Area: Anti-Virus Discussion & News... [70 / 262]
From: Ben Ritchey
To: All
Subject: Petya Ransomware
Date/Time: July 1, 2017 4:29 AM

Subject: TA17-181A: Petya Ransomware
From: "US-CERT" <US-CERT@ncas.us-cert.gov>
Date: 7/1/2017 2:14 AM

TA17-181A: Petya Ransomware

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:

07/01/2017 01:41 AM EDT

Original release date: July 01, 2017
Systems Affected

Microsoft Windows operating systems
Overview

On June 27, 2017, NCCIC was notified of Petya ransomware events occurring in
multiple countries and affecting multiple sectors. Petya ransomware encrypts
the master boot records of infected Windows computers, making affected machines
unusable.

The NCCIC Code Analysis Team produced a Malware Initial Findings Report (MIFR) 
to provide in-depth technical analysis of the malware. In coordination with 
public and private sector partners, NCCIC is also providing additional IOCs in 
comma-separated-value form for information sharing purposes.

Available Files:

    MIFR-10130295.pdf
    TA-17-181A_IOCs.csv

The scope of this Alert's analysis is limited to the newest "Petya" variant
that surfaced June 27, 2017, and this malware is referred to as "Petya"
throughout this Alert.
Description

Based on initial reporting, this Petya campaign involves multiple methods of 
initial infection and propagation, including exploiting vulnerabilities in 
Server Message Block (SMB). Microsoft released a security update for the 
MS17-010 vulnerability on March 14, 2017. Background information on ransomware 
infections is provided in US-CERT Alert TA16-091A.
Technical Details

US-CERT received a sample of this Petya ransomware variant and performed a
detailed malware analysis. The team found that this Petya variant encrypts the
victim's files with a dynamically generated, 128-bit key and creates a unique
ID of the victim. However, there is no evidence of a relationship between the
encryption key and the victim's ID, which means it may not be possible for the
attacker to decrypt the victim's files even if the ransom is paid.

This Petya variant spreads using the SMB exploit as described in MS17-010 and
by stealing the user's Windows credentials. This variant of Petya is notable
for installing a modified version of the Mimikatz tool, which can be used to
obtain the user's credentials. The stolen credentials can be used to access
other systems on the network. This Petya variant will also attempt to identify
other hosts on the network by checking the compromised system's IP physical
address mapping table. Next, it scans for other systems that are vulnerable to
the SMB exploit and installs the malicious payload.

The compromised system's files are encrypted with a 128-bit Advanced Encryption
Standard (AES) algorithm during runtime. This Petya variant writes a text file
on the "C:\" drive with the Bitcoin wallet information and RSA keys for the
ransom payment. It modifies the master boot record (MBR) to enable encryption
of the master file table (MFT) and the original MBR, then reboots the system.
Based on the encryption methods used, it appears unlikely that the files can be
restored even if the attacker received the victim's unique ID.
Impact

According to multiple reports, this Petya ransomware campaign has infected 
organizations in several sectors including finance, transportation, energy, 
commercial facilities, and healthcare. While these victims are business 
entities, other Windows systems without patches installed for the 
vulnerabilities in MS17-010, CVE-2017-0144, and CVE-2017-0145 are at risk of
infection.

Negative consequences of ransomware infection include the following:

    temporary or permanent loss of sensitive or proprietary information,
    disruption to regular operations,
    financial losses incurred to restore systems and files, and
    potential harm to an organization's reputation.

Solution

NCCIC recommends against paying ransoms; doing so enriches malicious actors 
while offering no guarantee that the encrypted files will be released. In this 
incident, the email address for payment validation was shut down by the email 
provider, so payment is especially unlikely to lead to data recovery.[1] 
According to one NCCIC stakeholder, the below sites are C2 payment sites for 
this activity. These sites are not included in the CSV package as IOCs.

Network Signatures

NCCIC recommends that organizations coordinate with their security vendors to 
ensure appropriate coverage for this threat. Because there is overlap between 
the WannaCry and Petya activities, many of the available rulesets can protect 
against both malware strains when appropriately implemented. The following 
rulesets provided in publicly available sources may help detect this
activity:

    sid:2001569, "ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or
Infection"[2]
    sid:2012063, "ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID
Function Table Dereference (CVE-2009-3103)"[3]
    sid:2024297, "ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010"[4]

Recommended Steps for Prevention

    Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 
14, 2017.[5]
    Enable strong spam filters to prevent phishing emails from reaching the end
users and authenticate in-bound email using technologies like Sender Policy
Framework (SPF), Domain Message Authentication Reporting and Conformance
(DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
    Scan all incoming and outgoing emails to detect threats and filter 
executable files from reaching the end users.
    Ensure anti-virus and anti-malware solutions are set to automatically 
conduct regular scans.
    Manage the use of privileged accounts. Implement the principle of least 
privilege. No users should be assigned administrative access unless absolutely 
needed. Those with a need for administrator accounts should only use them when 
necessary.
    Configure access controls including file, directory, and network share
permissions with least privilege in mind. If a user only needs to read specific
files, they should not have write access to those files, directories, or
shares.
    Disable macro scripts from Microsoft Office files transmitted via email. 
Consider using Office Viewer software to open Microsoft Office files 
transmitted via email instead of full Office suite applications.
    Develop, institute, and practice employee education programs for 
identifying scams, malicious links, and attempted social engineering.
    Run regular penetration tests against the network, no less than once a 
year. Ideally, run these as often as possible and practical.
    Test your backups to ensure they work correctly upon use.
    Utilize host-based firewalls and block workstation-to-workstation 
communications.

Recommendations for Network Protection

    Disable SMBv1 and
    Block all versions of SMB at the network boundary by blocking TCP port 445 
with related protocols on UDP ports 137-138 and TCP port 139, for all boundary 
devices.

Note: disabling or blocking SMB may create problems by obstructing access to 
shared files, data, or devices. The benefits of mitigation should be weighed 
against potential disruptions to users.

Review US-CERT's Alert on The Increasing Threat to Network Infrastructure
Devices and Recommended Mitigations [6] and consider implementing the following
best practices:

    Segregate networks and functions.
    Limit unnecessary lateral communications.
    Harden network devices.
    Secure access to infrastructure devices.
    Perform out-of-band network management.
    Validate integrity of hardware and software.

Recommended Steps for Remediation

    Contact law enforcement. We strongly encourage you to contact a local FBI 
field office upon discovery to report an intrusion and request assistance. 
Maintain and provide relevant logs.
    Implement your security incident response and business continuity plan. 
Ideally, organizations should ensure they have appropriate backups so their 
response is simply to restore the data from a known clean backup.

General Advice for Defending Against Ransomware

Precautionary measures to mitigate ransomware threats include:

    Ensure anti-virus software is up-to-date.
    Implement a data backup and recovery plan to maintain copies of sensitive 
or proprietary data in a separate and secure location. Backup copies of 
sensitive data should not be readily accessible from local networks.
    Scrutinize links contained in emails, and do not open attachments included 
in unsolicited emails.
    Only download software—especially free software—from sites you know and
trust.
    Enable automated patches for your operating system and Web browser.

Report Notice

DHS encourages recipients who identify the use of tools or techniques discussed
in this document to report information to DHS or law enforcement immediately.
To request incident response resources or technical assistance, contact DHS's
National Cybersecurity and Communications Integration Center (NCCIC) at
NCCICcustomerservice@hq.dhs.gov or 888-282-0870. Cyber crime incidents can also
be reported to the Internet Crime Complaint Center (IC3) at
https://www.ic3.gov/default.aspx.
References

    [1] Bleeping Computer: Email Provider Shuts Down Petya Inbox Preventing 
Victims From Recovering Files
    [2] Emerging Threats 2001569
    [3] Emerging Threats 2012063
    [4] Emerging Threats 2024297
    [5] Microsoft: Security Bulletin MS17-010
    [6] US-CERT: The Increasing Threat to Network Infrastructure Devices and 
Recommended Mitigations
    [7] F-Secure: (Eternal) Petya from a Developer's Perspective
    [8] Microsoft TechNet: New ransomware, old techniques: Petya adds worm
capabilities
    [9] US-CERT: Ransomware and Recent Variants

Revision History

    July 1, 2017: Initial version

This product is provided subject to this Notification and this Privacy & Use 
policy.
A copy of this publication is available at www.us-cert.gov. If you need help or
have questions, please send an email to info@us-cert.gov. Do not reply to this
message since this email was sent from a notification-only address that is not 
monitored. To ensure you receive future US-CERT products, please add 
US-CERT@ncas.us-cert.gov to your address book.

=== Cut ===


.- Keep the faith, --------------------------------------------------.
|                                                                    |
|    Ben  aka cMech  Web: http|ftpinkp|telnet://cmech.dynip.com    |
|                  Email: fido4cmech(at)lusfiber.net                 |
|              Home page: http://cmech.dynip.com/homepage/           |
`----------- WildCat! Board 24/7  +1-337-984-4794  any BAUD 8,N,1 ---'

... I won't attend your parole hearings.
--- GoldED+/W32-MSVC v1.1.5-b20170303 under Win32/VM via Mystic BBS!
 * Origin: FIDONet - The Positronium Repository (1:393/68)
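One way to carry out the alert's "Recommendations for Network Protection" (disable SMBv1, block TCP 445 and the related NetBIOS ports) together with its host-based firewall advice on a single Windows workstation. This is an added example, not part of the US-CERT alert or of the post above; it assumes an elevated PowerShell 5.1 session on Windows 10 and a workstation that serves no file shares of its own.

```powershell
# Added example (not from the alert): SMBv1 removal plus host-firewall blocks
# for the SMB/NetBIOS ports named in TA17-181A. Run from an elevated prompt.
# Assumption: this host is a workstation that does not need to serve shares.
#Requires -RunAsAdministrator

# 1. Report and disable the SMBv1 server-side protocol (the MS17-010 attack surface).
$smb = Get-SmbServerConfiguration
Write-Host "SMB1 server protocol enabled before change: $($smb.EnableSMB1Protocol)"
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 2. Remove the SMB1 optional feature (client and server components).
#    The removal completes on the next reboot.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 3. Block inbound SMB and NetBIOS on all firewall profiles. This cuts the
#    workstation-to-workstation SMB path the variant spreads over; as the alert
#    notes, it also stops other users reaching shares hosted on this machine.
$rules = @(
    @{ Name = 'Petya-Mitigation Block inbound SMB TCP 445';         Protocol = 'TCP'; Port = '445'     },
    @{ Name = 'Petya-Mitigation Block inbound NetBIOS TCP 139';     Protocol = 'TCP'; Port = '139'     },
    @{ Name = 'Petya-Mitigation Block inbound NetBIOS UDP 137-138'; Protocol = 'UDP'; Port = '137-138' }
)
foreach ($r in $rules) {
    # Idempotent: skip rules that already exist so re-runs do not duplicate them.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
            -Protocol $r.Protocol -LocalPort $r.Port -Profile Any | Out-Null
    }
}

# 4. Verify the resulting state: SMB1 should read False, and three block rules
#    should list the expected protocol/port pairs.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-NetFirewallRule -DisplayName 'Petya-Mitigation*' |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

On a file server, apply only steps 1 and 2 and leave the port blocks to the network boundary devices the alert describes.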