Ransomware PetrWrap

Ransomware PetrWrap – Background, Analysis, Mitigation and Prevention

A new strain of ransomware dubbed “PetrWrap” or “Petya v3” is working its way around the world with alarming speed and is more destructive than the WannaCry ransomware. The Petya malware was originally reported in April 2016. Victims who opened the spam email and clicked a link to download a file, which they may have believed was a job applicant’s resume, were instead hit with the Blue Screen of Death within seconds. When the computer rebooted after the crash, it appeared as if Windows was running check disk; in reality it was a fake CHKDSK screen shown while Petya encrypted the master file table. Victims then saw a red screen filled with a white ASCII skull and crossbones. The new version of this malware spreads using a vulnerability in Microsoft Windows that the software giant patched in March 2017, the same bug exploited by the recent and prolific WannaCry ransomware strain, and also through cleverly written spam email from unknown sources. It can also spread by using a variant of the Microsoft PsExec tool in combination with admin credentials harvested from the target computer.

Petya uses the “EternalBlue” exploit, a digital weapon believed to have been developed by the U.S. National Security Agency and leaked online in April 2017 by a hacker group calling itself the Shadow Brokers.

MALWARE ANALYSIS

The PetrWrap Trojan is written in C and compiled with MS Visual Studio. It carries a sample of the Petya ransomware v3 inside its data section and uses Petya to infect the victim’s machine. What’s more, PetrWrap implements its own cryptographic routines and modifies Petya’s code at runtime to control its execution. This allows the criminals behind PetrWrap to hide the fact that they are using Petya during infection.

After being launched, PetrWrap delays its execution (it sleeps for 5400 seconds, i.e. 1.5 hours). It then decrypts the main DLL of Petya from its data section and gets ready to call its exported function ZuWQdweafdsg345312. This function normally prepares Petya for further operations and starts the MBR overwrite process. PetrWrap, however, needs to hook a couple of Petya’s functions first, so it replaces the instructions that call Petya’s DllEntryPoint with NOPs (hex bytes 0x90). This prevents Petya from proceeding on its own and allows PetrWrap to make all the necessary computations and preparations before letting it continue.

The PetrWrap implementation uses cryptographic routines from OpenSSL (whereas Petya used the mbedtls library) and proceeds as follows:

  • The Trojan contains an embedded public key master_pub (a point on the curve prime192v1, which again differs from the curve chosen by Petya);
  • During each infection PetrWrap generates a new pair of session keys ec_session_priv + ec_session_pub;
  • Computes ecdh_shared_digest = SHA512(ECDH(master_pub, ec_session_priv));
  • ‘Intercepts’ the salsa key generated by Petya and encrypts it using ecdh_shared_digest (there are a number of semi-useless manipulations which come down to essentially encrypting the salsa key with AES-256 using different parts of ecdh_shared_digest as the key and IV);
  • Constructs user_id which is a string representation that contains the encrypted salsa key and the ec_session_pub;
  • Passes this user_id to Petya, which uses it as if it was its own data (puts it into the configuration for the bootloader to be shown to the user after the PC reboot).

Petya bundles a tool called “LSADump,” which can gather passwords and credential data from Windows computers and domain controllers on the network.

MITIGATION AND PREVENTION

Organizations should strongly consider blocking connections to Tor nodes and Tor traffic on the network, and mitigate the risk of compromise by following these recommendations:

  • Update the signatures for your network Intrusion Detection Systems to detect any host infections.
  • Provide end-user awareness training and require strong passwords for remote access systems.
  • Configure the email filtering system with rules or criteria that limit dissemination of the malicious attachments and links.
  • Ensure all Windows-based systems are fully patched. At a very minimum, ensure Microsoft bulletin MS17-010 has been applied (the same patch previously deployed as mitigation for the WannaCry ransomware).
  • In accordance with known best practices, any organization that has SMB publicly accessible via the internet (ports 139, 445) should immediately block inbound traffic to those ports.
  • Ensure an anti-virus application is installed with up-to-date definitions. If possible, install an anti-malware application that can detect rapid file changes.
  • Implement a disaster recovery plan that includes backing up data to, and restoring it from, devices that are kept offline.