Organizations from Russia to Britain were hit by a ransomware attack on Tuesday in a hack with similarities to the recent WannaCry attacks.
Initial analysis showed that the malware seen is a recent variant of the Petya ransomware family based upon how it encrypts files and displays its ransom note. Analysis showed that this sample follows the encryption and ransom note functionality seen in Petya samples. If run with administrative privileges, this includes the overwriting of the Master Boot Record (MBR) by the malware to replace it with customized, malicious code.
However, additional analysis from the Carbon Black Threat Research team and from the security community shows that the overall malware is largely dissimilar from known Petya samples and may be construed as a wholly different family of malware.
File Size: 362,360
Magic: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Import Hash: 52dd60b5f3c9e2f17c2e303e8c8d4eab
Compiled Time: Sun Jun 18 07:14:36 2017 UTC
PE Sections (5):
Name       Size      MD5
.text      48,640    c5bd3bb710ae377938b17980692b785b
.rdata     34,304    46418e52b546c1f696eb8a524f18c56e
.data      20,992    5216f0c62d1fd41b1d558e129e18d0fe
.rsrc      247,808   f07e68575f50a62382d99e182baa05d5
.reloc     3,584     c5d1d4cdade7dcfbe14ec10dcf66cfb1
+ 0x57000  6,008     da2b0b17905e8afae0eaca35e831be9e (Authenticode Signature)
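The metadata in the table above (compile timestamp, per-section MD5s and the trailing Authenticode blob) comes straight out of the PE headers, and reproducing it is the first step when you want to check whether a file on disk is the same build. The script below is an added example, not a Carbon Black tool: it parses a PE32 image with only the standard library, hashes each section's raw bytes and reads the IMAGE_DIRECTORY_ENTRY_SECURITY slot, which for Authenticode holds a raw file offset rather than an RVA. The two-section PE in build_sample_pe() is constructed for demonstration (it only borrows the June 18, 2017 timestamp from the table) and is not the real sample.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Data-directory slot that points at the Authenticode certificate table (PE32 only here)
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def md5_hex(blob: bytes) -> str:
    return hashlib.md5(blob).hexdigest()


def pe_summary(data: bytes) -> dict:
    """Return compile time, per-section MD5s and the (offset, size) of any
    Authenticode signature for a PE32 image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, timestamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    sections_at = opt + opt_size

    authenticode = None
    if opt_size >= 96 + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1):
        if struct.unpack_from("<H", data, opt)[0] != 0x10B:
            raise ValueError("only PE32 images are handled here")
        ndirs = struct.unpack_from("<I", data, opt + 92)[0]      # NumberOfRvaAndSizes
        if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
            # The security directory's first field is a file offset, not an RVA
            sig_off, sig_size = struct.unpack_from("<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
            if sig_size:
                authenticode = (sig_off, sig_size)

    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes; only name, SizeOfRawData and PointerToRawData are needed
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sections_at + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "size": raw_size, "md5": md5_hex(raw)})

    return {
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "sections": sections,
        "authenticode": authenticode,
    }


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 stub for exercising the parser; NOT the real sample.
    Only the TimeDateStamp is taken from the table above."""
    text = b"\x55\x8b\xec\xc3" * 6          # 24 constructed bytes standing in for code
    rdata = b"const\0" * 4                  # 24 constructed bytes standing in for read-only data
    sig = b"CONSTRUCTED-SIG"                # stands in for the Authenticode blob
    opt = bytearray(224)                    # 96-byte PE32 fixed part + 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)   # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    headers = 64 + 4 + 20 + len(opt) + 2 * 40
    text_off, rdata_off = headers, headers + len(text)
    sig_off = rdata_off + len(rdata)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, sig_off, len(sig))
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1497770076, 0, 0, len(opt), 0x2102)
    hdr = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), text_off, 0, 0, 0, 0, 0x60000020)
    hdr += struct.pack("<8sIIIIIIHHI", b".rdata", len(rdata), 0x2000, len(rdata), rdata_off, 0, 0, 0, 0, 0x40000040)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdr + text + rdata + sig


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = pe_summary(blob)
    print("Compiled:", info["compile_time"])
    for s in info["sections"]:
        print(f"{s['name']:<8} {s['size']:>8,} {s['md5']}")
    print("Authenticode (offset, size):", info["authenticode"])
```

Run it with a file path to summarise a real PE32, or with no arguments to see the constructed stub; the section MD5 on a real file should match the table if it is the same build. Note that a present signature only means the blob exists; whether it verifies against the file's hash is a separate check.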
Initial analysis showed that the malware seen is a recent variant of the Petya family of ransomware. Analysis showed that this recent sample follows the encryption and ransom note functionality seen from Petya samples. If run with administrative privileges, this includes the overwriting of the Master Boot Record (MBR) by the malware to replace it with customized, malicious code.
The malware then forces a shutdown of Windows so that the system boots from this new MBR code. On boot, the code begins encrypting every sector of the hard drive while displaying a fake “chkdsk” output that shows a hard drive repair in progress. Upon completion, a ransom note is displayed to the user.
The malware also has the ability to clear Windows event logs by using the Windows wevtutil command. This is seen in action as the following command line:
wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D
[Figure: Example of fake chkdsk screen as files are encrypted]
[Figure: Example of ransom note displayed after encryption]
Notable from this example is the recent compile date and time of June 18, 2017, less than two weeks prior to the initial attack. Also notable is the Authenticode digital signature of Microsoft Corporation, copied from the Microsoft Sysinternals tools. However, this signature is not valid, as it has long since expired.
Carbon Black customers have multiple defenses against Petya ransomware.
Cb Protection with a Medium or High enforcement policy will prevent this file from being executed on a protected system. In Low Enforcement, known hashes have been classified as malware by SRS (reputation service), and will be blocked. Customers in Low Enforcement can also create custom rules that prevent C:\windows\perfc.dat from being written to disk or executed, to further improve coverage. Customers in Low Enforcement can also manually ban the known hashes for this malware.
Executables known to this attack are currently classified as high threats within the CDC-R and, as such, will be detected immediately by Cb Defense policies that include Delay Execution for Cloud Scan.
In Cb Response, this attack can be detected by creating a watchlist for filemod:C:\windows\perfc.dat. The VirusTotal and CDC Threat feeds will detect the known hashes for this malware. Customers can blacklist known MD5 hashes, the most prominent of which is 71b6a493388e7d0b40c83ce903bc6b04.
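The indicators called out above (the wevtutil / fsutil log-clearing command line, writes to or execution of C:\windows\perfc.dat, and the known MD5) can be expressed as plain detection logic independent of any one product. The script below is an added example, not Cb Response watchlist syntax or any Carbon Black code; it runs over a handful of constructed endpoint events shaped like generic process-creation and file-modification records (host, cmdline, md5, path fields are assumptions for the example) and reports which indicators each event triggers.

```python
import re

# Known hash from this advisory; extend the set as further hashes are published
KNOWN_MD5 = {"71b6a493388e7d0b40c83ce903bc6b04"}
PERFC_PATH = r"c:\windows\perfc.dat"

# Match each "wevtutil cl <Log>" occurrence and the USN journal deletion from the command line above
LOG_CLEAR_RE = re.compile(r"\bwevtutil(?:\.exe)?\s+cl\s+\S+", re.IGNORECASE)
USN_DELETE_RE = re.compile(r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.IGNORECASE)


def classify_event(event: dict) -> list:
    """Return the list of indicator names an endpoint event matches (empty if none)."""
    hits = []
    if event.get("type") == "process":
        cmdline = event.get("cmdline", "")
        clears = len(LOG_CLEAR_RE.findall(cmdline))
        if clears:
            hits.append(f"eventlog_clear:{clears}")        # count helps separate one admin clear from a sweep
        if USN_DELETE_RE.search(cmdline):
            hits.append("usn_journal_delete")
        if PERFC_PATH in cmdline.lower():
            hits.append("perfc_dat_reference")
        if event.get("md5", "").lower() in KNOWN_MD5:
            hits.append("known_hash")
    elif event.get("type") == "filemod":
        if event.get("path", "").lower() == PERFC_PATH:
            hits.append("perfc_dat_write")
    return hits


def scan(events: list) -> list:
    """Return (host, hits) for every event that matched at least one indicator."""
    return [(ev.get("host", "?"), h) for ev in events if (h := classify_event(ev))]


# Constructed sample events; hashes other than the advisory's are placeholders
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security "
                "& wevtutil cl Application & fsutil usn deletejournal /D",
     "md5": "0" * 32},
    {"type": "filemod", "host": "ws01", "action": "create", "path": r"C:\Windows\perfc.dat"},
    {"type": "process", "host": "ws02", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\perfc.dat",
     "md5": "71b6a493388e7d0b40c83ce903bc6b04"},
    {"type": "process", "host": "ws03", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil qe Security /c:5", "md5": "0" * 32},        # benign log query, no hit
    {"type": "filemod", "host": "ws03", "action": "create", "path": r"C:\Windows\Temp\report.txt"},
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(hits)}")
```

The file-path and hash matches are exact and cheap, so they belong in a blocking or watchlist rule; the command-line patterns are the ones worth tuning, since a single "wevtutil cl" by an administrator is routine while four clears plus a USN journal wipe in one command line is the behaviour described above.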
Possible mitigations include not only patching the known exploit, MS17-010, but also using Group Policy to disable local admin shares on systems.
Known hashes include: