[SingCERT] Technical Advisory on Petya/Petna Ransomware

Published on Wednesday, 28 June 2017 22:07

Background
On 27 June 2017, SingCERT was alerted to the outbreak of a Petya variant, also known as Petna (and later NotPetya), which has impacted organisations in Ukraine and other parts of Europe. Petya/Petna overwrites the Windows Master Boot Record (MBR) and forces a reboot, after which the replaced boot code prevents Windows from starting. To spread to other hosts it uses the ETERNALBLUE exploit tool, the same SMBv1 exploit used by the WannaCrypt/WannaCry ransomware, alongside legitimate Windows administration tools.

Details
Delivery/Exploitations
According to Palo Alto Networks, there is speculation that a Ukrainian tax software package was compromised and that its update mechanism delivered the Petya/Petna DLL on 27 June 2017.

Installation
Petya/Petna is distributed as a DLL file; it cannot run on its own and must be loaded and executed by another process (in the reported infections, rundll32.exe) to compromise the system.

Once executed, it overwrites the Windows Master Boot Record (MBR) with its own boot code and then forces a reboot, which appears to the user as a system crash.

Upon reboot, the modified MBR prevents Windows from loading and a ransom note is displayed instead, demanding US$300 in Bitcoin to a specific Bitcoin address in exchange for decrypting the files.

Payment
Users should not pay the ransom. The e-mail account through which the attackers were to issue decryption keys has been shut down by the provider, so victims cannot obtain a key even after paying.

Lateral Movement
Petya/Petna uses the Windows Management Instrumentation Command-line (WMIC) tool to connect to hosts on the local subnet and attempt to execute itself remotely on them.

Petya/Petna also uses the ETERNALBLUE exploit on the local subnet to spread to further hosts. The underlying vulnerability (CVE-2017-0144, fixed by security update MS17-010) exists because the SMB version 1 server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.

Petya/Petna scans the local network to enumerate ADMIN$ shares on other systems. Where the infected system's credentials have rights to write and execute files on such a share, it copies itself there and executes the copy using PsExec.
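The three lateral-movement techniques above (WMIC remote execution, PsExec over ADMIN$, and the rundll32 loading of the DLL) each leave traces in standard Windows event logs. The following PowerShell is an added example, not part of the SingCERT advisory: it runs simple detection rules over process-creation, service-install and share-access events. The event records are constructed for the example; the rundll32 command-line pattern (a .dat file invoked by ordinal #1) is the one reported for this sample, and the other rules are generic to WMIC and PsExec use.

```powershell
# Added example (not from the SingCERT advisory): flag the WMIC / PsExec /
# ADMIN$ lateral-movement behaviour described above in Windows event data.
# Event IDs: 4688 = process creation (Security log; command-line capture must
# be enabled by policy), 7045 = service installed (System log),
# 5140 = network share object accessed (Security log).
# The $events records are CONSTRUCTED sample data; on a real host build them
# from Get-WinEvent (e.g. -FilterHashtable @{LogName='Security'; Id=4688,5140}).

$events = @(
    [pscustomobject]@{ Id = 4688; Computer = 'WS01'; Image = 'C:\Windows\System32\wbem\WMIC.exe'
        CommandLine = 'wmic /node:"10.0.0.15" /user:"corp\admin" /password:"***" process call create "C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1"' }
    [pscustomobject]@{ Id = 4688; Computer = 'WS02'; Image = 'C:\Windows\System32\rundll32.exe'
        CommandLine = 'C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1' }
    [pscustomobject]@{ Id = 4688; Computer = 'WS03'; Image = 'C:\Windows\System32\notepad.exe'
        CommandLine = 'notepad.exe C:\Users\bob\notes.txt' }   # benign, must not fire
    [pscustomobject]@{ Id = 7045; Computer = 'SRV01'; ServiceName = 'PSEXESVC'; ImagePath = '%SystemRoot%\PSEXESVC.exe' }
    [pscustomobject]@{ Id = 5140; Computer = 'SRV01'; ShareName = '\\*\ADMIN$'; SourceAddress = '10.0.0.22'; AccountName = 'corp\admin' }
    [pscustomobject]@{ Id = 5140; Computer = 'SRV01'; ShareName = '\\*\Public'; SourceAddress = '10.0.0.23'; AccountName = 'corp\bob' }   # benign
)

function Find-PetyaLateralMovement {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $finding = $null
        switch ($e.Id) {
            4688 {
                # WMIC told to spawn a process on a remote node
                if ($e.Image -match '\\wmic\.exe$' -and $e.CommandLine -match '/node:.*process\s+call\s+create') {
                    $finding = 'WMIC remote process creation'
                }
                # rundll32 loading a .dat file by export ordinal #1 (pattern reported for this sample)
                elseif ($e.Image -match '\\rundll32\.exe$' -and $e.CommandLine -match '\.dat,\s*#1\b') {
                    $finding = 'rundll32 loading a .dat DLL by ordinal #1'
                }
            }
            7045 {
                # PsExec installs its service helper on the target before running the payload
                if ($e.ServiceName -eq 'PSEXESVC') { $finding = 'PsExec service installed' }
            }
            5140 {
                # Administrative share access is how the copy is written before PsExec runs it
                if ($e.ShareName -match 'ADMIN\$$') {
                    $finding = "ADMIN`$ share accessed from $($e.SourceAddress) as $($e.AccountName)"
                }
            }
        }
        if ($finding) {
            [pscustomobject]@{ Computer = $e.Computer; EventId = $e.Id; Finding = $finding }
        }
    }
}

# Expected on the constructed data: four findings (WS01, WS02, SRV01 x2); WS03 and the Public share stay silent.
Find-PetyaLateralMovement -Events $events | Format-Table -AutoSize
```

Each rule on its own will also fire on legitimate administration (WMIC and PsExec are normal sysadmin tools); the signal worth alerting on is several of them from one source host within minutes, or from a workstation that never administers others.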

Enabling the Petya/Petna Vaccine
Bleeping Computer describes how to vaccinate a computer manually by creating read-only files named perfc, perfc.dat and perfc.dll in C:\Windows; the malware checks for such a file before running and exits if it is present. Note that this only stops the sample under its known file name and does nothing to prevent exploitation of an unpatched SMBv1 service:
https://www.bleepingcomputer.com/news/security/vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak/

Bleeping Computer also provides a batch file that performs the same steps:
https://download.bleepingcomputer.com/bats/nopetyavac.bat
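The same vaccine as an added PowerShell example (not SingCERT's or Bleeping Computer's script): it creates the three files read-only under the system directory and then verifies them. The file names are the ones reported for this outbreak's sample; a sample dropped under a different name would not be stopped.

```powershell
# Added example: vaccinate a host against the June 2017 Petya/Petna sample.
# Requires an elevated (Administrator) PowerShell session.
# The sample looks for a file in C:\Windows named after its own DLL (perfc)
# and exits if it exists; an empty read-only file is enough.
# Caveat: this only stops the known file name, not SMB exploitation itself.

$windir = $env:SystemRoot                      # normally C:\Windows
$names  = @('perfc', 'perfc.dat', 'perfc.dll')

function Set-PetyaVaccine {
    param([string]$Directory = $windir, [string[]]$FileNames = $names)
    foreach ($name in $FileNames) {
        $path = Join-Path $Directory $name
        if (-not (Test-Path -LiteralPath $path)) {
            # Create an empty file; the content is irrelevant, only existence matters.
            New-Item -ItemType File -Path $path -Force | Out-Null
        }
        # Read-only so the malware cannot trivially overwrite or delete it.
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
        Write-Output ('{0} : present, read-only = {1}' -f $path, (Get-Item -LiteralPath $path).IsReadOnly)
    }
}

function Test-PetyaVaccine {
    param([string]$Directory = $windir, [string[]]$FileNames = $names)
    # Returns $true only if every vaccine file exists and is read-only.
    $missing = $FileNames | Where-Object {
        $p = Join-Path $Directory $_
        (-not (Test-Path -LiteralPath $p)) -or (-not (Get-Item -LiteralPath $p).IsReadOnly)
    }
    if ($missing) {
        Write-Warning ('Vaccine incomplete: ' + ($missing -join ', '))
        return $false
    }
    return $true
}

Set-PetyaVaccine
Test-PetyaVaccine
```

Treat the vaccine as a stop-gap for hosts that cannot be patched immediately; the patch and the network controls in the recommendations below are what actually close the SMBv1 path.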


Affected Systems
The following Microsoft operating systems are affected if the MS17-010 security update has not been applied

  • Windows 10
  • Windows RT 8.1
  • Windows 8.1
  • Windows 7
  • Windows XP
  • Windows Vista
  • Windows Server 2016
  • Windows Server 2012 and Windows Server 2012 R2
  • Windows Server 2008 and Windows Server 2008 R2

Recommendations
SingCERT recommends taking the following steps to secure your systems

  • Ensure that your Windows-based systems are fully patched. In particular, security update MS17-010, which fixes the SMBv1 vulnerability used by ETERNALBLUE, must be applied.
  • Ensure that your anti-virus software is updated with the latest malware definitions
  • Perform file backups and store them offline so that they can be used to restore your systems if an attack occurs
  • Block inbound connections on TCP port 445 at the network perimeter and, where feasible, between workstations
  • Disable all services that are not required, including SMBv1
  • Monitor your systems for signs of lateral movement and privilege escalation, such as remote process creation via WMIC or PsExec
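The patch, port-445 and SMBv1 items above can be applied and checked per host with the following PowerShell. It is an added example, not a SingCERT script: it assumes Windows 8 / Server 2012 or later for the Smb* and NetFirewall* cmdlets, falls back to the LanmanServer registry value on Windows 7 / Server 2008 R2, and checks for the MS17-010 package by KB number (the two default KBs are the Windows 7 / Server 2008 R2 security-only and monthly-rollup packages; other builds need their own numbers from the bulletin).

```powershell
# Added example (not from the SingCERT advisory): apply and verify the
# network-facing recommendations above on a single host. Run elevated.
# Assumptions: Windows 8 / Server 2012 or later for the Smb* and NetFirewall*
# cmdlets; on Windows 7 / Server 2008 R2 the SMBv1 switch falls back to the
# LanmanServer registry value, which takes effect after a reboot.
# Disabling SMBv1 breaks access to/from legacy devices: test before rollout.

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$RuleName  = 'Block inbound SMB (TCP 445) - SingCERT Petya advisory'
# MS17-010 ships under a different KB per OS build. These two are the
# Windows 7 / Server 2008 R2 security-only and monthly-rollup packages;
# look up the bulletin for other builds and pass them via -Kbs.
$DefaultKbs = @('KB4012212', 'KB4012215')

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / 2008 R2 have no SMB cmdlets; SMB1=0 disables the SMBv1 server after reboot
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Block-InboundSmb {
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

function Test-PetyaHardening {
    param([string[]]$Kbs = $DefaultKbs)
    # 1. SMBv1 server state
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $v = Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue
        $smb1Enabled = ($null -eq $v) -or ($v.SMB1 -ne 0)   # value absent = enabled by default
    }
    # 2. Any enabled inbound block rule that covers TCP 445
    $port445Blocked = [bool](Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains '445' -or $_.LocalPort -eq '445') })
    # 3. MS17-010 package present, per the KB list supplied for this OS
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $ms17010   = [bool]($Kbs | Where-Object { $installed -contains $_ })

    [pscustomobject]@{
        Smb1ServerEnabled    = $smb1Enabled
        InboundTcp445Blocked = $port445Blocked
        Ms17010Installed     = $ms17010
        Hardened             = (-not $smb1Enabled) -and $port445Blocked -and $ms17010
    }
}

Disable-Smb1Server
Block-InboundSmb
Test-PetyaHardening
```

A host that received a later cumulative update may report Ms17010Installed = $false even though the fix is present, because the March 2017 KB is superseded rather than listed; in that case verify the SMB server binary version against the bulletin instead of trusting the KB check alone.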

References
https://twitter.com/HackingDave
https://www.bleepingcomputer.com/news/security/email-provider-shuts-down-petya-inbox-preventing-victims-from-recovering-files/
https://www.reddit.com/r/pcmasterrace/comments/6ju1mp/psa_new_ransomware_campaign_petyagoldeneye_being/
https://researchcenter.paloaltonetworks.com/2017/06/unit42-threat-brief-petya-ransomware/