Several high-profile organizations are already affected by a ransomware attack which began to spread in Europe on June 27. Tanium’s EDR and TAM teams are monitoring the situation closely. Here’s what we know so far.
A ransomware attack which began to spread in Europe on June 27 is showing potential to have a broader impact worldwide, with several high-profile organizations already infected. Some reports are tying this to a new variant of the “Petya” (or “Petrwrap”) malware, which was used in prior campaigns earlier this year. Others are saying it’s a completely new variant never seen before. The malware uses delivery and propagation methods which exploit recently patched vulnerabilities.
Please note: The findings and recommendations we’re sharing below are derived from community research shared on public and private forums. Aspects of this campaign still are not yet fully understood, and the situation may continue to evolve.
Based on early analysis of a few publicly available samples, the window of opportunity for response is extremely short. The malware automatically reboots systems after completing its encryption and propagation routines. Early research indicates this occurs within an hour post-infection.
- Initial Infection: Early public research indicated the malware is initially delivered to a victim organization through email with a malicious Microsoft Word attachment that exploits CVE-2017-0199. This vulnerability was patched in Microsoft’s April 2017 roll-up update. However, researchers have not yet found evidence of emailed Office documents carrying this malware.
Subsequent analysis suggests at least some of the victims were infected through a malicious update to accounting software provided by a Ukrainian firm, “MeDoc,” which was hacked. It remains possible this was not the sole initial vector.
- Propagation: Preliminary research suggests the malware may have two methods of propagation. The first entails using the Windows credentials available on the infected endpoint to attempt to authenticate to other Windows hosts. The second, which may be a fallback mechanism, relies on the same ETERNALBLUE exploit used in WannaCry. There is some outstanding uncertainty over how and when this second method is used – and whether it applies to all variants.
Analysis of publicly available samples indicates the malware may use PsExec in conjunction with the native WMI command-line tool, ‘wmic’, to execute the malware on remote systems. Post-infection, the malware may use ‘schtasks’ to create a local task which reboots the system within an hour (rendering it inoperable).
Guidance for Tanium Customers
- Tanium customers should ensure they are up-to-date using Tanium Patch. The April 2017 Security Roll-Up includes a fix for the Microsoft Office vulnerability thought to be used in the initial exploit. The March MS17-010 patch addresses the SMBv1 vulnerability exploited by EternalBlue, thought to be used as one of the campaign’s propagation techniques. Note that this patch may not mitigate other methods that the malware uses to spread.
- Customers with Tanium Trace can search for historical execution of the ‘wmic’ and ‘schtasks’ commands to look for recent outlier activity matching the behavior of this malware. Both ‘wmic’ and ‘schtasks’ are legitimate but uncommonly used commands (especially on end-user workstations).
- Tanium customers should work with their threat intelligence providers to ensure they have the latest indicators of compromise related to this campaign. Tanium IOC Detect supports all of the endpoint indicator types that have been shared to date. Further, Tanium Protect can be used to block specific hashes and network addresses associated with the malware.
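The hunt suggested above (outlier ‘wmic’ and ‘schtasks’ executions that match the remote-execution and scheduled-reboot behavior described earlier) can be expressed as a small filter over process-creation records. The following is an added illustration, not Tanium code or a Tanium Trace query; the record layout, host names, and payload path are constructed for the example.

```python
"""Flag process-creation records whose command lines match the two behaviours
described for this campaign: remote process creation via 'wmic /node:...'
and a scheduled task that runs shutdown. Records are (host, parent, cmdline)."""
import re
from collections import Counter

# Constructed sample records; not real telemetry. The payload path is a placeholder.
SAMPLE_EVENTS = [
    ("ws-017", "explorer.exe",
     r'wmic.exe /node:ws-023 /user:corp\svc process call create "C:\Windows\Temp\EXAMPLE_PAYLOAD.dll"'),
    ("ws-017", "cmd.exe",
     r'schtasks /Create /SC once /TN "Restart" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:35'),
    ("ws-042", "svchost.exe", r"wmic.exe os get caption"),            # benign local inventory query
    ("ws-042", "cmd.exe",
     r'schtasks /Query /TN "\Microsoft\Windows\UpdateOrchestrator\Reboot"'),  # benign query
]

# wmic targeting another host (/node:) and creating a process there
REMOTE_WMIC = re.compile(
    r"\bwmic(?:\.exe)?\b.*?/node:\S+.*?\bprocess\b.*?\bcall\b.*?\bcreate\b", re.I)
# schtasks creating a task whose action is shutdown (forced reboot)
SCHED_REBOOT = re.compile(
    r"\bschtasks(?:\.exe)?\b.*?/create\b.*?\bshutdown(?:\.exe)?\b", re.I)


def classify(command_line):
    """Return a label for one command line, or None when it matches neither pattern."""
    if REMOTE_WMIC.search(command_line):
        return "wmic_remote_process_create"
    if SCHED_REBOOT.search(command_line):
        return "schtasks_scheduled_reboot"
    return None


def find_outliers(events):
    """Return [(host, label, cmdline)] for matching records; plain wmic/schtasks
    usage (queries, local inventory) is deliberately not flagged."""
    hits = []
    for host, _parent, cmd in events:
        label = classify(cmd)
        if label:
            hits.append((host, label, cmd))
    return hits


def hosts_by_hit_count(events):
    """Count matches per host so the noisiest endpoints surface first."""
    return Counter(host for host, _, _ in find_outliers(events))


if __name__ == "__main__":
    for host, label, cmd in find_outliers(SAMPLE_EVENTS):
        print(f"{host}: {label}: {cmd}")
```

Tune the patterns to local baselines: a host where administrators routinely run remote wmic commands will need an allow-list on parent process or user before the results are useful.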
(Editor’s note: This article was updated at 4:30 pm PT to reflect new information about the initial infection phase.)