PetrWrap Smarter, Better, Stronger: Second Global Ransomware Attack – GIG’s Urgent Recommendations
Article written by Claude Khoury
Businesses and government systems have been hit in a global ransomware attack. The malware, a variation of the Petya ransomware which some analysts are calling ‘GoldenEye’ or ‘NotPetya’, has so far encrypted files and hard drives on 2,000 machines. PetrWrap is a new variant of Petya which was discovered in 2016.
High-profile victims include Danish shipping giant Maersk, US pharmaceutical company Merck, international advertising conglomerate WPP, global law firm DLA Piper, and multiple private and public institutions in the Ukraine and Russia. This is the second global ransomware attack in the last two months. It follows the WannaCry outbreak in May that affected more than 150 organisations, including the UK’s National Health Service, German railways and Spanish telephone firm Telefonica.
What are Petya and PetrWrap?
PetrWrap uses the same encryption method as Petya that targets the Windows Master File Table to deny access to all files at once, with new protections. The protections are the patches to the vulnerabilities in the original Petya Malware that allowed it to be detected.
This ransomware employs the same exploits as WanaCrypt. So far, there is no kill switch found and there have been no weaknesses like those seen in WanaCrypt.
How does it infect?
The infection occurs in the same way as WanaCrypt and takes advantage of two attack vectors. The first is a modified version of the NSA’s stolen and leaked EternalBlue SMB exploit, previously used by WannaCry, plus the agency’s EternalRomance SMB exploit. The second consists of phishing emails with infected attachments and links that carry the hidden PetrWrap ransomware.
PetrWrap exploits a vulnerability in unpatched Windows operating systems that allows remote access to your computer. Once it has this access, it begins scheduling tasks to run in the background. It also contains code that lets it spread via the Windows file-sharing service SMB using the current user’s credentials, which allows it to copy itself. It does this by stealing the login information of the computer it infects. It spreads inside a network by stealing administrative credentials and using them to instruct other PCs to run the malware as well.
Like WannaCry, it has spread quickly, and hit high-profile targets including Ukrainian critical infrastructure providers. While WannaCry’s many design flaws caused it to falter after a few days, this latest ransomware threat has evolved and it does not have the kill-switch that allowed researchers to neuter WannaCry.
Unfortunately, PetrWrap abuses a core function of Windows, which may not be something that can be patched.
What does it do to your computer once infected?
The first thing that PetrWrap does is create scheduled tasks, the first of which schedules your computer to shut down and reboot. After the reboot it loads CHKDSK and displays a message that your drive has errors that need to be checked. This is in fact the ransomware taking hold and encrypting your files. Once the process is done, it displays a black screen with red text stating that the files are encrypted and that a ransom must be paid in order to unlock them.
PetrWrap also runs a command that deletes all Windows Security Event Logs.
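The two behaviours just described (a scheduled task that forces a reboot, followed by the Security event log being cleared) are the kind of thing a SOC can correlate. The detector below is an added example and not part of the original article: it runs over constructed sample log lines (the "timestamp|host|event_id|channel|message" layout is this example's own assumption, not a real log format), flags Windows Security event 4698 (scheduled task created) when the task runs shutdown with a reboot or shutdown switch, flags event 1102 (audit log cleared), and rates a host "high" when both occur within a short window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events for this example; not real NotPetya artefacts.
SAMPLE_EVENTS = [
    "2017-06-27T10:02:11|ws-01|4698|Security|A scheduled task was created. Command: C:\\Windows\\system32\\shutdown.exe /r /f",
    "2017-06-27T10:02:40|ws-01|4624|Security|An account was successfully logged on.",
    "2017-06-27T10:03:05|ws-01|1102|Security|The audit log was cleared.",
    "2017-06-27T11:30:00|ws-02|4698|Security|A scheduled task was created. Command: C:\\Tools\\nightly_backup.exe",
    "2017-06-27T12:00:00|ws-03|1102|Security|The audit log was cleared.",
]

# Matches shutdown / shutdown.exe followed by a reboot (/r) or shutdown (/s) switch.
REBOOT_TASK = re.compile(r"shutdown(\.exe)?\s+[/-][rs]\b", re.IGNORECASE)


def parse(line):
    """Split one constructed log line into typed fields."""
    ts, host, event_id, channel, message = line.split("|", 4)
    return datetime.fromisoformat(ts), host, int(event_id), channel, message


def signals(lines):
    """Return (host, time, signal) for each event that matches a PetrWrap-style behaviour."""
    out = []
    for line in lines:
        ts, host, event_id, channel, message = parse(line)
        if event_id == 4698 and REBOOT_TASK.search(message):
            out.append((host, ts, "reboot_task"))
        elif event_id == 1102 and channel == "Security":
            out.append((host, ts, "security_log_cleared"))
    return out


def correlate(lines, window=timedelta(minutes=10)):
    """Map host -> 'high' if both signals fall within `window`, else 'medium' for a lone signal."""
    by_host = {}
    for host, ts, sig in signals(lines):
        by_host.setdefault(host, []).append((ts, sig))
    verdicts = {}
    for host, events in by_host.items():
        kinds = {sig for _, sig in events}
        times = [ts for ts, _ in events]
        both_in_window = len(kinds) == 2 and max(times) - min(times) <= window
        verdicts[host] = "high" if both_in_window else "medium"
    return verdicts


if __name__ == "__main__":
    for host, verdict in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {verdict}")
```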
The current extent of infection worldwide.
At the time of writing this article, firms across Europe and the United States have been infected. This includes numerous companies and government departments in the Ukraine, drug manufacturer Merck, Russia’s largest oil company Rosneft, TNT Express in the Netherlands, DLA Piper in the USA, UK and Australia, and Cadbury/Mondelez in Australia.
What measures to take before infection?
Avast reported that around 38 million computers have not yet had the appropriate patches applied. In reality the number is much higher, since that figure only covers computers running Avast.
Judging by how many companies ignored the EternalBlue patch, even after the WannaCry threat, the attack is likely to persist for some time. This is particularly acute given that there are no decryption keys to restore PCs with infected filesystems. There is no way to pay the ransom, and the diversity of delivery options means that no single patch can provide complete protection against it. Notwithstanding this, you should still install the relevant patches as a matter of urgency.
Further mitigation advice includes:
- FIRST AND FOREMOST, PERFORM A BACK-UP TODAY, AND EVERY FOLLOWING BUSINESS DAY;
- Ensure you (and your company) have a robust backup regime so that all important files are backed-up. This includes ensuring that any external storage devices are not always connected to your network to prevent any infections from spreading.
- Your computers need to be patched with the latest updates from Microsoft.
- Be suspicious of any unexpected documents or link attachments you receive via email, no matter how enticing an attachment or embedded link may be (especially when sent from people that you know). Always verbally verify the source whenever possible before taking any further action;
- Consider awareness campaigns and staff training to ensure your employees are aware of the risks;
- Ensure that you have an effective anti-virus and anti-malware solution;
- Ensure that you conduct regular penetration tests on your systems;
- Administrators may stop the spread within a network via Windows Management Instrumentation by blocking the file C:\Windows\perfc.dat from running. Administrators can also use Microsoft’s Local Administrator Password Solution to protect the credentials that grant network privileges.
In the event of an infection:
The ransomware runs on boot, meaning that if you can interrupt a system before Windows boots, or if you encounter a “Check Disk” message, you MAY avoid having your files encrypted by quickly powering down and removing the hard drive to perform a forensic data extraction. NSI can assist with Forensic Data Extraction on unencrypted files.
What are the motivations of the attackers?
The attributes of this latest campaign narrow the type of actors motivated to instigate an attack of this type. While the original variant, Petya, was a money-making criminal enterprise, most of the mechanisms put in place to collect the ransom are no longer available. Instead, it is designed to spread fast and cause damage, using the appearance of ransomware for plausible deniability. The attack has a targeted approach to infection, suggesting that this campaign is possibly a proof-of-concept operation against a variety of industries and platforms.
Alternatively, it could be a diversionary tactic to facilitate the prepositioning of additional malware onto systems by harvesting credentials to gain lateral movement within a network. It is likely, given the success of the last two campaigns, that there will be more ransomware attacks to follow.