Petya - Ransomware attack components and behaviors

Like many modern attacks the 2017 Petya ransomware leveraged multiple techniques to complete its objective.  

Unlike traditional AV that for the most part has a single opportunity to stop malware with a signature or heuristic match of the portable executable, Intercept X gets multiple chances to thwart the adversary. If we can detect and prevent any one of the techniques being used the attack usually falls apart as the process is terminated and Sophos Clean steps in and collects associated artifacts and moves them to quarantine.  This fall when we add the deep learning AI models to the Early Access Program we will gain the ability to block the executable files before they can be deployed, and when you combine that front line defense with the depth of anti-exploit, cryptoguard and active adversary mitigation it is becoming a very difficult environment for the adversary.  We are moving from a situation where security products have to be perfect and all the adversary had to do is get past once, to a situation where the adversary has to be perfect and any misstep they make is enough to stop the attack in its tracks. 

To illustrate how that works in the real world lets look a little closer at Petya.

A lot has already been written about the Petya attack and a good post on how it spread is on naked security.   We also have a good video showing how the already shipped version of Intercept X stopped the attack.

In this post I wanted to look more closely at the techniques and tactics used by the authors of Petay and compare them against what is available in Intercept X EAP.

 

If the traditional AV on the endpoint missed the Petya ransomware executable the attack would begin and the end result would be an unrecoverable device and likely spread of the malware to other devices. Most existing AV products had one shot to stop the attack and until vendors issued signature updates, Petya had free reign in the organizations it targeted.

On initial infection the malware uses multiple techniques to complete the attack and to spread throughout the organization and to other organizations, and that gives Sophos Intercept multiple opportunities to detect and prevent the malware.

First on initial execution it will modify the master boot record and insert the ransom note while destroying the first 10 sectors of the disk. For that portion of the attack the current shipping intercept X intervened and blocked the destruction of the MBR.

Then it launches multiple threads each with different objectives and leveraging different techniques.

- An attack on the SMB vulnerabilities - This will be blocked in the EAP with the Asynchronous Process Call violation exploit prevention technique

- Theft of authentication credentials - This will be blocked by the Credential Theft Prevention capability of the EAP

- A network scan to collect IP Address of additional targets to attempt to move laterally with once the credentials are stolen.

- File Encryption - Blocked by the existing CryptoGuard features in Intercept X

With Intercept X EAP, you can see that almost all the aspects of the attack are prevented.

 

Stopping any one of these techniques will cripple the attack and often be enough to prevent any damage at all and because Intercept X as currently available already prevented the MBR and Encryption portion of the attack our customers were protected.