
UPDATE (July 21): FireEye continues to track this threat. An
earlier version of this post has been updated to reflect new findings.

On June 27, 2017, multiple organizations – many in Europe – reported
attacks that they are attributing to a variant of the Petya
ransomware, which we are calling “EternalPetya”. The malware was
initially distributed through a compromised software update system and
then self-propagated through stolen credentials and SMB exploits,
including the EternalBlue exploit used in the WannaCry attack from May
2017.

The initial infection vector for this campaign was a poisoned update
for the MeDoc software suite, a software package used by many
Ukrainian organizations. The timing of a MeDoc software update, which
occurred on June 27, is consistent with initial reporting of the
ransomware attack, and the timing correlates to lateral movement via
PSExec we observed in victim networks starting around 10:12 UTC.
Additionally, the MeDoc website had displayed a warning message in
Russian stating: “On our servers is occurring a virus attack. Our
apologies for the temporary inconvenience!”

Our analysis of the artifacts and network traffic at victim networks
indicates that modified versions of the EternalBlue and EternalRomance
SMB exploits were used, at least in part, to spread laterally.
However, much of the propagation is believed to have occurred through
the malware’s use of WMI commands, MimiKatz, and PSExec.
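The lateral-movement and anti-forensics tooling named here (PSExec, WMI remote process creation, and the event-log and USN-journal clearing and scheduled forced reboot that the YARA rule later in this post keys on) leaves a recognisable trail in process-creation telemetry. The following is an added example, not FireEye's code or tooling: it scans constructed process-creation records (a pipe-separated "timestamp|host|user|image|commandline" layout that is an assumption, not any product's real format), tags each line with the behaviour it exhibits, and then flags only hosts on which several of these behaviours chain together, so that a lone administrator clearing one log does not fire.

```python
"""Detect the PsExec/WMIC/wevtutil/fsutil/schtasks behaviour chain in
process-creation telemetry. Added example; log lines are constructed and
the host names, IPs, paths and payload name are placeholders."""
import re
from collections import defaultdict

# Each rule names one behaviour; patterns are built from command fragments
# quoted in the post's YARA rule, anchored on word boundaries to cut noise.
RULES = {
    "psexec_remote_exec":  re.compile(r"-accepteula\s+-s\b", re.I),
    "wmic_remote_process": re.compile(r"\bwmic\b.*?/node:\S+.*?process\s+call\s+create", re.I),
    "eventlog_clear":      re.compile(r"\bwevtutil\s+cl\s+(Setup|System|Security|Application)\b", re.I),
    "usn_journal_delete":  re.compile(r"\bfsutil\s+usn\s+deletejournal\b", re.I),
    "scheduled_reboot":    re.compile(r"\bschtasks\b.*?/Create\b.*?shutdown\.exe\s+/r\s+/f", re.I),
}

# Constructed telemetry: one host showing the full chain, two hosts with
# benign look-alike activity. Raw string keeps the Windows backslashes.
LOG = r"""
2017-06-27T10:12:04Z|WS-FIN-07|CORP\jsmith|C:\Windows\System32\wbem\WMIC.exe|wmic /node:10.1.2.30 process call create "C:\Windows\Temp\payload.exe"
2017-06-27T10:12:05Z|WS-FIN-07|CORP\jsmith|C:\Windows\System32\wbem\WMIC.exe|wmic /node:10.1.2.31 process call create "C:\Windows\Temp\payload.exe"
2017-06-27T10:12:09Z|WS-FIN-07|CORP\jsmith|C:\Windows\Temp\psexec.exe|psexec.exe \\10.1.2.32 -accepteula -s -d C:\Windows\Temp\payload.exe
2017-06-27T10:12:20Z|WS-FIN-07|CORP\jsmith|C:\Windows\System32\cmd.exe|cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
2017-06-27T10:12:21Z|WS-FIN-07|CORP\jsmith|C:\Windows\System32\schtasks.exe|schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 11:07
2017-06-27T10:15:40Z|SRV-BACKUP|CORP\backupsvc|C:\Windows\System32\wevtutil.exe|wevtutil cl Application
2017-06-27T10:16:02Z|WS-DEV-03|CORP\aray|C:\Windows\System32\schtasks.exe|schtasks /Query /TN Updater
"""


def parse_line(line):
    """Split one constructed record into its fields (command line may contain '|')."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def scan(lines):
    """Return one finding per (record, rule) pair whose command line matches."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        for name, pat in RULES.items():
            if pat.search(rec["cmdline"]):
                findings.append({**rec, "rule": name})
    return findings


def hosts_with_chain(findings, min_rules=2):
    """Hosts on which at least `min_rules` distinct behaviours were seen.
    A single behaviour (one log cleared by an admin) is not enough to alert."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["rule"])
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}


def remote_exec_fanout(findings):
    """Number of distinct remote targets per source host: worm-like spread
    shows as one host pushing the same command to many peers."""
    targets = defaultdict(set)
    for f in findings:
        if f["rule"] in ("psexec_remote_exec", "wmic_remote_process"):
            m = re.search(r"/node:(\S+)|\\\\(\S+)", f["cmdline"])
            if m:
                targets[f["host"]].add(m.group(1) or m.group(2))
    return {h: len(t) for h, t in targets.items()}


if __name__ == "__main__":
    found = scan(LOG.splitlines())
    for host, rules in hosts_with_chain(found).items():
        print(f"ALERT {host}: {', '.join(rules)}")
    print("fan-out:", remote_exec_fanout(found))
```

Raising `min_rules` or adding a time window around `ts` tightens the alert further; the fan-out count is the signal that distinguishes one operator's remote command from self-propagation across the subnet.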

FireEye has confirmed the following two samples related to this attack:

  • 71b6a493388e7d0b40c83ce903bc6b04
  • e285b6ce047015943e685e6638bd837e

FireEye mobilized a Community Protection Event to investigate the
threat activity and protect customer environments.

While FireEye detection leverages behavioral analysis of malicious
techniques, our team has created a YARA rule to assist organizations
in retroactively searching their environments for this malware, as
well as detecting future activity. Our team has focused on the
malicious attacker techniques that are core to the operation of the
malware: SMB drive usage, ransom demand language, the underlying
functions and APIs, and the system utilities used for lateral
movement. The thresholds can be modified in the condition section that follows.

rule Probable_PETYA_EternalBlue_WMIC_PsExec   // placeholder name; the rule name did not survive the page's formatting
{
  meta:
    description = "Probable PETYA ransomware using ETERNALBLUE, WMIC, PsExec"

  strings:
    // DRIVE: raw-device paths (the \\.\ device-namespace prefix is escaped for YARA),
    // the admin$ share and the APIs used to enumerate drives
    $dmap01 = "\\\\.\\PhysicalDrive" nocase ascii wide
    $dmap02 = "\\\\.\\PhysicalDrive0" nocase ascii wide
    $dmap03 = "\\\\.\\C:" nocase ascii wide
    $dmap04 = "TERMSRV" nocase ascii wide
    $dmap05 = "admin$" nocase ascii wide
    $dmap06 = "GetLogicalDrives" nocase ascii wide
    $dmap07 = "GetDriveTypeW" nocase ascii

    // MESSAGES: fake CHKDSK screen and ransom note text
    // $msg01, $msg04 and $msg11 are omitted: their values did not survive the
    // page's formatting (only the fragment "PLUGGED" of $msg04 remains)
    $msg02 = "IF YOU ABORT THIS PROCESS" nocase ascii wide
    $msg03 = "DESTROY ALL OF YOUR DATA!" nocase ascii wide
    $msg05 = "your important files are encrypted" ascii
    $msg06 = "Your personal installation key" nocase ascii wide
    $msg07 = "worth of Bitcoin to following address" nocase ascii wide
    $msg08 = "CHKDSK is repairing sector" nocase ascii wide
    $msg09 = "Repairing file system on " nocase ascii wide
    $msg10 = "Bitcoin wallet ID" nocase ascii wide
    $msg12 = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" nocase ascii
    $msg_pcre = /(en|de)crypt(ion|ed.)/

    // FUNCTIONS: imports and strings used by the encryption and propagation code
    $functions01 = "need dictionary" nocase ascii wide
    $functions02 = "comspec" nocase ascii wide
    $functions03 = "OpenProcessToken" nocase ascii
    $functions04 = "CloseHandle" nocase ascii wide
    $functions05 = "EnterCriticalSection" nocase ascii wide
    $functions06 = "ExitProcess" nocase ascii wide
    $functions07 = "GetCurrentProcess" nocase ascii wide
    $functions08 = "GetProcAddress" nocase ascii wide
    $functions09 = "LeaveCriticalSection" nocase ascii
    $functions10 = "MultiByteToWideChar" nocase ascii wide
    $functions11 = "WideCharToMultiByte" nocase ascii
    $functions12 = "WriteFile" nocase ascii wide
    $functions13 = "CoTaskMemFree" nocase ascii wide
    $functions14 = "NamedPipe" nocase ascii wide
    $functions15 = "Sleep" nocase ascii wide // imported, not in strings

    // COMMANDS
    // -- Clearing event logs & USNJrnl
    $cmd01 = "wevtutil cl Setup" ascii wide nocase
    $cmd02 = "wevtutil cl System" ascii wide
    $cmd03 = "wevtutil cl Security" ascii wide nocase
    $cmd04 = "wevtutil cl Application" ascii wide nocase
    $cmd05 = "fsutil usn deletejournal" ascii wide nocase
    // -- Scheduled task (forced reboot into the fake CHKDSK screen)
    $cmd06 = "schtasks " nocase ascii wide
    $cmd07 = "/Create /SC " nocase ascii wide
    $cmd08 = " /TN " nocase ascii wide
    $cmd09 = "at %02d:%02d %ws" nocase ascii wide
    $cmd10 = "shutdown.exe /r /f" nocase ascii wide
    // -- Sysinternals/PsExec and WMIC
    $cmd11 = "-accepteula -s" nocase ascii wide
    $cmd12 = "wmic"
    $cmd13 = "/node:" nocase ascii wide
    $cmd14 = "process call create" nocase ascii wide

  condition:
    // (uint16(0) == 0x5A4D)   -- optional MZ header check, left disabled
    3 of ($dmap*)
    and 2 of ($msg*)
    and 9 of ($functions*)
    and 7 of ($cmd*)
}
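The rule's condition is a set of per-group thresholds, and the post notes they can be tuned. The following added example (not FireEye's code and not a substitute for running the rule in YARA) re-implements just enough of the `nocase ascii wide` string semantics and the "N of ($group*)" logic in plain Python to show, on two constructed buffers, why the thresholds are combined: the `$functions*` strings are ordinary Win32 imports that almost any executable contains, so that group alone would match benign software, while the drive, message and command groups are what make the combination specific. The string lists are taken from the rule above; a few per-string modifier differences in the original are flattened to `nocase ascii wide`.

```python
"""Toy evaluator for the post's threshold condition. Added example; the
sample buffers are constructed and do not come from any real binary."""

# String groups copied from the rule (all treated as nocase ascii wide here).
GROUPS = {
    "dmap": [r"\\.\PhysicalDrive", r"\\.\PhysicalDrive0", r"\\.\C:", "TERMSRV",
             "admin$", "GetLogicalDrives", "GetDriveTypeW"],
    "msg": ["IF YOU ABORT THIS PROCESS", "DESTROY ALL OF YOUR DATA!",
            "your important files are encrypted", "Your personal installation key",
            "worth of Bitcoin to following address", "CHKDSK is repairing sector",
            "Repairing file system on ", "Bitcoin wallet ID"],
    "functions": ["need dictionary", "comspec", "OpenProcessToken", "CloseHandle",
                  "EnterCriticalSection", "ExitProcess", "GetCurrentProcess",
                  "GetProcAddress", "LeaveCriticalSection", "MultiByteToWideChar",
                  "WideCharToMultiByte", "WriteFile", "CoTaskMemFree", "NamedPipe", "Sleep"],
    "cmd": ["wevtutil cl Setup", "wevtutil cl System", "wevtutil cl Security",
            "wevtutil cl Application", "fsutil usn deletejournal", "schtasks ",
            "/Create /SC ", " /TN ", "at %02d:%02d %ws", "shutdown.exe /r /f",
            "-accepteula -s", "wmic", "/node:", "process call create"],
}
# The condition section of the rule: 3 of dmap, 2 of msg, 9 of functions, 7 of cmd.
THRESHOLDS = {"dmap": 3, "msg": 2, "functions": 9, "cmd": 7}


def count_hits(buf, needles, nocase=True, ascii_=True, wide=True):
    """Return the needles present in buf. `ascii` means the raw byte form,
    `wide` the UTF-16LE form, `nocase` ASCII case folding (as in YARA)."""
    hay = buf.lower() if nocase else buf          # bytes.lower() folds ASCII only
    hits = []
    for s in needles:
        forms = []
        if ascii_:
            forms.append(s.encode("ascii"))
        if wide:
            forms.append(s.encode("utf-16-le"))   # interleaved NULs, as Windows stores it
        if nocase:
            forms = [f.lower() for f in forms]
        if any(f in hay for f in forms):
            hits.append(s)
    return hits


def evaluate(buf, thresholds=THRESHOLDS):
    """Apply the per-group thresholds; returns (matched, hits-per-group)."""
    report = {g: count_hits(buf, GROUPS[g]) for g in GROUPS}
    matched = all(len(report[g]) >= t for g, t in thresholds.items())
    return matched, report


def _wide(s):
    return s.encode("utf-16-le")


# Constructed "suspect" buffer: device paths as ASCII, ransom text as lower-case
# UTF-16LE (only nocase+wide catches it), ten imports, eight command fragments.
SAMPLE_SUSPECT = b"".join([
    b"MZ\x90\x00",
    b"\\\\.\\PhysicalDrive0\x00", b"\\\\.\\C:\x00", b"TERMSRV\x00",
    _wide("if you abort this process"), _wide("CHKDSK is repairing sector"),
    b"OpenProcessToken\x00CloseHandle\x00EnterCriticalSection\x00ExitProcess\x00"
    b"GetCurrentProcess\x00GetProcAddress\x00LeaveCriticalSection\x00"
    b"MultiByteToWideChar\x00WideCharToMultiByte\x00WriteFile\x00",
    _wide("wevtutil cl Setup"), _wide("wevtutil cl System"), _wide("wevtutil cl Security"),
    _wide("wevtutil cl Application"), _wide("fsutil usn deletejournal"),
    _wide("schtasks "), _wide("/Create /SC "), _wide("shutdown.exe /r /f"),
])

# Constructed "benign" buffer: the same ordinary imports plus two drive APIs,
# no ransom text and no command fragments.
SAMPLE_BENIGN = b"".join([
    b"MZ\x90\x00",
    b"OpenProcessToken\x00CloseHandle\x00EnterCriticalSection\x00ExitProcess\x00"
    b"GetCurrentProcess\x00GetProcAddress\x00LeaveCriticalSection\x00"
    b"MultiByteToWideChar\x00WideCharToMultiByte\x00WriteFile\x00",
    b"GetLogicalDrives\x00GetDriveTypeW\x00",
])

if __name__ == "__main__":
    for name, buf in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        matched, report = evaluate(buf)
        print(name, "matched" if matched else "no match",
              {g: len(h) for g, h in report.items()})
    # functions-only threshold is too weak: the benign buffer passes it
    print("benign, functions threshold only:", evaluate(SAMPLE_BENIGN, {"functions": 9})[0])
```

Loosening one group (for example lowering `cmd` to 5 when a sample strips its command strings) is reasonable; dropping a group entirely is not, as the benign buffer shows.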

FireEye has read reports that the malware is spread by an email lure
containing a malicious Office document attachment or links to infected
documents exploiting CVE-2017-0199. We are confident that this
document is unrelated to the current outbreak of activity, and we have
seen no other indicators that CVE-2017-0199 is related. While FireEye
detects these campaigns, we have not observed any correlation with
known victims of the Petya attacks.


This activity highlights the importance of organizations securing
their systems against SMB exploits and ransomware infections. Microsoft
has provided a guide
for securing Windows systems against the
EternalBlue exploit in the context of the WannaCry ransomware. A
robust back-up strategy, network segmentation and air gapping where
appropriate, and other defenses against ransomware can help
organizations defend against ransomware distribution operations and
quickly remediate infections.

At L Technology Group, we know technology alone will not protect us from the risks associated with cyberspace. Hackers, nation states like Russia and China, and “Bob” in HR opening that email are all real threats to your organization. Defending against these threats requires a new strategy that incorporates not only technology but also intelligent personnel who eat and breathe cybersecurity, combined with proven processes and techniques into an advanced next-generation security solution. Since 2008, L Technology Group has developed people, processes and technology to combat the ever-changing threat landscape that businesses face day to day.
