PetrWrap: A new Ransomware attack


Today, 27 June 2017, a massive ransomware attack, the PetrWrap variant of Ransomware/Petya, has been identified worldwide.

Initial data revealed that the threat has been distributed mainly in Ukraine, Russia, Poland, Italy and Germany, and some sources also confirm infections in the USA, England, France, India and Spain.

 

Technical Analysis

PetrWrap belongs to the ransomware family of malware: threats that encrypt the data of victim users and organizations and demand a ransom in BTC (Bitcoin) to decrypt it.

Unlike WannaCry and other ransomware, PetrWrap, once the PC has been rebooted, encrypts the entire hard disk: in particular it attacks the NTFS file system's Master File Table (MFT) and renders the MBR (Master Boot Record) unusable.

In this way PetrWrap locks the entire PC, so the operating system never loads for the victim user.

 

At present there is not enough information to determine the actual attack vector used by the attackers to distribute the malware, but it probably happened via e-mail.

The threat is critical because the malware exploits an SMB v1 vulnerability to spread across the internal network, through an exploit published by the “Shadow Brokers” as part of the NSA toolkit leak: the exploit is named EternalBlue.

This exploit is the same one already used by Ransomware/WannaCry to spread inside local networks and over the Internet.

Microsoft patched the vulnerability on Microsoft Windows systems in March 2017 with security bulletin MS17-010.

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

 

PetrWrap, in addition to using the EternalBlue exploit to spread across the internal network, can also abuse native Windows tools such as WMIC or PSEXEC; this second infection method succeeds only if the victim PC has administrative permissions on the remote PCs.

At present, the attackers behind this global Ransomware/PetrWrap distribution are identified by the e-mail address wowsmith123456@posteo.net.

So far, 29 BTC payments have been registered to the Bitcoin address associated with that e-mail, for a total of 3.15 BTC.

 

How can you defend yourself?

You can defend your internal infrastructure by adopting the following countermeasures:

  • (Recommended) Install the patch released in Microsoft's March security bulletin MS17-010.

  • (Alternative) Disable the SMB v1 protocol: SMB version 1 is old and insecure. If possible, disable it.
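As an added example (not part of the original article), the PowerShell audit script below checks the two countermeasures above on the local Windows host: whether an MS17-010 update is installed and whether SMB v1 is still enabled, turning SMB v1 off when run with -Remediate. The KB numbers and the LanmanServer registry value are assumptions recalled from Microsoft's published guidance and should be confirmed against the bulletin.

```powershell
# Added example, not from the original article. Audits MS17-010 patch state
# and SMB v1 exposure on the local host; -Remediate disables SMB v1.
# Assumption: the KB ids below are the MS17-010 packages for common Windows
# versions as I recall them; verify them against the bulletin. On Windows 10,
# later cumulative updates supersede these KBs, so a miss here is not proof
# the host is unpatched.
param([switch]$Remediate)

$Ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216',
                'KB4012214','KB4012217','KB4012606','KB4013198','KB4013429')

# 1. Patch check: Get-HotFix lists installed updates by KB id.
$installed = Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010: installed ($($installed.HotFixID -join ', '))"
} else {
    Write-Warning "MS17-010: no matching KB found - install the March 2017 update"
}

# 2. SMB v1 server check (Smb* cmdlets exist on Windows 8 / Server 2012 and later).
$smbCfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($smbCfg) {
    if ($smbCfg.EnableSMB1Protocol) {
        Write-Warning "SMB v1 is ENABLED on the server side"
        if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    } else {
        Write-Host "SMB v1 is disabled on the server side"
    }
} else {
    # Windows 7 / Server 2008 R2: no Smb* cmdlets; the documented switch is a registry value.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($val -eq 0) {
        Write-Host "SMB v1 is disabled via registry (SMB1=0)"
    } else {
        Write-Warning "SMB v1 is enabled (registry value SMB1 missing or non-zero)"
        if ($Remediate) {
            Set-ItemProperty -Path $key -Name SMB1 -Type DWORD -Value 0 -Force
            Write-Host "SMB1=0 written; a reboot is required for it to take effect"
        }
    }
}

# 3. Windows 8.1 / 10 only: remove the SMB v1 component itself, not just the setting.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Write-Warning "Optional feature SMB1Protocol is still installed"
    if ($Remediate) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
}
```

Run it from an elevated PowerShell prompt; without -Remediate it only reports, so it is safe to use as a fleet-wide inventory step before pushing the patch.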

 

It is also recommended to update the antivirus signatures on endpoints to the latest available version.

The SentinelOne next-generation antivirus, thanks to its dynamic threat analysis engine, is already able to protect endpoints without a signature update.

 

IoC – Indicators of Compromise


 

Managed Next Generation EndPoint Protection

As a network and security company, Sorint.SEC offers information security services that guarantee advanced protection for diverse and complex infrastructures.

In particular, Sorint.SEC offers Managed Next Generation EndPoint Protection services to increase a company's protection against advanced threats aimed at endpoints.

More information about the managed protection offered by Sorint.SEC is available at the following links:

https://sec.sorint.it/en/managedendpointprotection

https://sec.sorint.it/en/soc

 
