On 27 June 2017, one day before a Ukrainian public holiday, another variant of the Petya ransomware began attacking Ukrainian businesses. Ukrainian Vice Prime Minister Rozenko Pavlo tweeted a picture of a computer that had been infected by the ransomware, along with a message that the network had gone down. The attack is believed to have targeted businesses in Ukraine, Russia, and Western Europe. All variants of Petya deny access to the entire system by attacking low-level structures on the disk. The improved version of Petya uses the EternalBlue and EternalRomance exploits (believed to have been developed by the NSA), and there is a belief that the attack was unwittingly unleashed through ME-Doc. When performing an attack, Petya not only overwrites the disk's Master Boot Record (MBR); it also makes an XOR-encrypted backup of the original MBR data, and restoring the MBR with Windows recovery tools is believed to destroy the system. No evidence has been found of Petya attacking anything other than drive C or the boot disk. Because of its source code modifications, researchers and the media have given it several names, such as Petrwrap, NotPetya, Goldeneye, and ExPetr.

The Victims

The spread of Petya across the world on Tuesday took out businesses and turned Ukraine into ground zero for the attack. This well-oiled ransomware program works its way from computer to computer, denying access to the entire system. The contagion affected Boryspil Airport and ATMs in Ukraine and hampered various international businesses, from shipping giant Maersk to drug company Merck. The Chernobyl nuclear power plant had to switch to manual radiation monitoring.

The Stage of Attack

Currently, no evidence has been found that Petya uses an Internet-spreading mechanism like the one found in WannaCry. Petya ransomware originally used phishing emails with malware attachments to spread. On 27 June 2017, Petya was unwittingly unleashed with the ME-Doc update (from host upd.me-doc.com.ua, using “medoc1001189” as the user-agent), which unpacked a RUNDLL32.EXE using a fake Microsoft digital signature to fool antivirus software. The shell in Petya is similar to that of the WannaCry ransomware (EternalBlue or EternalRomance exploits), which heavily targets the machine's SMB vulnerability to spread. Petya only spreads through internal networks. Crucially, when Petya is not able to exploit SMB, it tries to use PsExec under the currently logged-in user's credentials, followed by the Mimikatz LSADump tool to find all possible user credentials in memory, aiming at the Administrator level. Petya then proceeds with an SMB attack using PsExec and the ADMIN$ share, even on patched endpoints. Petya goes on to use the Windows Management Instrumentation Command-line (WMIC) to deploy and remotely execute the payload on each host it finds, using the credentials found during the LSADump process. This combination of PsExec, WMIC, and LSADump increases the chances that Petya can infect fully patched machines on the local network, including Windows 10 (still theoretical; no evidence had been found as of this post's release).
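The two signals described above (the ME-Doc update request, then PsExec or remote WMIC process creation) can be correlated per host to prioritise triage. This is an added example, not code from the original post; the log formats, sample lines, addresses and function names are constructed assumptions, and only the host name and user-agent come from the text.

```python
import re
from collections import defaultdict

# Indicators quoted in the article.
UPDATE_HOST, UPDATE_UA = "upd.me-doc.com.ua", "medoc1001189"
# PsExec use, or WMIC creating a process on a remote node.
LATERAL = re.compile(
    r"(?i)\bpsexec(?:64)?(?:\.exe)?\b"
    r"|\bwmic(?:\.exe)?\b.*?/node:.*?\bprocess\s+call\s+create\b")

# Constructed sample logs, not real telemetry. Assumed formats:
#   proxy:   <time> <client> <host> <user-agent>
#   process: <time> <host> <command line>
PROXY_LOG = """
2017-06-27T10:30:01 10.0.0.15 upd.me-doc.com.ua medoc1001189
2017-06-27T10:31:12 10.0.0.22 example.org Mozilla/5.0
2017-06-27T10:33:40 10.0.0.31 upd.me-doc.com.ua medoc1001189
"""
PROCESS_LOG = r"""
2017-06-27T10:45:09 10.0.0.15 wmic.exe /node:"10.0.0.40" process call create "<payload>"
2017-06-27T10:46:30 10.0.0.40 psexec.exe \\10.0.0.41 <payload>
2017-06-27T10:47:02 10.0.0.22 wmic os get caption
"""

def hosts_with_update_traffic(proxy_log):
    """Clients that contacted the update host with the quoted user-agent."""
    hits = set()
    for line in proxy_log.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4 and parts[2].lower() == UPDATE_HOST and UPDATE_UA in parts[3]:
            hits.add(parts[1])
    return hits

def lateral_tool_events(process_log):
    """Map host -> command lines matching the lateral-movement pattern."""
    events = defaultdict(list)
    for line in process_log.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) == 3 and LATERAL.search(parts[2]):
            events[parts[1]].append(parts[2])
    return dict(events)

def triage(proxy_log, process_log):
    """Bucket hosts by which of the two signals they show."""
    updated = hosts_with_update_traffic(proxy_log)
    lateral = set(lateral_tool_events(process_log))
    return {"update_and_lateral": sorted(updated & lateral),
            "update_only": sorted(updated - lateral),
            "lateral_only": sorted(lateral - updated)}

if __name__ == "__main__":
    for bucket, hosts in triage(PROXY_LOG, PROCESS_LOG).items():
        print(bucket, hosts)
```

Hosts in `lateral_only` never fetched the update themselves, which matches the internal-network spread the paragraph describes; PsExec and WMIC are also legitimate admin tools, so matches need review against known administration activity.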

With administrator privileges, Petya goes on to rewrite the local machine's Master Boot Record (MBR). This modification causes the ransomware to start on the next reboot in place of the usual operating system. A few hours after rewriting the MBR, Petya forces a BSOD, pushing the machine to restart and proceed to the next stage of the attack: displaying the ransom note and demanding payment in cryptocurrency in exchange for the key that unlocks the decryption process. At this juncture, Petya also encrypts the filesystem table and files on the boot drive using AES-128. Needless to say, there is no way to get the keys needed to start the decryption process.

The Kill Switch

The major question in the security industry is whether there is a kill switch to shut down the infection. There are kill-switch steps we can take, but none of them will stop the spread across the local network.

  1. Create a “Perfc” file (without an extension) in the Windows directory (i.e. when your boot drive is drive C:, it should be in C:\Windows).
  2. Set the “Read-Only” file attribute on the newly created file. When Petya finds this file, it is tricked into quitting and stops the routine that leads to the encryption process.
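The two steps above as an idempotent script that also verifies the result. This is an added example, not code from the original post; the function names are hypothetical, and the lower-case file name relies on Windows file names being case-insensitive.

```python
import os
import stat

VACCINE_NAME = "perfc"  # no extension; Windows file names are case-insensitive

def vaccine_path(windows_dir):
    return os.path.join(windows_dir, VACCINE_NAME)

def is_vaccinated(windows_dir):
    """True only if the file exists as a regular file and is read-only."""
    path = vaccine_path(windows_dir)
    return os.path.isfile(path) and not (os.stat(path).st_mode & stat.S_IWRITE)

def apply_vaccine(windows_dir):
    """Create the empty file if missing, then set read-only. Safe to re-run."""
    path = vaccine_path(windows_dir)
    if os.path.isdir(path):
        raise IsADirectoryError(f"{path} is a directory; remove it first")
    if not os.path.exists(path):
        with open(path, "x"):  # "x" never truncates an existing file
            pass
    os.chmod(path, stat.S_IREAD)  # on Windows this sets the read-only attribute
    return is_vaccinated(windows_dir)

if __name__ == "__main__" and os.name == "nt":
    # Needs an elevated prompt to write to the Windows directory.
    root = os.environ.get("SystemRoot", r"C:\Windows")
    print(root, "vaccinated:", apply_vaccine(root))
```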

Obtaining Decryption Key

The ransom note demands a payment of $300 in Bitcoin and requires confirmation to be sent to the email address [email protected], which is hosted by a German email provider. Immediately after this email address was found, Posteo blocked access to it. The blackmailers are no longer able to use this email; unfortunately, this also means victims are not able to obtain the decryption key after paying.

How to Stop the Spread

  1. Apply the MS17-010 patch, which addresses CVE-2017-0144.
  2. Disable SMBv1 while you are installing the patch.
  3. Block incoming access, whether from the Internet or from your local network segment, to TCP ports 137, 138, 139 and 445.
  4. Ransomware typically spreads by email. It is highly advisable not to open any attachments from unknown or untrusted sources.
  5. Perform regular offline backups of all important files.

Takeaway

Ransomware will always use multiple techniques to spread and attack. Not much has changed in how to mitigate the loss after a ransomware infection. It is highly advisable to have a proper backup (preferably offline). Understanding the cybersecurity situation and raising awareness of it will always help. Build yourself a lean computing system by limiting open ports (not only TCP, but also UDP) and installed applications. If you must use a software application, do not forget to keep it patched to the latest version. Even though this does not remove the possibility of getting infected, it at least reduces the chance to its lowest point.