Petya GDATA Ransomware

The cause of yesterday’s widespread Petya ransomware attack has been partly solved by Microsoft. Security teams originally believed the attack to have started through a corrupt MEDoc updater. In support, Microsoft says it has good evidence that a software supply-chain attack method was used.

In a blog post, the company says this ransomware wave started with a legitimate MEDoc process. This is a tax accounting software developed by Ukraine-based company M.E.Doc.

With this evidence, Microsoft has been able to solve how the initial attack started. Petya brought down airports, banks, and other institutions across Europe. While it was first believed the attack would be bigger than the recent WannaCry wave, it was more limited. However, it did particularly affect institutions in Ukraine, including Kiev airport.

Microsoft explains how Petya initiated:

“Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process. As we highlighted previously, software supply chain attacks are a recent dangerous trend with attackers, and it requires advanced defense.

We observed telemetry showing the MEDoc software updater process (EzVit.exe) executing a malicious command-line matching this exact attack pattern on Tuesday, June 27 around 10:30 a.m. GMT.”

As mentioned, the Ukraine was hit hard. Microsoft says 12,500 machines in the country were exploited by the ransomware. Other countries did not escape Petya, with significant reports in the US, Brazil, Russia, Denmark, and Germany. In total, 64 countries were affected.

Regarding the Petya name, the cyber community is now debating whether it should get that title. Petya is an existing malware, but this latest attack was distinct enough that some say it should receive its own moniker.

Microsoft describes the uniqueness of the malware to be able to have multiple lateral movement. This means it can spread across a network when only a single machine is infected. Similar to WannaCry, “Petya” used SMB vulnerabilities, while also utilizing credential-dumping techniques. This means it can target passwords across machines.

“Once the ransomware has valid credentials, it scans the local network to establish valid connections on ports tcp/139 and tcp/445. A special behavior is reserved for Domain Controllers or servers: this ransomware attempts to call DhcpEnumSubnets() to enumerate DCP subnets all hosts on all DHCP subnets before scanning for tcp/139 and tcp/445 services. If it gets a response, the malware attempts to copy a binary on the remote machine using regular file-transfer functionalities with the stolen credentials.”

Ransomware Details

As we discussed yesterday, the latest attack did not did not target encrypt files on a system. Instead, it replaces the PC MBR with a malicious code that locks the machine at the pre-boot stage and displays the ransom message.

For individuals, the cost of unlocking (paying the ransom) was $300 in bitcoin currency. It is unclear how much the hackers were charging companies.

Mikko Hypponen, a researcher for F-Secure, said Petya is attacking the following file formats: *.pdf, *.pptx, *.ppt, *.ova, *.php and many more. “Nothing is stopping Petya now. This could hit the U.S.A. pretty bad,” he said.

Hypponen said “Petya uses the NSA Eternalblue exploit but also spreads in internal networks with WMIC and PSEXEC. That’s why patched systems can get hit.”