What we know so far about Byata.

Summary

Yes, this is bad, really bad: this is another ransomware leveraging an SMB kernel vulnerability to spread across the local network. The exploit used is based on ETERNALBLUE, the NSA exploit leaked by TheShadowBrokers in April 2017, the same one WannaCry used. There is no kill-switch this time (and stop hoping for one).

Update: the initial infection vector seems to have been a rogue update pushed by the attackers through the Ukrainian accounting software Me-Doc.

Update 2: Microsoft published a complete and detailed analysis of the ransomware.

Image: infected machine on one of our customers' sites in Ukraine.

Bottom line is :

  • Patch your systems (especially MS17-010). Keep in mind that WannaCry itself is still active: our kill-switch prevented 80K infections in the past 7 days alone!
  • Have a backup strategy. Offline, tested backups are your best defence against the rising threat of ransomware.
  • Have a worst-case scenario plan. Companies need incident response and recovery plans.

Get your patches together! Put them in a backup. All your patches. Get them together.

Details: Byata/Petya/NotPetya/Nyeta

Comae Team dubbed this malware: Byata

Thanks to Costin for sharing the hash 71b6a493388e7d0b40c83ce903bc6b04.

  • The SMB kernel exploit code is located at 0x10005A7E (an IDA address; the DLL's image base is 0x10000000).

The attackers XORed the shellcode with the single byte 0xcc so that its byte pattern is not picked up automatically by anti-virus signatures. It is a very simple trick, yet an effective one, and it shows how easy it is to bypass signature-based anti-virus: the code is unchanged, only its bytes on disk are.
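To make that concrete, the Python below is an added example (not code from this write-up or from the sample) showing what a single-byte XOR does to a byte signature, how to undo it over an address range the way the IDC script in Appendix A does, and how the key can be brute-forced from a few bytes of expected plaintext such as a function prologue. The shellcode bytes and the scanner signature are constructed for the example; only the key 0xcc comes from the sample.

```python
"""Single-byte XOR "encoding" of shellcode: it hides a byte signature from
pattern-matching scanners, but it is trivially reversible once the key is
known, and the key can be recovered from a few bytes of known plaintext.
Added example; the sample bytes below are constructed, not Petya's."""

# Constructed bytes imitating x86 shellcode (NOT the Petya kernel shellcode):
# push ebp / mov ebp,esp / sub esp,0x10 / xor eax,eax / call $+5 / pop ebx /
# leave / ret.
SAMPLE_SHELLCODE = bytes.fromhex("5589e5" "83ec10" "31c0" "e800000000" "5b" "c9c3")

# A hypothetical scanner signature: the classic "call $+5; pop ebx" GetPC stub.
SIGNATURE = bytes.fromhex("e800000000" "5b")

XOR_KEY = 0xCC  # the key the Petya sample uses


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def patch_region(blob: bytes, start: int, end: int, key: int) -> bytes:
    """Decode the inclusive range [start, end] of a buffer, leaving the rest
    untouched; this mirrors the PatchByte loop of the IDC script."""
    if not (0 <= start <= end < len(blob)):
        raise ValueError("range outside buffer")
    return blob[:start] + xor_bytes(blob[start:end + 1], key) + blob[end + 1:]


def recover_single_byte_key(encoded: bytes, known_plaintext: bytes):
    """Brute-force the 256 possible keys and keep the first one under which
    the known plaintext (e.g. a function prologue) appears in the output.
    Returns None when no key works, i.e. the data is not single-byte XORed."""
    for key in range(256):
        if known_plaintext in xor_bytes(encoded, key):
            return key
    return None


def signature_hit(blob: bytes, signature: bytes) -> bool:
    """What a naive byte-pattern scanner does."""
    return signature in blob


if __name__ == "__main__":
    encoded = xor_bytes(SAMPLE_SHELLCODE, XOR_KEY)
    print("signature in clear shellcode  :", signature_hit(SAMPLE_SHELLCODE, SIGNATURE))
    print("signature in encoded shellcode:", signature_hit(encoded, SIGNATURE))
    print("recovered key: 0x%02x" % recover_single_byte_key(encoded, b"\x55\x89\xe5"))
```

The known-plaintext recovery is what makes this encoding worthless against an analyst: a kernel shellcode still has to start with something executable, and one correct guess of three bytes pins the key.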


Another thing we can notice is that the attackers rewrote the kernel exploit properly rather than dropping in the leaked code as-is. Below is the definition of a function that builds SMBv1 packet headers.


.text:10002466 buildSMBv1PacketHeader()

The code is definitely cleaner than the leaked implementation.
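For readers who have not looked at SMBv1 on the wire, this is what such a header-building function has to produce. The Python below is an added example (neither the malware's code nor Comae's): the field layout is the 32-byte SMB_Header from MS-CIFS, with the NetBIOS session framing that precedes it on TCP 445; the default Flags/Flags2 values are illustrative choices, not values taken from the sample.

```python
"""SMBv1 message header (MS-CIFS SMB_Header, 32 bytes) and the NetBIOS
session-service framing that precedes it on TCP/445.
Added example; the flag defaults are illustrative, not the sample's values."""
import struct

SMB1_MAGIC = b"\xffSMB"
# Little-endian layout of SMB_Header:
#   Protocol(4) Command(1) Status(4) Flags(1) Flags2(2) PIDHigh(2)
#   SecurityFeatures(8) Reserved(2) TID(2) PIDLow(2) UID(2) MID(2)
SMB1_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
assert SMB1_HEADER.size == 32

SMB_COM_TRANSACTION = 0x25
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73


def build_smb1_header(command: int, *, tid: int = 0, pid: int = 0, uid: int = 0,
                      mid: int = 0, flags: int = 0x18, flags2: int = 0xC807) -> bytes:
    """Serialize a 32-byte SMBv1 header; pid is split across PIDHigh/PIDLow.
    Defaults (illustrative): Flags = case-insensitive + canonical paths,
    Flags2 = Unicode, NT status, extended security, signing, EAs, long names."""
    return SMB1_HEADER.pack(
        SMB1_MAGIC, command, 0, flags, flags2, (pid >> 16) & 0xFFFF,
        b"\x00" * 8, 0, tid, pid & 0xFFFF, uid, mid)


def parse_smb1_header(data: bytes) -> dict:
    """Decode a header, rejecting anything that is not SMBv1 (SMB2 starts
    with 0xFE 'S' 'M' 'B' and has a different layout)."""
    if len(data) < SMB1_HEADER.size or data[:4] != SMB1_MAGIC:
        raise ValueError("not an SMBv1 header")
    (_, command, status, flags, flags2, pid_high, _sec, _res,
     tid, pid_low, uid, mid) = SMB1_HEADER.unpack_from(data)
    return {"command": command, "status": status, "flags": flags,
            "flags2": flags2, "pid": (pid_high << 16) | pid_low,
            "tid": tid, "uid": uid, "mid": mid}


def wrap_netbios(smb_message: bytes) -> bytes:
    """Prepend the 4-byte NetBIOS session message header (type 0x00 plus a
    24-bit big-endian length) used for SMB over TCP."""
    if len(smb_message) >= 1 << 24:
        raise ValueError("message too large for NetBIOS framing")
    return b"\x00" + len(smb_message).to_bytes(3, "big") + smb_message


if __name__ == "__main__":
    header = build_smb1_header(SMB_COM_NEGOTIATE, pid=0x12345, mid=1)
    print(wrap_netbios(header).hex())
    print(parse_smb1_header(header))
```

Every SMBv1 request the exploit sends (negotiate, session setup, the transaction messages) starts with exactly this 32-byte structure, so the rewritten builder is the one piece of the exploit that is pure protocol rather than vulnerability-specific.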

Files affected by the ransomware

The ransomware targets 65 different file extensions:

.3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip

Note the virtual machine disk and configuration formats (.vmdk, .vdi, .vhd-style .avhd, .vbox, .vmx) and the password database format .kdbx alongside the usual documents and archives.


Log deletion

Logs are also deleted. The malware clears the Setup, System, Security and Application event logs with wevtutil and then deletes the NTFS USN change journal with fsutil (the /D switch also disables journaling), which removes the record of its own file activity. The %c is a printf-style placeholder that is filled in with the drive letter:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:
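That command string is also a detection opportunity. The Python below is an added example (not from this write-up) that runs over constructed process-creation records, of the kind you get from Sysmon event 1 or Security event 4688 with command-line logging, and flags wevtutil log clearing and USN journal deletion; a single command line that does both is rated high, a lone clear is rated medium because administrators do occasionally clear a log. Independently of process telemetry, clearing the Security log itself produces Event ID 1102 and clearing the other logs produces Event ID 104 in the System log, and those events are forwarded before the clear completes if you collect logs centrally.

```python
"""Flag the anti-forensic commands from the Petya/NotPetya command string in
process-creation telemetry. Added example with constructed input."""
import re

# wevtutil accepts "cl" or "clear-log"; the /D switch to deletejournal also
# disables the journal after deleting it.
WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(\S+)", re.I)
USN_DELETE = re.compile(r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.I)


def classify_cmdline(cmdline: str) -> list:
    """Return one finding per suspicious command found in a command line."""
    findings = [f"event log cleared: {m.group(1)}"
                for m in WEVTUTIL_CLEAR.finditer(cmdline)]
    if USN_DELETE.search(cmdline):
        findings.append("USN change journal deleted")
    return findings


def scan_process_events(events) -> list:
    """events: iterable of dicts with 'host', 'image', 'cmdline' (e.g. built
    from Sysmon event 1 or Security 4688 with command-line auditing on)."""
    alerts = []
    for ev in events:
        findings = classify_cmdline(ev["cmdline"])
        if not findings:
            continue
        # Several clears chained with the journal deletion in one command
        # line is the ransomware pattern, not routine admin cleanup.
        severity = "high" if len(findings) >= 2 else "medium"
        alerts.append({"host": ev["host"], "image": ev["image"],
                       "severity": severity, "findings": findings})
    return alerts


# Constructed sample records (not real logs). The first mirrors the chain
# from the sample with %c expanded to the system drive letter.
SAMPLE_EVENTS = [
    {"host": "WS-KIEV-07", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security"
                " & wevtutil cl Application & fsutil usn deletejournal /D C:"},
    {"host": "WS-KIEV-07", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil qe Security /c:5 /rd:true"},          # reading, benign
    {"host": "FS-01", "image": r"C:\Windows\System32\fsutil.exe",
     "cmdline": "fsutil usn queryjournal C:"},                   # querying, benign
    {"host": "FS-01", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe clear-log Application"},           # single clear
]

if __name__ == "__main__":
    for alert in scan_process_events(SAMPLE_EVENTS):
        print(alert)
```

The parent process matters as much as the command line: here the chain is launched by the malware through cmd.exe, so correlating the 4688/Sysmon parent with the rundll32 process that loaded the DLL narrows the alert further.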

Appendix A — IDC script (run from IDA) to decode the kernel shellcode in Petya

// XOR every byte of the encoded shellcode range with the key; XOR is its
// own inverse, so running the script twice restores the original bytes.
auto start, end, ptr;
auto key;
start = 0x100123B0;   // first byte of the encoded shellcode
end = 0x10012D26;     // last byte (inclusive)
key = 0xcc;
for (ptr = start; ptr <= end; ptr++)
    PatchByte(ptr, Byte(ptr) ^ key);


Image: decoded kernel shellcode.