A month has barely passed since WannaCry's prolific campaign, and we now find ourselves facing another international ransomware attack that makes it pale in comparison. The new malware has hit multiple countries all over the globe, with a vast number of state and private organizations affected. The ransomware used is a variant of the Petya virus that exploits a formerly unknown Windows vulnerability and implements a modified version of the NSA exploit EternalBlue.
The spread of the ransomware was first spotted in Ukraine earlier this Tuesday. The initial infection vector is suspected to be a Ukrainian accounting system, MeDoc, by means of a fake update carrying a forged digital signature. The scope of the outbreak ranged from major infrastructure systems to governmental and private institutions. The National Bank reported that several Ukrainian banks and corporations were affected, which brought their operations to a halt.
Transportation services were also impacted across various sectors. Kiev's metro stated that it is currently unable to accept card payments. Borispol Airport also reported that it would experience delays while the issues are addressed. Although energy companies such as Ukrenergo were also infected, the impact appears limited to their computer networks; the power grid remains functional. The most alarming of all the affected sites had to be the radiation monitoring systems at the Chernobyl power plant, which had to switch to manual monitoring.
In the beginning, the outbreak appeared to be an isolated incident confined to Ukraine. However, early this morning the spread of Petya reached an international scale. Danish shipping company Maersk stated that its IT systems were down across multiple sites and business units. Servers of the Russian oil company Rosneft and its subsidiary Bashneft were also infected. Instances of the malware have also been detected elsewhere in Europe, with British marketing company WPP reporting that it was forced to suspend work on its computers. Other European countries affected include France, Spain, Germany, Poland and the Netherlands.
The spread of Petya has also reached the United States, with some institutions reporting the virus on their systems. The Heritage Valley Health System, a local hospital in Pittsburgh, had its IT infrastructure compromised, forcing the provider to implement downtime and operational adjustments to ensure safe patient care. Other American companies affected so far include the pharmaceutical company Merck and the law firm DLA Piper.
General Malware Information
Initially, suspicion about the origin of the malware fell on WannaCry because of the outbreak's scope and similarities. However, after further analysis by the InfoSec community, it was discovered that the virus is a new strain altogether. The new malware is a variant of the Petya ransomware family. Petya, also known as PetrWrap, was spotted on the dark web offered as "ransomware as a service". To decrypt an infected computer, the victim must send a payment of $300 in Bitcoin to a specified e-wallet address. This variant does more damage than typical ransomware because it encrypts not only user files but also the computer's file table (FAT) and Master Boot Record.
How Petya infects a system
So far, initial infection of a system has been shown to take two routes. One is the use of forged digital signatures to deliver the payload through infected software updates, as in the case of MeDoc. The other avenue of delivery is infected Microsoft Office RTF documents. These documents take advantage of an undisclosed vulnerability, CVE-2017-0199, to let the attacker download and execute scripts remotely.
Petya also uses a modified version of the infamous NSA exploit EternalBlue that WannaCry used. You are probably thinking, "Wait! But Microsoft already patched the vulnerability! What's going on?!" While Microsoft did in fact patch the vulnerability, it is very likely that some organizations have yet to apply the patch. Also, as previously stated, Petya uses other network vulnerabilities to spread itself. Because this is a modified version of the exploit, once the ransomware is on a network it may have a broader infection scope than the original.
How Petya spreads through a system
Petya takes advantage of tools like the Windows Management Instrumentation command line (WMIC) and PsExec to infect computers on the same network. These are tools normally used by system administrators for task automation and remote access. According to an analyst from Kaspersky Lab, the ransomware uses custom tools to extract credentials from the lsass.exe process and uses them to distribute the virus across the network through PsExec or WMIC. Once a machine is infected, Petya waits up to an hour before it reboots the system and begins encrypting the MFT and NTFS partitions. When that completes, the user is presented with the ransom note.
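The behaviours described in this section (credential extraction from lsass.exe, remote execution through PsExec and WMIC) and the SMB-based EternalBlue spread mentioned under "How Petya infects a system" are exactly what a defender wants to alert on. The following is an added example, not code from the article or from any vendor it names: a small Python detector that runs three heuristic rules over constructed Sysmon-style event lines. The key=value log format, the field names, the allowlist of processes permitted to open lsass.exe, the file names in the sample events and the SMB fan-out threshold are all assumptions made for this demonstration.

```python
"""
Heuristic detection of Petya-style lateral movement over constructed,
Sysmon-like event lines. Added example; the log format and field names
are assumptions, not a real product's schema.
"""
import re
from collections import defaultdict

# Constructed sample events, one per line; values containing spaces are
# double-quoted. Host names, paths and addresses are made up for the demo.
SAMPLE_EVENTS = r'''
type=process host=WS01 image=C:\Windows\System32\notepad.exe parent=C:\Windows\explorer.exe cmdline="notepad.exe notes.txt"
type=access host=WS01 source=C:\Windows\Temp\dropper.dat target=C:\Windows\System32\lsass.exe mask=0x1010
type=process host=WS01 image=C:\Windows\System32\wbem\WMIC.exe parent=C:\Windows\Temp\dropper.exe cmdline="wmic /node:10.0.0.12 /user:CORP\admin process call create rundll32"
type=process host=WS01 image=C:\Tools\PsExec.exe parent=C:\Windows\Temp\dropper.exe cmdline="PsExec.exe \\10.0.0.13 -accepteula -s -d rundll32"
type=process host=WS13 image=C:\Windows\PSEXESVC.exe parent=C:\Windows\System32\services.exe cmdline="C:\Windows\PSEXESVC.exe"
type=network host=WS01 dst=10.0.0.12 dport=445 proto=tcp
type=network host=WS01 dst=10.0.0.13 dport=445 proto=tcp
type=network host=WS01 dst=10.0.0.14 dport=445 proto=tcp
type=network host=WS01 dst=10.0.0.15 dport=445 proto=tcp
type=network host=WS02 dst=10.0.0.5 dport=445 proto=tcp
type=access host=WS02 source=C:\Windows\System32\svchost.exe target=C:\Windows\System32\lsass.exe mask=0x1000
'''

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Processes that legitimately open lsass.exe; an assumption to tune per site.
LSASS_READERS_ALLOWED = {"svchost.exe", "csrss.exe", "wininit.exe", "msmpeng.exe"}
# Distinct 445/tcp peers one host may contact before we call it fan-out.
SMB_FANOUT_THRESHOLD = 3


def parse_events(text):
    """Turn key=value lines into dicts, stripping quotes from quoted values."""
    events = []
    for line in text.strip().splitlines():
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields:
            events.append(fields)
    return events


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, host, detail) findings in the order they are raised."""
    findings = []
    smb_peers = defaultdict(set)
    for ev in events:
        kind = ev.get("type")
        host = ev.get("host", "?")
        if kind == "access" and basename(ev.get("target", "")) == "lsass.exe":
            # Rule 1: a non-allowlisted process opening lsass.exe.
            src = basename(ev.get("source", ""))
            if src not in LSASS_READERS_ALLOWED:
                findings.append(("lsass-access", host, src))
        elif kind == "process":
            # Rule 2: admin remote-execution tools pointed at another host.
            image = basename(ev.get("image", ""))
            cmd = ev.get("cmdline", "")
            if image == "wmic.exe" and "/node:" in cmd.lower():
                findings.append(("remote-exec-wmic", host, cmd))
            elif image == "psexec.exe" and "\\\\" in cmd:
                findings.append(("remote-exec-psexec", host, cmd))
            elif image == "psexesvc.exe":
                # PsExec's service component appearing on the target side.
                findings.append(("psexec-service-started", host, ev.get("parent", "")))
        elif kind == "network" and ev.get("dport") == "445":
            smb_peers[host].add(ev.get("dst"))
    # Rule 3: one host fanning out to many SMB peers (worm-like spread).
    for host, peers in smb_peers.items():
        if len(peers) >= SMB_FANOUT_THRESHOLD:
            findings.append(("smb-fanout", host, f"{len(peers)} peers"))
    return findings


if __name__ == "__main__":
    for rule, host, detail in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{rule:24} {host:6} {detail}")
```

Because administrators use PsExec and WMIC legitimately, rules 2 and 3 are triage signals rather than verdicts; the strong indicator is the sequence on one host: an unexpected process reading lsass.exe, followed within minutes by remote execution or SMB fan-out from that same host.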