One month after the WannaCry outbreak, we have seen another widespread ransomware outbreak, possibly involving a variant of the Petya ransomware family. The initial vector has been confirmed to be a compromised software update package from MeDoc. As we learn more, we will continue to update our blog.
Protective Actions
How Zscaler Can Help with Preventative Measures
Zscaler had generic signature coverage on one of the payloads involved and added multiple signatures and indicators for blocking other known payloads related to this attack.
Advanced Threat Signatures:
Inline AV Signatures:
Zscaler Cloud Sandbox provides the best line of proactive defense against these evolving ransomware strains. A Cloud Sandbox report for a sample payload run is shown below:
Figure 1: Zscaler Cloud Sandbox report of Petya ransomware
Initial Delivery Vector
The initial infection vector was via a compromised custom software update package delivered over HTTP from MeDoc. The ransomware has a worm component that uses the Windows Management Instrumentation Command-line (WMIC) interface and the MS17-010 (EternalBlue and EternalRomance) exploits to propagate laterally over SMB.
Figure 2: Initial infection and propagation
Technical Analysis of the Payload
We analyzed two unique payloads from this attack, both of which were Windows Dynamic-Link Library (DLL) files. These DLLs have an export function without a name; it is invoked using the ordinal value “#1” as shown below:
It is also important to note that these files were recently compiled as shown in the screenshot below:
Figure 3: Recently compiled DLL payload
Once executed, the ransomware payload will perform the following activity on the victim's machine:
Infection Marker or Killswitch file => C:\Windows\MalwareDLLFileName, where MalwareDLLFileName is the name of the main DLL
The malware looks for files with the following extensions on the user's machine and encrypts them:
.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora
The encrypted files keep the same extension as before.
Figure 4: Enumerating files for encryption
The malware then creates a scheduled task to reboot the infected system as seen below:
Figure 5: Scheduled task to reboot the system in one hour
Figure 6: Ransom note
The delay in rebooting the compromised system and showing the ransom note is probably intended to give the spreading module a full hour to propagate laterally across the network without any indication to the end user.
We are still analyzing the propagation module, but as previously reported, there is a new propagation vector involving WMIC, which is possibly the reason this attack has been so successful.
Figure 7: Leveraging WMIC for lateral movement
We did not observe any network C&C activity associated with these samples.
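As an added example (not code from the original post), the following Python triage function turns three behaviours described above (the DLL invoked by ordinal #1, the scheduled reboot task, and WMIC-based remote execution) into detection rules and runs them over constructed process-creation records. The record format, the command lines, the rule names and the assumption that the reboot task's action invokes shutdown.exe are mine, not taken from the samples.

```python
import re

# Constructed Sysmon-style process-creation records (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\payload.dll,#1 30"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     # Assumption: the reboot task's action calls shutdown.exe (the post does not show the command).
     "CommandLine": r'schtasks /Create /SC once /TN "" /TR "shutdown.exe /r /f" /ST 14:35'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:WORKSTATION-02 process call create "<remote command>"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]

# Each rule is (name, regex over the command line). Rule names are hypothetical.
RULES = [
    # rundll32 loading any module and calling the unnamed export by ordinal #1
    ("rundll32_ordinal_export",
     re.compile(r"rundll32(\.exe)?\s+\S+\s*,\s*#1\b", re.I)),
    # schtasks creating a task whose action is a shutdown/reboot
    ("scheduled_reboot_task",
     re.compile(r"schtasks.*?/create.*?shutdown", re.I)),
    # WMIC used to start a process on a remote node
    ("wmic_remote_process_create",
     re.compile(r"wmic.*?/node:.*?process\s+call\s+create", re.I)),
]


def match_rules(event):
    """Return the names of all rules whose pattern matches this event's command line."""
    cmd = event.get("CommandLine", "")
    return [name for name, pattern in RULES if pattern.search(cmd)]


def triage(events):
    """Group matching command lines by rule name: {rule_name: [command lines]}."""
    hits = {}
    for ev in events:
        for name in match_rules(ev):
            hits.setdefault(name, []).append(ev["CommandLine"])
    return hits


if __name__ == "__main__":
    for rule, cmds in triage(SAMPLE_EVENTS).items():
        print(rule, "->", cmds)
```

Any one rule on its own is noisy in a large environment; the value is in seeing the three fire on the same host within a short window.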
Conclusion
WannaCry started a new era of ransomware variants weaponized with a mechanism for lateral movement. The Petya authors went one step further by adding the WMI interface vector, and we expect to see more variants in the coming months. This attack shows the importance of a multilayered security approach, and it highlights the gap that exists in applying security patches and securing internal systems (via network segmentation).
Zscaler ThreatLabZ is actively monitoring this threat and will continue to ensure coverage for Zscaler customers.
Indicators of Compromise
DLLs
Research by ThreatLabZ team