Another round of ransomware (malware that encrypts the contents of a hard drive until a paid BitCoin ransom unlocks them) is spreading globally. The new ransomware, known as PetrWrap/Petya, is similar and yet significantly different than WannaCry. Unlike the previous attack, PetrWrap/Petya is a virus that spreads by spam campaigns using malicious Microsoft Word documents. Therefore, it cannot spread itself. Despite years of promoting good security hygiene, people are apparently clicking on the infected files.
During the first few hours of Tuesday, global companies such as the law firm DLA Piper, the shipping firm Maersk, and the food maker Mondelēz have all been affected. Additionally, gas pumps and ATMs in various countries have reportedly been hit. Also affected were several government office and infrastructure utilities in the Ukraine.
Vulnerable code remains
“Systems on a global level remain highly vulnerable and selective fixes only serve to perpetuate an attack based on the next vulnerability on what is now a nearly exponentially growing list of exploitable security bugs,” said Mike Ahmadi, Global Director of Critical Systems Security, Synopsys Software Integrity Group. “Unless vulnerability management and certification of systems becomes a legal requirement, we can expect to see attacks that are bigger and more sophisticated. As it stands today, it will likely take decades to dig ourselves out of the nearly bottomless pit of vulnerable code making up our infrastructure.”
Flaws leveraged in this attack–the Microsoft Word and Microsoft SMB vulnerabilities–have all been patched by Microsoft. It is incumbent on enterprises to monitor their software supply chain and be aware of and install any updates. This goes beyond the traditional network of office laptops and extends out into the real world such as media billboards.
The current attack is thought to be a variant from the PetrWrap/Petya family of ransomware that was first disclosed in March 2017. Like other ransomware, it bootstraps its way onto vulnerable Windows-based machines leveraging several vulnerabilities. And, like WannaCry, it does use the EternalBlue exploit, a tool originally thought to have been created by the NSA.
PetrWrap/Petya spreads via spam email using malicious Word attachments. These documents use CVE-2017–0199, a vulnerability in Microsoft Word allowing the installation of a remote Visual Basic script. PetrWrap/Petya uses that script to download the ransomware installer.
The ransomware, once installed, encrypts the MFT (Master File Tree) tables for NTFS partitions in Microsoft Windows. MFT is basically the directory that allows the operating system to locate individual files on the hard drive. Not only does PetrWrap/Petya make it hard to find the files, it also overwrites the MBR (Master Boot Record) with a custom bootloader. The new bootloader is the element that displays instead of the Microsoft logo — a ransom note — and prevents victims from booting their computer until paying the ransom of $300 in BitCoin. Because it reboots the computer, PetrWrap/Petya erases all the encryption artifacts.
According to F-Secure, PetrWrap/Petya uses an Elliptic Curve encryption scheme for asymmetric key encryption with 192-bit public key and secp192k1 curve parameters hard coded in the binary. This makes it difficult to decrypt without the proper key. Once the ransom is paid, that key is provided.
Underground ransomware kingpins
The concept of ransomware as a service is not new. According to Quartz, the authors of Petya designed their malware to be “licensed” or distributed by others. That means that the Petya authors always get a cut of the BitCoin profits from any third-party ransomware using their modules. But hackers being hackers, apparently, someone figured out how to get the Petya module without paying the Petya authors. The new ransomware, known as PetrWrap, behaves similarly while it is under the control of others.
The internet underground has the basic infrastructure necessary to scale more and more of these attacks in the future.
“Scalable ransomware attacks are now a proven and viable business model where the risk is heavily skewed in favor of the attacker. This has been predicted by security professionals for years and we are now witnessing it all unfold,” said Ahmadi.
As noted with WannaCry, widespread ransomware attacks can be mitigated by testing the health of your software. Tests such as software composition analysis can reveal known, often patched, vulnerabilities.
Additionally, software vendors also need to test their software with static code analysis and fuzz testing tools during the development life cycle. They should continue to monitor the software decay that occurs over time and issue patches as needed.