UPDATE: 2:00 pm EDT, June 28, 2017: During subsequent research, the initial infection vector isn’t believed to involve Word/RTF files or the CVE-2017-0199 exploit. Further research has also revealed that there is a separate propagation vector involving SMB transfers and execution using psexec. Fidelis Internal sensors will detect these files transfers over SMB.
ORIGINAL POST: 9:00 am EDT, June 28, 2017:
Note: Fidelis customers should login to the Support portal to see our statement about coverage using Fidelis products.
Yesterday, reports emerged of large corporations in Ukraine and Russia having had multiple systems infected with a ransomware variant. Originally this was assumed to be in the Petya family (see our blog on GoldenEye) but this is still under review (see Kaspersky). Throughout the day, it has become apparent that the ransomware has made a global impact, reportedly impacting enterprises across Western Europe and the U.S.
Here are some observations from our investigation so far:
1. Similar to the Wannacry incidents from May 2017, these events have been particularly impactful because they couple a worm with ransomware. The worming capability here appears to have 2 parts
a. After executing approximately 30 minutes, it uses EternalBlue to propagate across the internal subnet.
b. Additionally, it uses WMIC/psexec and harvested credentials to propagate. This is especially effective when it gets Workstation or Domain Admin credentials on the infected host. WMIC is also used to relaunch the malware sample itself.
2. We have also observed the bot attempting to use web servers on the local subnet with harvested credentials. This is presumably another method to distribute the malware for execution with psexec.
3. The ransomware note is seen in a DLL embedded in the .data directory
4. The file extension targeting list can also be seen
Of course, keeping systems patched and up to date is vital. The EternalBlue exploit that is used by this ransomware was patched by Microsoft back in March and the SMBv1 protocol that is used can be disabled altogether according to Microsoft’s KB article.
As with any ransomware, for it to be thwarted or at least slowed, network segmentation helps to disallow rapid propagation. Individual systems should always be current on their backups.
The use of harvested credentials in this event highlights the risks in using privileged credentials to log in to systems. While EternalBlue propagation was used on local subnets, it was the WMIC/psexec propagation that allowed this to escalate into enterprise-wide events. For Fidelis customers, Fidelis Network v8.3.5 detects the network transfer of the malware as well as the MS17-010 propagation vector. Fidelis customers should login to the Support portal to see our statement about coverage using Fidelis products.