Mark asked:
Identifying wannacry and petya threats

I've been researching these recent ransomware attacks, but have not found what I'm looking for, maybe because there's so much out there I just haven't gotten to it all. Cutting to the chase ...

I've found that petya encrypts files with certain file types (of course). Does it retain or change the modification time of the encrypted file?

Does either petya or wannacry create ransom message files like cryptowall's HELP_DECRYPT?

Are there any additional indicator files these malware will create on, e.g., a shared NAS storage device (versus simply on the infected computer itself)?

According to what I've read this variant uses the Windows Management Instrumentation Command-line (WMIC) interface for lateral movement over SMB (Server Message Block) and using the EternalBlue (MS17-010) exploit. Questions:

Is it possible for a pure Linux system which does use CIFS?

Is it possible for Windows workstation peers to infect each other in a system that does use Samba for file sharing on Linux-hosted Samba mounts?

Is it possible for this malware to infect Linux workstations?

Can anyone provide some references on more details on Wannacry and Petya?

--more information ...

I found this at https://blog.barracuda.com/2017/06/29/notpetya-both-more-and-less-than-it-seems

A typical NotPetya attack we observed starts its life as an RTF file with a .doc extension attached to an email ... In the RTF attack vector, using a .doc file extension helps ensure that Microsoft Word is used to open the RTF file ... Attempting to ensure Word opens the file is important in this case due to the use of CVE-2017-0199 for this part of the attack ... in this case a block of obfuscated JavaScript.

Questions:

Is the referenced "JavaScript" normal javascript or Microsoft's .js? I have the latter disabled on all Windows workstations.

If running LibreOffice on Windows workstations instead of Word, does this vulnerability still exist?

I did find that Wannacry creates files with .WNCRYT AND .WNCRY endings.

Thanks in advance for any help.
Mark (ASKER):

btan:
Petya drops a text file called README.TXT in each fixed drive.

Would a mapped network drive, e.g. X:, be considered a "fixed drive"?

Yes, as long as there is a drive letter. Note also that the AES key generated for encryption is per machine, per fixed drive, and gets exported and encrypted using the embedded 2048-bit RSA public key of the attacker.

First, though, and again, PETYA is a very poorly chosen name for this attack. PETYA is over a year old and the current version is a melding of PETYA AND WANNACRY. PETYA encrypts the MFTs on the machines it gets launched on. WANNACRY uses a vulnerability in the SMB1 network protocol to spread the Trojan to every PC available on the network. Luckily, SMB1 is from the 1980s, was patched by the January 2017 updates, and is probably only in use with some multifunction devices where the "scan to PC" option was set up.
Mark (ASKER):
Yes, I understand about the confusion over the name. The Homeland Security US-CERT site/list initially called it Petya. Later, others called it various things like notPetya, PetrWrap (Kaspersky), etc.

One thing I'm trying to do is look for indicator files which the malware drops in infected folders. We were hit by CryptoWall a couple of years back (we had backups), which infected the NAS shared files from a network attachment on the patient-zero computer. This malware puts the file HELP_DECRYPT.* in each encrypted directory. WannaCry puts *WNCRYT or *WNCRY in the folders. We only found out about the CryptoWall attack when a user tried to open an encrypted file. So, one mitigation thing I'm doing is searching users' redirected folders and one of the NAS directories for such known files. As with "petya", these malware have a way of mutating and reappearing again in the future. So, if the mutators happen to use the same indicator files, at least we'll have some relatively quick notification.

[not]Petya's use of README.TXT is clever in that it's not distinctive, making it difficult to search on that uniquely. I also run a scanner looking for any important file changes on users' C: between scans. This scan flags on content change or time change. If, as btan says, the timestamp does not change on the file, that's another bit of cleverness, although the scanner should show the md5sum changing on a massive number of files.

So, given that DLLs and Windows-specific elements are involved, it appears that Linux and Apple computers cannot be affected by this, although their email clients could serve as infection vectors to Windows recipients.

I'll investigate turning off scripting/macros in Word and LibreOffice. A bit more difficult for Excel since formulas can be an important part of a spreadsheet. However, our clamav anti-virus program does detect and quarantine messages with Excel attachments containing macros, and the spamassassin program is programmed to reject messages with .docm, .xlsm, .js, .exe, etc. attachments.

Carbon Black also provided a pretty detailed investigation into this latest *Petya* malware: https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/

Any last comments before I close this?
If you read that article I posted in my first post, it says to inspect the Windows folder for files named perfc and, especially, a file named perfc.dll is a prime indication of infection. The BAT file which can be downloaded from it creates dummy perfc files which then prevent an attack from creating/replacing the dummy files. It won't stop future mutations; but it is a step in the right direction.....
For detection, you would need to have a GPO startup script that would report any PCs where the perfc files were found.

Since we know it is targeting SMB v1, that would also be part of the scanning criteria.
In particular, a related scanner is shared. But do note this tool will also be sending anonymous usage statistics (i.e. the number of responsive and SMBv1-enabled computers). Nothing else about your host, IPs, or anything else.
http://omerez.com/eternalblues/
Mark (ASKER):
Davis McCarn: Yes, I did see that perfc[.dll] comment. However, at the moment, I don't have scan programs running on each individual workstation. Probably something to consider. I have a scanner running from the domain controller which mounts and scans each workstation's C: drive, and that *would* reveal a new file: perfc. I can possibly look for that in my current scanner. However, to make the rounds of the office this way takes a while, so it may be an "after the horse leaves the barn" kind of late if I get notified from that source. On the other hand, it takes less than a minute to scan the NAS shared folders and not much longer to scan the redirected folders from the AD/DC, so if these indicator files appear in those places I'll get immediate notification.
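An added example, not code from this thread, of the two checks Mark describes above: a sweep of a share for the indicator filenames named in the thread (HELP_DECRYPT.*, *.WNCRY / *.WNCRYT, README.TXT, perfc / perfc.dll), and an md5sum-style baseline diff that raises an alert when an unusually large number of files change between scans. The share directory, file contents and change threshold are constructed for the demo.

```python
import fnmatch
import hashlib
import os
import tempfile

# Indicator filenames named in the thread: CryptoWall's HELP_DECRYPT.*, WannaCry's
# *.WNCRY / *.WNCRYT, NotPetya's README.TXT (per fixed drive, low-signal alone)
# and the perfc / perfc.dll marker files. Matched case-insensitively on basename.
INDICATOR_GLOBS = ["HELP_DECRYPT.*", "*.WNCRY", "*.WNCRYT", "README.TXT", "PERFC", "PERFC.DLL"]

def find_indicator_files(root):
    """Paths under root whose basename matches a known indicator glob."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if any(fnmatch.fnmatchcase(name.upper(), g) for g in INDICATOR_GLOBS):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def snapshot(root):
    """Map each file under root to its MD5 digest (an md5sum-style baseline)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                snap[path] = hashlib.md5(fh.read()).hexdigest()
    return snap

def changed_files(before, after):
    """Files whose content changed or appeared since the baseline snapshot."""
    return sorted(p for p, digest in after.items() if before.get(p) != digest)

def run_demo(threshold=3):
    """Constructed share: five documents, then a simulated mass rewrite plus a ransom note."""
    share = tempfile.mkdtemp(prefix="nas_share_")
    for i in range(5):
        with open(os.path.join(share, f"report{i}.docx"), "wb") as fh:
            fh.write(b"quarterly figures %d" % i)
    baseline = snapshot(share)
    # Simulate an encryptor rewriting every document and dropping a CryptoWall-style note.
    for i in range(5):
        with open(os.path.join(share, f"report{i}.docx"), "wb") as fh:
            fh.write(b"\x00scrambled %d" % i)
    with open(os.path.join(share, "HELP_DECRYPT.TXT"), "w") as fh:
        fh.write("constructed ransom note")
    changed = changed_files(baseline, snapshot(share))
    indicators = [os.path.basename(p) for p in find_indicator_files(share)]
    return {"indicators": indicators, "changed": len(changed), "alert": len(changed) > threshold}
```

On a real share the baseline would be persisted between scheduled scans rather than rebuilt in the same run, and the threshold tuned to the share's normal churn.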
This year (2017) the cybercriminals will generate revenues in excess of one trillion dollars worldwide and, at that scale, about all we can do is to be hyper reactive and vigilant.
Keep Windows updates current. Have routine backups that are either offline or inaccessible as a network share. Pray that none of your users will try to open a malicious attachment or fall for a phishing scam (according to an article I read recently, this is the main form of successful attack).
I don't really know how to implement it; but, it seems to me that detecting a sudden, major uptick in read/write activity from a workstation and then being able to isolate it, thereby minimizing the damage, is the only way to prevent encrypting ransomware from devastating your network.
Mark (ASKER):
Davis McCarn: Yes, we do have local-offline and offsite backup and can restore the shared drive to within 20 minutes of the attack. We also have Acronis on all workstations so those can be restored to end-of-day from the day before. All of which we did when hit with the CryptoWall a couple of years ago -- yes, it was from a user going to a website with an infected flash (flash is no longer permitted on user workstations).

You're right, something to detect massive writes to lots of different files would be useful, but potentially tough on system resources. The scanner I have running will detect that (md5sum changes), but may not report for many minutes.

Thanks all for your feedback on this.