One month after the WannaCry outbreak, we have seen another widespread ransomware outbreak, possibly involving the Petya ransomware family variant. The initial vector has been confirmed to be a compromised software update package from MeDoc. As we learn more, we will continue to update our blog.

Businesses from several countries, including Ukraine, India, France, Russia, and Spain, have been impacted by this ransomware outbreak
The malware family involved is purported to be a variant of the Petya ransomware family; however, from our analysis up to this point, we are seeing very little resemblance between this code and previous Petya variants
This ransomware variant is highly virulent and, once it infects a user, it spreads rapidly across a corporate network via SMB
There are reports of the payload using the EternalBlue (MS17-010) exploit when it is not able to spread through a network using the credentials of the logged-in user
The ransomware payload encrypts the Master Boot Record (MBR) of an infected system, making it unusable
The ransomware payload is also using the Windows Management Instrumentation Command-line (WMIC) interface for lateral movement over SMB. This explains why the attack has been successful more than a month after the WannaCry outbreak that leveraged the EternalBlue (MS17-010) exploit, which should have been patched on most systems by now

Protective Actions

Apply Microsoft Windows security update MS17-010 and CVE-2017-0199
Block legacy protocols like SMBv1 on your local network
Disable WMIC on your local network
Block connection to ports 135, 139, and 445 on your firewall

How Zscaler Can Help with Preventative Measures

Zscaler had generic signature coverage on one of the payloads involved and added multiple signatures and indicators for blocking other known payloads related to this attack.

Advanced Threat Signatures:

Win32_ransomware_Petya_116628
CVE_2017_0199

Inline AV Signatures:

W32/Petya.VUNZ-1981
W32/Ransom.Petya.J!Eldorado

Zscaler Cloud Sandbox provides the best line of proactive defense against these evolving ransomware strains. A Cloud Sandbox report for a sample payload run is shown below:

Figure 1: Zscaler Cloud Sandbox report of Petya ransomware

Initial Delivery Vector

The initial infection vector was via a compromised custom software update package delivered over HTTP from MeDoc. The ransomware has a worm component that uses the Windows Management Instrumentation Command-line (WMIC) interface and the MS17-010 (EternalBlue and EternalRomance) exploits to propagate laterally over SMB.

Figure 2: Initial infection and propagation

Technical Analysis of the Payload

We analyzed two unique payloads from this attack, both of which were Windows Dynamic-Link Library (DLL) files. These DLLs have an export function without a name; it is invoked using the ordinal value “#1” as shown below:

<System32>\rundll32.exe "%s",#1

It is also important to note that these files were recently compiled as shown in the screenshot below:

Figure 3: Recently compiled DLL payload

Once executed, the ransomware payload will perform the following activity on the victim's machine:

There is a check in the ransomware routine to look for an infection marker, which, if found, will terminate the execution. This essentially serves as a killswitch for the ransomware payload, preventing further propagation within the network:

 Infection Marker or Killswitch file => C:\Windows\MalwareDLLFileName where MalwareDLLFileName is the name of main DLL

The malware looks for files with following extension on the user machine and encrypts them:

.3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora

The encrypted files will have same extension as before.

Figure 4: Enumerating files for encryption

If the user is logged in with administrator privileges, the malware payload will also encrypt the Master Boot Record (MBR) and essentially make the system unusable upon system reboot
The malware then creates a scheduled task to reboot the infected system as seen below:

Figure 5: Scheduled task to reboot the system in one hour

Once the system reboots, the infamous ransom note appears, demanding $300 in Bitcoins

Figure 6: Ransom note

The delay in rebooting the compromised system and showing the ransom note is probably done to provide a complete hour for the spreading module to propagate laterally in the network without any indication to the end user
We are still analyzing the propagation module but as previously reported, there is a new propagation vector involving WMIC which is possibly the reason this attack has been successful

Figure 7: Leveraging WMIC for lateral movement

We did not observe any network C&C activity associated with these samples

Conclusion

WannaCry started a new era of ransomware variants weaponized with a mechanism for lateral movement. Petya authors went one step further by adding the WMI interface vector and we expect to see more variants in the coming months. This attack shows the importance of a multilayered security approach, and it highlights the gap that exists in applying security patches and securing internal systems (via network segmentation).

Zscaler ThreatLabZ is actively monitoring this threat and will continue to ensure coverage for Zscaler customers.

Indicators of Compromise

DLLs