The Petya Ransomware/Wiper has been creating havoc in Europe. The infection was first seen in Ukraine, where more than 12,500 machines were compromised, and it then spread to Belgium, Brazil, India and the United States. Petya has worm capabilities that allow it to spread laterally across a network. Microsoft has published guidance on how it tackles Petya, summarised below.
After the initial spread, Microsoft now has evidence that some of the active infections were first observed coming from the legitimate MEDoc update process. This makes it a clear case of a software supply chain attack, a technique that has become common among attackers because defending against it requires a very high level of defense.
Microsoft's screenshot shows the EzVit.exe process from MEDoc executing the malicious command line; interestingly, the same vector was also mentioned by the Ukraine Cyber Police in its public list of indicators of compromise. That being said, Petya is capable of:
- Stealing credentials and making use of the active sessions
- Transferring malicious files across machines by using the file-sharing services
- Abusing SMB vulnerabilities in a case of unpatched machines.
The lateral movement mechanism, using credential theft and impersonation, works as follows.
It all starts with Petya dropping a credential dumping tool, which comes in both 32-bit and 64-bit variants. Since users often log in with several local accounts, there is a good chance that one of their active sessions is open across multiple machines. The stolen credentials give Petya a basic level of access.
Once that is done, Petya scans the local network for valid connections on ports tcp/139 and tcp/445. It then enumerates each subnet and probes every host in it on tcp/139 and tcp/445. For each host that responds, the malware copies its binary to the remote machine using the file-transfer functionality and the credentials it stole earlier.
The ransomware also drops psexec.exe from an embedded resource, scans the local network for admin$ shares and then replicates itself across the network. Apart from credential dumping, the malware also tries to steal credentials by calling the CredEnumerateW function to retrieve all the other user credentials from the credential store.
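The two lateral-movement behaviours just described (sweeping neighbours on tcp/139 and tcp/445, then pushing a binary over admin$ and launching it with psexec) leave a recognisable trace in endpoint telemetry. The following detector is an added example written for this page, not Microsoft's or any vendor's code: the Sysmon-style event layout, the constructed sample events (`ws01` sweeping seven neighbours, `ws02` doing ordinary file-server traffic) and the thresholds are all assumptions, chosen to show how a network sweep and an ADMIN$/psexec push from the same host can be correlated.

```python
"""Correlate SMB port sweeps with ADMIN$ writes / psexec launches per host.

Added example (not from the original article). Event shape, sample data and
thresholds are assumptions made for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}
SWEEP_THRESHOLD = 5             # distinct peers on SMB ports within WINDOW
WINDOW = timedelta(minutes=2)

# Constructed sample telemetry (not real data). kind is "net" or "proc".
EVENTS = [
    # ws01 touches seven different neighbours on tcp/445 within 35 seconds
    {"ts": "2017-06-27T10:30:00", "kind": "net", "host": "ws01", "dst": "10.0.5.11", "dport": 445},
    {"ts": "2017-06-27T10:30:05", "kind": "net", "host": "ws01", "dst": "10.0.5.12", "dport": 445},
    {"ts": "2017-06-27T10:30:10", "kind": "net", "host": "ws01", "dst": "10.0.5.13", "dport": 445},
    {"ts": "2017-06-27T10:30:15", "kind": "net", "host": "ws01", "dst": "10.0.5.14", "dport": 139},
    {"ts": "2017-06-27T10:30:20", "kind": "net", "host": "ws01", "dst": "10.0.5.15", "dport": 445},
    {"ts": "2017-06-27T10:30:25", "kind": "net", "host": "ws01", "dst": "10.0.5.16", "dport": 445},
    {"ts": "2017-06-27T10:30:30", "kind": "net", "host": "ws01", "dst": "10.0.5.17", "dport": 445},
    # ws01 then copies a file to a peer's ADMIN$ share and runs it via psexec
    {"ts": "2017-06-27T10:31:00", "kind": "proc", "host": "ws01",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c copy C:\\tmp\\payload.exe \\\\10.0.5.12\\admin$\\payload.exe"},
    {"ts": "2017-06-27T10:31:05", "kind": "proc", "host": "ws01",
     "image": "C:\\Windows\\psexec.exe",
     "cmdline": "psexec.exe \\\\10.0.5.12 C:\\Windows\\payload.exe"},
    # ws02: two file-server connections ten minutes apart, normal behaviour
    {"ts": "2017-06-27T10:30:00", "kind": "net", "host": "ws02", "dst": "10.0.1.5", "dport": 445},
    {"ts": "2017-06-27T10:40:00", "kind": "net", "host": "ws02", "dst": "10.0.1.6", "dport": 445},
]

# "\\host\admin$" inside a command line; "\\host" as first argument to psexec
ADMIN_SHARE_RE = re.compile(r"\\\\(?P<target>[\w.\-]+)\\admin\$", re.IGNORECASE)
UNC_HOST_RE = re.compile(r"\\\\(?P<target>[\w.\-]+)")


def parse_ts(value):
    return datetime.fromisoformat(value)


def find_smb_sweeps(events, threshold=SWEEP_THRESHOLD, window=WINDOW):
    """Return {host: peer_count} for hosts that reached >= threshold distinct
    peers on tcp/139 or tcp/445 inside any sliding window of length `window`."""
    by_host = defaultdict(list)
    for e in events:
        if e["kind"] == "net" and e["dport"] in SMB_PORTS:
            by_host[e["host"]].append((parse_ts(e["ts"]), e["dst"]))
    sweeps = {}
    for host, conns in by_host.items():
        conns.sort()
        best = 0
        for i, (t_end, _) in enumerate(conns):
            # distinct peers contacted in the window ending at this connection
            peers = {dst for t, dst in conns[: i + 1] if t >= t_end - window}
            best = max(best, len(peers))
        if best >= threshold:
            sweeps[host] = best
    return sweeps


def find_admin_share_pushes(events):
    """Return [(host, target, reason)] for ADMIN$ writes and psexec launches."""
    hits = []
    for e in events:
        if e["kind"] != "proc":
            continue
        cmd = e.get("cmdline", "")
        image = e.get("image", "").lower()
        m = ADMIN_SHARE_RE.search(cmd)
        if m:
            hits.append((e["host"], m.group("target"), "write to ADMIN$"))
        elif image.endswith("psexec.exe"):
            m = UNC_HOST_RE.search(cmd)
            hits.append((e["host"], m.group("target") if m else "?", "psexec launch"))
    return hits


def correlate(events):
    """Findings for hosts that both swept SMB ports and pushed over ADMIN$/psexec."""
    sweeps = find_smb_sweeps(events)
    return [
        {"host": host, "target": target, "reason": reason, "smb_peers": sweeps[host]}
        for host, target, reason in find_admin_share_pushes(events)
        if host in sweeps
    ]


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

The sweep detector deliberately counts distinct destinations rather than raw connection attempts, so a workstation hammering one file server does not trip it, while a host walking a subnet does; the ADMIN$ and psexec matches are weak on their own (administrators use both) and only become a finding when the same host has also swept.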
The malware then decides whether to encrypt the system depending on the privilege level of the malware process; this is implemented with an XOR-based hashing algorithm whose output is checked against embedded hash values and used as a behavior exclusion.
Next, the ransomware writes to the master boot record (MBR) and sets up the system to reboot. It also uses the scheduled tasks functionality to shut down the machine after 10 minutes. Petya then displays a fake error message, followed by the actual ransom message shown below.
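The reboot is what hands control to the malicious MBR, so a one-shot scheduled task that reboots the host a few minutes after it is created is worth alerting on. Below is an added example (not Microsoft's code and not taken from the article) that parses `schtasks /Create` command lines from process-creation records and flags tasks whose action is a shutdown or reboot, or which are due to fire within a short time of creation. The sample command lines, the task name and the 15-minute "soon" threshold are constructed for illustration.

```python
"""Flag schtasks /Create invocations that reboot/shut down the host soon.

Added example (not from the original article). The sample command lines,
task names and the `soon` threshold are constructed assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed process-creation records: (creation time, command line)
SAMPLE = [
    ("2017-06-27T14:32:10",
     'schtasks /Create /SC once /TN "sysupdate" /TR "C:\\Windows\\system32\\shutdown.exe /r /f" /ST 14:42'),
    ("2017-06-27T14:32:11",
     'schtasks /Create /SC daily /TN "Backup" /TR "C:\\Tools\\backup.exe" /ST 02:00'),
    ("2017-06-27T14:32:12", "schtasks /Query /FO LIST"),
    ("2017-06-27T14:32:13", "cmd.exe /c dir C:\\Users"),
]

# Quoted strings become one token; everything else splits on whitespace.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmd):
    return [quoted if quoted else bare for quoted, bare in TOKEN_RE.findall(cmd)]


def parse_schtasks(cmd):
    """Return {FLAG: value_or_True} for a schtasks command line, else None."""
    toks = tokenize(cmd)
    if not toks:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("schtasks", "schtasks.exe"):
        return None
    args, i = {}, 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            key = tok[1:].upper()
            # a flag takes the next token as its value unless that is another flag
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                args[key] = toks[i + 1]
                i += 2
            else:
                args[key] = True
                i += 1
        else:
            i += 1
    return args


def assess(created_at, cmd, soon=timedelta(minutes=15)):
    """Return a list of reasons to alert on this command line, or None."""
    args = parse_schtasks(cmd)
    if args is None or "CREATE" not in args:
        return None
    reasons = []
    action = str(args.get("TR", "")).lower()
    if "shutdown" in action and ("/r" in action or "/s" in action):
        reasons.append("task action reboots or powers off the host")
    start = args.get("ST")
    if isinstance(start, str) and str(args.get("SC", "")).lower() == "once":
        t0 = datetime.fromisoformat(created_at)
        hh, mm = (int(x) for x in start.split(":")[:2])
        run_at = t0.replace(hour=hh, minute=mm, second=0, microsecond=0)
        if run_at < t0:               # /ST earlier than now means tomorrow
            run_at += timedelta(days=1)
        delta = run_at - t0
        if delta <= soon:
            reasons.append(f"one-shot task due in {int(delta.total_seconds() // 60)} min")
    return reasons or None


def scan(records):
    """Return [(created_at, cmd, reasons)] for records worth alerting on."""
    hits = []
    for created_at, cmd in records:
        reasons = assess(created_at, cmd)
        if reasons:
            hits.append((created_at, cmd, reasons))
    return hits


if __name__ == "__main__":
    for created_at, cmd, reasons in scan(SAMPLE):
        print(created_at, "|", cmd, "|", "; ".join(reasons))
```

Only the first sample record is flagged, on both counts (a shutdown/reboot action and a one-shot task due in 9 minutes); the daily backup task, the query and the unrelated cmd.exe invocation pass through. On a real fleet the same logic would sit over Sysmon event ID 1 or Security event 4688 command lines.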
The ransomware then attempts to encrypt all files with a given set of extensions across all drives, except for C:\Windows. A separate AES key is generated per fixed drive; that key is exported and encrypted with the attacker's embedded 2048-bit RSA public key, says Microsoft.