Home ResourcesBlog Recent attack identified as Petya.2017-ExPetra

Recent attack identified as Petya.2017-ExPetra

Share:Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedIn

After further investigation on the recent attack, FoxGuard can confirm that this attack was not actually PetrWrap as recently believed, but yet another variant now being called Petya.2017 or ExPetr.

The initial infection appears to have been targeted at Ukraine by setting up a watering hole attack by compromising Ukrainian news agencies websites, as well as corrupting an update for the ME DOC tax software. After the initial infection, the malware reboots and starts to encrypt the MFT table, and overwrites the MBR with a fake bootloader. During the encryption process, the malware displays a screen similar to the “Check Disk” dialogue for windows, after encryption is leaves a ransom message. It also attempts to move laterally using a variant of mimikatz to steal credentials, and then execute using the stolen credentials and PSExec and WMIC. It also spreads across networks using the Eternal Blue and Eternal Romance exploits.

This malware IS NOT a ransomware, but rather a malware designed to wipe data, and masquerade itself as a ransomware to throw off researchers. For starters, this malware uses only one bitcoin wallet, which is not what we normally see in ransomwares, but rather a separate bitcoin wallet for each victim to prove payment was sent/received. Secondly, in a regular ransomware, an installation key is generated which contains crucial information to generate a recovery key. After a victim gives this ID to the attacker, the attacker can then extract the decryption key. That decryption key would then be used to decrypt the data on the drive and restore the MBR to that the boot process is restored. ExPetr, however, did not implement an actual installation key system, but rather generates random characters to display on the screen to make it look like an installation key is being provided. This is just a random string of characters, and cannot actually be used to generate a recovery key. The malware also writes to disc sectors in such a way that permanent damage is done to the disc and recovery is impossible. This indicates that the attackers had no intention to decrypt any data all along, and were not interested in the monetary gains from their endeavor, but rather performed the attack simply to cause harm. Lastly, the attackers setup only one email account, which has already been shutdown. Therefore, even if there WAS a way to recover the data, there is no way to get in touch with the attackers.
FoxGuard recommends taking the below mitigation strategies:
     •  Offline backups
            o  Shadow volumes can be deleted and connected backups can be accessed by the
                malware, it is therefore crucial that backups be kept completely offline and disconnected.
     •  SMB
            o Disable SMBv1 if it is unneeded
            o Apply the Microsoft SMB patch (MS17-010)
     •  Secure Active Directory
            o Filter user privileges, password policy, etc
     •  Secure Boot
            o UEFI ignores MBR, so machines with secure boot enabled are not affected by the MBR overwrite
     •  Network
            o If possible, block incoming traffic on TCP port 445 (Used by the Eternal Romance exploit)

For more information on some of the technologies used in the attack, see the below links:
     Psexec: https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
     WMIC: https://msdn.microsoft.com/en-us/library/bb742610.aspx
     Mimikatz: https://www.offensive-security.com/metasploit-unleashed/mimikatz/
     MBR: https://technet.microsoft.com/en-us/library/cc976786.aspx

For newer information regarding this attack, see the links below:

FoxGuard provides a wide range of patch management solutions that help entities identify and mitigate gaps in the security of their systems and prepare for NERC CIP audits. We host a webinar series to discuss ways to develop and implement a robust patch management program. Reserve your spot in our next session.


If you want to discuss something specific, we will do that too! Just reach out, tell us what your challenges are, and we will have one of our security experts contact you.

Talk to an Expert