Wednesday, 28 June 2017

EternalPetya / NotPetya Ransomware Analysis



The new modification of Petya, which we named EternalPetya (because of using EternalBlue and EternalRomance exploits), caused surprisingly big infection outbreak in Ukraine and Russia.


This can be explained by using several attack vectors:
  • In a local network, using EternalBlue and EternalRomance exploits targeting SMB services running on 139 and 445 ports. Both vulnerabilities were fixed in March 2017: CVE-2017-0144/MS17-010).
  • In a local network, EternalPetya leverages Microsoft's PSExec and WMIC tools that are used to connect to a remote computer with user's credentials to start a new process remotely.
  • Similar to Mimikatz tool embedded into the ransomware DLL harvests on a host user logins and passwords, which PsExec and WMIC tools require.
  • X-Factor - delivery through a fake update for M.E.Doc program used by many accountants in Ukraine to submit tax e-reports. Probably, social engineering techniques were used tricking a user to execute malware, for example, delivered as an email attachment or downloaded by the link provided in a spear phishing email.






















How to prevent the infection?
Once you are infected, your computer is locked, and data are encrypted by EternalPetya, there is no way to decrypt your data and unlock your system other than restoring it from backup.

Contact us if you need to defend your cloud or enterprise network against ransomware and targeted attacks.

For the attack details, see our analysis report published in the Acronis blog.

UPDATE:
Microsoft and Ukrainian Cyberpolice have the evidence showing it was the MEDoc software that executed EternalPetya: https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/

No comments:

Post a Comment