What we know so far about Byata.
Yes, this is bad — real bad — this is another ransomware leveraging an SMB network kernel vulnerability to spread on the local network. The exploit used is based on ETERNALBLUE, the NSA exploit leaked by TheShadowBrokers in April 2017, similar to WannaCry. No kill-switch this time. (& stop hoping for one)
Update: The initial infection vector seems to have been a rogue update pushed by the attackers via the Ukrainian accounting software Me-Doc.
Infected machine at one of our customers' sites in Ukraine.
Bottom line is:
- Patch your systems (especially MS17-010). Keep in mind that WannaCry itself is still active: our killswitch prevented 80K infections in the past 7 days alone!
- Have a backup strategy. This is your best strategy against the rising threats of ransomware.
- Have a worst-case scenario plan. Companies need incident response and recovery plans.
Get your patches together! Put them in a backup. All your patches. Get them together.
Comae Team dubbed this malware: Byata
Thanks to Costin for sharing the
- SMB kernel exploit can be found at the
The attackers XORed the shellcode with 0xcc to make sure its signature does not automatically get detected by anti-virus. A very simple trick, but an efficient one, which shows how easy it is to bypass signature-based anti-virus.
Another thing we can notice is that the attackers rewrote the kernel exploit properly. Below is the definition of a function that builds SMBv1 header packets.
The code is definitely cleaner.
Files affected by the ransomware.
65 different file types are targeted by the ransomware.
Event logs are also deleted, along with the NTFS USN change journal (the `%c` is a format-string placeholder in the binary that is filled in with the drive letter):

```
wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:v
```
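As an added example (not part of the original post), a small Python scanner that flags this log-wiping pattern in process-creation records; the one-line-per-event log format and the sample lines are constructed for the example, and a single `wevtutil cl` is rated lower than the chained command above because it may be legitimate administration.

```python
import re
from typing import Dict, List

# The two primitives chained in the command line above: clearing an event log
# with wevtutil, and deleting the USN change journal with fsutil.
WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+([A-Za-z0-9_\-/]+)", re.I)
USN_DELETE = re.compile(r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.I)

# Constructed record layout (not a real product format): "<timestamp> <host> <image> \"<command line>\""
LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<image>\S+)\s+"(?P<cmd>.*)"$')

# Constructed sample events; the first mirrors the ransomware's command line with C: as the drive.
SAMPLE_EVENTS = """\
2017-06-27T11:02:13Z host01 cmd.exe "wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:"
2017-06-27T11:05:40Z host02 powershell.exe "Get-WinEvent -LogName Application -MaxEvents 5"
2017-06-27T11:07:02Z host03 cmd.exe "wevtutil cl Application"
"""


def analyze_command_line(cmdline: str) -> Dict[str, object]:
    """Return which event logs a command line clears and whether it wipes the USN journal."""
    logs = [m.group(1) for m in WEVTUTIL_CLEAR.finditer(cmdline)]
    usn = USN_DELETE.search(cmdline) is not None
    if usn and len(logs) >= 3:
        severity = "high"    # bulk log clearing chained with journal deletion, as in the sample
    elif usn or logs:
        severity = "medium"  # a single cleared log may be routine administration
    else:
        severity = "none"
    return {"cleared_logs": logs, "usn_deleted": usn, "severity": severity}


def scan_events(text: str) -> List[Dict[str, object]]:
    """Parse one-line-per-event records and return an alert for every suspicious command line."""
    alerts = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # malformed record; skip rather than crash the scan
        verdict = analyze_command_line(m.group("cmd"))
        if verdict["severity"] != "none":
            alerts.append({"ts": m.group("ts"), "host": m.group("host"), **verdict})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```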
Appendix A — IDA script to decode the kernel shellcode in Petya
```
#include <idc.idc>

// Undo the single-byte XOR (key 0xcc) applied to the kernel shellcode, in place.
static main()
{
    auto start, end, ptr;
    auto key;

    start = 0x100123B0;   // first byte of the XORed shellcode
    end   = 0x10012D26;   // last byte of the XORed shellcode (inclusive)
    key   = 0xcc;

    for (ptr = start; ptr <= end; ptr++)
        PatchByte(ptr, Byte(ptr) ^ key);
}
```
Decoded Kernel Shellcode