Friday, 30 June 2017

The WannaCry-like ransomware attack against Ukraine via MEDoc preceding EternalPetya/NotPetya

This week, MalwareHunterTeam discovered the next ransomware clone in a row after XData. It targeted Ukrainian users, presumably through MEDoc software updates, this Monday (June 26, 2017), a day before EternalPetya/NotPetya was launched (June 27, 2017). The new ransomware is a .NET version of WannaCry. It introduces a 'kill process to unlock file' feature (terminating the processes that hold a target file open so that the file can be encrypted), the first time we have seen this in ransomware, and it contains a bug that reduces its destructive power so that the cryptolocker can harm only network drives. Let us take a look under the hood.

Wednesday, 28 June 2017

EternalPetya / NotPetya Ransomware Analysis



The new modification of Petya, which we named EternalPetya because it uses the EternalBlue and EternalRomance exploits, caused a surprisingly big infection outbreak in Ukraine and Russia.

Tuesday, 6 June 2017

Chthonic Trojan is back in nation-state cyberattack against Ukraine

Recently, we discovered a nation-state cyber attack against a government institution in Ukraine.
The attackers sent a spear-phishing email containing an archived JavaScript file that downloaded and executed the Chthonic backdoor, a member of the Zeus family.

Saturday, 3 June 2017

XData ransomware attacked users in Ukraine


On May 18, the author(s) of the XData ransomware ran a massive attack against Ukrainian users, supposedly leveraging the EternalBlue exploit as well as ordinary spear-phishing email delivery. A week later, an anonymous user, supposedly the author of the AES-NI ransomware on which XData is based, released the master private key, so XData decryption tools are now available. We analysed the XData code and found two host-based 'kill-switches'; one of them checks whether an antivirus is running on the infected machine.

Wednesday, 17 May 2017

Ransomware Protection Test - April 2017


Over the last decade, ransomware (cryptolockers) has shown sustained growth, which can be explained by an effective business model built on a pseudonymous payment system (Bitcoin) and an anonymity network (Tor). Together these let attackers remain untraceable and unpunished in their criminal activities.

Antivirus and backup solutions are meant to protect you against ransomware and to undo the consequences of an infection. However, based on our incident investigation experience, most ransomware infections in organizations happened on machines with an antivirus installed and running. This can be explained by the fact that new ransomware variants employ polymorphic encryption with code obfuscation [1], broken PE headers [2], and scripting languages [3, 4]. All of these help attackers bypass signature-based antivirus protection, leaving behavior blockers and dedicated anti-ransomware components as the last line of defense. It is therefore essential to test security solutions by simulating real-world ransomware attacks.

First, we tried the RanSim ransomware simulation software made by KnowBe4 [5] to check whether an antivirus can block a ransomware attack. However, RanSim has several limitations. The most fundamental one is that antiviruses block the RanSim executables themselves, using simple blacklists, before the actual test scenarios are run. The question then is how to get past signature-based detection so that the test scenarios exercise only the antivirus behavior blocker or anti-ransomware protection.

To solve the problem of testing anti-ransomware solutions, we looked into successful real-world ransomware attacks to find the techniques that let malware go unnoticed. The result is the ransomware testing framework NioCryptoSim [6], written mostly in Python. The test suite includes three false-positive tests and 15 tests simulating base cryptolocker functions, as well as complete models imitating the behavior of some real-world ransomware families.

Using NioCryptoSim, we tested 22 top antivirus products and one backup solution with anti-ransomware protection (Acronis).
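To make the testing approach concrete, here is an added example of a single behavior-blocker test scenario of the kind such a framework runs. It is not NioCryptoSim's own code: it reproduces the base cryptolocker pattern that behavior blockers key on (read a file, write an encrypted copy, delete the original, drop a note), uses a SHA-256 counter-mode keystream with an HMAC tag as a standard-library stand-in for AES, and only ever touches a temporary directory that it creates and removes itself. The sample documents it encrypts are constructed inside the script.

```python
"""Added example: one behaviour-blocker test scenario in the spirit of NioCryptoSim
(not the framework's own code). It reproduces the base cryptolocker pattern that
behaviour blockers key on -- read a file, write an encrypted copy, delete the
original, drop a note -- inside a sandbox directory it creates and removes itself.
Cipher: SHA-256 counter-mode keystream + HMAC tag, a stdlib stand-in for AES."""
import hashlib
import hmac
import os
import shutil
import tempfile

LOCKED_EXT = ".locked"
RANSOM_NOTE = "README_TEST_ONLY.txt"


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || nonce || block offset); symmetric, so it decrypts too."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def encrypt_file(path: str, key: bytes) -> str:
    """Write <path>.locked = nonce || tag || ciphertext, then delete the original."""
    nonce = os.urandom(16)
    with open(path, "rb") as f:
        plain = f.read()
    cipher = keystream_xor(key, nonce, plain)
    tag = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    locked = path + LOCKED_EXT
    with open(locked, "wb") as f:
        f.write(nonce + tag + cipher)
    os.remove(path)              # the delete-after-write step most blockers look for
    return locked


def decrypt_file(locked: str, key: bytes) -> bytes:
    """Verify the tag and recover the plaintext (proves the scenario is reversible)."""
    with open(locked, "rb") as f:
        blob = f.read()
    nonce, tag, cipher = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC mismatch: wrong key or damaged file")
    return keystream_xor(key, nonce, cipher)


def simulate_cryptolocker(root: str, key: bytes):
    """Encrypt every regular file under root and drop a note.
    Returns (locked_paths, denied_paths); a denial (OSError) is what a
    behaviour blocker's intervention looks like from the scenario's side."""
    locked, denied = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name == RANSOM_NOTE or name.endswith(LOCKED_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                locked.append(encrypt_file(path, key))
            except OSError:
                denied.append(path)
    with open(os.path.join(root, RANSOM_NOTE), "w") as f:
        f.write("TEST ONLY: files in this directory were encrypted by a simulation.\n")
    return locked, denied


def run_scenario(n_files: int = 10) -> dict:
    """Build a sandbox with constructed sample files, run the scenario, check
    reversibility and return a verdict. 'blocked' is True when the protection
    under test stopped the scenario before it encrypted every file."""
    root = tempfile.mkdtemp(prefix="cryptosim_")
    key = os.urandom(32)
    originals = {}
    try:
        for i in range(n_files):
            path = os.path.join(root, f"doc{i}.txt")
            data = f"constructed sample document {i}\n".encode() * (i + 1)
            with open(path, "wb") as f:
                f.write(data)
            originals[path] = data
        locked, denied = simulate_cryptolocker(root, key)
        restored = sum(
            1 for p in locked
            if decrypt_file(p, key) == originals[p[:-len(LOCKED_EXT)]]
        )
        return {
            "encrypted": len(locked),
            "denied": len(denied),
            "restored": restored,
            "blocked": len(locked) < n_files,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)   # never leave test artefacts behind


if __name__ == "__main__":
    print(run_scenario())   # with nothing blocking it: every file encrypted, blocked=False
```

Run on an unprotected machine the verdict is `blocked=False` with every file encrypted and restored; a working behavior blocker should either kill the process (the script dies before returning) or deny the writes, which shows up as `denied > 0` and `blocked=True`. A real suite adds the false-positive scenarios (an archiver or backup tool that reads many files without destroying them) so that a product which simply blocks all bulk file access does not get credit.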

See the full report at the link.

Monday, 15 May 2017

WannaCry 2.0: Indicators of Compromise


WannaCry (WannaCryptor) is probably becoming the most widespread cryptolocker in the history of ransomware. It brings nothing new in terms of file encryption (RSA + AES via the Microsoft CryptoAPI), but it exploits the SMBv1 vulnerability fixed in MS17-010 (the exploit known by its NSA codename ETERNALBLUE) to propagate through local networks over the Server Message Block (SMB) protocol as a network worm, resulting in thousands of infections of Windows machines that have not yet been patched.

Tuesday, 2 May 2017

Targeted attack against the Ukrainian military

One more targeted attack against Ukraine used spear phishing to deliver the DarkTrack backdoor via a fake order of the Minister of Defense of Ukraine. The target was a CERT in the military domain.