 139 (file and printer sharing) from any user or entity outside of your organization
If you're an existing customer of AlienVault USM Anywhere or USM Appliance, Indicators of Compromise were reported in the AlienVault Open Threat Exchange (OTX) within an hour of the attack, and IDS signatures already within USM Anywhere and USM Appliance are able to detect and alarm on the ransomware and its different methods. USM can also help you identify critical vulnerabilities as well as detect if your organization is under attack by this ransomware variant. In addition, I wanted to highlight:
- The AlienVault Threat Intelligence for USM Anywhere and USM Appliance were updated in March 2017 to include new IDS signatures that detect ETERNALBLUE in a customer network.
- USM Anywhere and USM Appliance customers are protected against this variant of Petya, and other malware and ransomware like it, through the continuously updated AlienVault Threat Intelligence subscription, which gives USM customers the ability to detect vulnerabilities (often in advance of the actual attack) as well as generate alarms when the threat is in motion.
- USM Anywhere ships with several AlienApps that are immediately available to orchestrate responses to incidents, directly from within the USM Anywhere console, including:
  - The Forensics and Response AlienApp enables customers to investigate the network and systems as needed, and disable networking on infected systems.
  - The AlienApp for Carbon Black includes a response action that allows customers to isolate infected systems from their network and prevent further spread.
  - The AlienApp for Palo Alto Networks includes a response action to block domains and ports using the Palo Alto next generation firewall.
What to do if a system becomes compromised
The steps to mitigate any compromised system on your network are similar for most malware and ransomware threats.
- Isolate the system from your network, to prevent spread of the ransomware to other systems.
- Run forensics and anti-malware software on the infected system, confirming that the anti-malware is running with its latest update. Depending on the severity of the compromise, this may require you attach the drives of the infected system as external disks, but this should be a last resort.
- Run additional forensics on your network data, to better understand the scope of the compromise. This may require use of specialist tools for the compromised system, and you can also search events gathered from across your network and any cloud environments and SaaS services (e.g. Office 365) using a log management tool like USM Anywhere.
- Report the ransomware incident to the respective authority. For example, US organizations should report any incident to the Internet Crime Complaint Center (IC3).
Advanced Ransomware Detection with AlienVault
To detect threats like ransomware, AlienVault USM unifies the power of asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, SIEM, and log management in one console, giving you complete security visibility of your on-premises and cloud infrastructure. This unified approach is the most effective way to combat advanced threats like ransomware, and gives you all the threat context you need to detect, investigate, and respond to an emerging threat—all in a single pane of glass.
This Thursday (June 29th @ 9AM CDT) we're hosting a special webcast on how to detect this Petya variant with USM Anywhere. Reserve your spot, or watch a recording of the webcast HERE.