UPDATE: Petya Ransomware Outbreak

One month after the WannaCry outbreak, we have seen another widespread ransomware outbreak, possibly involving a variant of the Petya ransomware family. The initial vector has been confirmed to be a compromised software update package from MeDoc. As we learn more, we will continue to update our blog.
Businesses in several countries, including Ukraine, India, France, Russia, and Spain, have been impacted by this ransomware outbreak.
 
The malware family involved is purported to be a variant of the Petya ransomware family; however, our analysis up to this point shows very little resemblance between this code and previous Petya variants.
 
This ransomware variant is highly virulent: once it infects a host, it spreads rapidly across the corporate network via SMB.
 
There are reports of the payload falling back to the EternalBlue (MS17-010) exploit when it cannot spread through the network using the credentials of the logged-in user.
 
The ransomware payload overwrites the Master Boot Record (MBR) of an infected system with its own boot code, leaving the system unbootable.
 
The ransomware payload also uses the Windows Management Instrumentation Command-line (WMIC) interface, with the logged-in user's credentials, for lateral movement over SMB. This explains why the attack has been successful more than a month after the WannaCry outbreak, which relied on the EternalBlue (MS17-010) exploit alone: MS17-010 should have been patched on most systems by now, but a patched host can still be infected when the attacker holds valid credentials for it.
 
Protective Actions
Apply Microsoft Windows security update MS17-010 and the update for CVE-2017-0199
Block legacy protocols such as SMBv1 on your local network
Disable remote WMIC access on your local network where it is not required
Block connections to TCP ports 135, 139, and 445 on your firewall
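The following PowerShell script is an added example, not code from the Zscaler post: it audits and applies the four protective actions above on a single Windows host. It assumes an elevated session on Windows 10 / Server 2016 or later (for Disable-WindowsOptionalFeature and the SmbShare and NetSecurity modules), and the KB list is our own list of the MS17-010 patches for common OS versions, which should be checked against Microsoft's bulletin; later cumulative updates supersede those KBs, so a missing KB is a prompt to verify, not proof of exposure.

```powershell
# Added example, not code from the Zscaler post: audit and apply the four
# protective actions above on one Windows host. Run in an elevated session.
# Assumptions: Windows 10 / Server 2016 or later; the KB list below is our own
# list of MS17-010 patches for common OS versions (check it against Microsoft's
# bulletin; later cumulative updates supersede these KBs).
#Requires -RunAsAdministrator

# 1. MS17-010: is one of the bulletin's KBs installed?
$Ms17010Kbs = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
                'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429')
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010: found $($installed.HotFixID -join ', ')"
} else {
    Write-Warning 'MS17-010: no matching KB found; verify the host is patched before trusting it on the network'
}

# 2. SMBv1: turn off the server side now; remove the feature (client included) at next reboot.
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host 'SMBv1 server: disabled'
}
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# 3. Remote WMI: disable the inbound firewall rule group that remote WMIC relies on
#    (DCOM on TCP 135 plus a dynamic port). Local WMI keeps working; re-enable
#    the group only on hosts your management tooling must reach remotely.
Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound |
    Disable-NetFirewallRule

# 4. Block inbound TCP 135/139/445. Windows Firewall evaluates Block rules before
#    Allow rules, so these override the built-in File and Printer Sharing allows.
#    On file servers and domain controllers scope the rule with -RemoteAddress to
#    the ranges that must be blocked instead of blocking every source.
foreach ($port in 135, 139, 445) {
    $name = "Petya response: block inbound TCP $port"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Block -Profile Any | Out-Null
        Write-Host "Firewall: $name"
    }
}
```

Step 3 is the host-level equivalent of "disable WMIC on your local network": it does not remove wmic.exe, it removes the inbound path that remote WMIC invocations need. Step 4 blocks the ports on the host firewall; the same three ports should also be blocked at network firewalls between segments and from the Internet.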
How Zscaler Can Help with Preventative Measures
Zscaler had generic signature coverage on one of the payloads involved and added multiple signatures and indicators for blocking other known payloads related to this attack.
Advanced Threat Signatures:
Win32_ransomware_Petya_116628
CVE_2017_0199
Inline AV Signatures:
W32/Petya.VUNZ-1981
W32/Ransom.Petya.J!Eldorado
Zscaler Cloud Sandbox provides the best line of proactive defense against these evolving ransomware strains. A Cloud Sandbox report for a sample payload run is shown below:
Figure 1: Zscaler Cloud Sandbox report of Petya ransomware
 
Initial Delivery Vector
The initial infection vector was a compromised custom software update package delivered over HTTP from MeDoc. The ransomware has a worm component that uses the Windows Management Instrumentation Command-line (WMIC) interface and the MS17-010 (EternalBlue and EternalRomance) exploits to propagate laterally over SMB.
Figure 2: Initial infection and propagation
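
The script below is an added example, not code from the Zscaler post or a Zscaler signature: it flags process-creation records that match the propagation behaviour described above, namely wmic.exe creating a process on another host (/node: with "process call create") and rundll32.exe calling a DLL export by ordinal (",#1", the unnamed export noted in the technical analysis below) rather than by name. The sample records are constructed for this example in a simplified one-line form; the host names, user names and DLL path are placeholders, not indicators from the post. In production, read Security event 4688 (with command-line auditing enabled) or Sysmon event 1 and pass the CommandLine field to Test-SuspiciousCommandLine.

```powershell
# Added example, not code from the Zscaler post: flag process-creation records
# matching the WMIC lateral movement and rundll32 ordinal-call behaviour above.
# The records are constructed for this example; names and paths are placeholders.
$SampleEvents = @(
    'Host=WS01 User=CORP\alice Parent=explorer.exe Cmd="C:\Program Files\Vendor\updater.exe"',
    'Host=WS01 User=CORP\alice Parent=updater.exe Cmd="C:\Windows\System32\rundll32.exe" C:\Windows\payload.dll,#1 30',
    'Host=WS01 User=CORP\alice Parent=rundll32.exe Cmd=wmic.exe /node:"10.0.5.23" /user:"CORP\alice" /password:"***" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\payload.dll\" #1 30"',
    'Host=WS02 User=CORP\bob Parent=explorer.exe Cmd="C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL',
    'Host=WS02 User=CORP\svc_mon Parent=cmd.exe Cmd=wmic.exe os get caption'
)

function Test-SuspiciousCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    $reasons = @()
    # Remote process creation through WMI: a wmic /node: call that executes
    # something on the target. Local wmic queries (os get caption) have no /node:.
    if ($CommandLine -match '\bwmic(\.exe)?\b.*/node:' -and
        $CommandLine -match 'process\s+call\s+create') {
        $reasons += 'wmic remote process creation'
    }
    # rundll32 invoking an export by ordinal: "<dll>,#1" or "<dll> #1". Named
    # exports (shell32.dll,Control_RunDLL) are the normal case and do not match.
    if ($CommandLine -match 'rundll32(\.exe)?\b.*\.(dll|dat)\\?"?\s*[,\s]\s*#\d+') {
        $reasons += 'rundll32 ordinal export call'
    }
    return ,$reasons   # leading comma keeps an empty or single-item array an array
}

$hits = foreach ($line in $SampleEvents) {
    if ($line -match '^Host=(\S+) User=(\S+) Parent=(\S+) Cmd=(.*)$') {
        $hostName, $user, $parent, $cmd = $Matches[1], $Matches[2], $Matches[3], $Matches[4]
        $reasons = Test-SuspiciousCommandLine -CommandLine $cmd
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Host    = $hostName
                User    = $user
                Parent  = $parent
                Reasons = ($reasons -join '; ')
                Cmd     = $cmd
            }
        }
    }
}
$hits | Format-Table -AutoSize -Wrap
```

Run as-is, the two rundll32/wmic records from WS01 are reported (the wmic record matches both rules) while the Control Panel rundll32 call and the local wmic query are not. The parent process column is what turns a single hit into a chain: a rundll32 process whose parent is an updater, and a wmic.exe whose parent is that rundll32, is the sequence the post describes, and is worth alerting on even when the DLL itself is not yet known to your AV signatures.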
 
Technical Analysis of the Payload
We analyzed two unique payloads from this attack, both of which were Windows Dynamic-Link Library (DLL) files. These DLLs have an export function without a name; it is invoked by its ordinal value, "#1", as shown below:

Link: https://www.zscaler.com/blogs/research/update-petya-ransomware-outbreak