New Ransomware Follows WannaCry Exploits

Author: Aamir Lakhani | Date: Tue, 27 Jun 2017 17:00:00 +0000

We are currently tracking a new ransomware variant sweeping across the globe known as Petya. It is currently having an impact on a wide range of industries and organizations, including critical infrastructure such as energy, banking, and transportation systems.

This is a new generation of ransomware designed to take timely advantage of recent exploits. This version targets the same vulnerabilities that were exploited during the WannaCry attack this past May. We are referring to this latest attack as a ransomworm: rather than targeting a single organization, it uses a broad-brush approach, attacking any device that its attached worm component is able to exploit.

It appears that this attack started with the distribution of an Excel document that exploits a known Microsoft Office vulnerability. Once a device is infected through this vector, Petya takes advantage of the same SMB vulnerability used by WannaCry to spread to other devices. The worm-like behavior exhibited by this malware comes from its active probing for SMB servers. It appears to be spreading through EternalBlue and WMIC.
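The SMB side of that spread is what the IPS signatures listed at the end of this post cover. The WMIC side is visible in endpoint process-creation telemetry instead: wmic.exe launched with a /node: switch naming another host and a "process call create" verb. The following detection logic is an added example, not code from the original post or from Fortinet; the pipe-delimited log format, host names, IP addresses, user names and payload path are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation records (not real telemetry). Each line carries
# the fields a Windows 4688 or Sysmon event-1 record would: host|user|image|cmdline.
SAMPLE_LOG = r"""
WS01|CORP\alice|C:\Windows\System32\wbem\WMIC.exe|wmic /node:10.0.0.7 /user:CORP\alice /password:Pa55 process call create "rundll32.exe C:\Windows\payload.dll,#1"
WS01|CORP\alice|C:\Windows\System32\wbem\WMIC.exe|wmic /node:10.0.0.8 /user:CORP\alice /password:Pa55 process call create "rundll32.exe C:\Windows\payload.dll,#1"
WS01|CORP\alice|C:\Windows\System32\wbem\WMIC.exe|wmic /node:10.0.0.9 /user:CORP\alice /password:Pa55 process call create "rundll32.exe C:\Windows\payload.dll,#1"
WS02|CORP\bob|C:\Windows\System32\wbem\WMIC.exe|wmic csproduct get uuid
WS03|CORP\svc-inv|C:\Windows\System32\wbem\WMIC.exe|wmic /node:10.0.0.20 os get caption
WS04|CORP\carol|C:\Windows\System32\cmd.exe|cmd /c dir C:\Users
WS05|CORP\dave|C:\Windows\System32\wbem\WMIC.exe|wmic /node:"10.0.0.30","10.0.0.31" process call create "cmd /c whoami"
"""

# WMIC's /node: switch takes one host or a comma-separated, optionally quoted list.
NODE_RE = re.compile(r"/node:(\S+)", re.IGNORECASE)
# The verb that creates a process on the named host(s).
PROC_CREATE_RE = re.compile(r"\bprocess\s+call\s+create\b", re.IGNORECASE)


def parse_record(line: str):
    """Split one constructed log line into its four fields; None for malformed lines."""
    fields = line.strip().split("|", 3)
    if len(fields) != 4:
        return None
    host, user, image, cmdline = fields
    return {"host": host, "user": user, "image": image, "cmdline": cmdline}


def remote_targets(cmdline: str) -> list:
    """Hosts named by /node:, with surrounding quotes stripped from each entry."""
    m = NODE_RE.search(cmdline)
    if not m:
        return []
    return [t.strip('"') for t in m.group(1).split(",") if t.strip('"')]


def is_remote_wmic_exec(image: str, cmdline: str) -> bool:
    """True when wmic.exe is used to create a process on at least one remote host."""
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return (exe == "wmic.exe"
            and PROC_CREATE_RE.search(cmdline) is not None
            and bool(remote_targets(cmdline)))


def remote_exec_events(log_text: str) -> list:
    """One (source host, user, target host, cmdline) tuple per remote execution target."""
    events = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and is_remote_wmic_exec(rec["image"], rec["cmdline"]):
            for target in remote_targets(rec["cmdline"]):
                events.append((rec["host"], rec["user"], target, rec["cmdline"]))
    return events


def find_lateral_movement(log_text: str, min_targets: int = 2) -> dict:
    """Source hosts that spawned processes on at least min_targets distinct remote hosts."""
    targets_by_host = defaultdict(set)
    for host, _user, target, _cmd in remote_exec_events(log_text):
        targets_by_host[host].add(target)
    return {h: sorted(t) for h, t in targets_by_host.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for host, targets in find_lateral_movement(SAMPLE_LOG).items():
        print("%s created processes on %d hosts: %s" % (host, len(targets), ", ".join(targets)))
```

The local inventory query on WS02 and the remote read-only query on WS03 are deliberately left unflagged: remote WMI queries are common in administration, and the signal here is one source creating processes on several hosts in a short window. The threshold is a tuning knob; an admin host that legitimately pushes software will need to be allow-listed rather than alerted on.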

Once a vulnerable device has been targeted, Petya appears to impair the Master Boot Record (MBR) during the infection cycle. It then presents the user with a ransom note stating, “Your files are no longer accessible because they have been encrypted,” and demanding a ransom of approximately $300 in Bitcoin. The note also warns that shutting down the computer will result in the complete loss of the system.

This is a different tactic than a countdown clock or the gradual erasing of data files as seen in other versions of ransomware. With most ransomware attacks, the only potential loss is data. Because Petya alters the Master Boot Record, the risk is the loss of the entire system. In addition, it initiates a reboot of the system on a one-hour cycle, adding an additional denial of service element to the attack.
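Because the damage described above is done to the first sector of the disk rather than to files, the check a responder wants is a comparison of that sector against a known-good baseline. The following is an added example, not code from the original post or from Fortinet: it parses a 512-byte MBR (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature), fingerprints the bootstrap code, and reports deviations. The sample sectors are constructed in the block; the device paths in read_mbr's docstring are the usual ones and are not taken from the post.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446        # bootstrap code occupies bytes 0..445
PART_ENTRY_SIZE = 16           # four partition entries of 16 bytes follow it
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"


def read_mbr(path: str) -> bytes:
    r"""Read the first sector of a disk image or raw device (e.g. /dev/sda, \\.\PhysicalDrive0)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, four partition entries and the signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        status, ptype, lba_start, lba_count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + i * PART_ENTRY_SIZE)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "lba_count": lba_count})
    return {"bootstrap": sector[:PART_TABLE_OFFSET], "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}


def bootstrap_fingerprint(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only; the partition table may change for legitimate reasons."""
    return hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest()


def check_mbr(sector: bytes, baseline_fingerprint: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    mbr = parse_mbr(sector)
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if bootstrap_fingerprint(sector) != baseline_fingerprint:
        findings.append("bootstrap code differs from baseline")
    used = [p for p in mbr["partitions"] if p["type"] != 0]
    if not used:
        findings.append("partition table is empty")
    elif not any(p["bootable"] for p in used):
        findings.append("no partition is flagged bootable")
    ranges = sorted((p["lba_start"], p["lba_start"] + p["lba_count"]) for p in used)
    for (_, end_a), (start_b, _) in zip(ranges, ranges[1:]):
        if start_b < end_a:
            findings.append("partition ranges overlap")
            break
    return findings


def build_mbr(bootstrap: bytes, partitions: list, signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Assemble a sector from bootstrap bytes and (bootable, type, lba_start, lba_count) tuples."""
    code = bootstrap[:PART_TABLE_OFFSET].ljust(PART_TABLE_OFFSET, b"\x00")
    table = b"".join(struct.pack(PART_ENTRY_FMT, 0x80 if bootable else 0x00, ptype, start, count)
                     for bootable, ptype, start, count in partitions)
    return code + table.ljust(4 * PART_ENTRY_SIZE, b"\x00") + signature


# Constructed samples (not captured from a real disk).
# Known good: a stub of bootstrap code and one bootable NTFS partition starting at LBA 2048.
GOOD_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32,
                     [(True, 0x07, 2048, 1_000_000)])
BASELINE = bootstrap_fingerprint(GOOD_MBR)
# Tampered: foreign bootstrap code and an emptied partition table.
TAMPERED_MBR = build_mbr(b"\xfa\x31\xc0" + b"\xcc" * 100, [])
# Unsigned: the good sector with its 0x55AA signature zeroed.
UNSIGNED_MBR = GOOD_MBR[:510] + b"\x00\x00"

if __name__ == "__main__":
    for name, sector in (("good", GOOD_MBR), ("tampered", TAMPERED_MBR), ("unsigned", UNSIGNED_MBR)):
        print(name, check_mbr(sector, BASELINE) or ["ok"])
```

The baseline fingerprint has to be captured while the system is known good and stored off the host; a bootloader update or OS reinstall legitimately changes it, so a mismatch is a prompt to look, not proof of compromise on its own. Given the forced reboot the post describes, the useful moment to read the sector from a suspect machine is before that reboot, or afterwards from rescue media with the disk attached.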

Curiously, in addition to the Microsoft Office exploit, Petya uses the same attack vector as WannaCry, exploiting the identical Microsoft vulnerabilities that were leaked by the Shadow Brokers earlier this year. However, because additional attack vectors were used in this attack, patching alone would have been inadequate to stop it completely, which means that patching needs to be combined with good security tools and practices. Fortinet customers, for example, were protected from all attack vectors, as they were detected and blocked by our ATP, IPS, and NGFW solutions. In addition, our AV team issued a new antivirus signature within a few hours of the discovery to enhance the first line of defense.

There are a couple of really interesting aspects to this attack. The first is that, in spite of the highly publicized disclosure of the Microsoft vulnerabilities and patches, and the world-wide nature of the follow-up WannaCry attack, there are apparently still thousands of organizations, including those managing critical infrastructure, that have failed to patch their devices. The second is that this may simply be a test for delivering future attacks targeted at newly disclosed vulnerabilities.

Also, from a financial perspective, WannaCry was not very successful, as it generated very little revenue for its developers. This was in part because researchers were able to find a kill switch that disabled the attack. Petya’s payload, however, is much more sophisticated, though it remains to be seen whether it will be more financially successful than its predecessor.

So far, two things are clear: 1) far too many organizations practice poor security hygiene. When an exploit targets a known vulnerability for which a patch has been available for months or years, victims only have themselves to blame. Key elements of this attack targeted vulnerabilities for which patches had been available for some time. And 2), these same organizations also do not have adequate tools in place to detect these sorts of exploits.

Ransomware is Here to Stay

The rise of ransomware over the past year, along with a surprising array of variants, has been dramatic. We now see and track several types of ransomware.

Traditionally, ransomware is a targeted attack, meaning that the victim is selected beforehand and the attack is designed to specifically target that individual organization or network. In this case, critical resources are encrypted, such as data, and a ransom is demanded in order to provide a key to unlock them.

We have also seen the rise of denial-of-service-based ransomware. This can take several forms. In the first, a denial of service attack is aimed at an organization and overwhelms its services, making them unavailable to customers and users. A ransom is demanded to turn it off.

Mirai, which was launched last August and September, produced the largest denial of service attack in history, in part because it leveraged hundreds of thousands of exploited IoT devices. Recently, a new Mirai-like IoT-based botnet called Hajime used exploited DVR devices to target organizations with an overwhelming DDoS attack combined with a demand for ransom to turn it off. Hajime is a next-generation IoT exploit. It is cross-platform, currently supporting five different platforms; it includes a toolkit with automated tasks and dynamic, updatable password lists; and it tries to mimic human behavior to make less noise so it can stay under the detection radar.

An interesting twist has been the development of ransomware as a service (RaaS), allowing less technical criminals to leverage ransomware technology to start their own extortion businesses in exchange for providing the developers with a cut of any profits. Within this family we recently saw the very first RaaS ransomware targeting MacOS, which has thus far largely remained under the radar of attackers. However, since the profile of Mac users tends to include both engineers and corporate executives, the advent of attacks targeting these devices should not come as a surprise.

What we are seeing now are two additional techniques being added to the family of ransomware threats. With WannaCry, we saw ransomware designers for the first time combine ransomware with a worm to speed its delivery and expand the scale and scope of the attack. And now, with Petya, we see the addition of targeting the Master Boot Record to up the ante on the consequences of failing to pay the demanded ransom, from simply losing personal files, which may have been backed up, to potentially losing the entire device.

What protections does Fortinet provide?

AV Signature:

W32/Petya.EOB!tr

W32/Agent.YXH!tr

Other signatures are being investigated.

IPS Signature:

MS.Office.RTF.File.OLE.autolink.Code.Execution

(released June 27th, 2017)

MS.SMB.Server.SMB1.Trans2.Secondary.Handling.Code.Execution

(released March 14th, 2017, updated May 10th, 2017)

In addition, Fortinet’s WannaCry IPS rules appear to protect against exploits targeting these vulnerabilities. Fortinet teams are verifying this claim.

Sandbox Detection:

Fortinet Sandbox (FSA) detects this attack.

TOR Communications:

Block TOR Outbound traffic via AppControl signatures.


More on Petya and WannaCry

https://blog.fortinet.com/feed