Detecting Petya Ransomware

Today SC Magazine and other news organizations are reporting a large number of global cyber infections connected with a new variant of the Petya ransomware.

For instance, Ukraine is reported to be particularly hard hit, including key infrastructure.

This ransomware has also impacted the Danish shipping company Maersk, which has publicly confirmed that its “IT systems are down across multiple sites and business units due to a cyber attack”. The American pharmaceutical company Merck & Co has also confirmed that it has been impacted.

Earlier today the BluVector Threat Research Team obtained a sample of the Petya ransomware involved in this incident. This sample (MD5: 71B6A493388E7D0B40C83CE903BC6B04, SHA256: 027CC450EF5F8C5F653329641EC1FED91F694E0D229928963B30F6B0D7D3A745) was flagged with a high confidence score as likely malicious by our supervised machine learning-based network monitoring and analytics platform, without relying on any signature or rule. The sample was then submitted to VirusTotal, where only 12 out of 61 products flagged it as known bad (a 20% hit rate), meaning the ransomware was likely to evade the perimeter defenses of a large number of organizations. A later sample (MD5: E285B6CE047015943E685E6638BD837E, SHA256: 64B0B58A2C030C77FDB2B537B2FCC4AF432BC55FFB36599A31D418C7C69E94B1) was also flagged as very likely malicious.

The Petya samples attempted to encrypt 65 file extensions:

.3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl,
.dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg,
.nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar,
.rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx,
.vsv, .work, .xls, .xlsx, .xvd, .zip

The rapid spread of this malware is being attributed to its use of both WMIC and PSEXEC to move laterally through a network, in addition to its use of the EternalBlue SMB exploit previously seen in the recent WannaCry outbreak. This means that Windows systems patched with MS17-010 are still potentially at risk of being compromised, since the ransomware has these other avenues to propagate. Petya also uses the wevtutil utility to clear the Windows system event logs to avoid post-event detection.

Beyond machine learning detection, our integration with major SIEM and analytics solutions helps the security operations team correlate BluVector’s network detection with activity on the affected hosts. Security teams can automatically attribute Petya’s malicious log-clearing activity and scheduled task creation to this ransomware variant by using either our published Splunk Enterprise Security or IBM QRadar applications.
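As an added illustration of that host-side correlation (example code written for this post, not BluVector’s Splunk or QRadar content), the following Python flags the commands named above, wevtutil log clearing, schtasks task creation and WMIC/PSEXEC lateral movement, and raises an alert when log clearing and task creation appear on the same host within a short window. The event records, the 300-second window and the command-line values are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"ts": 1498557600, "host": "WS-17",  "cmd": r"C:\Windows\system32\wevtutil.exe cl Setup"},
    {"ts": 1498557601, "host": "WS-17",  "cmd": r"wevtutil cl System"},
    {"ts": 1498557603, "host": "WS-17",  "cmd": r"schtasks /Create /SC once /TN x /TR C:\tmp\r.cmd /ST 14:35"},
    {"ts": 1498557610, "host": "WS-17",  "cmd": r"wmic /node:10.0.0.23 /user:admin process call create C:\tmp\p.dll"},
    {"ts": 1498557700, "host": "SRV-02", "cmd": r"wevtutil qe Security /c:5"},      # benign query, not a clear
    {"ts": 1498557720, "host": "SRV-02", "cmd": r"schtasks /Query /TN Backup"},     # benign query
    {"ts": 1498561200, "host": "WS-04",  "cmd": r"schtasks /Create /TN Patch /TR update.exe /SC daily"},  # lone task
]

# Case-insensitive patterns for the three behaviours the post describes.
RULES = {
    "log_clear":  re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "sched_task": re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I),
    "lateral":    re.compile(r"\b(psexec(\.exe)?\s+\\\\|wmic(\.exe)?\b.*?/node:)", re.I),
}


def classify(cmd):
    """Return the names of every rule whose pattern matches this command line."""
    return [name for name, pat in RULES.items() if pat.search(cmd)]


def correlate(events, window=300):
    """Emit one alert per host that shows log clearing and scheduled-task creation
    within `window` seconds of each other; any lateral-movement command seen in
    the same window is reported alongside them."""
    hits = defaultdict(list)
    for ev in events:
        for tag in classify(ev["cmd"]):
            hits[ev["host"]].append((ev["ts"], tag))
    alerts = []
    for host, seen in hits.items():
        seen.sort()
        for ts, tag in seen:
            if tag != "log_clear":
                continue
            nearby = {t for s, t in seen if abs(s - ts) <= window}
            if "sched_task" in nearby:
                alerts.append({"host": host, "ts": ts, "tags": sorted(nearby)})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

A benign wevtutil query or a lone scheduled task on its own produces no alert; only the combination the post describes does.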

Since BluVector is not a closed-box appliance, our customers have access to the underlying Bro configuration, so they are free to use its SMB analyzer to detect this ransomware’s lateral movement over TCP port 445. Organizations that have not yet baselined their internal networks can use the same analyzer to identify unwanted use of the vulnerable SMB version 1 protocol and then disable or remediate it.

Once a malicious campaign is detected, vendors and researchers race to produce host- and network-based signatures. For example, Snort and Proofpoint/Emerging Threats signatures were released for the underlying MS17-010 exploit shortly after the WannaCry outbreak. BluVector accepts these signatures, such as Emerging Threats signatures 2001569, 2012063, and 2024297, which detect unwanted SMB activity and the EternalBlue exploit. Our ability to ingest both host- and network-based indicators of compromise lets more junior analysts identify these threats, freeing senior engineers’ and analysts’ time for prioritized projects.

Introducing Network Threat Assessment

BluVector finds threats that other malware detection solutions don’t. Many of our customers find those threats after adding BluVector to their detection process, typically within the first two weeks. So we’ve created the Network Threat Assessment as a way to prove BluVector’s machine learning superiority by using their network to find threats within their environments that they don’t already know about.
