The Petya cyber attack that has created havoc across nations turns out to be not just ransomware but also a very destructive wiper malware, according to security researchers.
According to a new analysis, the virus was designed to look like ransomware, but it performs additional steps that make it a wiper: it wipes computers outright, destroying all records on the targeted systems. As such, a victim's disk cannot be decrypted even if the payment is made. Further, the email address provided by the attackers has been disabled by the email provider, preventing any communication with the attackers.
How is the Petya wiper different from ransomware?
Unlike traditional ransomware, Petya does not just encrypt files on a targeted system one by one; it also does far nastier things.
Petya reboots the victim's computer, encrypts the hard drive's master file table (MFT) and renders the master boot record (MBR) inoperable, restricting access to the whole system by seizing the information about file names, sizes and locations on the physical disk.
Petya then takes an encrypted copy of the MBR and replaces the MBR with its own malicious code, which displays a ransom note and leaves the computer unable to boot.
However, this new variant of Petya does not keep a copy of the replaced MBR, whether by mistake or by design, leaving infected computers unbootable even if victims obtain the decryption keys.
Also, after infecting one machine, Petya scans the local network and quickly infects all other machines on the same network, using the EternalBlue SMB exploit and the WMIC and PsExec tools.
Don't Pay the Ransom; You Won't Get Your Files Back
So far, nearly 45 victims have paid a total of $10,500 in Bitcoin in the hope of getting their locked files back, but unfortunately they will not.
This is because the email address the attackers set up to communicate with victims and send decryption keys was suspended by its German provider shortly after the outbreak.
The virus primarily and massively targeted entities in Ukraine, including the country's local metro, Kiev's Boryspil airport, an electricity supplier, the central bank and the state telecom.
Other countries infected by the Petya virus included Russia, France, Spain, India, China, the United States, Brazil, Chile, Argentina, Turkey and South Korea.
Technical details of the attack
- Initial infection vector
Symantec and others have confirmed that MEDoc, a tax and accounting software package, was used for the initial insertion of Petya into corporate networks. MEDoc is widely used in Ukraine, indicating that organizations in that country were the primary target.
After gaining an initial foothold, Petya uses a variety of methods to spread across corporate networks.
- Spread and lateral movement
Petya is a worm, meaning it has the ability to self-propagate. It does this by building a list of target computers and using two methods to spread to those computers.
IP address and credential gathering
Petya builds a list of IP addresses to spread to, which includes primarily addresses on the local area network (LAN) but also remote IPs. The full list is built as follows:
- All IP addresses and DHCP servers of all network adaptors
- All DHCP clients of the DHCP server if ports 445/139 are open
- All IP addresses within the subnet as defined by the subnet mask if ports 445/139 are open
- All computers you have a current open network connection with
- All computers in the ARP cache
- All resources in Active Directory
- All server and workstation resources in Network Neighborhood
- All resources in the Windows Credential Manager (including Remote Desktop Terminal Services computers)
Once the list of target computers has been identified, Petya builds out a list of user names and passwords it can use to spread to those targets. The list of user names and passwords is stored in memory. It uses two methods to gather credentials:
- Gathers user names and passwords from Windows Credential Manager
- Drops and executes a 32-bit or 64-bit credential dumper.
Petya uses two primary methods to spread across networks:
Execution across network shares: It attempts to spread to the target computers by copying itself to [COMPUTER NAME]\\admin$ using the acquired credentials. It is then executed remotely using either PsExec or the Windows Management Instrumentation Command-line (WMIC) tool. Both are legitimate tools.
SMB exploits: It attempts to spread using variations of the EternalBlue and EternalRomance exploits.
However, according to the Symantec advisory, it does not use the EternalBlue or EternalRomance exploits if Symantec products are installed.
Once installed, Petya proceeds to modify the master boot record (MBR). This allows it to hijack the normal loading process of the infected computer during the next system reboot. The modified MBR is used to encrypt the hard disk while simulating a CHKDSK screen. It then displays a ransom note to the user.
MBR modification does not succeed if the threat is executed as a normal user, but the threat will still attempt to spread across the network.
Petya performs encryption in two ways:
– After Petya has spread to other computers, user-mode encryption occurs, where files with specific extensions are encrypted on disk.
– The MBR is modified to add a custom loader which is used to load a CHKDSK simulator. This simulator is used to hide the fact that disk encryption is occurring. This is done after user-mode encryption occurs and thus encryption is twofold: user mode and full disk.
As such, the MBR is only encrypted if the user has admin privileges. However, if a system holding domain administrator credentials is compromised, the malware uses those credentials to encrypt the MBR of all the other systems it reaches. Encryption of the MBR is done without any recovery mechanism, and hence all data is destroyed.
If the logged-in user does not have admin privileges or the malware does not obtain domain admin credentials, it will still spread and perform user-mode encryption (which could technically be reversed with a decryption key, but since communication with the attackers is no longer possible, obtaining the key is unlikely).
- Some quick measures to prevent infection are:
Use AppLocker to create a policy that prevents the execution of PsExec.exe and the perfc file, and push it to all computers in the domain.
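The AppLocker step above as a worked example, added here and not taken from the post or from Symantec: a PowerShell script that builds the policy XML, applies it to the local machine and checks that the rules are in effect. The rule names, the path patterns `*\PsExec.exe` and `%WINDIR%\perfc*`, and the use of Microsoft's default allow rules are assumptions of this example; run it from an elevated PowerShell, and for a whole domain import the same XML into a Group Policy Object instead.

```powershell
# Added example (not the post's or Symantec's code). Builds an AppLocker policy
# that denies PsExec.exe and any file named perfc* and applies it to this machine.
# Assumptions: the rule names, the path patterns and Microsoft's default allow rules.
# Why allow rules are included: once a rule collection contains any rule,
# AppLocker blocks every file of that type that no rule allows, so a deny-only
# policy would block all programs (and, for the Dll collection, break Windows).
# Deny rules take precedence over allow rules, so %WINDIR%\perfc* stays blocked
# even though %WINDIR%\* is allowed. Start in AuditOnly and review the
# "Microsoft-Windows-AppLocker/EXE and DLL" event log before switching to Enabled.
$Mode = 'AuditOnly'   # change to 'Enabled' once the audit log shows no false positives

function New-PathRuleXml {
    param([string]$Name, [string]$Path, [string]$Action, [string]$Sid = 'S-1-1-0')
    # S-1-1-0 is Everyone; S-1-5-32-544 is BUILTIN\Administrators. Each rule needs a unique GUID.
    @"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="$Name" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# Microsoft's default allow rules: Everyone runs from Program Files and Windows, Administrators run anything.
$DefaultAllow = (New-PathRuleXml 'Default: Program Files' '%PROGRAMFILES%\*' 'Allow') +
                (New-PathRuleXml 'Default: Windows folder' '%WINDIR%\*' 'Allow') +
                (New-PathRuleXml 'Default: Administrators' '*' 'Allow' 'S-1-5-32-544')

$PolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
$(New-PathRuleXml 'Deny PsExec' '*\PsExec.exe' 'Deny')
$DefaultAllow
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="$Mode">
$(New-PathRuleXml 'Deny perfc DLL' '%WINDIR%\perfc*' 'Deny')
$DefaultAllow
  </RuleCollection>
</AppLockerPolicy>
"@

$PolicyFile = Join-Path $env:TEMP 'petya-applocker.xml'
Set-Content -Path $PolicyFile -Value $PolicyXml -Encoding UTF8

# AppLocker is enforced by the Application Identity service (AppIDSvc), which must be running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# -Merge adds these rules to whatever local policy already exists instead of replacing it.
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge

# Confirm the deny rules are present in the effective policy.
(Get-AppLockerPolicy -Effective -Xml) -split "`n" | Select-String -Pattern 'PsExec|perfc'
```

A path rule matches on file name and location only, so it is a quick stopgap; where the environment allows it, a publisher or hash rule for the same binaries is the more durable control.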
How can InstaSafe help your enterprise?
The InstaSafe Secure Access solution is based on Software Defined Perimeter fundamentals. Secure Access authenticates the user and their devices together before granting 'need-to-know' access to applications. As such, InstaSafe Secure Access helps prevent the spread of such malware and therefore vastly reduces the impact of the attack.
InstaSafe Secure Access creates a private network in any enterprise and can limit all network connections to specific ports and protocols between the endpoint and the target application.
This ensures that end user computers get access only to specific applications based on their job role and not to the entire network. Current enterprise LAN security deployments cannot limit access to ONLY the application (on a specific port, say 443) and so, such malware can spread. WannaCry and Petya (or NotPetya, etc.) spread using SMB and other ports that are open within the LAN (or VLAN), but with InstaSafe Secure Access in place, all access is limited to specific systems on specific ports thereby reducing the spread vastly.
Key benefits of InstaSafe SDP based Secure Access:
Malware spread is blocked, as every computer's network access is limited to specific applications on specific ports
Infected systems can be blocked from all network access with a one-click configuration
SDP-based Secure Access by InstaSafe can prevent the spread of any and all malware: today it is Petya; tomorrow, something else. It prevents the spread of even zero-day attacks.
InstaSafe can assist you with preventive measures. For more information, email us.