Breaking: Petya Ransomware Attack Spreading Worldwide

This morning, a major ransomware attack similar to last month’s WannaCry attack began spreading worldwide. The GreatHorn security team is currently monitoring this attack and providing automated support to clients.

Currently, here is what we know about this attack:

  • The initial point of infection is a phishing email from the sender [email protected]. The email includes a Word attachment infected with a strain of the Petya malware (specifically the variant known as Petrwrap); initial indicators of compromise suggest that the Word file is entitled “Order-20062017.doc” and exploits CVE-2017-0199. Once initiated, the ransomware uses the same remote vulnerability (ETERNALBLUE) as WannaCry to distribute itself to other Windows machines on the same network.
  • The Word file itself connects to a variety of compromised endpoints (the most common appear to be french-cooking.com and coffeinoffice.xyz) to download the Petya variant used in this attack, launches the binary, encrypts the local hard drive, wipes the system log, and forces a reboot.
  • As of 12:30PM EST, no kill switch to this attack has been identified.

Our specific recommendations:

  • Install Microsoft’s patch for this vulnerability if you have not done so already: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  • Block inbound connections on TCP Port 445
  • Block incoming email from [email protected]; GreatHorn clients of Inbound Email Security are automatically being provided with Policy-level support to move these messages to a “Danger-Phishing” folder.
  • Update all instances of Office on your local network, to minimize the risk of infection should the phishing email vector change

We are continuing to monitor for evidence of this malware, and will provide additional information and remediation support as our investigation continues.

If you have any questions or concerns, please feel free to contact the GreatHorn team at [email protected].

Worldwide Ransomware Attack Brings Down NHS, Telefonica

A major ransomware attack hit the UK’s National Health Service, Spain’s Telefonica mobile telephone network, and various smaller companies across 74 countries on May 12, 2017. One of the largest global cyberattacks to date, it relied upon a modified version of a known ransomware kit (Wanna Decrypt0r, also known as WannaCry or WCRY), and at its peak, spread at an estimated rate of 5 million infected emails per hour.

As of this writing (May 13, 2017), the attack has been neutralized for some systems, by way of a DNS sinkhole. The initial malware contained code that caused the attack to terminate if a specific website was online (likely part of the development process for the file), and the destination has now been sinkholed and redirected to a site that causes the infection to shut down instead of spreading. However, systems running behind a proxy are still susceptible to attack.

Creating a local DNS entry that redirects www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com (the check URL used by the worm that spreads the malware) to a local IP is a critical step, should the sinkhole fail.

Interestingly, the malware used was described in NSA documents that were stolen and leaked in April of 2017, by a group known as the Shadow Brokers.

Infected Windows machines around the world were being used to propagate the attack. The initial infection vector was via a Word file, which deployed the WCRY malware; once opened, the ransomware encrypts a Windows machine’s files, and then uses a remote vulnerability through Windows’ network file share protocol (SMB) to distribute itself to other Windows machines on the same network.

What was critically different here was that due to the nature of the exploit, if even one machine were infected, it would automatically spread to all other vulnerable machines on the same network. This self-propagation is why the attack was so widespread, and while the Windows exploit which this attack uses was patched on March 14, 2017 (full details are here), many networks and companies had not yet patched their systems to prevent exploit.

Once infected, these machines’ desktop wallpaper was changed, and the malware would then display a message requiring BitCoin payment within a certain timeframe or else the encrypted data would supposedly be deleted:

[Image: Wanna Decryptor ransom screen]

Along with the warning message above, users were also presented with a readme file explaining what they need to do in order to regain access to their files (namely, transfer $300 USD via BitCoin to the attackers).

The encryption routine in the malware targets the following file types, appending the extension .WCRY to the end of each encrypted file’s name:

.lay6
.sqlite3
.sqlitedb
.accdb
.java
.class
.mpeg
.djvu
.tiff
.backup
.vmdk
.sldm
.sldx
.potm
.potx
.ppam
.ppsx
.ppsm
.pptm
.xltm
.xltx
.xlsb
.xlsm
.dotx
.dotm
.docm
.docb
.jpeg
.onetoc2
.vsdx
.pptx
.xlsx
.docx
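As an added example (not code from the GreatHorn post), the renaming pattern above can be turned into a simple triage check: walk a tree, find files whose name ends in a targeted extension followed by .WCRY, and estimate how far encryption has progressed. The 5% threshold and the sample tree are constructed for illustration.

```python
"""Added example, not from the GreatHorn post: detect the WannaCry renaming
pattern (targeted extension followed by ".WCRY") in a directory tree.
The 5% threshold and the sample tree are constructed values."""
import os
import tempfile

# Extension list as reproduced in the post (lower-case, leading dot).
TARGETED_EXTENSIONS = {
    ".lay6", ".sqlite3", ".sqlitedb", ".accdb", ".java", ".class", ".mpeg",
    ".djvu", ".tiff", ".backup", ".vmdk", ".sldm", ".sldx", ".potm", ".potx",
    ".ppam", ".ppsx", ".ppsm", ".pptm", ".xltm", ".xltx", ".xlsb", ".xlsm",
    ".dotx", ".dotm", ".docm", ".docb", ".jpeg", ".onetoc2", ".vsdx", ".pptx",
    ".xlsx", ".docx",
}
RANSOM_SUFFIX = ".wcry"

def original_extension(filename):
    """Return the targeted extension hidden under ".WCRY", or None."""
    lower = filename.lower()
    if not lower.endswith(RANSOM_SUFFIX):
        return None
    ext = os.path.splitext(lower[: -len(RANSOM_SUFFIX)])[1]
    return ext if ext in TARGETED_EXTENSIONS else None

def scan_tree(root):
    """Walk root; return (encrypted file paths, count of targeted files still intact)."""
    encrypted, intact = [], 0
    for dirpath, _, files in os.walk(root):
        for name in files:
            if original_extension(name):
                encrypted.append(os.path.join(dirpath, name))
            elif os.path.splitext(name.lower())[1] in TARGETED_EXTENSIONS:
                intact += 1
    return encrypted, intact

def verdict(encrypted, intact, threshold=0.05):
    """Classify a tree by the share of targeted files already renamed."""
    total = len(encrypted) + intact
    if total == 0:
        return "no targeted files"
    return "likely encrypted" if len(encrypted) / total >= threshold else "clean"

def build_sample_tree():
    """Constructed sample: two renamed files, one intact target, one irrelevant file."""
    root = tempfile.mkdtemp(prefix="wcry-sample-")
    os.mkdir(os.path.join(root, "sub"))
    for rel in ("q1.xlsx.WCRY", "sub/plan.docx.WCRY", "sub/todo.pptx", "readme.txt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample content\n")
    return root
```

Run scan_tree() against a file server share from a clean machine; a non-zero verdict is a reason to isolate the share, not proof that the share is safe otherwise, since files are renamed only after encryption.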

Why This Attack Was So Dangerous

The most significant threat here was from unpatched machines with a recent vulnerability. While a patch existed at the time of infection, it was not universally deployed. Coupled with the auto-propagating nature of the attack, a large number of machines were compromised rapidly.

The primary attack vector for this attack is believed to have been a non-targeted phishing campaign. Increasingly, phishing scams combine malware distribution with advanced deception tactics, designed to trick users with a variety of social engineering techniques, including:

  • Display Name Spoofs, which use a valid email address (such as a newly registered account with Gmail, Yahoo, Outlook, or similar service) in combination with the Display Name, or “friendly” first and last name that most email clients display, to deceive a user into believing that they have received a message from a known contact.

    Identifying Display Name spoofs manually requires that every email for every user be analyzed at the mail header level. Automated analytics (including GreatHorn’s Inbound Email Security platform) will highlight any email whose Display Name / From: combination may be a deception attack.

  • Lookalike / Cousin Domain Attacks, where the attacker combines fully registered and validated domains that are visually similar to a company’s own domain with the actual attack payload, in this case, the malware.

    Again, manually reviewing all of the mail headers can be helpful here, although training users to do so with every single email they receive can be difficult at best. Automated analytics can identify look-alike domains and automatically alert users to fraud attempts.
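The two header-level checks described above, as an added example that is not GreatHorn's code: a display-name spoof is a From: whose friendly name matches a known contact while the address does not, and a lookalike domain is one that, after folding common visual substitutions, sits within a small edit distance of the organisation's own domain. The contact list, the domain and the sample headers are constructed.

```python
"""Added example (not GreatHorn's code): flag display-name spoofs and
lookalike domains from a From: header.  OUR_DOMAIN, KNOWN_CONTACTS and the
confusable table are constructed assumptions."""
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                    # constructed
KNOWN_CONTACTS = {                            # constructed contact directory
    "jane doe": "jane.doe@example.com",
    "acme billing": "billing@acme-supplier.com",
}
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def normalise(domain):
    """Fold common visual substitutions before measuring distance."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a, b):
    """Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyse_from(header_value, max_distance=2):
    """Return a list of findings for one From: header value (empty if clean)."""
    name, addr = parseaddr(header_value)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    # Display-name spoof: friendly name belongs to a known contact, address does not.
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and expected != addr:
        findings.append(f"display-name spoof: '{name}' expected <{expected}>")
    # Lookalike domain: close to our own domain once confusables are folded.
    if domain and domain != OUR_DOMAIN:
        if edit_distance(normalise(domain), OUR_DOMAIN) <= max_distance:
            findings.append(f"lookalike domain: {domain} resembles {OUR_DOMAIN}")
    return findings
```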

Mitigation and Response

  • Implement infection prevention within email systems, focused on identifying infected files (especially Word documents) and unusual senders, spoofs, and impersonation attempts. Rapidly changing malware can often circumvent legacy email gateway defenses, especially if the attack does not directly attach the infected file within the email itself, but instead delivers it via URL or link. Post-delivery protection is essential for both detection and response while endpoint and anti-malware tools catch up, and being able to rapidly identify and remove infected messages even if they get past the perimeter is critical to protecting against threats.
  • Patch all potentially vulnerable machines for MS17-010 (“ETERNALBLUE” and “DOUBLEPULSAR”).
  • Remove outdated Windows NT, Windows 2000, Windows XP, and Windows Server 2000-2003 machines from production.
  • Disable SMBv1 on SMB shares (especially on machines that cannot be removed) with the following PowerShell command:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
  • Filter SMB (TCP/445), NetBIOS (TCP/139), and RDP (TCP/3389) traffic at the firewall level, ensuring that infected machines cannot spread the malware if present within your network.

What To Expect Next

This is the second time a major attack has propagated over email within the past two weeks, and it’s highly likely that the criminals behind these attacks are in the process of improving the sophistication of both their primary attack tools (the malware and ransomware they use) as well as their techniques and tactics.

More generally, this attack demonstrates the importance of not relying on security awareness training alone; as the scope and efficacy of this incident reveal, training (traditionally a compliance effort) cannot adequately modify the behavior of every user at every company in the world — and given the rapid spread of an attack that spreads in the way that WCRY does, it only takes a single compromised account to bring down millions of machines and organizations in minutes.