For the second time in as many months, networks around the world have been hit by worming ransomware that spreads by exploiting a recently patched Windows SMB vulnerability, among other proven techniques. The malware, which has been described as bearing significant similarities to the Petya encryption ransomware, ravaged numerous companies and networks worldwide, with disproportionate impact in Ukraine and Eastern Europe but also significant numbers of victims in Western Europe and North America.
Supermarket in Kharkov pic.twitter.com/H80FFbzSOj
— Mikhail Golub (@golub) June 27, 2017
Tweet depicting the ransomware's impact on a supermarket in the Ukrainian city of Kharkov
As the dust begins to settle on the initial furor of investigation, some facts have become clearer, providing a fuller understanding of the ransomware in play, its origin, and how it spread.
This outbreak, and its apparent use of the EternalBlue exploit, once again raises the risk to organizations, enterprises, and networks that have not been patched against the SMB vulnerability described in MS17-010. It is now evident that, in addition to leveraging that now-patched vulnerability, the ransomware also wormed across local networks using file shares, session and user impersonation, and remote execution of the newly copied ransomware executable using the PsExec SysInternals utility. Much as WannaCry did in May 2017, once one computer on a network is infected by this Petya derivative, the destructive ransomware can spread throughout that local network. Note that the file-share and PsExec path requires no software vulnerability at all, only valid credentials with administrative rights on the neighboring host, so a fully patched machine can still be infected from a compromised neighbor. Furthermore, should a network expose the SMB service to the Internet, the worm could conceivably use this as a point of entry as well.
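As an added illustration of the PsExec-style lateral movement just described (this is example code written for this page, not code from the original post, from PhishMe, or from the malware), the sketch below correlates three Windows events that a PsExec-style remote execution normally leaves on the target host: a network logon (Security event 4624, logon type 3), a connection to an administrative share such as ADMIN$ (Security event 5140), and a new service installation (System event 7045), which for unmodified PsExec is named PSEXESVC. The sample events, their JSON-lines layout, and the field names (host, event_id, logon_type, src_ip, share, service_name, image_path) are constructed for this example and do not correspond to a real log export format. The example also goes beyond the page's specific case by flagging a renamed service that is preceded by the same logon and admin-share context.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (NOT real logs) in a simplified JSON-lines form.
# The field names are this example's own assumptions, not a Windows export format.
SAMPLE_EVENTS = r"""
{"time": "2017-06-27T10:01:05", "host": "WS-07", "event_id": 4624, "logon_type": 3, "account": "CORP\\svc_backup", "src_ip": "10.0.5.23"}
{"time": "2017-06-27T10:01:06", "host": "WS-07", "event_id": 5140, "account": "CORP\\svc_backup", "src_ip": "10.0.5.23", "share": "\\\\*\\ADMIN$"}
{"time": "2017-06-27T10:01:08", "host": "WS-07", "event_id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"}
{"time": "2017-06-27T10:30:00", "host": "WS-12", "event_id": 4624, "logon_type": 3, "account": "CORP\\alice", "src_ip": "10.0.5.40"}
{"time": "2017-06-27T10:30:02", "host": "WS-12", "event_id": 5140, "account": "CORP\\alice", "src_ip": "10.0.5.40", "share": "\\\\*\\Projects"}
{"time": "2017-06-27T11:15:00", "host": "WS-19", "event_id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"}
{"time": "2017-06-27T11:40:00", "host": "WS-22", "event_id": 4624, "logon_type": 3, "account": "CORP\\svc_backup", "src_ip": "10.0.5.23"}
{"time": "2017-06-27T11:40:01", "host": "WS-22", "event_id": 5140, "account": "CORP\\svc_backup", "src_ip": "10.0.5.23", "share": "\\\\*\\ADMIN$"}
{"time": "2017-06-27T11:40:03", "host": "WS-22", "event_id": 7045, "service_name": "WinHelperSvc", "image_path": "%SystemRoot%\\svchelper.exe"}
"""

WINDOW = timedelta(minutes=5)       # look-back from the service install to the logon
ADMIN_SHARES = ("ADMIN$", "C$")     # shares PsExec copies its service binary to


def parse_events(text):
    """Parse JSON-lines events and return them sorted by time."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def _is_admin_share(share):
    # "\\*\ADMIN$" -> "ADMIN$"
    return share.rsplit("\\", 1)[-1].upper() in ADMIN_SHARES


def detect_psexec_lateral_movement(events):
    """Flag service installs (7045) that look like PsExec-style remote execution.

    Context signals on the same host within WINDOW before the 7045:
      * a network logon (4624, logon type 3), and
      * a connection to an administrative share (5140 on ADMIN$ or C$).
    A 7045 for the default service name PSEXESVC is flagged even without the
    context; a renamed service is flagged only when the context is present.
    """
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        for ev in evs:
            if ev["event_id"] != 7045:
                continue
            t0 = ev["time"] - WINDOW
            recent = [e for e in evs if t0 <= e["time"] <= ev["time"]]
            logons = [e for e in recent if e["event_id"] == 4624 and e.get("logon_type") == 3]
            shares = [e for e in recent if e["event_id"] == 5140 and _is_admin_share(e.get("share", ""))]
            default_name = ev.get("service_name", "").upper() == "PSEXESVC"
            if not (default_name or (logons and shares)):
                continue
            src = shares[-1] if shares else (logons[-1] if logons else None)
            alerts.append({
                "host": host,
                "time": ev["time"].isoformat(),
                "service": ev.get("service_name"),
                "image": ev.get("image_path"),
                "src_ip": src["src_ip"] if src else None,
                "account": src["account"] if src else None,
                # default name plus full context -> high; either alone -> medium
                "confidence": "high" if (default_name and logons and shares) else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_psexec_lateral_movement(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run against the constructed sample, the sketch raises a high-confidence alert for WS-07 (default service name plus remote logon and ADMIN$ access from 10.0.5.23), a medium-confidence alert for WS-19 (PSEXESVC installed with no visible context, for instance because the Security log was not collected), and a medium-confidence alert for WS-22, where the service was renamed but the surrounding logon and admin-share events still give it away. WS-12, an ordinary file-share session, is not flagged. In a real deployment the events would come from forwarded Security and System logs, and the admin-share and logon-type checks should be tuned against legitimate management tooling that uses the same mechanism.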
Previous PhishMe® reporting has documented that threat actors do not necessarily need new, bleeding-edge exploits to gain a foothold on a victim's computer or within an enterprise network. Reliance on readily accessible tools and clever social engineering in phishing attacks can be just as effective. However, as high-profile stories about exploitation tools and software vulnerabilities come to light, some threat actors may be tempted, or inspired, to return to older and readily accessible means of exploitation, or to take advantage of newer vulnerabilities as they are disclosed. It is also clear that another, less familiar attack vector was employed to deliver this ransomware.
The alleged initial source of this Petya-like ransomware is likely the most surprising aspect of this crisis. Microsoft reports that the ransomware was delivered to its first victims through a software supply chain attack that subverted the update process of MEDoc, a tax accounting package used widely in Ukraine.
Furthermore, the company that produces and distributes this accounting software acknowledged in a post on its website that its update server had pushed a "virus."
Cyberpolice has preliminarily established that the first virus attacks on Ukrainian companies may have arisen through vulnerabilities in the M.E.doc software. pic.twitter.com/MXV7ODtaoM
— Cyberpolice Ukraine (@CyberpoliceUA) June 27, 2017
Ukrainian Cyberpolice statement linking distribution of the "virus" to a MEDoc "vulnerability"
The ransomware that sparked a global crisis yesterday is remarkably similar to the Petya ransomware. Petya became notorious for overwriting the master boot record with its own boot code and encrypting the file system's master file table, locking users out not only of their files but of the machine as a whole. Victims were then compelled to interact with this boot-time "stub" application to find instructions for paying the Bitcoin ransom, obtaining their decryption key, and entering it to initiate decryption.
While much of this behavior was seen in the ransomware used on June 27, 2017, researchers have pointed out that the new ransomware differs from Petya in some important ways, including the files it targets and its internal makeup. These differences, plus the remarkable integration of new lateral movement features, have given rise to various names for it, including "notPetya" and "Petna".
The fact remains: the SMB vulnerability leveraged by WannaCry, and believed to be used for lateral movement by this ransomware as well, was fixed by the Windows updates released with MS17-010. Operating system security updates are an important part of any enterprise defense strategy, and prompt patching is among the basic best practices for companies of all sizes.
Taken together, these events demonstrate once again that threat actors have found another successful means of delivering malware to enterprises. The WannaCry incident provided the proof of concept; the Petya derivative/notPetya crisis drove home its effectiveness with a more adept implementation of similar techniques.