On June 27, 2017, multiple organizations – many in Europe – reported
disruptions they are attributing to Petya ransomware. Based on
initial information, this variant of the Petya ransomware may be
spreading via the EternalBlue
exploit used in the WannaCry
attack from last month.
Trusted sources and open-source reporting have suggested that the
initial infection vector for this campaign was a poisoned
update for the MeDoc software suite, a software package used by
many Ukrainian organizations. The timing of a MeDoc software update,
which occurred on June 27, is consistent with initial reporting of the
ransomware attack, and it correlates with the lateral movement via
PSExec we observed in victim networks starting around 10:12 UTC.
Additionally, the MeDoc website currently displays a warning message
in Russian stating: “A virus attack is occurring on our servers.
Our apologies for the temporary inconvenience!”
Our initial analysis of the artifacts and network traffic at victim
networks indicates that a modified version of the EternalBlue SMB
exploit was used, at least in part, to spread laterally, alongside WMI
commands, Mimikatz, and PSExec used to propagate to other systems. Analysis of
the artifacts associated with this campaign is still ongoing and we
will update this blog as new information becomes available.
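The PSExec and WMI lateral movement described above leaves a recognizable trail in Windows event logs: a PSEXESVC service installation on the target (System event 7045), a wmic.exe process launched with /node: against another host (Security event 4688), and the ADMIN$ share being opened from a peer (Security event 5140). The following is an added example, not FireEye's detection content, that runs that logic over a handful of constructed event records; the field names follow the Windows event schema, but the hosts, accounts and the payload file name are placeholders invented for the example.

```python
"""Hunt for the PsExec / WMI lateral-movement pattern in Windows event logs.

Added example, not FireEye's detection content. The event records below
are constructed for this example; host names, account names and the
payload path are placeholders, not real victim telemetry.
"""
import re
from collections import defaultdict

# Constructed sample events (Security 4688 / 5140, System 7045).
SAMPLE_EVENTS = [
    {"EventID": 5140, "Computer": "ws-02", "SubjectUserName": "svc_backup",
     "ShareName": r"\\*\ADMIN$", "SourceAddress": "10.0.0.11"},
    {"EventID": 7045, "Computer": "ws-02", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 4688, "Computer": "ws-01", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:"ws-03" /user:"corp\svc_backup" '
                    r'process call create "C:\Windows\payload.dll"'},
    {"EventID": 4688, "Computer": "ws-01", "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 4688, "Computer": "ws-01", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Tools\PsExec64.exe",
     "CommandLine": r"PsExec64.exe \\ws-02 -accepteula -s -d C:\Windows\payload.dll"},
]

# wmic /node:"host" or /node:host  -> capture the remote host name
WMIC_NODE = re.compile(r'/node:\s*"?([^\s"]+)', re.IGNORECASE)
# PsExec client syntax: psexec \\host ...  -> capture the remote host name
PSEXEC_TARGET = re.compile(r"\\\\([^\s\\]+)")


def detect_lateral_movement(events):
    """Return (technique, source, target, detail) tuples for suspicious events."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7045 and ev.get("ServiceName", "").upper() == "PSEXESVC":
            # PsExec copies its service binary to ADMIN$ and installs it on the target.
            findings.append(("psexec_service_install", None, ev["Computer"],
                             ev.get("ImagePath", "")))
        elif eid == 4688:
            image = ev.get("NewProcessName", "").lower()
            cmd = ev.get("CommandLine", "")
            if image.endswith("wmic.exe"):
                m = WMIC_NODE.search(cmd)
                if m and "process call create" in cmd.lower():
                    findings.append(("wmi_remote_process_create", ev["Computer"],
                                     m.group(1), cmd))
            elif "psexec" in image.rsplit("\\", 1)[-1]:
                m = PSEXEC_TARGET.search(cmd)
                findings.append(("psexec_client", ev["Computer"],
                                 m.group(1) if m else None, cmd))
        elif eid == 5140 and ev.get("ShareName", "").upper().endswith("ADMIN$"):
            # Remote ADMIN$ access from a workstation rather than a management host.
            findings.append(("admin_share_access", ev.get("SourceAddress"),
                             ev["Computer"], ev.get("SubjectUserName", "")))
    return findings


def fan_out_by_source(findings):
    """Map each host that launched remote execution to the set of hosts it targeted.

    One source reaching many targets in a short window is the worm-like
    propagation pattern rather than routine administration.
    """
    fan_out = defaultdict(set)
    for technique, source, target, _detail in findings:
        if technique in ("wmi_remote_process_create", "psexec_client") and target:
            fan_out[source].add(target)
    return dict(fan_out)


if __name__ == "__main__":
    hits = detect_lateral_movement(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print("fan-out:", fan_out_by_source(hits))
```

The notepad.exe launch is deliberately included to show that ordinary process creation does not fire; in production the same logic would be fed from a SIEM export of 4688/7045/5140 events and the fan-out map would be thresholded per time window.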
FireEye has confirmed the following two samples related to this attack:
FireEye has mobilized a Community Protection Event and is continuing
to investigate these reports and the threat activity involved in these
disruptive incidents. FireEye as a Service (FaaS) is actively engaged
in monitoring customer environments.
While FireEye detection leverages behavioral analysis of malicious
techniques, our team has created a YARA rule to assist organizations
in retroactively searching their environments for this malware, as
well as detecting future activity. Our team has focused on the
malicious attacker techniques that are core to the operation of the
malware: SMB drive usage, ransom demand language, the underlying
functions and APIs, and the system utilities used for lateral
movement. The thresholds can be modified in the condition section that follows.
// FUNCTIONALITY, APIS
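The rule structure described above (indicator strings grouped into categories, with per-category thresholds set in the condition) can be reproduced outside YARA for triage or for tuning thresholds before deploying a rule. The following is an added example, not FireEye's rule: the indicator strings are illustrative stand-ins for the four categories the post names (SMB/raw drive usage, ransom demand language, crypto APIs, lateral-movement utilities), the thresholds and the "MZ header plus N of the categories" condition are assumptions of this example, and the two buffers it scans are constructed, not real samples.

```python
"""Threshold-based indicator scoring in the shape of a YARA condition.

Added example, not FireEye's rule. Indicator strings, thresholds and the
sample buffers are illustrative assumptions made for this example.
"""

# Illustrative indicator strings per category (assumed, not taken from a real rule).
INDICATORS = {
    # raw disk / SMB share usage: MBR overwrite and copies to the admin$ share
    "smb_drive": [b"\\\\.\\PhysicalDrive0", b"\\\\.\\C:", b"admin$", b"\\\\%s\\admin$"],
    # ransom note wording
    "ransom_language": [b"your important files are encrypted", b"bitcoin", b"decryption"],
    # crypto APIs a file-encrypting payload needs
    "apis": [b"CryptAcquireContextA", b"CryptGenKey", b"CryptEncrypt",
             b"CryptExportKey", b"NetServerEnum"],
    # utilities driven for lateral movement
    "lateral_tools": [b"psexec", b"wmic", b"process call create", b"rundll32"],
}

# Equivalent of the numeric thresholds in a YARA `condition` section; tune here.
DEFAULT_THRESHOLDS = {"smb_drive": 2, "ransom_language": 1, "apis": 3, "lateral_tools": 2}


def count_hits(buf, indicators=INDICATORS):
    """Number of distinct indicators per category present in buf (case-insensitive)."""
    low = buf.lower()
    return {cat: sum(1 for s in strings if s.lower() in low)
            for cat, strings in indicators.items()}


def categories_met(hits, thresholds=DEFAULT_THRESHOLDS):
    """Categories whose hit count reaches the configured threshold."""
    return [cat for cat, need in thresholds.items() if hits.get(cat, 0) >= need]


def evaluate(buf, thresholds=DEFAULT_THRESHOLDS, min_categories=3):
    """Verdict mirroring `uint16(0) == 0x5A4D and N of (categories)` in YARA.

    Returns (matched, hits) so the caller can see why a buffer scored as it did.
    """
    hits = count_hits(buf)
    is_pe = buf[:2] == b"MZ"
    matched = is_pe and len(categories_met(hits, thresholds)) >= min_categories
    return matched, hits


# Constructed buffers standing in for a suspicious and a benign PE file.
SUSPICIOUS_BUF = (
    b"MZ" + b"\x00" * 62
    + b"\\\\.\\PhysicalDrive0\x00" + b"\\\\%s\\admin$\x00"
    + b"CryptAcquireContextA\x00CryptGenKey\x00CryptEncrypt\x00"
    + b"Ooops, your important files are encrypted.\x00"
    + b"wmic.exe\x00process call create\x00"
)
BENIGN_BUF = (
    b"MZ" + b"\x00" * 62
    + b"\\\\.\\C:\x00"                       # a disk utility may open the volume directly
    + b"CryptAcquireContextA\x00CryptEncrypt\x00"  # plenty of legitimate software encrypts
)

# Looser thresholds, to show how tuning changes the verdict on the benign buffer.
LOOSE_THRESHOLDS = {"smb_drive": 1, "ransom_language": 1, "apis": 2, "lateral_tools": 1}


if __name__ == "__main__":
    for name, buf in (("suspicious", SUSPICIOUS_BUF), ("benign", BENIGN_BUF)):
        matched, hits = evaluate(buf)
        print(f"{name}: matched={matched} hits={hits} met={categories_met(hits)}")
    print("benign with loose thresholds:",
          evaluate(BENIGN_BUF, LOOSE_THRESHOLDS, min_categories=2)[0])
```

Raising a threshold trades recall for precision exactly as editing the YARA condition would; running both buffers through the loose and default thresholds before deployment shows which categories carry the false positives (here, crypto APIs and direct volume access, which benign software also uses).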
FireEye has read reports that the malware is spread by an email lure
containing a malicious Office document attachment or links to infected
documents exploiting CVE-2017-0199. We are confident that this
document is unrelated to the current outbreak of activity, and we have
seen no other indicators that CVE-2017-0199 is related. While FireEye
detects these campaigns, we have not observed any correlation with
known victims of the Petya attacks.
This activity highlights the importance of organizations securing
their systems against the EternalBlue exploit and against ransomware.
FireEye has provided a guide for securing Windows systems against the
EternalBlue exploit in the context of the WannaCry ransomware. A
robust backup strategy, network segmentation and air gapping where
appropriate, and other defenses against ransomware can help
organizations defend against ransomware distribution operations and
quickly remediate infections.
from Petya Ransomware Spreading Via EternalBlue Exploit