Petya ransomware appears with SMB propagation capabilities
June 2017 by Forcepoint
The Petya outbreak recorded on 27 June 2017 has had a significant impact on a number of global organisations, with media outlets reporting impacts as significant as the cessation of activity at the Port of Rotterdam in the Netherlands.
While many may be loath to think back six weeks to the trauma of May’s WannaCry outbreak (https://blogs.forcepoint.com/securi...), there are a number of parallels between the two incidents ranging from the global reach of the outbreak to the techniques by which the malware is spread.
At the time of writing, Forcepoint Security Labs has analysed one sample associated with the outbreak (SHA256: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745). Details of this are shown in the table below.
We are in the process of confirming and analysing additional samples and variants as they become available.
SHA1: 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
SHA256: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
Timestamp: 2017-06-18 07:14:36
Size: 353.9 KB
The sample itself is a DLL, launched with the hard-coded argument ‘#1’, i.e. by invoking its first (ordinal #1) export in the manner of rundll32.exe <file>,#1.
Upon execution, it attempts to spread to other hosts via an SMBv1 exploit (the same MS17-010 SMBv1 vulnerability that WannaCry abused) before ultimately rebooting the machine, presenting a fake ‘CHKDSK’ screen, and showing the ransom message. The reboot and subsequent messages are typical of previously observed Petya behaviour.
Comment: As in the early stages of the WannaCry infection, the initial infection vector for a given organisation is unclear.
Comment: There appears to be a significant delay between the malware being run and the start of the encryption process. Given that the malware reboots the machine (which is when the disk is actually encrypted), this is almost certainly to allow a reasonable amount of time for the SMB propagation to reach other hosts across the network first.
A large number of strings are hard-coded within the file, including the Bitcoin wallet used for payments, the ‘support’ email address used by the perpetrators, and the targeted file extensions. The targeted file extensions are shown below.
.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip
Comment: In a further echo of WannaCry, the use of a single hard-coded Bitcoin wallet for the receipt of payments is an unusual choice, in that it allows easy third-party tracking of the number of ransom payments received.
Conclusion & Recommendations
Conclusions and assessments of any far-reaching implications of an outbreak can be hard to draw early in a campaign; however, it seems unlikely that this will be the last attempt to deploy a self-propagating piece of ransomware.
As ever, Forcepoint Security Labs will continue to monitor this threat.
The use of an SMBv1-based exploit to move laterally within networks ultimately means that a large number of recommendations made during the WannaCry outbreak are also applicable now. In particular:
Ensure that available security updates are installed on all Windows machines within the organisation.
In line with Microsoft’s guidance from 2016, customers should consider disabling SMBv1 on all Windows systems where this will not negatively impact the function of legacy systems within the environment (older NAS devices, multifunction printers and unpatched legacy Windows hosts are the usual dependants, so inventory them before switching the protocol off). If you are a Forcepoint customer please consult the following Knowledge Base Article to identify what course of action may be suitable for your product: https://support.forcepoint.com/KBAr...
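The two recommendations above can be checked and applied from an elevated PowerShell session. The script below is an added example written for this page, not Forcepoint’s or Microsoft’s own tooling: it reports whether the host still offers SMBv1, whether the SMB1Protocol optional feature is installed, and whether the MS17-010 security update (the fix for the SMBv1 vulnerability used here and by WannaCry) is present, and with -Remediate it turns SMBv1 off. The KB identifiers and the 14 March 2017 release date are taken from Microsoft’s MS17-010 bulletin; the list covers the common client and server SKUs and is an assumption you should reconcile against your own OS mix, and the date-based fallback is only a heuristic because later cumulative updates supersede the original KBs.

```powershell
# Added example (not from the original post): audit and remediate SMBv1 on a Windows host.
# Run elevated on Windows 8.1 / Server 2012 R2 or later, where the SmbShare module
# (Get-/Set-SmbServerConfiguration) is available. Without -Remediate it only reports.
[CmdletBinding()]
param(
    [switch]$Remediate
)

# Security updates that shipped the MS17-010 SMBv1 fix (released 14 March 2017).
# Assumption: list taken from the MS17-010 bulletin; adjust for your environment.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012598',                           # XP / Vista / 8 / Server 2003 / 2008 (out-of-band)
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)
$PatchDate = Get-Date '2017-03-14'

function Test-Ms17010 {
    $hotfixes = Get-HotFix
    $direct = @($hotfixes | Where-Object { $Ms17010Kbs -contains $_.HotFixID })
    if ($direct.Count -gt 0) { return "patched ($($direct[0].HotFixID))" }
    # Fallback heuristic: any security update installed after the MS17-010 release
    # date on a cumulative-update platform (Windows 10) normally supersedes the fix.
    $later = @($hotfixes | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchDate })
    if ($later.Count -gt 0) { return 'probably patched (post-2017-03-14 updates present; verify supersedence)' }
    return 'NOT patched'
}

function Get-Smb1State {
    # Server side: will this host still negotiate the SMB1 dialect with clients?
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Feature side: are the SMB1 client/server binaries installed at all?
    # (On Windows Server the equivalent check is Get-WindowsFeature FS-SMB1.)
    $feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue).State
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $server
        Smb1Feature       = if ($feature) { "$feature" } else { 'n/a' }
        MS17010           = Test-Ms17010
    }
}

$state = Get-Smb1State
$state | Format-List

if ($Remediate) {
    if ($state.Smb1ServerEnabled) {
        # Stops the server offering SMB1; takes effect immediately, no reboot needed.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host 'SMBv1 server protocol disabled.'
    }
    if ($state.Smb1Feature -eq 'Enabled') {
        # Removes the SMB1 client and server components; a reboot completes the removal.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Host 'SMB1Protocol feature removed; reboot to complete.'
    }
    Get-Smb1State | Format-List
}
```

Save as Audit-Smb1.ps1 and run it once to inventory a host, then with -Remediate once any legacy dependency on SMBv1 has been ruled out. On Windows Server the optional-feature cmdlets are replaced by Get-WindowsFeature FS-SMB1 and Uninstall-WindowsFeature FS-SMB1; disabling the server protocol with Set-SmbServerConfiguration works on both. Treat the ‘probably patched’ result as a prompt to confirm the installed build against Microsoft’s supersedence data rather than as a pass.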
Update: We have confirmed through internal testing that Forcepoint NGFW is capable of both detecting and blocking use of the SMB exploit leveraged by this attack (see image); however, the initial vector used for propagation is still being investigated.