Petya, PetrWrap, ExPetr, GoldenEye, and WannaCry: a ransomware pandemic scorecard.
By The CyberWire Staff
Jun 29, 2017

When WannaCry broke out in May, a number of security experts warned that there was more, and worse, to come, and not necessarily from the same threat actors. That more and worse has now arrived.

On Tuesday a new ransomware campaign broke out of its initial infestation in Ukraine and spread worldwide. The code is a variant of the familiar Petya strain of ransomware security companies have been tracking at least since March of 2016. It had hitherto appeared mainly in targeted attacks—phishing with malicious Word documents as bait—but now it's acquired new features that have made it fast, dangerous, and indiscriminate.

Petya's code has been updated with worm functionality and the EternalBlue exploit the ShadowBrokers released on April 14, 2017. These enhancements strike some observers as sufficiently novel to warrant a new name, so one sees the campaign called, variously, "Petya," "PetrWrap," "NotPetya," and "Goldeneye." They're the same threat—we'll call it "Petya" for convenience, at least until another name gains currency. Kaspersky's choice of name makes a firm point about the difference. They call the malware "ExPetr," because while it shares strings with Petya, the new variant is in their view really a wiper, not crypto ransomware.

Update, 6.29.17: Consensus has grown that this instance of Petya, while it reused some code from the original ransomware, in fact represents quite a different threat. It's now more wiper than ransomware; its goal is disruption rather than extortion.

The current Petya infestation is regarded as better crafted code. It doesn't exhibit WannaCry's botched Bitcoin wallets, and its attack on master boot records renders it more dangerous. It also doesn't appear to have WannaCry's convenient kill switch.

WannaCry has been widely associated with North Korea's Lazarus Group, but speculation about this instance of Petya focuses on Russia. Ukraine, the original and principal victim, thinks the ransomware is Russia's work. And as with WannaCry, the return on the hackers' investment has been trivial in comparison with the scope of the attack: less than $10,000, according to recent reports.

Early reports said this time Petya spread by phishing with malicious Word files, but that seems incorrect. Tanium says the initial vector was a maliciously crafted update to widely used MeDoc accounting software.

A convenient account of the latest Petya that places it in context and summarizes its effects and mode of operation may be found in Recorded Future's report. We've heard from a number of security experts who've offered their take on Petya.

Petya and WannaCry: comparison and contrast.

Tom Pageler, Chief Risk Officer and Chief Security Officer at Neustar, said, "The Petya cyber-attack appears to be similar to WannaCry, but more advanced and lacking the 'kill switch' that was discovered in WannaCry. This cyber-attack was predicted by many experts, a beefed-up WannaCry. Organizations should be diligent about patching systems, as up-to-date systems are not susceptible to this type of attack."

Morey Haber, vice president of technology at BeyondTrust, notes that Petya differs from WannaCry in that it attacks "the whole file system at a very low level rather than file-by-file." He says, "Once the malware is installed, it looks for other systems to exploit using EternalBlue," and it can "exploit any system via lateral movement." Haber adds, "Petya also contains malware to scrape memory and the file system for passwords and execute psexec against remote targets to propagate the infection. This will compromise hosts even if they are patched for EternalBlue and leverage administrator credentials it discovers during its interrogation of the system.

"Encryption is at a low level using the Master File Tree tables for NTFS and overwrites the Master Boot Record (MBR) with a ransomware warning."

Paul Edon, director of international customer services at Tripwire, explained how the EternalBlue exploit functions. "EternalBlue exploits a known vulnerability within the Microsoft Server Message Block (SMB v1) protocol, which allows attackers to execute arbitrary code using specially crafted packets," he said. "Microsoft originally released a patch for supported Microsoft Operating Systems in mid-March 2017. After the WannaCry ransomware attacks, which also used EternalBlue to traverse networks, Microsoft released a further patch for legacy operating systems such as Windows XP and Windows Server 2003." (Another reason, if more were needed, to pay close attention to patch management.)

Exploiting a known vulnerability.

Jake Kouns, Chief Information Security Officer at RiskBased Security, offered the following summary:

"It has been reported that Petya is spreading by using a code execution vulnerability in Microsoft Office and WordPad (CVE-2017-0199) and then taking advantage of EternalBlue (CVE-2017-0145), which is the same vulnerability exploited by WannaCry.

"Most people would agree that WannaCry was a pretty big event, and it should have served as a big wake-up call as to the risks and importance of patching or - if not possible - applying proper workarounds to mitigate risk. Unfortunately, the fast spread of Petya makes it pretty clear that regardless of whether the reasons for not updating systems were valid or not, many companies were unable to properly address things the first time around.

"Neither of the vulnerabilities exploited by Petya are new. The vulnerability in Microsoft Office and WordPad, which exploits how OLE 2 Link objects in documents are permitted to request and execute HTA code, is known to have been exploited as far back as October of 2016 to deliver Finspy spyware and later the Dridex banking trojan. This vulnerability was patched in April 2017. EternalBlue, as we know, was also previously disclosed via NSA leaks and exploited by WannaCry. Microsoft provided a solution in March 2017 and even released special fixes for older, unsupported OS (Windows XP, Windows 8, and Windows Server 2003) in May 2017.

"There have been a lot of conversations recently concerning the ability to patch for many organizations, and how it is not always possible. No matter where you stand in this debate, if your organization is running unpatched software you are at serious risk and not only to these ransomware events. It is critical that all organizations, which are able, apply patches for these known vulnerabilities. If there is some legit reason for this not being possible, it is imperative to take other precautions and implement compensation controls to protect their systems and mitigate the risk. One such approach would be to stop using antiquated protocols such as SMBv1. It is 30 years old and even Microsoft have been warning against using it for a while - well before WannaCry.

"This is not the first and will not be the last systemic ransomware event to occur, and expect the next one to be an improvement of previous versions," is how Kouns concluded his glum assessment.
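The compensating control Kouns singles out, retiring SMBv1, can be audited and applied from an elevated PowerShell session. The script below is an added example written for this page; it is not from Kouns, RiskBased Security or the article, and it assumes Windows 8.1 / Server 2012 R2 or later, where the SmbShare cmdlets exist (older hosts need the registry and sc.exe route Microsoft documents instead). The function names `Get-Smb1Status` and `Disable-Smb1` are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and disable SMBv1 on one Windows host.
# Assumes Windows 8.1 / Server 2012 R2 or later (Get-/Set-SmbServerConfiguration present).

function Get-Smb1Status {
    # Server side: is the SMB1 listener still enabled in the LanmanServer configuration?
    $server = Get-SmbServerConfiguration
    # Client side: the SMB1 redirector is the kernel driver mrxsmb10; Get-Service
    # does not list drivers, so query Win32_SystemDriver for its start mode.
    $client = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='mrxsmb10'"
    [pscustomobject]@{
        ServerSmb1Enabled = $server.EnableSMB1Protocol
        ClientSmb1Present = ($null -ne $client)
        ClientSmb1Start   = if ($client) { $client.StartMode } else { 'NotInstalled' }
    }
}

function Disable-Smb1 {
    # Stop accepting SMB1 from the network (the EternalBlue attack surface).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Disable the client-side SMB1 redirector and drop it from the workstation
    # service's dependency list so LanmanWorkstation still starts after reboot.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

# Usage: record the before state, apply the change, record the after state.
Get-Smb1Status
Disable-Smb1
Get-Smb1Status   # the client-side change takes effect after a reboot
```

Run `Get-Smb1Status` alone first across a fleet (for example via `Invoke-Command`) to see where SMB1 is still on before disabling anything; hosts that still need it for legacy devices should be inventoried and segmented rather than silently broken.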

We also heard from researchers at AlienVault. Chris Doman, security researcher at the company, described the outbreak this way: "This is an ongoing ransomware campaign that is spreading quickly, reportedly through the EternalBlue exploit. The ransom note and code match a ransomware known as Petya. Initial reports were initially from Ukraine; however telemetry indicates the attacks are seen in many other locations." Doman says the sample he analyzed hit in four stages. It "writes a message to the raw disk partition, clears the Windows event log using Wevtutil, shuts down the machine, leverages PsExec (dllhost.dat) to spread, [and] encrypts files matching a list of file extensions."
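The log-clearing step Doman lists is itself visible in Windows' own logs: clearing the Security log writes event 1102 before the log is emptied, clearing the System or Application log writes event 104 to the System log, and with process-creation auditing enabled the `wevtutil cl` invocation appears as a 4688 event. The hunting function below is an added example for this page, not code from AlienVault or the article; it assumes an elevated session and that 4688 auditing with command-line logging is already on (otherwise the third query simply returns nothing). `Find-LogClearEvents` is the example's own name.

```powershell
#Requires -RunAsAdministrator
# Added example: look back over a host's logs for evidence that event logs were cleared.
# Assumes an elevated session; the 4688 match needs process-creation auditing
# with command-line logging enabled.

function Find-LogClearEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    $hits = @()
    # 1102: "The audit log was cleared" (Security log).
    $hits += Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102; StartTime=$Since} `
                          -ErrorAction SilentlyContinue
    # 104: System or Application log cleared, recorded in the System log.
    $hits += Get-WinEvent -FilterHashtable @{LogName='System'; Id=104; StartTime=$Since} `
                          -ErrorAction SilentlyContinue
    # 4688: process creation; keep only wevtutil run with the clear-log verb "cl".
    $hits += Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$Since} `
                          -ErrorAction SilentlyContinue |
             Where-Object { $_.Message -match '(?i)wevtutil(\.exe)?\s+cl\b' }

    # Drop empty query results, then present oldest first so the sequence is readable.
    $hits | Where-Object { $_ } | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName, MachineName, Message
}

# Usage: default window is the last seven days.
Find-LogClearEvents | Format-Table -AutoSize -Wrap
```

Because the malware clears the logs locally, this check is most useful against logs that were already forwarded to a collector; on an endpoint that has been wiped, the 1102 and 104 records may be the only trace that survives, and their absence proves nothing.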

Doman, writing to us Tuesday afternoon, noted that at the time of his communication the attackers had received $3000 from their victims, and that he expected that tally to rise. He noted darkly that he'd seen no confirmation that any victim who paid the ransom had recovered their files.

There are some complexities in the attack that await resolution. Doman said, "The samples exploiting CVE-2017-0199 were initially shared by an infected organization in Ukraine. These deploy a piece of malware called Loki. We have not seen these subsequently install Petya. It's possible they do; however at this point it's likely unrelated malware that coincidentally targeted an organization at the same time. Similarly, when WannaCry first came out many people mistakenly linked it to the delivery of an entirely different piece of malware called Jaff."

Doman's colleague at AlienVault, Security Advocate Javvad Malik, noted the effect the campaign is having on manufacturers. "It appears to be a new ransomware campaign impacting multiple countries and some major businesses with some manufacturing reportedly stopped. The ransomware appears to be a Petya variant that may be spreading via EternalBlue; although this is not confirmed yet." AlienVault is collecting and posting developments here.

Evolution of a ransomware strain.

Eldon Sprickerhoff, founder and chief security strategist at eSentire, is among those calling the infestation "Goldeneye." He told us in an email, "GoldenEye is a particularly virulent strain of the Petya ransomware that leverages the bones of Petya, but course-corrects weak spots in the original Petya strain. Like its predecessor, GoldenEye makes decryption very difficult. Creators improved the effectiveness of the strain by leveraging exploits associated with WannaCry. Early indicators show that companies who failed to update system patches are most susceptible. Businesses relying solely on anti-virus will also face increased risk, as most AV systems will be incapable of detecting GoldenEye - new hashes are emerging quickly, which means AV will have difficulty keeping up."

He added, "Our threat intelligence team has seen at least three different ransomware flavors emerge recently: the rapid deletion of files, exfiltration of data, and a new variant which works to lock down passwords before encryption, making backup restoration particularly tricky. GoldenEye, in particular, amplifies the rapid evolution of ransomware. Attacks are becoming more widespread, are moving faster, and are harder to kill. Businesses worldwide should treat this attack as an early warning: take this as an opportunity to ensure that backups and system patches are up-to-date, and tested. Ransomware is not going away; attacks like this will increase in frequency and sophistication."