By Alex Cox, Christopher Elisan and Erik Heuser, RSA Research
A Ransomware variant known as "Petya/NotPetya" began making the rounds on June 27, 2017. This ransomware takes a different approach to denying access to the victim's files. Instead of the usual displaying of a message and letting the victim browse to really see that the target files are encrypted, this ransomware locks the user out of the whole system. It does so by modifying the system's Master Boot Record (MBR) and making the first boot sector code jump to the malicious code. This is a classic trick employed by boot-sector malware. As a result, the system is under the control of the ransomware and cannot be rebooted back to the Microsoft Windows operating system.
After every reboot or startup, the boot sector code is passed to the malware, displaying a splash page as seen in Figure 1.
Figure 1: "Petya/NotPetya" splash page
After the victim presses a key, it displays the message as seen in Figure 2.
Figure 2: "Petya/NotPetya" Ransomware
Unlike other ransomware attacks, wherein the victim can still use the system to purchase the decryption key, the only way for a "Petya/NotPetya" victim to do this is to use another system.
RSA Research traced the initial infection vectors to these primary sources:
- A subverted update file for a Ukrainian accounting software package that is mandated for use by the Ukrainian Government, which infects the machine that pulls the subverted file from the software company's update site.
- Propagation via the EternalBlue (also used in WannaCry) and EternalRomance exploits.
- Lateral movement via credentials stolen from the target host (on like configured hosts, this would allow infection of patched hosts).
Below is a detailed analysis of "Petya/NotPetya" ransomware.
|File Name: 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1.dll
File Size: 362360 bytes
PE Time: 0x5945EFBD [Sun Jun 18 03:13:01 2017 UTC]
Name Entropy MD5
.text 6.55 ac2bb78f4833ba7912cc59cf212ccbe5
.rdata 6.99 dd0dc0f90617202ff84c3bfe64150483
.data 5.43 5216f0c62d1fd41b1d558e129e18d0fe
.rsrc 8.0 f07e68575f50a62382d99e182baa05d5
.reloc 4.77 facab7a1f0a7f93668b076a8c88dbb8f
"Petya/NotPetya" uses a single ordinal to begin execution and, as engineered, is tracked by RSA NetWitness® Endpoint. It immediately opens the disk and overwrites the MBR and the NTFS boot record (discussed below). It then schedules a task to shut down and reboot the computer exactly one hour after the malware first launched. There are no persistence mechanisms other than the MBR and NTFS boot record.
Figure 3 "Petya/NotPetya" Execution Process
RSA NetWitness Endpoint is also designed to discover floating DLL's roughly the same size as the original DLL allocated inside the RunDLL32.exe's address space and four suspicious threads. RSA NetWitness Endpoint is built to tag these as suspicious due to the allocated segments of memory having the execute bit turned on and not part of the regular code segments mapped into memory by the Windows loader. In fact, instead of shellcode, an entire DLL has been mapped and run.
Figure 4 Floating DLL with Suspicious Threads
By digging into the binary itself, we find code appearing to ask the discovered DHCP server, as well as the IP address 255.255.255.255 information on the DHCP address range.
Figure 5 Enumeration of DHCP address space
This is detected in RSA NetWitness Endpoint and RSA NetWitness® Packet suite in several ways. RSA NetWitness Packet is designed to identify this as a rogue DHCP server given this behavior is uncommon for a client application.
Figure 6 Rogue DHCP Server
Figure 7 Malware Sending Request Parameter List Option
RSA NetWitness Endpoint is engineered to identify this through the SMB/RPC connections to all the machine IPs available in the DHCP servers' configured range.
Figure 8 Network Tracking Data for NEW
RSA NetWitness Endpoint is also built to pull the MBR and the NTFS boot record to see the changes this malware has made. The MBR appears to be destroyed, the code areas, partition tables, boot signatures and other portions of the modern MBR are replaced with the Figure 9.
Figure 9 OverWritten MBR
This is an ongoing investigation, and more will be posted as we continue our research.
Author: RSA Research
Category: Research and Innovation, Blog Post
Keywords: Ransomware, RSA FirstWatch, RSA NetWitness Endpoint, RSA Research