Global Petya Ransomware Attacks involve Modified EternalBlue Exploit

Global Petya ransomware attacks are underway, with the campaign bearing similar hallmarks to the WannaCry ransomware attacks in May. The attackers are using a modified EternalBlue exploit that takes advantage of the same SMBv1 vulnerability used in WannaCry. The ransomware bears a number of similarities to Petya ransomware, although this appears to be a new variant.

Petya ransomware was first discovered last year, and the latest variant uses a similar encryption process. In contrast to WannaCry, Locky and CryptXXX, this ransomware variant does not encrypt files. Instead, it encrypts the master file table (MFT), which is what computers use to locate files on hard disks. Without the MFT, the computer cannot locate files. Stored files are not encrypted, but they still cannot be accessed.

The latest global ransomware attack is understood to be worse than WannaCry. For a start, there is no kill switch, so it is not possible to disable the ransomware to prevent further MFT encryptions. Second, the attacker is using an email account that a German email provider has now disabled, which means that even if the $300 ransom is paid, the attacker will not be able to deliver the decryption keys. Also, the tactics used in this ransomware attack are more advanced than in the WannaCry campaign, with additional layers of complexity.

As with WannaCry, the Petya ransomware attacks involve remote exploitation of the SMBv1 vulnerability on unpatched devices. If the MS17-010 patch has not been applied, systems will be vulnerable to attack.

Kaspersky Lab reports that this attack actually involves several vectors, another being MeDoc, a Ukrainian tax accounting package, with the attackers taking advantage of its software update function. It is possible that email is also being used, with malicious spreadsheets exploiting the CVE-2017-0199 vulnerability to install the ransomware.

Even servers that have been patched and do not have the SMBv1 vulnerability can still be attacked if one server on the network has not had the MS17-010 patch applied. Those attacks use the Windows Sysinternals tool PsExec in pass-the-hash attacks, while the Windows Management Instrumentation command-line interface (WMIC) is also being used to spread the ransomware. In contrast to WannaCry, there is no network worm involved; instead, only internal subnets are scanned for other devices to infect.
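As an added illustration that is not part of the original article, the following Python sketch applies the two lateral-movement indicators described above (remote process creation through WMIC, and the service PsExec installs on a target) to a handful of constructed process-creation events; the host names, field layout and file names are all made up for the example.

```python
import ntpath
import re
from typing import Dict, Iterable, List

# Constructed sample process-creation events in Sysmon-like fields; not real telemetry.
# Events 2 and 4 model the two propagation techniques named in the article; the rest,
# including a purely local WMIC query, are benign noise that must not raise an alert.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "parent": "explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"host": "ws01", "parent": "rundll32.exe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"fs02" /user:"CORP\svc_backup" process call create "C:\Windows\payload.dll"'},
    {"host": "fs02", "parent": "services.exe", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "fs02", "parent": "services.exe", "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"host": "ws01", "parent": "cmd.exe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption"},
]

# A WMIC invocation that targets another host (/node:) and creates a process there.
WMIC_REMOTE = re.compile(r"/node:", re.IGNORECASE)
WMIC_CREATE = re.compile(r"process\s+call\s+create", re.IGNORECASE)


def classify(event: Dict[str, str]) -> str:
    """Return a technique label for one process-creation event, or '' if it looks benign."""
    image = ntpath.basename(event["image"]).lower()
    cmdline = event["cmdline"]
    if image == "wmic.exe" and WMIC_REMOTE.search(cmdline) and WMIC_CREATE.search(cmdline):
        return "wmic_remote_process_create"
    # PSEXESVC.exe is the service binary PsExec drops on the remote host; the Service
    # Control Manager (services.exe) is its parent when it is started.
    if image == "psexesvc.exe" and event["parent"].lower() == "services.exe":
        return "psexec_service_launch"
    return ""


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert (host, technique, cmdline) per event that matches either rule."""
    alerts = []
    for ev in events:
        label = classify(ev)
        if label:
            alerts.append({"host": ev["host"], "technique": label, "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'{alert["host"]}: {alert["technique"]} <- {alert["cmdline"]}')
```

Both PsExec and remote WMIC are legitimate administration tools, so in practice these matches are scored against a baseline of known admin hosts and accounts rather than treated as conclusive on their own.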

The Petya ransomware attacks appeared to start in Russia and Ukraine, but rapidly spread around Europe and further afield. Some of the companies affected include the pharmaceutical firm Merck, the shipping firm Maersk, the French manufacturing firm Saint-Gobain, the Russian oil company Rosneft, the steel maker Evraz, Kiev’s Borispol airport, the aviation firm Antonov and WPP. Ukraine has been hit particularly hard, with power companies, postal services, the central bank, government and the radiation monitoring station at the Chernobyl nuclear power plant all affected. Kaspersky Lab reports there have been at least 2,000 attacks, most of which were in Ukraine, Russia and Poland.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news