The planning for Kaspersky Lab Security Analyst Summit (SAS 2017) is nearing completion and we have a small number of invitations available for malware researchers, law enforcement officials, incident responders and professionals involved in the fight against cybercrime.
If you’ve never been to SAS, ask around. You really are missing out on the best security conference in the industry – and event where the best connections are made, high-quality discoveries are shared in a fun, casual atmosphere.
This year, the conference will be in beautiful St Maarten at the Westin Dawn Beach Resort & Spa. The agenda is now live with a wide range of quality keynotes and presentations. If you still haven’t made up your mind, here are the top ten reasons to make a last-minute decision to join us in St Maarten.
Mark Dowd’s first ever conference keynote: Mark Dowd, of ISS X-Force fame, is globally respected for his work hacking – and fixing – some of the biggest software vulnerabilities. He has literally written the book on software security assessment and now focuses his efforts on breaking Apple’s iOS to look for security holes. At SAS 2017, Dowd’s keynote will focus on the memory corruption safety dance.
The Internet of Things (IoT) is everywhere around us, presenting amazing gadgets like drones and productivity devices. It also introduces a wide range of vulnerabilities. The agenda is filled with presentations on these weaknesses and promises a straightforward discussion on where the industry needs to go to protect the world from attacks that are inevitable.
The SAS conference is renowned for uncompromising APT revelations and 2017 promises een more. Kris McConkehy from PwC will reveal technical talk on a seven-year malicious campaign; BAE Systems and Kaspersky Lab with a story about chasing bad guys from Bangladesh to Costa Rica (hint: SWIFT); Researchers from Mandiant will discuss major campaigns against the hospitality and gaming industries; Lookout Security will provide new information on a nation-state backed mobile espionage case.
Much like IoT issues, the world is moving swiftly to smart city deployments. These manage transportation sectors, traffic lights, water meters and a range of technologies to increase efficiency and cut costs. At SAS 2017, Smart Cities will take center stage with a highly anticipated talk on the security problems with the deployment on a smart city municipal drone programs. SAS 2017 participants will also learn how to build and run an IoT honeypot for researching attacks and evaluate first results of IoT tracking project.
Security experts willpresent a cheap and simple hardware design that can empty one of the most popular ATM models in the world; others will talk about criminal gangstargeting banks and Apple and the hijacking of a major financial institution.
We are in the midst of a ransomware epidemic but did you know there is a new trend emerging regarding ransomware in targeted attacks? Think APTs merging with ransomware cybercriminals and you will understand why this is an incredibly important topic. Security experts from Google will also talk about how to harden Android against ransomware).
If you think the debate on vulnerability disclosure is complete, think again. SAS 2017 will present an entire session focused on this evergreen issue with some of the biggest names joining us to share their expertise – Katie Moussouris, Alex Rice, David Jacoby, Kymberlee Price and Cesar Cerrudo. There may even be an interesting news announcement
This year we found a new family of ransomware used in targeted attacks against organizations. After penetrating an organization’s network the threat actors used the PsExec tool to install ransomware on all endpoints and servers in the organization. The next interesting fact about this ransomware is that the threat actors decided to use the well-known Petya ransomware to encrypt user data. As you may know, this family of ransomware has a RaaS model, but the threat actor decided not to use this ability. To get a workable version of the ransomware, the group behind PetrWrap created a special module that patches the original Petya ransomware “on the fly”. This is what makes this new malware so unique.Tech details
The PetrWrap Trojan is written in C and compiled in MS Visual Studio. It carries a sample of the Petya ransomware v3 inside its data section and uses Petya to infect the victim’s machine. What’s more, PetrWrap implements its own cryptographic routines and modifies the code of Petya in runtime to control its execution. This allows the criminals behind PetrWrap to hide the fact that they are using Petya during infection.Modus operandi
After being launched PetrWrap delays its execution (sleeps for 5400 seconds = 1.5 hours). After that it decrypts the main DLL of Petya from its data section and gets ready to call its exported function ZuWQdweafdsg345312. This function normally prepares Petya for further operations and starts the MBR overwrite process. PetrWrap, however, needs to hook a couple of Petya’s functions first, so it replaces the instructions that call Petya’s DllEntryPoint with NOPs (hex bytes 0x90). This prevents Petya from proceeding on its own and allows PetrWrap to make all the necessary computations and preparations before letting it continue.
Main function of PetrWrap
After that PetrWrap makes the necessary cryptographic computations (we’ll discuss them in more detail below), hooks two Petya procedures (which are responsible for the generation of the configuration data, dubbed petya_generate_config, and for the MBR overwrite process, dubbed petya_infect) and then passes the execution to Petya. For more information on what the original Petya was capable of, please see our previous publication.Cryptographic scheme
Normally, Petya generates a 16-byte key and uses the Salsa20 cipher to encrypt the MFT of the NTFS partitions found on local drives. To make decryption possible only by its operators, it uses the Elliptic Curve Diffie-Hellman (ECDH) key agreement algorithm with the curve secp192k1 and a public key is embedded into Petya’s body.
The criminals behind PetrWrap faced a problem: if they used Petya as is, they would be unable to decrypt the victim’s machine because they would need the Petya operators’ private key. So what they decided to do was to completely replace the ECDH part of Petya with their own independent implementation and use their own private and public keys.
PetrWrap implementation uses cryptographic routines from OpenSSL (whereas Petya used the mbedtls library) and proceeds as follows:
- The Trojan contains an embedded public key master_pub (which is a point on the curve prime192v1 which is again different from the one chosen by Petya);
- During each infection PetrWrap generates a new pair of session keys ec_session_priv + ec_session_pub;
- Computes ecdh_shared_digest = SHA512(ECDH(master_pub, ec_session_priv));
- ‘Intercepts’ the salsa key generated by Petya and encrypts it using ecdh_shared_digest (there are a number of semi-useless manipulations which come down to essentially encrypting the salsa key with AES-256 using different parts of ecdh_shared_digest as the key and IV);
- Constructs user_id which is a string representation that contains the encrypted salsa key and the ec_session_pub;
- Passes this user_id to Petya, which uses it as if it was its own data (puts it into the configuration for the bootloader to be shown to the user after the PC reboot).
The ECDH shared key computation implemented in PetrWrapHooked procedures
PetrWrap hooks two procedures in Petya which we will call petya_infect and petya_generate_config and replaces them with its own procedures dubbed wrap_infect and wrap_generate_config.
wrap_infect implements the following functionality:
- saves the salsa key generated by Petya for further use;
- patches the Petya bootloader code and ransom text in order to skip the flashing skull animation and to wipe all mention of Petya in the ransom message;
- passes execution to the original petya_infect procedure.
wrap_generate_config in turn does the following:
- calls the original petya_generate_config procedure;
- generates the user_id string according to the algorithm described in the previous paragraph;
- replaces Petya’s id string with this newly generated user_id.
The screen of the infected machineTechnical summary
As a result of all the manipulations described above, PetrWrap achieves the following goals:
The victim’s machine is locked and the MFT of NTFS partitions is encrypted securely (because Petya v3 which is used in this attack doesn’t have flaws of the earlier versions and implements Salsa20 correctly);
The lockscreen doesn’t show the flashing skull animation and doesn’t contain any mentions of Petya which makes it harder to assess the situation and determine the extent of the caused damage;
The developers of PetrWrap didn’t have to write the low-level bootloader code and risk making mistakes similar to the ones observed in earlier versions of Petya.
Unfortunately, this family of ransomware uses a strong encryption algorithm, meaning a decryption tool is out of the question. However, victims can try restoring files using third-party tools such as R-Studio.Detection
Kaspersky products successfully detect this ransomware as Trojan-Ransom.Win32.PetrWrap and PDM:Trojan.Win32.Generic.Conclusion
Targeted attacks on organizations with the main aim of encrypting data are becoming more popular. The groups using ransomware in their targeted attacks usually try to find vulnerable servers or servers with unprotected RDP access. After penetrating an organization’s network they use special frameworks like Mimikatz to obtain the necessary credentials for installing ransomware throughout the network. To protect against such attacks, organizations need to keep their server software up to date, use secure passwords for remote access systems, install security solutions on their servers and use security solutions with behavioral detection components on their endpoints.
17c25c8a7c141195ee887de905f33d7b – Trojan-Ransom.Win32.PetrWrap.b