Security Alert: New ransomware outbreak combines attack vectors, delivers malware cocktail
Andra-Larisa Zaharia
Cybersecurity communication manager focused on organic growth. Cyber Empathy creator (CyberEmpathy.org). I help repair the disconnect between infosec specialists and the people they serve.
Over the last few hours a new ransomware outbreak has started to propagate across the Internet, hitting many large companies around the globe.
Security researchers from our team and from other vendors (Kaspersky, Palo Alto Networks, Malwarebytes, McAfee) report that this ransomware strain, suspected to be Petya (Petya.A, Petya.D, or PetrWrap), is spreading fast and generating an outbreak similar to WannaCry. The resemblance goes beyond scale: like WannaCry, this strain uses the EternalBlue exploit to infect computers and propagates on its own.
But this epidemic also differs from WannaCry: it uses multiple attack vectors and drops a malware cocktail that encrypts the victim's data and then harvests and exfiltrates as much confidential information as it can.
How the attack happens
Petya ransomware first appeared in 2016 and, unlike typical ransomware, it does not just encrypt files: it overwrites the master boot record (MBR) with its own boot code, which on the next reboot encrypts the NTFS master file table (MFT), leaving the machine unable to boot and every file on the volume unreachable.
One of the distribution methods is exploiting the SMBv1 vulnerability addressed by Microsoft bulletin MS17-010, using the EternalBlue exploit developed by the United States' National Security Agency. Infection over this path requires no user interaction: any Windows machine that is reachable over SMB (TCP port 445), whether from the Internet or from an already infected host on the same network, and that has not installed the MS17-010 update released in March 2017 can be the next victim.
This ransomware strain also targets users through spam emails (which still work), carrying a malicious archive whose payload is a file named "inmyguy.xls.hta". The double extension is deliberate: .hta is a known file type, so Windows Explorer hides it by default and the file appears as a harmless-looking "inmyguy.xls", while Windows actually runs it as an HTML Application through mshta.exe, with the scripting privileges of the logged-on user.
If the victim opens the file, its embedded script runs automatically and downloads the main component of the infection to:
%APPDATA%\10807.exe
The binary is signed with a fake certificate bearing Microsoft's name; because the signature does not chain to Microsoft's real certificate authority, a failed signature check on a "Microsoft-signed" binary is itself a detection opportunity.
A second spam wave uses a different malicious attachment, "Order-20062017.doc", which abuses CVE-2017-0199 (CVSS score: 9.3), the Office/WordPad OLE link vulnerability patched in April 2017, and downloads its payload from https://84.200.16[.]242/myguy.xls (address defanged for your protection).
Once running, this component injects itself into several system processes and starts the encryption stage locally, while at the same time spreading to other computers on the local network.
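The two mail lures described above share patterns that a mail gateway or an analyst's triage script can catch: an active-content extension hidden behind a document extension, an RTF body that auto-updates a linked OLE object (the mechanism CVE-2017-0199 abuses), and a reference to the listed download host. The Python script below is an added example written for this page, not code from Heimdal or from any vendor's analysis. Its sample attachments are constructed, the extension lists are a representative subset of what Windows treats as known types, and the constructed RTF keeps its URL in clear text, whereas real CVE-2017-0199 documents carry the URL hex-encoded inside the \objdata stream.

```python
"""Triage mail attachments for the NotPetya/Petya lure patterns (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicator from the write-up, kept defanged; refanged only at match time.
DEFANGED_IOC_HOSTS = ["84.200.16[.]242"]

# Assumption: representative subsets, not Microsoft's full list of known types.
# Explorer hides these extensions by default, so "x.xls.hta" displays as "x.xls".
ACTIVE_CONTENT_EXT = {"hta", "js", "jse", "vbs", "vbe", "wsf", "exe", "scr", "cmd", "bat", "ps1"}
DOCUMENT_EXT = {"xls", "xlsx", "doc", "docx", "pdf", "rtf"}

RTF_MAGIC = b"{\\rtf"
# RTF control words that make Word refresh a linked OLE object on open,
# which is how CVE-2017-0199 documents pull their HTA payload.
RTF_AUTO_LINK = re.compile(rb"\\objautlink|\\objupdate", re.I)
URL_HOST = re.compile(rb"https?://([^\s/'<>\"\\]+)", re.I)


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable host string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_HOSTS = {refang(h) for h in DEFANGED_IOC_HOSTS}


@dataclass
class Attachment:
    name: str
    data: bytes


def displayed_name(name: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' on."""
    stem, dot, ext = name.rpartition(".")
    if dot and ext.lower() in ACTIVE_CONTENT_EXT | DOCUMENT_EXT:
        return stem
    return name


def triage(att: Attachment) -> list[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    findings: list[str] = []
    parts = att.name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else ""

    # Lure 1: active content disguised behind a document extension.
    if ext in ACTIVE_CONTENT_EXT:
        findings.append(f"active content: .{ext}")
        if inner in DOCUMENT_EXT:
            findings.append(
                f"double extension: Explorer shows it as '{displayed_name(att.name)}'")

    # Lure 2: RTF with an auto-updating OLE link, often shipped as .doc.
    is_rtf = att.data.startswith(RTF_MAGIC)
    if is_rtf and RTF_AUTO_LINK.search(att.data):
        findings.append("RTF with auto-updating OLE link (CVE-2017-0199 pattern)")
    if is_rtf and ext in {"doc", "docx"}:
        findings.append("extension says Word binary/OOXML but content is RTF")

    # Any attachment that names the known download host.
    for m in URL_HOST.finditer(att.data):
        host = m.group(1).decode("latin-1").lower()
        if host in IOC_HOSTS:
            findings.append(f"references known download host {host}")
    return findings


def triage_all(atts: list[Attachment]) -> dict[str, list[str]]:
    return {a.name: triage(a) for a in atts}


# Constructed samples: file names from the write-up, bodies invented for the demo.
SAMPLES = [
    Attachment("inmyguy.xls.hta",
               b"<html><head><script language='VBScript'>' constructed stub\n"
               b"</script></head></html>"),
    Attachment("Order-20062017.doc",
               b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata 01050000}}"
               b" http://84.200.16.242/myguy.xls }"),   # URL in clear only in this demo
    Attachment("invoice.pdf", b"%PDF-1.4\n% constructed benign sample\n"),
]

if __name__ == "__main__":
    for name, findings in triage_all(SAMPLES).items():
        print(name, "->", findings or "clean")
```

The script deliberately judges content, not just names: the .doc lure is caught by its RTF magic and control words even if renamed, and the double-extension rule fires on the final extension regardless of how many dots precede it. Feed it real attachment bytes and extend `DEFANGED_IOC_HOSTS` as new indicators are published.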