
Today, 27 June 2017, a massive ransomware attack, the PetrWrap variant of Ransomware/Petya, has been identified worldwide.
Initial data reveal that the threat has been distributed above all in Ukraine, Russia, Poland, Italy and Germany; some sources also confirm infections in the USA, England, France, India and Spain.
Technical Analysis
PetrWrap belongs to the ransomware malware macro-family: threats able to encrypt the data of victim users and organizations and demand a ransom in BTC (Bitcoin) to decrypt them.
Unlike WannaCry and other ransomware, PetrWrap encrypts the entire hard disk once the PC has been rebooted: in particular it attacks the Master File Table (MFT) of the NTFS file system and makes the MBR (Master Boot Record) unusable.
In this way PetrWrap blocks the entire PC: the operating system never loads for the victim user.
At present there is not enough information to determine the real attack vector used by the attackers to distribute the malware, but it probably happens via e-mail.
The threat is critical because the malware exploits an SMB v1 vulnerability to spread over the internal network, through the exploit published by “ShadowBroker” in the leak of the NSA toolkit: the exploit is named EternalBlue.
This exploit is the same one already used by Ransomware/WannaCry to spread inside local networks and over the Internet.
Microsoft patched the vulnerability on Microsoft Windows systems in March 2017 with security bulletin MS17-010.
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
In addition to using the EternalBlue exploit to spread over the internal network, PetrWrap can also abuse native Windows tools such as WMIC or the PSEXEC tool; this last infection method succeeds only if the victim PC has administrative permissions on the remote PCs.
At present, the attackers behind this global Ransomware/PetrWrap distribution are identified by the e-mail address wowsmith123456@posteo.net.
So far 29 BTC payments have already been registered, associated with the above e-mail address, for a total of 3,15 BTC.
How can you defend yourself?
You can defend your internal infrastructure by adopting the following countermeasures:
- (Recommended) Install the patch released in the Microsoft security bulletin of March, MS17-010.
- (Alternative) Disable the SMB v1 protocol: SMB version 1 is old and insecure. If possible, disable it.
It is also recommended to update the antivirus signatures on endpoints to the latest available version.
The SentinelOne Next Generation Antivirus, thanks to its dynamic threat analysis engine, is already able to protect endpoints without a signature update.
IoC – Indicators of Compromise
| IOC Type | Value |
| --- | --- |
| FileHash-MD5 | 71B6A493388E7D0B40C83CE903BC6B04 |
| FileHash-MD5 | 0df7179693755b810403a972f4466afb |
| FileHash-MD5 | 42b2ff216d14c2c8387c8eabfb1ab7d0 |
| FileHash-MD5 | E595c02185d8e12be347915865270cca |
| FileHash-MD5 | e285b6ce047015943e685e6638bd837e |
| CnC IP | 185.165.29.78 |
| CnC IP | 111.90.139.247 |
| CnC IP | 84.200.16.242 |
| CnC IP | 95.141.115.108 |
| FileHash-SHA256 | 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 |
| FileHash-SHA1 | 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d |
| FileHash-SHA256 | 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1 |
| FileHash-SHA256 | 752e5cf9e47509ce51382c88fc4d7e53b5ca44ba22a94063f95222634b362ca5 |
| FilePath | dllhost.dat |
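To show how the indicators above can be put to use on the defensive side, here is an added example (not code from the original post or from Sorint.SEC): a Python matcher that normalises the hash, IP and file-name indicators from the table and scans log lines for them. The log lines are constructed for the example, with 10.0.0.0/8 and 203.0.113.0/24 addresses standing in for internal hosts and a benign destination and the MD5 of an empty file standing in for a benign binary; the key=value field names such as `dst=` and `sha256=` are an assumption about the log format.

```python
"""Match proxy and endpoint events against the PetrWrap IoCs listed in the table above.

Added example; the key=value log format is an assumption, and the sample events
below are constructed, not real telemetry.
"""
import ipaddress
import re

# Hash indicators transcribed from the IoC table, normalised to lower case so that
# a match does not depend on how the reporting tool prints the digest.
IOC_HASHES = {
    "71b6a493388e7d0b40c83ce903bc6b04": "FileHash-MD5",
    "0df7179693755b810403a972f4466afb": "FileHash-MD5",
    "42b2ff216d14c2c8387c8eabfb1ab7d0": "FileHash-MD5",
    "e595c02185d8e12be347915865270cca": "FileHash-MD5",
    "e285b6ce047015943e685e6638bd837e": "FileHash-MD5",
    "34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d": "FileHash-SHA1",
    "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745": "FileHash-SHA256",
    "64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1": "FileHash-SHA256",
    "752e5cf9e47509ce51382c88fc4d7e53b5ca44ba22a94063f95222634b362ca5": "FileHash-SHA256",
}

# CnC addresses from the table, parsed once so comparisons use real address objects.
IOC_IPS = {ipaddress.ip_address(ip) for ip in
           ("185.165.29.78", "111.90.139.247", "84.200.16.242", "95.141.115.108")}

# Longest hex run first, so a SHA-256 is never reported as a shorter hash.
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# The dropped file is dllhost.dat; the legitimate dllhost.exe must not trigger a hit.
FILENAME_RE = re.compile(r"\bdllhost\.dat\b", re.IGNORECASE)


def scan_line(line_no, line):
    """Return (line_no, ioc_type, value) for every indicator found in one log line."""
    hits = []
    for digest in HASH_RE.findall(line):
        digest = digest.lower()
        if digest in IOC_HASHES:
            hits.append((line_no, IOC_HASHES[digest], digest))
    for candidate in IPV4_RE.findall(line):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1, which the regex alone would accept
            continue
        if addr in IOC_IPS:
            hits.append((line_no, "CnC IP", str(addr)))
    if FILENAME_RE.search(line):
        hits.append((line_no, "FilePath", "dllhost.dat"))
    return hits


def scan_logs(text):
    """Scan newline-separated log lines; returns all hits in line order."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            hits.extend(scan_line(line_no, line))
    return hits


# Constructed sample events (not real logs). Private and TEST-NET addresses stand in for
# internal hosts and a benign destination; the empty-file MD5 stands in for a benign binary.
SAMPLE_LOGS = r"""2017-06-27T10:12:03Z proxy src=10.1.4.22 dst=185.165.29.78 dport=80 action=allow
2017-06-27T10:12:05Z proxy src=10.1.4.22 dst=203.0.113.10 dport=443 action=allow
2017-06-27T10:13:40Z edr host=WS-0417 event=file_create path=C:\Windows\dllhost.dat sha256=027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
2017-06-27T10:13:41Z edr host=WS-0417 event=process_start image=C:\Windows\System32\dllhost.exe md5=d41d8cd98f00b204e9800998ecf8427e
2017-06-27T10:15:02Z edr host=WS-0290 event=file_create path=C:\Temp\update.exe md5=71B6A493388E7D0B40C83CE903BC6B04"""


if __name__ == "__main__":
    for line_no, ioc_type, value in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: {ioc_type} {value}")
```

Run against the constructed sample, the matcher reports the connection to 185.165.29.78 on line 1, both the SHA-256 and the dropped file name on line 3, and the upper-case MD5 on line 5, while the internal addresses, the benign destination, the legitimate dllhost.exe and the unrelated MD5 produce nothing. Feeding real proxy or EDR exports through `scan_logs` gives a first triage list of hosts to isolate and patch against MS17-010.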
Managed Next Generation EndPoint Protection
As a network and security company, Sorint.SEC offers information security services that guarantee advanced protection for diverse and complex infrastructures.
In particular, Sorint.SEC offers Managed Next Generation EndPoint Protection services to increase company protection against advanced threats directed at endpoints.
More information about the managed protection offered by Sorint.SEC is available at the following link:
https://sec.sorint.it/en/managedendpointprotection
References
https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759
http://thehackernews.com/2017/06/petya-ransomware-attack.html