Alert Stop Bad Rabbit Ransomware In Its Tracks. Learn more

Protect Your Organization from Petya / NotPetya Ransomware with Carbon Black

Petya_Blog_CarbonBlack_Blog
logo
June 27, 2017 / Threat Research Team

Organizations from Russia to Britain were hit by a ransomware attack on Tuesday in a hack with similarities to the recent WannaCry attacks.  

Initial analysis showed that the malware seen is a recent variant of the Petya ransomware family based upon how it encrypts files and displays its ransom note. Analysis showed that this sample follows the encryption and ransom note functionality seen in Petya samples. If run with administrative privileges, this includes the overwriting of the Master Boot Record (MBR) by the malware to replace it with customized, malicious code.

However, additional analysis from Carbon Black Threat Research team and from the security community shows that the overall malware is largely dissimilar from known Petya samples and may be construed as a wholly different family of malware.

Upcoming Webinar: Stop Petya/NotPetya Ransomware

Analysis 

File Size: 362,360
MD5: 71b6a493388e7d0b40c83ce903bc6b04
SHA1: 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
SHA256: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
Fuzzy: 6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG
Magic: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
Import Hash: 52dd60b5f3c9e2f17c2e303e8c8d4eab
Compiled Time: Sun Jun 18 07:14:36 2017 UTC
PE Sections (5): Name Size MD5
.text 48,640 c5bd3bb710ae377938b17980692b785b
.rdata 34,304 46418e52b546c1f696eb8a524f18c56e
.data 20,992 5216f0c62d1fd41b1d558e129e18d0fe
.rsrc 247,808 f07e68575f50a62382d99e182baa05d5
.reloc 3,584 c5d1d4cdade7dcfbe14ec10dcf66cfb1
+ 0x57000 6,008 da2b0b17905e8afae0eaca35e831be9e (Authenticode Signature)

Initial analysis showed that the malware seen is a recent variant of the Petya family of ransomware. Analysis showed that this recent sample follows the encryption and ransom note functionality seen from Petya samples. If run with administrative privileges, this includes the overwriting of the Master Boot Record (MBR) by the malware to replace it with customized, malicious code.

The malware then forces a shutdown of Windows to force the system to boot from this new MBR code. Upon bootup, the code begins encrypting every sector of the hard drive while displaying a “chkdsk” output that shows a hard drive repair in progress. Upon completion, a ransom note is displayed to the user.

The malware also has the ability to clear Windows event logs by using the Windows wevtutil command. This is seen in action as:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D

Example of fake chkdsk screen as files are encrypted
Example of ransom note displayed after encryption

Notable from this example is the recent compile date and time of June 18, 2017, less than two weeks prior to the initial attack. Also, notable, is the authenticode digital signature of Microsoft Corporation, copied from the Microsoft System Internals tools. However, this signature is seen as not valid as it has long since expired.

Customer Protection

Carbon Black customers have multiple defenses against Petya ransomware.

Cb Protection with a Medium or High enforcement policy will prevent this file from being executed on a protected system. In Low Enforcement, known hashes have been classified as malware by SRS (reputation service), and will be blocked. Customers in Low Enforcement can also create custom rules that prevent C:\windows\perfc.dat from being written to disk or executed, to further improve coverage. Customers in Low Enforcement can also manually ban the known hashes for this malware.

Executables known to this attack are currently classified as high threats within the CDC-R and, as such, will be detected immediately by Cb Defense policies that include Delay Execution for Cloud Scan.

In Cb Response, this attack can be detected by creating a watchlist for filemod:C:\windows\perfc.dat. The VirusTotal and CDC Threat feeds will detect the known hashes for this malware. Customers can blacklist known MD5 hashes, the most prominent of which is 71b6a493388e7d0b40c83ce903bc6b04.

Possible mitigations include not only patching the know exploit, MS17-010, but also using Group Policy to disable local admin shares on systems.

Known hashes include:

027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

4ee2ae805c31ec4f11f3f6ecf56e9c6e2f59dcd517a5a73210b5e5015f63beea

b5ef16922e2c76b09edd71471dd837e89811c5e658406a8495c1364d0d9dc690

17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd

02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f

71b6a493388e7d0b40c83ce903bc6b04

e8fb95ebb7e0db4c68a32947a74b5ff9

da2b0b17905e8afae0eaca35e831be9e

TAGS: Carbon Black / Eternal Blue / Petya / ransomware

Related Posts