{"id":84476,"date":"2017-06-30T17:24:55","date_gmt":"2017-06-30T11:54:55","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=84476"},"modified":"2017-06-30T17:28:09","modified_gmt":"2017-06-30T11:58:09","slug":"technical-analysis-recent-petya-ransomware-attack","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/technical-analysis-recent-petya-ransomware-attack\/","title":{"rendered":"A technical analysis of the recent Petya ransomware attack"},"content":{"rendered":"

Earlier this week, a new variant of Petya Ransomware was spotted which was creating havoc all over Europe as well as major parts of Asia including India. The major target for Petya has been Ukraine as its major banks and also the power services were hit by the attack.<\/p>\n

It\u2019s a new version of the old Petya ransomware which was spotted back in 2016. The new variant seems to have hit the world with a bang and is following the Wannacry propagation technique.<\/p>\n

This new version of Petya is more dangerous than other ransomware in a way that it doesn’t just encrypt user\u2019s data, it also encrypts master file table (MFT<\/a>) & overwrites the Master boot record (MBR<\/a>). Let\u2019s take a look at the details of this attack.<\/p>\n

Petya Ransomware<\/strong><\/p>\n

The ransomware upon execution drops two components. Both the components are present in the resource section of the ransomware binary in a compressed form.<\/p>\n

Dropped components<\/strong><\/p>\n\n\n\n\n\n
Component<\/td>\nDescription<\/td>\n<\/tr>\n
c:\\windows\\dllhost.dat<\/td>\nPSEXEC utility from Sysinternals toolkit<\/td>\n<\/tr>\n
%TEMP%\\<random name>.tmp<\/td>\nCustom built password dumper tool similar as Mimikatz<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Fig 1. Dropped components of Petya ransomware<\/p>\n

The ransomware acquires required privileges and steals the credentials of active sessions using a custom built password dumper tool similar to Mimikatz.<\/p>\n

\"petya-analysis-1\"<\/p>\n

Fig 2. Acquires required privileges<\/p>\n

The first method used for spreading is exploiting the vulnerability reported in MS17-010<\/a> security bulletin. The exploit \u2019ETERNALBLUE\u2019 is fired on unpatched machines. If SMB vulnerability is patched then it uses PSEXEC and WMIC technique as described below for the propagation on the network. It scans the local network for \u2018admin$\u2019, shares and copies itself across the network. It also executes the newly copied malware binary remotely using PSEXEC as shown below.<\/p>\n

\"Fig
Fig 3. Ransomware propagation using PSEXEC<\/figcaption><\/figure>\n

One more method for remote process execution used by the ransomware is using Windows Management Instrumentation Command-line (WMIC) for executing the ransomware remotely with stolen credentials. The command used for WMIC is shown in the below code snippet.<\/p>\n

\"Fig
Fig 4. Ransomware propagation using WMIC<\/figcaption><\/figure>\n

Where \u201c%ws\u201d is wide string for the current machine name and the user credentials.<\/p>\n

Encryption<\/strong><\/p>\n

The ransomware writes its own malicious code to the master boot record (MBR<\/a>) and encrypts MFT<\/a>. Below code snippet shows how it writes to MBR.<\/p>\n

\"Fig
Fig 5. Ransomware writes to MBR and encrypts MFT<\/figcaption><\/figure>\n

Once MBR is infected, it schedules a restart of the computer after 10 to 60 minutes from current time. For restarting, it uses \u2018shutdown.exe\u2019 in combination with service creation or \u2018at\u2019 command.<\/p>\n

\"Fig
Fig 6. The ransomware schedules a restart of affected system<\/figcaption><\/figure>\n

Once the affected system restarts, the ransomware displays a CHKDSK message and continues encryption in the background as shown below.<\/p>\n

\"Fig
Fig 7. CHKDSK message after restart<\/figcaption><\/figure>\n

The ransomware encrypts following types of files present on the system<\/p>\n\n\n\n\n\n\n\n\n\n
.3ds<\/td>\n.7z<\/td>\n.accdb<\/td>\n.ai<\/td>\n.asp<\/td>\n.a<\/td>\nspx<\/td>\n.avhd<\/td>\n.back<\/td>\n.bak<\/td>\n<\/tr>\n
.c<\/td>\n.cfg<\/td>\n.conf<\/td>\n.cpp<\/td>\n.cs<\/td>\n.ctl<\/td>\n.dbf<\/td>\n.disk<\/td>\n.djvu<\/td>\n.doc<\/td>\n<\/tr>\n
.docx<\/td>\n.dwg<\/td>\n.eml<\/td>\n.fdb<\/td>\n.gz<\/td>\n.h<\/td>\n.hdd.<\/td>\ndbx<\/td>\n.mail<\/td>\n.mdb<\/td>\n<\/tr>\n
.msg<\/td>\n.nrg<\/td>\n.ora<\/td>\n.ost<\/td>\n.ova<\/td>\n.ovf<\/td>\n.pdf<\/td>\n.php<\/td>\n.pmf<\/td>\n.ppt<\/td>\n<\/tr>\n
.pptx<\/td>\n.pst<\/td>\n.pvi<\/td>\n.py<\/td>\n.pyc<\/td>\n.rar<\/td>\n.rtf<\/td>\n.sln<\/td>\n.sql<\/td>\n.tar<\/td>\n<\/tr>\n
.vbox<\/td>\n.vbs<\/td>\n.vcb<\/td>\n.vdi<\/td>\n.vfd<\/td>\n.vmc<\/td>\n.vmdk<\/td>\n.vmsd<\/td>\n.vmx<\/td>\n.vsdx<\/td>\n<\/tr>\n
.vsv<\/td>\n.work<\/td>\n.xls<\/td>\n.xlsx<\/td>\n.xvd<\/td>\n.zip<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Fig 8. File extension list<\/p>\n

The files are encrypted with AES-128 algorithm. One AES key is used to encrypt files of one drive only. The AES-128 key used for file encryption is further encrypted with RSA-2048 encryption algorithm. The public key used for RSA is present in binary itself in base64 encoded form.<\/p>\n

Upon the complete execution, the below ransom screen is displayed.<\/p>\n

 <\/p>\n

\"Fig
Fig 9. Petya ransom screen<\/figcaption><\/figure>\n

Quick Heal Detection<\/strong><\/p>\n

\"Fig
Fig 10. Prompt by Quick Heal Virus Protection<\/figcaption><\/figure>\n

 <\/p>\n

\"Fig
Fig 11. Prompt by Quick Heal Behavior Detection System<\/figcaption><\/figure>\n

Quick Heal users are protected from the Petya ransomware attack.<\/strong><\/p>\n

Indicators of compromise:<\/strong><\/p>\n

71B6A493388E7D0B40C83CE903BC6B04
\nE285B6CE047015943E685E6638BD837E
\nc:\\windows\\dllhost.dat
\nc:\\windows\\perfc.dat<\/p>\n

 <\/p>\n

\u00a0<\/strong><\/p>\n

Also Read<\/strong><\/p>\n

https:\/\/blogs.quickheal.com\/petya-ransomware-affecting-users-globally-things-can\/<\/a>
\nhttps:\/\/blogs.quickheal.com\/wannacrys-never-say-die-attitude-keeps-going\/<\/a>
\nhttps:\/\/blogs.quickheal.com\/ms17-010-windows-smb-server-exploitation-leads-ransomware-outbreak\/<\/a>
\nhttps:\/\/blogs.quickheal.com\/wannacry-ransomware-creating-havoc-worldwide-exploiting-patched-windows-exploit\/<\/a><\/p>\n

 <\/p>\n

 <\/p>\n

Acknowledgment<\/strong><\/p>\n

Subject Matter Expert:<\/p>\n