On June 27, we saw yet another wave of ransomware with worm-spreading capability hit various countries around the world. This one, dubbed PetrWrap, seems to be similar to Petya but retrofitted with a few modules for indiscriminate lateral spread using the EternalBlue SMB exploit as well as WMIC and PsExec.

Initial Infection

One of the confirmed initial infection vectors is the update web site of a Ukrainian accounting software company hosted at http://www.me-doc.com.ua/. The update server was compromised, and a malware dropper was implanted and distributed to the users of the EzVit Tax software that companies in Ukraine must run. Cyphort was unable to corroborate any other method of initial infection.

Malware Payload

Once the malware runs, it drops a DLL which is started using rundll32.exe. It overwrites the Master Boot Record (MBR) and replaces it with its own bootloader. The bootloader starts encrypting the hard drive upon startup/reboot of the machine.


It then schedules a reboot of the system approximately one hour later. This may be an attempt to let it infect as many hosts as possible before the first signs of infection appear in an organization. After the reboot, it displays a screen that fakes a Windows process trying to repair the disk when in fact it is encrypting it.

The malware then displays a ransom note asking for $300 to be sent to a Bitcoin wallet, after which the user is to send their Bitcoin wallet ID and the personal key displayed to a hardcoded email address: wowsmith123456@posteo.net. This email address has been disabled by the ISP and therefore no victim can recover any decryption keys anymore.

Note that if the logged-in user does not have Admin privileges, a different ransom note is dropped in C:\README.txt as shown below. This note is always created after encryption of the files, but with Admin privileges you don't get to see it because of the reboot and the replacement of the MBR that locks the screen.

Lateral Spread

This ransomware embeds a worm-spreading capability using the SMB exploit EternalBlue, previously used by WannaCry and made public by the Shadow Brokers group after being stolen from the NSA. The image below shows a pcap of the attempt.

Additionally, the malware also attempts to spread using PsExec, which it drops from the main DLL as Windows\dllhost.dat. But it first needs to copy itself to the remote machine in the %ADMIN% folder.

Before it does so, it needs to steal credentials using another tool that it drops and executes in the TEMP folder under a random 4-character name, like %TEMP%\47A3.tmp.

Also, the stolen credentials must belong to the Administrator group on the target remote machine for this method to work, as shown below:


File Encryption

Immediately upon launch, the malware searches for and encrypts files with the following extensions using AES-128 encryption:

.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl
.dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg
.nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar
.rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv
.work .xls .xlsx .xvd .zip

Unlike other ransomware, it doesn't change the filename or file extension of the encrypted files, nor does it leave encryption markers in the file. It also seems this ransomware is not interested in home computers, as it does not encrypt photos, videos or music files. It only goes for business documents and databases.
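Because the encrypted files keep their names and extensions and carry no marker, a responder cannot find them by name; what gives them away is content that no longer matches the extension (missing file signature, near-8-bits-per-byte entropy). The triage script below is an added example written for this post, not Cyphort's code: the extension set is the report's list above, while the magic-byte values, the entropy threshold, the minimum-size cutoff and the function names are this example's own assumptions.

```python
import math
import os
from collections import Counter

# Extensions the report lists as targeted.
TARGET_EXTENSIONS = {
    ".3ds", ".7z", ".accdb", ".ai", ".asp", ".aspx", ".avhd", ".back", ".bak", ".c", ".cfg", ".conf", ".cpp",
    ".cs", ".ctl", ".dbf", ".disk", ".djvu", ".doc", ".docx", ".dwg", ".eml", ".fdb", ".gz", ".h", ".hdd",
    ".kdbx", ".mail", ".mdb", ".msg", ".nrg", ".ora", ".ost", ".ova", ".ovf", ".pdf", ".php", ".pmf", ".ppt",
    ".pptx", ".pst", ".pvi", ".py", ".pyc", ".rar", ".rtf", ".sln", ".sql", ".tar", ".vbox", ".vbs", ".vcb",
    ".vdi", ".vfd", ".vmc", ".vmdk", ".vmsd", ".vmx", ".vsdx", ".vsv", ".work", ".xls", ".xlsx", ".xvd", ".zip",
}
# Well-known signatures for some of those formats (assumed here, not taken from the report).
ZIP, OLE = b"PK\x03\x04", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAGIC = {".pdf": b"%PDF", ".rtf": b"{\\rtf", ".zip": ZIP, ".docx": ZIP, ".xlsx": ZIP, ".pptx": ZIP,
         ".vsdx": ZIP, ".doc": OLE, ".xls": OLE, ".ppt": OLE, ".msg": OLE, ".rar": b"Rar!\x1a\x07",
         ".7z": b"7z\xbc\xaf\x27\x1c", ".gz": b"\x1f\x8b"}
# Already-compressed formats are high-entropy by nature; there only a missing signature counts.
COMPRESSED = {".zip", ".docx", ".xlsx", ".pptx", ".vsdx", ".rar", ".7z", ".gz"}
MIN_SIZE, ENTROPY_THRESHOLD = 256, 7.2  # constructed defaults; tune them for your own data

def shannon_entropy(data):
    """Bits per byte: text sits around 4-5, AES ciphertext approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess(name, data):
    """Return (flagged, reason) given a file name and its leading bytes."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in TARGET_EXTENSIONS:
        return False, "extension not in target list"
    if len(data) < MIN_SIZE:
        return False, "too small for a reliable entropy estimate"
    magic = MAGIC.get(ext)
    if magic is not None and data.startswith(magic):
        return False, "expected signature present"
    if ext in COMPRESSED:
        return True, "expected signature missing"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return True, "high entropy" + (" and signature missing" if magic else "")
    return False, "entropy consistent with plaintext"

def scan(root, head=4096):
    """Walk a tree and yield (path, reason) for files that look encrypted."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                flagged, reason = assess(f, fh.read(head))
            if flagged:
                yield path, reason
```

Run scan() against a copy of a suspect share or a mounted backup, not the live host; a file that is legitimately compressed or encrypted at rest (a password-protected archive, a KeePass .kdbx) will also score high, so treat hits as triage candidates rather than proof.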

Impact

It seems that NotPetya specifically targeted Ukrainian organizations using the EzVit tax software and attempted to spread laterally using various methods. Unlike WannaCry, we have not seen any attempt to spread across networks to routable IP addresses that may still be vulnerable to EternalBlue. It is a bit of a mystery how this method of spreading reached so many countries in so little time.

It is critically important for organizations to have safe backups stored offsite to recover quickly from this kind of attack. Since the ISP hosting the ransom email address disabled the account fairly soon after discovery, victims were left unable to pay the ransom and try to recover their files.

Cyphort detects this threat as TROJAN_PETRWRAP, ransom_petya or EXPLOIT_ETERNALBLUE.

IOCs:

SHA256: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745