A massive attack erupted yesterday (June 27) worldwide, with a high concentration of hits in Ukraine – including the Ukrainian central bank, government offices and private companies.
While the malware used is yet undetermined, some researchers are speculating it to be a variant of Petya, a ransomware that encrypts the entire hard-drive rather than each file individually. Check Point analysis also shows involvement of Loki Bot for credential theft. Our analysis shows that the ransomware spreads laterally, exploiting SMB vulnerabilities.
From the Check Point research lab
- Infection chain for the Loki-Bot malware is : RTF file downloads corrupted xls which contains malicious js script, which in turn pulls an executable from another drop zone. The executable is Loki Bot.
- The Petya ransomware exploits an SMB vulnerability for lateral movement, which is a bit different from the exploit used in WannaCry. We will update with the specifics.
- Loki Bot’s infection vector is as following: Malicious email containing RTF file. The RTF exploits CVE-2017-0199 to downloads an xlsx decoy file. The binary of the “xlsx” file includes a js script, which is executed by the RTF file. When it runs, the script downloads Loki’s exe file and executes it.
- Still no confirmation that the Loki-Bot is related to the ransomware attack
- Petya’s lateral movement leverages both SMB protocol and HTTP traffic; an infected machine scans the internal network by sending ARP requests. It will then start SMB communication with machines that answer, later adding HTTP communication. Eventually, both machines are encrypted and communication stops.
Kaspersky Lab statement on NotPetya ransomware
Kaspersky Lab’s analysts are investigating the new wave of ransomware attacks targeting organizations across the world. Our preliminary findings suggest that it is not a variant of Petya ransomware as publically reported, but a new ransomware that has not been seen before. That is why we have named it NotPetya.
The company’s telemetry data indicates around 2,000 attacked users so far. Organizations in Russia and the Ukraine are the most affected, and we have also registered hits in Poland, Italy, the UK, Germany, France, the US and several other countries.
This appears to be a complex attack which involves several attack vectors. We can confirm that a modified EternalBlue exploit is used for propagation at least within the corporate network.
Kaspersky Lab detects the threat as UDS:DangeroundObject.Multi.Generic.
Kaspersky Lab experts aim to release new signatures, including for the System Watcher component as soon as possible and to determine whether it is possible to decrypt data locked in the attack – with the intention of developing a decryption tool as soon as they can.
We advise all companies to update their Windows software, to check their security solution and ensure they have back up and ransomware detection in place.
Kaspersky Lab corporate customers are also advised to:
- Check that all protection is activated as recommended; and that they have enabled the KSN/System Watcher component.
- Use the AppLocker feature to disable the execution of any files that carry the name “perfc.dat”; as well as the
- PSExec utility from Sysinternals Suite.