On June 27th 2017, multiple organizations – many in Europe – reported significant disruptions they are attributing to Petya ransomware.
Based on initial information, this variant of the Petya ransomware appears to be spreading via the EternalBlue exploit used by Russia in the WannaCry attack last month.
Ukraine was the primary target of the latest attack and it came on the same day a military leader was assassinated in the country by car bomb. He had been leading counter offensives against Russian operations.
Trusted sources and open-source reporting have suggested that the initial infection vector for this campaign was a poisoned update for the MeDoc software suite, a software package used by many Ukrainian organizations.
Experts at cyber security firm FireEye have analysed the attack, noting “the timing of a MeDoc software update, which occurred on June 27th, is consistent with initial reporting of the ransomware attack, and the timing correlates to lateral movement via PSExec we observed in victim networks starting around 10:12 UTC.”
Additionally, the MeDoc website currently displays a warning message in Russian, stating “on our servers is occurring a virus attack. Our apologies for the temporary inconvenience!”
Initial analysis of the malware and traffic on victim networks indicates, the experts say, that a modified version of the NSA’s EternalBlue SMB exploit was used, at least in part, to spread laterally along with WMI commands, MimiKatz, and PSExec to propagate other systems.
“Analysis of the artefacts associated with this campaign is still ongoing and we will update [our] blog as new information come available,” FireEye told me.
The Russian attack on Ukraine, which spread to other countries and targeted critical infrastructure, comes in the wake of a hack on Westminster’s parliamentary email system and follows the pattern established in my previous reports going back to the original Wannacry attack which was falsely attributed to North Korea.
John Miller, senior manager of analysis at FireEye, told me “FireEye is continuing to investigate the reports of the threat activity involved in these disruptive incidents. Based on our initial analysis the ransomware used in this campaign mimics Petya in some ways and the MBR reboot page is identical. However, there are some notable changes to include the propagation mechanism and an hour delay to encrypting files, which may be intended to allow propagation to occur. We believe that one infection vector used in this campaign was the M.E.Doc software, which is reportedly used for tax accounting purposes in Ukraine. Additionally, payloads associated with the campaign exhibit self-propagation behavior. Further, it is possible that other initial infection vectors are also involved. This activity highlights the importance of organizations securing their systems against the EternalBlue exploit and ransomware infections.”
“We have detected these attacks on organizations located in the following countries: Australia, United States, Poland, Netherlands, Norway, Russia, Ukraine, India, Denmark and Spain,” he added.
The latest Russian attack targeted transport systems, banks, and other critical infrastructure.