New Petya Ransomware Discovered: How Juniper protects
Juniper Networks is aware of a new variant of the Petya malware family. The malware combines a number of existing techniques to spread across vulnerable clients. We have begun the process of analysing today’s samples of Petya in the lab and can report that we are able to detect and prevent infection using our SkyATP and IDP technologies. Juniper will continue to update this blog as additional information becomes available.
The Petya family of malware is not new; one of our researchers has blogged about it before. This ransomware is sold to cybercriminals as a service, so they do not need to develop their own malware.
The ransomware tells the infected user that their data can only be recovered by paying a ransom equivalent to $300 in bitcoin. It's important to note that no payments thus far have resulted in successful decryption (source: Posteo blog).
How the malware spreads
This latest variant uses three primary means of attack to spread:
- CVE-2017-0199 (Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API) – a client-based vector that spreads via email, most likely as an attachment; the initial attachment seen was named Order-20062017.doc.
- Once executed, the infected computer attempts a connection to 126.96.36.199/myguy.xls, which is an MS HTA file. This results in a connection to french-cooking[.]com, which downloads and drops another executable (myguy.exe) on the local system, saved as <random>.exe, where <random> is a random number between 0 and 65535.
- Once infected, the ransomware attempts the second vector, exploiting MS17-010 (Windows SMB Remote Code Execution Vulnerability) with the ‘ETERNALBLUE’ exploit – a network-based vector for spreading across internal networks, and the same vulnerability used by the recent ‘WannaCry’ malware.
- The malware appears to leverage Windows WMI (Microsoft Windows Management Interface) to spread across internal networks if administrative credentials are available. The method of privilege escalation and/or credential theft that facilitates this is still being researched.
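As an added example (not part of this post or of Juniper's products), the indicators listed above can be turned into a retrospective check over web-proxy and mail-gateway logs to find hosts that fetched the HTA/dropper or received the malicious attachment. The log layouts and the sample lines are constructed for this example; the indicator values come from the list above.

```python
"""Scan constructed proxy and mail-gateway log lines for the Petya
indicators named in this post. Log layouts are assumptions for the example:
  proxy: <ts> <client_ip> <method> <url> <status>
  mail:  <ts> MAIL from=<addr> to=<addr> attachment=<name>
Adapt the regexes to the formats your own sources emit."""
import re

# Indicators from the post (the domain is defanged there; logs carry the real form).
HOST_IOC = "126.96.36.199"
DOMAIN_IOC = "french-cooking.com"
FILE_IOCS = ("myguy.xls", "myguy.exe", "Order-20062017.doc")

PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) \S+ (?P<url>\S+) \d+$")
MAIL_RE = re.compile(
    r"^(?P<ts>\S+) MAIL from=(?P<sender>\S+) to=(?P<rcpt>\S+) attachment=(?P<name>\S+)$"
)

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = """\
2017-06-27T10:01:02Z 10.0.0.5 GET http://126.96.36.199/myguy.xls 200
2017-06-27T10:01:07Z 10.0.0.5 GET http://french-cooking.com/myguy.exe 200
2017-06-27T10:02:00Z 10.0.0.9 GET http://intranet.example/index.html 200
2017-06-27T09:58:30Z MAIL from=billing@example.net to=ap@corp.example attachment=Order-20062017.doc
2017-06-27T09:59:00Z MAIL from=hr@corp.example to=all@corp.example attachment=policy.pdf
"""


def scan(log_text):
    """Return one hit dict per log line that touches a known indicator."""
    hits = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            url = m["url"].lower()
            # First match wins: host, then domain, then dropped file names.
            for ioc in (HOST_IOC, DOMAIN_IOC, *FILE_IOCS):
                if ioc.lower() in url:
                    hits.append({"ts": m["ts"], "src": m["client"], "ioc": ioc, "kind": "proxy"})
                    break
            continue
        m = MAIL_RE.match(line)
        if m and m["name"] in FILE_IOCS:
            hits.append({"ts": m["ts"], "src": m["rcpt"], "ioc": m["name"], "kind": "mail"})
    return hits


def affected_sources(hits):
    """Hosts or recipients to triage first, deduplicated and sorted."""
    return sorted({h["src"] for h in hits})
```

Run `scan(SAMPLE_LOGS)` to see the three flagged lines; a proxy hit on the HTA URL followed by a fetch from the second domain is the sequence the post describes and is a strong signal the client should be isolated before it reboots.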
Impact of infection
Initially, this ransomware appeared to centre its efforts on targets in Ukraine via accounting software, though more recent reports confirm that it is also affecting systems in Spain, France, Russia and India. More organisations across the globe may be affected as governments and businesses find themselves locked out of their own machines.
This malware is more malicious than most varieties of ransomware: Petya does not just encrypt files on a targeted system one by one, it also encrypts the hard drive’s master file table (MFT), which renders the master boot record (MBR) useless and leaves the system unable to boot.
On rebooting the infected system, the ransomware displays a fake CHKDSK error, whilst it’s encrypting the system.
However, the Petya ransomware has actually replaced the system’s MBR with custom malicious code that displays a ransom note, leaving the device unable to start:
Note that once the infected system has been rebooted, it is no longer trying to spread the infection (as the infected computer stops booting) and thus is likely to spread much slower than the WannaCry ransomware.
How Juniper protects
For Juniper SRX and IDP customers, MS17-010 is covered by multiple CVEs and their corresponding signatures. You should ensure the following IDP signatures are enabled in your environment.
| Signature | Description |
| --- | --- |
| SMB:CVE-2017-0145-RCE | SMB: Microsoft Windows CVE-2017-0145 Remote Code Execution |
| SMB:CVE-2017-0146-OOB | SMB: Microsoft Windows SMB Server CVE-2017-0146 Out Of Bounds Write |
| SMB:CVE-2017-0147-ID | SMB: Microsoft Windows SMB Server CVE-2017-0147 Information Disclosure |
| SMB:CVE-2017-0148-RCE | SMB: Microsoft Windows CVE-2017-0148 Remote Code Execution |
| SMB:ERROR:MAL-MSG | SMB: Malformed Message |
Additionally, the MS Office exploit is covered by IDP signature HTTP:STC:DL:CVE-2017-0199-RCE, available within signature pack 2860.
As Petya has been historically distributed via spam campaigns, Juniper Networks SkyATP email inspection techniques will identify this malware, as shown below.