Ransomware is growing exponentially, across geographies and industries. Being targeted by Ransomware is becoming a “when” and not an “if” threat for most organizations. We have detected many known variants including CryptoLocker, WannaCry, Petya, Locky, and more with industry leading accuracy. Our research team, ProLion Labs, is continuously studying new attacks, and testing it against our detection methodologies to keep our customers always-on. For example, take into consideration our understanding of the Petya attack, a highly effective malware that affected many central file servers and critical data.

Petya: multiple lateral movement techniques
The Petya attack leverages lateral movement capabilities and only takes a single infected machine to affect a network. The ransomware spreading functionality is composed of multiple methods responsible for:

-stealing credentials or re-using existing active sessions
-using file-shares to transfer the malicious file across machines on the same network
-using existing legitimate functionalities to execute the payload or abusing SMB vulnerabilities for unpatched machines

Because users frequently log in using accounts with local admin privileges and have active sessions opens across multiple machines, stolen credentials are likely to provide the same level of access the user has on other machines. Once the ransomware has valid credentials, it scans the local network to establish valid connections on ports tcp/139 and tcp/445. A special behavior is reserved for Domain Controllers or servers: this ransomware attempts to call DhcpEnumSubnets() to enumerate DHCP subnets; for each subnet, it gathers all hosts/clients (using DhcpEnumSubnetClients()) for scanning for tcp/139 and tcp/445 services. If it gets a response, the malware attempts to copy a binary on the remote machine using regular file-transfer functionalities with the stolen credentials. It then scans the local network for admin$ shares, copies itself across the network, and executes the newly copied malware binary remotely using PSEXEC.

In addition to credential dumping, the malware also tries to steal credentials by using the CredEnumerateW function to get all the other user credentials potentially stored on the credential store. If a credential name starts with “TERMSRV/” and the type is set as 1 (generic) it uses that credential to propagate through the network. This ransomware also uses the Windows Management Instrumentation Command-line (WMIC) to find remote shares (using NetEnum/NetAdd) to spread to. It uses either a duplicate token of the current user (for existing connections), or a username/password combination (spreading through legit tools).

The attack can also spread using an exploit for the Server Message Block (SMB). In addition, this malware also uses a second exploit for CVE-2017-0145. This ransomware’s encryption behavior depends on the malware process privilege level and the processes found to be running on the machine. It does this by employing a simple XOR-based hashing algorithm on the process names, and checks against the following hash values to use as a behavior exclusion. This ransomware attempts to encrypt all files with specific file name extensions in all folders in all fixed drives, including .ppt, .ost, .zip, .xls, .xlsx, and many more.

It uses file mapping APIs instead of a usual ReadFile()/WriteFile() APIs. The unique key used for files encryption (AES) is added, in encrypted form, to the README.TXT file the threat writes under section “Your personal installation key:”. Beyond encrypting files, this ransomware also attempts to infect the MBR or destroy certain sectors of VBR and MBR. After completing its encryption routine, this ransomware drops a text file called README.TXT in each fixed drive.

ProLion Labs is always on the Hunt
Our research team is ahead of the curve, studying new types of attacks and methodologies being discussed on the dark web. Our labs team is constantly testing these approaches against our machine learning algorithms. Ransomware attacks start much earlier than the encryption stage, and ProLion studies hundreds of indicators to stop an attack before any damage is done. ProLion has prevented thousands of attacks across many different patterns.