Petya Ransomware Outbreak
Just a month after the WannaCry outbreak, we are seeing another widespread ransomware outbreak involving what may be a variant of the Petya ransomware family. Details on the initial delivery vector are sparse and, as expected, there is a lot of speculation, just as there was during the early hours of WannaCry, but we wanted to share a quick snippet of what we know so far about the Petya ransomware outbreak. As we learn more, we will continue to update our blog.
- Businesses from several countries, including Ukraine, India, France, Russia, and Spain, have been impacted by this ransomware outbreak.
- The malware family involved is being claimed as a variant of the Petya ransomware family; however, from the analysis we have done so far, we are seeing very little resemblance between this code and previous Petya variants.
- This ransomware variant is highly virulent and, once a user is infected, it spreads rapidly across a corporate network via SMB.
- There are reports of the payload using the EternalBlue (MS17-010) exploit when it is not able to spread through a network using the credentials of the logged-in user.
- The ransomware payload encrypts the Master Boot Record (MBR) of an infected system, making it unusable.
- The ransomware payload is also using the Windows Management Instrumentation Command-line (WMIC) interface for lateral movement over SMB. This explains why the attack has been successful more than a month after the WannaCry outbreak, which leveraged the EternalBlue (MS17-010) exploit that should have been patched on most systems by now.
Take Protective Action
- Apply Microsoft Windows security update MS17-010 and CVE-2017-0199
- Block legacy protocols like SMBv1 on local network
- Disable WMIC on local network
- Block connection to ports 139 and 445 on your firewall
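The following PowerShell script is an added example, not code from the original Zscaler post, showing how an administrator can check and apply the protective actions above on a single Windows host from an elevated session: verify that the MS17-010 update is present, disable the SMBv1 server protocol, and block inbound TCP 139/445 on the host firewall. The KB identifier for MS17-010 differs per Windows build and is not given on this page, so the `$ms17010Kbs` list is a placeholder to be filled in for your OS; the firewall rule name is also an assumed value. Restricting `wmic.exe` is environment-specific (for example, through an AppLocker or software restriction policy) and is not covered by this script.

```powershell
# Added example (not from the original post): host-level mitigation steps for the
# Petya outbreak. Run from an elevated PowerShell session on the host being hardened.

# 1. Check whether the MS17-010 update for this host is installed.
#    Placeholder KB id: replace with the MS17-010 KB that applies to this Windows version.
$ms17010Kbs = @('KBnnnnnnn')
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if (-not $installed) {
    Write-Warning "MS17-010 update not found on $env:COMPUTERNAME - patch before continuing."
}

# 2. Report the current SMBv1 state and disable the SMBv1 server protocol.
$smb = Get-SmbServerConfiguration
Write-Output "SMB1 enabled before change: $($smb.EnableSMB1Protocol)"
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
# On Windows 8.1 / Server 2012 R2 and later the SMB1 component can be removed entirely.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# 3. Block inbound TCP 139 and 445 on the host firewall. Scope the rule to the
#    profiles where file sharing is not needed; here it is applied to all profiles.
$ruleName = 'Block-Inbound-SMB-139-445 (Petya mitigation)'   # assumed rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 139,445 -Action Block -Profile Any | Out-Null
}

# 4. Verify the resulting state.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter | Select-Object LocalPort
```

Disabling the SMBv1 server protocol takes effect without a reboot, but removing the SMB1Protocol optional feature requires one; blocking 445 on a file server will also break legitimate SMB access, so apply the firewall rule to workstations and non-sharing hosts first and roll out the change in stages.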
How Zscaler Can Help with Preventative Measures
Zscaler had generic signature coverage on one of the payloads involved and also added multiple signatures and indicators for blocking other known payloads related to this attack.
Advanced Threat Signatures:
- Win32_ransomware_Petya_116628
- CVE_2017_0199
In-line AV signatures:
- W32/Petya.VUNZ-1981
- W32/Ransom.Petya.J!Eldorado
Zscaler Cloud Sandbox provides the best line of defense in a proactive manner against these evolving ransomware strains.
Technical Analysis of the Payload
This section will be updated shortly