Huawei Weiran Labs Comprehensively Analyzes the Petya Ransomware Attack Sweeping Across Ukraine
On the evening of June 27 (China Standard Time), a ransomware attack swept across Europe, and infections were also reported in other countries and regions. Over 2,000 computers were infected in the United Kingdom, France, the United States, and Germany, but Ukraine was hit especially hard. The ransomware attacked the computers of major banks and government leaders.
Effects of the Attack
As soon as a system is infected, the ransomware encrypts the Master File Table (MFT) on its hard drive and modifies the master boot record (MBR). It then adds a system restart to the Task Scheduler. After a certain time, the system displays the following dialog box and restarts.
While restarting, the ransomware runs a fake hard drive check, during which it actually encrypts the content of the hard drive.
It then displays a message indicating that the user must pay $300 in bitcoin or will be unable to use the computer.
Method of Attack
The ransomware first infects local network users through email — specifically, through a phishing email including an RTF file that exploits the CVE-2017-0199 vulnerability. If a user opens the file, malicious code that downloads the ransomware is automatically run on the computer.
Once the ransomware is on a local host, it transmits itself throughout the local network in the following two ways:
- Breaking a weak system password
- Exploiting the EternalBlue vulnerability (MS17-010)
The following diagram shows how the ransomware is transmitted.
Measures for Mitigation
Do Not Open Suspicious Emails
Ransomware is commonly spread through phishing emails. Users must be more aware of security risks and avoid opening emails whose source is unknown or that contain suspicious links or attachments.
Change System Passwords
To prevent system passwords from being cracked, users with weak passwords must configure stronger passwords immediately.
Install Security Patches
Install the update located at the following link to address the CVE-2017-0199 vulnerability:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199
Install the update located at the following link to address the EternalBlue (MS17-010) vulnerability:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Provisional Measures
1. Close ports 139 and 445. Users were also instructed to close these ports in response to WannaCry.
2. Stop the WMI Service.
The procedure to disable this service is as follows:
Run services.msc.
Double-click Windows Management Instrumentation.
Stop the service.
3. Enable the kill switch.
Researchers have discovered that this ransomware also includes a kill switch. When the ransomware is run, it first searches for a local file. If the file can be found, the ransomware does not proceed with encryption. To enable the kill switch, create a plain text file called perfc in the c:\windows directory and set it to read-only.
A script to perform these actions has been developed and is available at the following link:
https://download.bleepingcomputer.com/bats/nopetyavac.bat
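The three provisional measures above, applied and then verified from one elevated PowerShell session. This is an added example, not the page's own procedure or the nopetyavac.bat script linked above; it assumes Windows 8 / Server 2012 or later (the built-in NetSecurity module supplies New-NetFirewallRule), and the firewall rule names are chosen here.

```powershell
# Added example: apply the three provisional measures and report the resulting state.
# Assumes an elevated session on Windows 8 / Server 2012 or later.

# 1. Close ports 139 (NetBIOS session) and 445 (SMB) for inbound traffic.
$smbPorts = @{ 'Block inbound TCP 139 (NetBIOS)' = 139; 'Block inbound TCP 445 (SMB)' = 445 }
foreach ($name in $smbPorts.Keys) {
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $smbPorts[$name] -Action Block -Profile Any | Out-Null
    }
}

# 2. Stop the WMI service. Winmgmt is the service name shown as
#    "Windows Management Instrumentation" in services.msc; -Force also stops
#    services that depend on it. Note that management and monitoring agents
#    built on WMI stop working until the service is re-enabled after patching.
Stop-Service -Name Winmgmt -Force
Set-Service -Name Winmgmt -StartupType Disabled

# 3. Kill switch: a read-only plain text file named perfc in C:\Windows.
$killSwitch = Join-Path $env:SystemRoot 'perfc'
if (-not (Test-Path $killSwitch)) {
    New-Item -Path $killSwitch -ItemType File | Out-Null
}
Set-ItemProperty -Path $killSwitch -Name IsReadOnly -Value $true

# Verification: one line per measure so the result can be audited or logged.
$checks = [ordered]@{
    'TCP 139 blocked' = [bool](Get-NetFirewallRule -DisplayName 'Block inbound TCP 139 (NetBIOS)' -ErrorAction SilentlyContinue)
    'TCP 445 blocked' = [bool](Get-NetFirewallRule -DisplayName 'Block inbound TCP 445 (SMB)' -ErrorAction SilentlyContinue)
    'WMI stopped'     = (Get-Service -Name Winmgmt).Status -eq 'Stopped'
    'perfc read-only' = (Get-Item $killSwitch).IsReadOnly
}
$checks.GetEnumerator() | ForEach-Object { '{0,-16} {1}' -f $_.Key, $_.Value }
```

Every check should print True; a False line identifies the measure that still needs attention on that host.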
Huawei Security Prevents Attacks
This ransomware attack exploits two major vulnerabilities to transmit itself: CVE-2017-0199 and MS17-010. These are known vulnerabilities, and Huawei security products can effectively detect files containing code that exploits CVE-2017-0199 and traffic that exploits MS17-010.
Traditional defense-oriented security systems are no longer able to effectively protect against unknown threats, and relying on updated signatures to stop ransomware is insufficient. For these reasons, it is necessary to create new security systems centered on the detection of unknown threats.
Using virus- and reputation-based scanning, static analysis, and virtual execution technologies, as well as Huawei’s unique behavior pattern library, the FireHunter6000 series is capable of detecting unknown malicious files and providing accurate detection reports accordingly. It interworks with other security devices to quickly block advanced malicious files, preventing unknown threats from spreading and protecting core information assets for enterprises. The FireHunter is especially applicable to finance and government agencies, energy providers, and high-tech enterprises.
Huawei's FireHunter6000 reproduces email traffic and tests the attachments extracted from emails to effectively capture any malicious RTF files contained in them. It identifies ransomware attacks like Petya as well as suspicious network communications.
Huawei's intrusion prevention products can also detect attacks that exploit CVE-2017-0199 and MS17-010. To ensure full protection, users are advised to update their IPS signature databases.
| Item | Description | Notes |
| IPS signature database version | 20170628xx | The last two characters xx differ based on product model. All signature databases released on or after the date specified (June 28, 2017) can protect against these vulnerabilities. |
| IPS signature ID | 372910, 372912, 372913 | Microsoft Office OLE2link remote code execution vulnerability |
| Supported devices | USG6000/9500 series, Eudemon 8000E series, and NIP6000 series or higher | For details, see the website containing the IPS signature database. |
| IPS signature database link | | |
| Update method | Devices connected to the Internet can update themselves automatically. To perform a manual update, visit the preceding address and download the offline update package. | |
In addition, we strongly recommend that users install system patches as described in the previous section. Installing these patches removes the vulnerability and eliminates the possibility of attack.
