Products
- Products
  
  Platform
  ShadowPlex Advanced Threat Defense
  Deception for early detection of cyber threats with precision and speed
  
  ShadowPlex Identity Protection
  Visibility, management and protection of identity stores and attack paths
  Acalvio Active Defense Platform
  Comprehensive and Award-winning Distributed Deception Platform
  
  What is Active Defense?
  Active defense detects and diverts attacks.
  
  Why do I need Acalvio Active Defense?
  Active Defense deceives and disrupts attackers.
Solutions
- Technology Solutions
  
  Industry Solutions
  Early Threat Detection
  Detect cyber threats early in the attack lifecycle to prevent adversary breakout
  
  Identity Threat Detection & Response
  Detect identity threats with precision and protect the identity architecture
  
  OT Security
  Protect OT environments from cyber threats with an easy-to-deploy and non-intrusive solution
  
  Red Teaming
  Strengthen defenses to detect red team activities
  
  Threat Hunting
  Active threat hunting to confirm latent threats and gain visibility to attacker TTPs
  
  Ransomware
  AI-driven deception to protect against known and zero-day ransomware variants
  
  Honeytokens for CrowdStrike
  Enterprise-scale honeytokens to protect against current and evolving identity threats
  
  Active Directory Protection
  Visibility to AD attack surface and detection of AD attacks
  
  Zero Trust
  Advance Zero Trust maturity through improved cyber visibility
  
  Insider Threats
  Unmask hidden dangers. Cyber deception for high-fidelity insider threat detection
  Public Sector
  Targeted solution for protecting Federal agencies in conformation with NIST and CISA recommendations
  
  Financial Services
  Transform Financial Cybersecurity with Innovative Cyber Deception and Active Defense
  
  Healthcare
  Active defense solutions thwart healthcare attacks before they can inflict real damage.
Resources
Partners
Company

Technical Analysis of Petya

by Team Acalvio | June 30, 2017

Acalvio Threat Research Labs

Petya is the most recent ransomware strain. It originated in Ukraine [1] and is spreading across Europe. This blog summarizes our technical analysis of Petya.

Technical Analysis

In addition to the encryption and ransomware functionality, the Petya malware has very aggressive spreading capabilities. The dropper analyzed was a VB6 packed binary which contains the malicious DLL. All of the functionality is executed from the DLL’s unnamed and only exported function.

All of the file encryption is located in the MBR code. The MBR is overwritten and the old MBR is saved on the physical disk at location 0x4400 (xor’ed with 0x07).

A fixtool could easily clean up the overwritten MBR on any Petya infected machine.

The ransomware’s aggressive spreading behavior is performed via the ETERNALBLUE smb exploit. The binary uses a global object containing dynamically populated entries for attackable targets. This global object is populated by several methods and is used by a thread which enumerates the object attacking each entry in the object/array synchronously.

The malware also attempts to propagate via WMI (presumably network share copy/execute remote task) to adjacent network hosts.

Credentials for spreading via WMI are obtained via CredEnumerate calls which are stored in a global object, accessed by the spreading WMI function

The targets are chosen exhaustively:

All IP addresses in the current system’s subnet are checked for Smb (port 139, 445)
If the system is a domain controller, then for every DHCP subnet in the DC, every current DHCP client from the subnet is target for spreading.

Every 3 minutes, the network is enumerated for additional targets:

All connected TCP endpoints in the Windows extended TCP table
All entries in the Address Resolution Protocol (ARP) mapping table
All network adjacent workstations, servers, and primary domain servers visible to the current host becomes target for spreading.

The malware sets a shutdown task with a timer counting down and after an interval, shutting down the system after attempting to spread, encrypting filtered files in the filesystem, and overwriting the MBR.
The malware cleans up the event log via a CLI command
wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c
Conclusion:
The severity of the infection gets multiplied due to the lateral movement techniques. Petya is not a new ransomware. However, it could increase the damage caused by using spreading techniques. Deception based detection are designed for timely, accurate and cost-effective detection of ransomware like Petya. To prevent worms like Petya, we would recommend not only to keep machines updated with the latest patches but also to deploy deception based detection solutions so that effective remediation steps can be taken in a timely fashion.

Reference:

[1] Petya Cyber attack: Ransomware spreads across Europe with firms in Ukraine, Britain and Spain shutdown. http://www.telegraph.co.uk/news/2017/06/27/ukraine-hit-massive-cyber-attack1/

IOC of the Analyzed Samples

MD5 af2379cc4d607a45ac44d62135fb7015

SHA-256 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

MD5 17c25c8a7c141195ee887de905f33d7b

SHA-256 e079fa28ea51fa98644164caf585ae3231d25372fccca1245902fb57488d4660

MD5 d0a0e16f1f85db5dfac6969562923576

SHA-256 03da4e05d9d8c0c28d1acbb4056d041fa6fc740bacb47d46083c9da469237404

MD5 71b6a493388e7d0b40c83ce903bc6b04

SHA-256 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745