NH-ISAC Alert: TLP White distribution regarding ongoing Petya attack

This information is marked TLP White: Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.

*Any reproduction or reposting of this content requires proper credit / attribution to NH-ISAC.

Summary

This new ransomware attack was first observed on June 27, 2017. Impacted entities are mostly in the EU at this time, but we also have reports of a US healthcare entity being impacted. Multiple sectors, including financial, telecom, transportation, healthcare and energy, have reported that their operations are impacted.

The initial infection vector is still unknown at this time.

There are public reports that Petya is using ETERNALBLUE/DOUBLEPULSAR for lateral movement, and that seems to be a part of it. We can’t confirm this yet (we are still looking for code or behavior that would indicate ETERNALBLUE).

There is a lateral movement component that performs the following:

  1. Enumerate currently active connections using WNetOpenEnum
  2. Enumerate the current user's credentials using CredEnumerateW
  3. Attempt to connect to the enumerated machines with the enumerated credentials using WNetAddConnection2

After the malware executes, it establishes a scheduled task to reboot the machine after 1 hour. This delay gives it time to infect other victims on the network. Once the reboot occurs, the malware shows a fake CHKDSK screen, encrypts the master file table, and displays the ransom message.
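A defender-side check for the delayed-reboot scheduled task described above, as an added example that is not part of the NH-ISAC alert: it parses Task Scheduler XML, such as the TaskContent field of Windows Security event 4698 (a scheduled task was created), and flags one-time restart tasks due shortly after creation. The use of shutdown.exe with a restart switch, the 2-hour window, and all sample hosts, times and tasks are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption: the reboot action is shutdown.exe with a restart switch (/r or -r).
REBOOT_RE = re.compile(r"\bshutdown(\.exe)?\b.*\s[/-]r\b", re.I)
MAX_DELAY = timedelta(hours=2)  # alert describes a 1-hour delay; allow some slack

def is_delayed_reboot_task(task_xml, created):
    """True for a one-time restart task due within MAX_DELAY of its creation."""
    root = ET.fromstring(task_xml)
    actions = [f'{e.findtext("t:Command", "", NS)} {e.findtext("t:Arguments", "", NS)}'
               for e in root.iterfind("t:Actions/t:Exec", NS)]
    if not any(REBOOT_RE.search(a) for a in actions):
        return False
    for trig in root.iterfind("t:Triggers/t:TimeTrigger", NS):
        try:
            start = datetime.fromisoformat(trig.findtext("t:StartBoundary", "", NS))
        except ValueError:  # missing or unparseable start time
            continue
        if timedelta(0) <= start - created <= MAX_DELAY:
            return True
    return False

def flagged_hosts(records):
    """records: (host, creation time, task XML) tuples; returns hosts to triage."""
    return [host for host, created, xml in records
            if is_delayed_reboot_task(xml, datetime.fromisoformat(created))]

def make_task(command, arguments, start):
    """Build a minimal Task Scheduler XML document for the constructed samples."""
    return (f'<Task xmlns="{NS["t"]}"><Triggers><TimeTrigger>'
            f'<StartBoundary>{start}</StartBoundary></TimeTrigger></Triggers>'
            f'<Actions><Exec><Command>{command}</Command>'
            f'<Arguments>{arguments}</Arguments></Exec></Actions></Task>')

# Constructed sample records (hosts, times and tasks are made up for illustration).
SAMPLES = [
    ("WS-014", "2017-06-27T13:35:10",
     make_task(r"C:\Windows\system32\shutdown.exe", "/r /f", "2017-06-27T14:35:00")),
    ("WS-020", "2017-06-27T09:00:00",  # restart scheduled days ahead: maintenance
     make_task("shutdown.exe", "/r /t 0", "2017-07-01T03:00:00")),
    ("WS-031", "2017-06-27T10:00:00",  # runs soon, but does not restart the host
     make_task("defrag.exe", "C: /U", "2017-06-27T11:00:00")),
]

if __name__ == "__main__":
    print(flagged_hosts(SAMPLES))
```

A hit is a triage lead rather than proof of infection, since administrators also schedule short-notice restarts.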

Technical Indicators

Targeted extensions:

.3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip

IOCs:

027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

https://www.virustotal.com/en/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/

Drops….

02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f

https://www.virustotal.com/en/file/02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f/analysis/

Attacker Email:

wowsmith123456@posteo.net

Bitcoin Wallet:

1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

……………………………………………………………………………

Ransomware Note:

Ooops, your important files are encrypted. If you see this text, then
your files are no longer accessible, because they have been encrypted.
Perhaps you are busy looking for a way to recover your files, but don’t
waste your time. Nobody can recover your files without our decryption
service.

We guarantee that you can recover all your files safely and easily. All
you need to do is submit the payment and purchase the decryption key.

Please follow the instructions:

Send $300 worth of Bitcoin to following address:

1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

Send your Bitcoin wallet ID and personal installation key to e-mail
wowsmith123456@posteo.net. Your personal installation key:

*************

If you already purchased your key, please enter it below/ Key:

…………………………………………………………………………………………………….
