Initial infection vectors
As this is still an ongoing incident, not all infection vectors are clear at the time of writing (28 June 2017). Initially it was thought that the ransomware was spreading in a similar fashion to WannaCry; however, Petrwrap is now not thought to have the capability to scan for and spread to external IP addresses, instead using other means to infect hosts and networks and then spreading internally.
One of those means is likely to be typical phishing vectors, and in the case of Petrwrap this would appear to have been the case in a few isolated incidents. Staff should be further alerted to and educated on the risks of downloading and opening files from unknown sources.
An additional attack vector would appear to be the automatic update process of a Ukrainian-based tax software product. This would indicate that the Ukrainian company was compromised and that the update process for its software consequently became compromised.
Internal spread vectors
As the ransomware does not appear to have the means to scan for and infect remote networks, including those exposed to the internet, it spreads via internal networks, using methods such as WMI (Windows Management Instrumentation) and psexec (a remote Windows command execution tool).
Petrwrap has 3 main methods of spreading on an internal network:
1. Credential theft
a. The ransomware would appear to harvest the infected machine for credentials stored on the host or in memory. Once it has valid credentials, it scans the local network for exposed 135/tcp and 445/tcp services. Where these services are identified, the binary is copied to those hosts (see point 2). Where the infected host is a domain controller, the ransomware will query the DHCP leases on the controller before directly targeting those hosts that have a DHCP-issued IP address.
2. Exposed file transfer services
a. Once the initially infected machine has located open ports 135/tcp and 445/tcp on target machines in the local network, it attempts to copy the ransomware binary to each host and then execute it using WMIC or psexec.
3. Unpatched SMB services
a. Petrwrap also includes functionality to exploit unpatched SMB services. The exploits it utilises are from the Shadow Brokers dump and are named “EternalBlue” and “EternalRomance”, both of which are patched by MS17-010.
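The internal spread described in points 1 and 2 (a single host fanning out to many internal hosts on 135/tcp and 445/tcp, followed by WMIC or psexec remote execution) leaves a recognisable pattern in endpoint telemetry. The following is an added detection example written for this write-up; it is not code from the original advisory. It assumes a hypothetical, simplified Sysmon-style export (one pipe-delimited event per line, event id 3 for network connections and event id 1 for process creation) and runs over constructed sample lines embedded in the script; the host names, addresses and payload_placeholder.exe file name are invented for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the advisory names as the ransomware's lateral-movement targets.
LATERAL_PORTS = {135, 445}
# Process images associated with WMIC / psexec style remote execution.
REMOTE_EXEC_TOOLS = {"wmic.exe", "psexec.exe", "psexesvc.exe"}
# "/node:<ip>" (WMIC) or "\\<ip>" (psexec) on a command line names a remote target.
REMOTE_TARGET_RE = re.compile(r"(?:/node:|\\\\)(\d{1,3}(?:\.\d{1,3}){3})", re.IGNORECASE)

# Constructed sample telemetry (not real data) in a hypothetical simplified
# Sysmon-style export: timestamp|host|event id|field=value|...
# Event id 3 = network connection, event id 1 = process creation.
SAMPLE_LOG = r"""
2017-06-27T10:00:01|WS01|3|dst=10.0.0.11|dport=445
2017-06-27T10:00:01|WS01|3|dst=10.0.0.12|dport=445
2017-06-27T10:00:02|WS01|3|dst=10.0.0.13|dport=135
2017-06-27T10:00:02|WS01|3|dst=10.0.0.14|dport=445
2017-06-27T10:00:03|WS01|3|dst=10.0.0.15|dport=135
2017-06-27T10:00:03|WS01|3|dst=10.0.0.16|dport=445
2017-06-27T10:00:05|WS01|1|image=C:\Windows\System32\wbem\WMIC.exe|cmdline=wmic /node:10.0.0.11 process call create C:\Temp\payload_placeholder.exe
2017-06-27T10:00:06|WS01|1|image=C:\Tools\PsExec.exe|cmdline=PsExec.exe \\10.0.0.12 -s -d C:\Temp\payload_placeholder.exe
2017-06-27T10:05:00|WS02|3|dst=10.0.0.5|dport=445
2017-06-27T10:05:01|WS02|1|image=C:\Windows\System32\notepad.exe|cmdline=notepad.exe
"""


def parse_log(text):
    """Parse the pipe-delimited export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, etype, *fields = line.split("|")
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
              "host": host, "type": int(etype)}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def detect_fanout(events, window=timedelta(seconds=60), threshold=5):
    """Return {host: targets} for hosts that contact at least `threshold`
    distinct internal hosts on 135/445 within one sliding time window."""
    by_host = defaultdict(list)
    for ev in events:
        if ev["type"] == 3 and int(ev.get("dport", 0)) in LATERAL_PORTS:
            by_host[ev["host"]].append((ev["ts"], ev["dst"]))
    hits = {}
    for host, conns in by_host.items():
        conns.sort()
        start = 0
        for end in range(len(conns)):
            # Slide the window forward until it spans at most `window` seconds.
            while conns[end][0] - conns[start][0] > window:
                start += 1
            targets = {dst for _, dst in conns[start:end + 1]}
            if len(targets) >= threshold:
                hits[host] = hits.get(host, set()) | targets
    return hits


def detect_remote_exec(events):
    """Return (host, image, target) for process creations that look like
    WMIC/psexec remote execution against another host."""
    hits = []
    for ev in events:
        if ev["type"] != 1:
            continue
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        match = REMOTE_TARGET_RE.search(ev.get("cmdline", ""))
        if image in REMOTE_EXEC_TOOLS or match:
            hits.append((ev["host"], image, match.group(1) if match else None))
    return hits


def correlate(events, **fanout_kwargs):
    """Rate each host: both a 135/445 fan-out and remote execution from the
    same host is the Petrwrap-style chain ("high"); either alone is "medium"."""
    fan = detect_fanout(events, **fanout_kwargs)
    exec_hosts = {host for host, _, _ in detect_remote_exec(events)}
    return {host: "high" if host in fan and host in exec_hosts else "medium"
            for host in set(fan) | exec_hosts}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for host, targets in detect_fanout(evs).items():
        print(f"fan-out from {host}: {sorted(targets)}")
    for host, image, target in detect_remote_exec(evs):
        print(f"remote exec from {host} via {image} -> {target}")
    print("verdicts:", correlate(evs))
```

The thresholds (five distinct targets inside sixty seconds) are starting points, not tuned values: on a real estate, vulnerability scanners, backup servers and management hosts will trip the fan-out rule on their own, so those sources should be allow-listed, and the correlation of fan-out with remote execution from the same workstation is what separates this pattern from routine administration.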
The Petrwrap ransomware encryption would appear to have two modes. If the infection has high-level privileges (SeDebugPrivilege), or has gained that level of privilege, it encrypts the MBR (Master Boot Record) on disk partitions so the host boots straight into the ransomware code once it is restarted (which it is configured to do after a set period of time). If the infection does not have administrative-level credentials, it encrypts the files on the disk in a similar fashion to WannaCry.
This particular strain would seem to implement strong cryptography, using code from OpenSSL along with strong cryptographic functions. This would rule out a file decryption utility being written in the immediate aftermath.
Mitigation for this strain is similar to that for other forms of ransomware that have been prevalent in recent times.
A quick internet search shows there are a number of TCP ports that should be firewalled immediately. These include 135, 445 and 1024-1035.