Threat Advisory Report on Petya Ransomware (Critical Severity)

  • Ransomware: An Introduction

Ransomware is a form of malicious software that locks users out of the files on their computer by encrypting them, then demands that the user pay a specified amount to get the files back.

In the variants that target Microsoft Windows, once a system is infected a pop-up window appears prompting the user to pay to recover the files within a specified time, shown by a countdown timer. It warns that if the user fails to pay within that time the fee will be doubled, and that if the user still has not paid by a second deadline the files will be lost forever.

Payment is accepted only in Bitcoin. Experts say this ransomware is spread by an internet worm, software that spreads copies of itself by breaking into other computers on a network, rather than by the usual route of tricking unsuspecting users into opening attachments. It is also believed that the attack was carried out with the help of tools stolen from the United States National Security Agency (NSA).

  • Petya Ransomware: An Introduction

A new variant of ransomware known as Petya is spreading like wildfire.

On June 27, 2017, the world woke up to another ransomware outbreak, named "Petya" and also known as "PetWrap", which uses the same Windows SMBv1 vulnerability that the WannaCry ransomware abused in May 2017 to infect more than 300,000 systems and servers worldwide in just 72 hours.

It uses EternalBlue (CVE-2017-0144, patched by Microsoft in March 2017 under MS17-010) and additionally leverages another Shadow Brokers-leaked NSA exploit, EternalRomance (CVE-2017-0145, patched in the same bulletin), for remote code execution as its initial attack vector. After exploitation it spreads over SMB and uses either PsExec or WMIC to execute itself on remote hosts.

Some researchers have also suggested that the ransomware may take advantage of yet another tool published by the Shadow Brokers, EsteemAudit, which specifically targets computers running Windows XP and Windows Server 2003.

Note: Microsoft patched these vulnerabilities as part of an unprecedented effort to secure its old, unsupported operating systems against the leaked NSA exploits.

After further analysis of how Petya modifies the MBR (Master Boot Record), security researchers found that Petya contains a programming error that destroys part of the MBR: it trashes the first 24 sectors of the disk while writing its own boot code, damage that cannot be undone. This led to speculation that it is a wiper, intended to destroy data rather than to make money by holding it to ransom.

The way the file-encryption code is written (it never sets bFinalBlock to True when a file is larger than 1 MB) suggests that the developer intended to encrypt files in 1 MB chunks to avoid using too much RAM, but never got around to writing the code that handles the remainder of a file once it exceeds 1 MB.

  • What is a Wiper?

When you erase or delete a file from a computer, its contents are not really gone until the areas of the disk it occupied are overwritten by new information. If the normal Windows delete function is used, the "deleted" file is sent to the Recycle Bin until the space it uses is required by other files.

If Shift+Delete is used to bypass the Recycle Bin, the space occupied by the file is merely marked as available for other files. The file can still be recovered days or even weeks later with third-party data recovery software: as long as the operating system has not reused that space for another file, the "deleted" file is recoverable. Whereas erasing a file only marks its space as available for reuse, data wiping overwrites the data itself, replacing useful content with garbage.

A wiper, then, is code that deliberately overwrites data on the disk with garbage values so that it cannot be recovered, and Petya contains exactly such a function.

Further analysis also showed that the attackers implemented a function that wipes the first 10 sectors of PhysicalDrive0, including the MBR, under either of two conditions:

  1. The hash computed from the name of a running process (with its "exe" suffix) equals 0x2E214B44.
  2. The function that replaces the actual MBR returns an error, probably as a generic way of detecting an EDR product that is blocking boot-loader modifications.

  • Is Petya a Ransomware or a Wiper?

The Petya attack that swept the globe and infected enterprise networks across Europe is much worse than initially thought. Security researchers have now concluded that Petya is not really ransomware at all.

Researchers are terming Petya a wiper whose aim was the mass destruction of users' data; the idea was never to collect money from victims or enterprises. It merely presents itself as ransomware and demands a ransom, which is why it was labelled as one.

Petya has been around since March 2016 and differs from the usual ransomware families because it does not encrypt files on a targeted system one by one. Instead, Petya reboots the victim's computer, encrypts the hard drive's Master File Table (MFT) and renders the Master Boot Record (MBR) inoperable, locking the user out of the whole system by seizing the information about file names, sizes and locations on the physical disk.

Petya replaces the computer's MBR with its own malicious code, which displays the ransom note and leaves the computer unable to boot. The 2016 version of Petya modified the disk in a way that could actually be reverted, whereas the 2017 version does permanent and irreversible damage to the disk.

To summarize, it overwrites the MBR and encrypts the MFT in addition to encrypting individual files. This double stroke renders the disk inaccessible and prevents most users from recovering anything on it.

  • Attack Scenario

The Petya infection vector is believed to be the software update process (EzVit.exe) of a Ukrainian accounting program called M.E.Doc, developed by the Ukrainian company M.E.Doc, and possibly also Microsoft Word documents laced with malicious macros. It combines a client-side attack (CVE-2017-0199) with a network-based threat (MS17-010), which makes it considerably nastier.

The current Petya attack differs in that the exploits it uses only spread it across a local network rather than the internet. The important difference between WannaCry and Petya is that WannaCry was likely deployed onto a small number of computers and then spread rapidly, whereas Petya seems to have been deployed onto many computers and spreads via the local network.

In addition to the EternalBlue exploit, Petya can also propagate over the network using WMIC (the Windows Management Instrumentation command line), trying credentials gathered from the local machine with a Mimikatz-like tool; this allows it to infect systems that are patched against EternalBlue or that are not exposing SMB.

Again, it is important to note that spreading appears to be limited to devices on the local network.

Once Petya gains a foothold it proceeds in two distinct stages. Per the updated information, the breakdown of the two stages is:

  • During the first stage:
  1. The Windows executable file is dropped and executed.
  • Downloads the main binary at hxxp://
  2. This overwrites the beginning of the disk, including the Master Boot Record, and makes an encrypted (XOR) backup of the original sectors.
  3. It then clears the Windows event logs and the NTFS change journal using built-in utilities:
  • (wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:)
  4. It then writes a message to the raw disk partition.
  5. Finally, it schedules a delayed reboot as a logic bomb:
  • (schtasks %ws/Create /SC once /TN "" /TR "%ws" /ST %02d:%02d ; at %02d:%02d %ws), with the delay taken from the parameter passed to the DLL component ("rundll32 c:\windows\<dll name>.dll,#1 40")
    • By default, when the malware infects a remote system, it runs the remote DLL with the value "40", which makes it wait 40 minutes before rebooting the machine.

Note: Stage one ends when the infected device is rebooted.

  • During the second stage:
  1. The second stage begins after the device reboots and results in the entire drive being encrypted.
  • After restarting, a message appears announcing that the system has been encrypted and demanding US$300 in Bitcoin to decrypt the files.

Given this ransomware's added lateral-movement capabilities, it takes only a single infected machine to affect the entire network. The ransomware drops a credential-dumping tool (typically as a .tmp file in the %TEMP% folder) that shares code with Mimikatz and comes in 32-bit and 64-bit variants.

Since users frequently log in with accounts that have local admin privileges and keep active sessions open across multiple machines, stolen credentials are likely to provide the same level of access on other machines. Once the ransomware has valid credentials, it scans the local network for hosts accepting connections on TCP ports 139 and 445.

Special behaviour is reserved for domain controllers and servers: Petya calls DhcpEnumSubnets() to enumerate the DHCP subnets and, for each subnet, gathers all hosts/clients (using DhcpEnumSubnetClients()) to scan for TCP 139 and 445 services. If it gets a response, the malware attempts to copy its binary to the remote machine using ordinary file-transfer functionality with the stolen credentials.

It then tries to execute the malware remotely using either PsExec or WMIC.

It further drops the legitimate psexec.exe (typically renamed dllhost.dat) from a resource embedded in the malware. It then scans the local network for admin$ shares, copies itself across the network, and executes the newly copied binary remotely using PsExec.

In addition to credential dumping, the malware also tries to harvest credentials using the CredEnumerateW function to retrieve any other user credentials stored in the Windows credential store. If a credential name starts with "TERMSRV/" and its type is 1 (generic), it uses those credentials to propagate through the network.

For files, the malware uses AES-128 with the per-file key protected by RSA; earlier Petya variants relied on Salsa20, which this version still uses in its boot-stage MFT encryption. The ransomware's behaviour depends on the privilege level of the malware process and on the processes found running on the machine. It applies a simple XOR-based hash to the process names and checks the results against the following values, which act as behaviour exclusions:

  • 0x6403527E or 0x651B3005: if a process whose name hashes to either value is running, the ransomware does not perform SMB exploitation.
  • 0x2E214B44: if a process whose name hashes to this value is running, the ransomware trashes the first 10 sectors of \\.\PhysicalDrive0, including the MBR.

The RSA public key used to wrap the per-file encryption keys is hardcoded in the binary.


The ransomware attempts to encrypt files that correspond to the following file extensions:

.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip

The following SHA-256 hashes of Petya components can help in detecting it:

  • 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 (main 32-bit DLL)
  • 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1 (main 32-bit DLL)
  • f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5 (signed PSEXEC.EXE)
  • 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f (64-bit EXE)
  • eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998 (32-bit EXE)

Petya uses the following files when infecting systems:

  • c:\windows\dllhost.dat
  • c:\windows\<malware_dll> (no extension)
  • %TEMP%\<random name>.tmp (EXE drop)

In environments where command-line logging is available, the following command lines may be searched:

  • Scheduled reboot task: Petya schedules a reboot for a random time between 10 and 60 minutes from the current time
  • schtasks /Create /SC once /TN "" /TR "<system folder>\shutdown.exe /r /f" /ST <time>
  • cmd.exe /c schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST <time>

This may be surfaced by searching for EventId 106 (General Task Registration) which captures tasks registered with the Task Scheduler service.

Lateral Movement (Remote WMI)

  • process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"

Network indicators: in environments where NetFlow data are available, this ransomware's subnet-scanning behaviour may be observed by looking for the following:

  • Workstations scanning ports tcp/139 and tcp/445 on their own local (/24) network scope
  • Servers (in particular, domain controllers) scanning ports tcp/139 and tcp/445 across multiple /24 scopes
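The command-line and NetFlow indicators above can be turned into a small triage script. The following is an added example written for this advisory, not tooling from the original report or from any vendor it cites. The event lines and flow records are constructed to mirror the patterns listed above; a `host|user|commandline` layout is assumed for the exported command-line log, and the threshold of eight distinct SMB targets is an assumption to tune per environment.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed command-line events in an assumed "host|user|commandline" layout
# (e.g. Sysmon Event ID 1 or Security 4688 exported one per line). Not real telemetry.
SAMPLE_CMDLINE_EVENTS = [
    'WS-042|CORP\\jdoe|cmd.exe /c schtasks /RU "SYSTEM" /Create /SC once /TN "" '
    '/TR "C:\\Windows\\system32\\shutdown.exe /r /f" /ST 14:35',
    "WS-042|CORP\\jdoe|wevtutil cl Setup & wevtutil cl System & wevtutil cl Security "
    "& wevtutil cl Application & fsutil usn deletejournal /D C:",
    'WS-042|CORP\\jdoe|C:\\Windows\\System32\\rundll32.exe "C:\\Windows\\perfc.dat" #1 40',
    'WS-017|CORP\\jdoe|process call create "C:\\Windows\\System32\\rundll32.exe '
    '\\"C:\\Windows\\perfc.dat\\" #1"',
    'WS-101|CORP\\svc_backup|schtasks /Create /SC daily /TN "Backup" '
    '/TR "C:\\tools\\backup.exe" /ST 02:00',
]

# Constructed flow records (src_ip, dst_ip, dst_port): a workstation sweeping its own /24,
# a domain controller sweeping three /24s, and one ordinary connection to a file server.
SAMPLE_FLOWS = (
    [("10.1.5.23", f"10.1.5.{i}", 445) for i in range(1, 31)]
    + [("10.1.1.10", f"10.1.{s}.{i}", 139) for s in (5, 6, 7) for i in range(1, 11)]
    + [("10.1.5.40", "10.1.1.20", 445)]
)

# Each rule maps one indicator from the advisory to a regular expression.
RULES = {
    "petya_reboot_task": re.compile(
        r'schtasks\s.*?/SC\s+once\s.*?/TN\s+""\s.*?shutdown\.exe\s+/r\s+/f', re.I),
    "petya_log_clearing": re.compile(
        r"wevtutil\s+cl\s+\w+.*fsutil\s+usn\s+deletejournal", re.I),
    "petya_perfc_rundll32": re.compile(r"rundll32\.exe.*perfc\.dat.*#1", re.I),
    "petya_remote_wmi": re.compile(
        r"process\s+call\s+create.*rundll32\.exe.*perfc\.dat", re.I),
}


def match_cmdline_rules(event):
    """Return (host, [rule names]) for one 'host|user|commandline' event."""
    host, _user, cmd = event.split("|", 2)
    return host, [name for name, rx in RULES.items() if rx.search(cmd)]


def classify_scanners(flows, min_targets=8):
    """Map each source IP that hit tcp/139 or tcp/445 on >= min_targets distinct hosts
    to a verdict, separating a sweep of its own /24 (workstation behaviour) from a
    sweep across several /24s (the DhcpEnumSubnets-driven behaviour seen on servers/DCs)."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport in (139, 445):
            targets[src].add(dst)
    verdicts = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        scopes = {ip_network(f"{d}/24", strict=False) for d in dsts}
        own_scope = ip_network(f"{src}/24", strict=False)
        if len(scopes) > 1:
            verdicts[src] = "smb_scan_multiple_24"
        elif scopes == {own_scope}:
            verdicts[src] = "smb_scan_local_24"
        else:
            verdicts[src] = "smb_scan_remote_24"
    return verdicts


def triage(cmdline_events, flows):
    """Combine host-based and network-based hits into {host_or_ip: sorted findings}."""
    report = defaultdict(set)
    for event in cmdline_events:
        host, hits = match_cmdline_rules(event)
        if hits:
            report[host].update(hits)
    for src, verdict in classify_scanners(flows).items():
        report[src].add(verdict)
    return {key: sorted(vals) for key, vals in report.items()}


if __name__ == "__main__":
    for key, findings in triage(SAMPLE_CMDLINE_EVENTS, SAMPLE_FLOWS).items():
        print(f"{key}: {', '.join(findings)}")
```

The benign daily backup task is included deliberately: the reboot rule keys on the combination of `/SC once`, an empty task name and `shutdown.exe /r /f`, so routine scheduled tasks do not fire it. The rundll32 rule also matches the WMI lateral-movement line, which is intended; the `petya_remote_wmi` hit on top of it tells the analyst that this host was the target of remote execution rather than the origin.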

The following URLs have been associated with Petya (Tor payment portals, payload download locations and related infrastructure):

  • hxxp://petya3jxfp2f7g3i.onion/
  • hxxp://petya3sen7dyko2n.onion/
  • hxxp://mischa5xyix2mrhd.onion/MZ2MMJ
  • hxxp://mischapuk6hyrn72.onion/MZ2MMJ
  • hxxp://petya3jxfp2f7g3i.onion/MZ2MMJ
  • hxxp://petya3sen7dyko2n.onion/MZ2MMJ
  • hxxp://mischapuk6hyrn72.onion/
  • hxxp://benkow.cc/71b6a493388e7d0b40c83ce903bc6b04.bin
  • COFFEINOFFICE.XYZ
  • hxxp://french-cooking.com/

Countries that reported Petya infections include, but are not limited to, Russia, Ukraine, Spain, France, the United Kingdom, the United States and India. The ransom demanded for Petya infections is set at $300 in Bitcoin per infected device.

Reported affected industries include, but are not limited to: financial services; retail, hospitality and travel; and energy and utilities.

Researchers also believe that the attacker took an existing ransomware family, repackaged it, and unleashed the resulting chaos.

  • Attack PoC

  • Advisory Notes

The EternalBlue SMB exploit was originally published by the Shadow Brokers, who allegedly acquired NSA hacking tools. The exploit was published in April 2017, but Microsoft had already patched the underlying vulnerability in March 2017. The exploit is particularly dangerous because Petya uses a remote code execution vulnerability that requires no user interaction.

Since the ransomware propagates primarily by exploiting the EternalBlue SMB vulnerability, multiple infections in the same organization are to be expected: the exploit targets a previously patched Windows vulnerability, and the malware additionally uses PsExec or WMIC together with other lateral-movement techniques such as stealing admin credentials to spread across the local network (but not the internet), as described earlier.

Researchers have also advised against paying the ransom, because the email address "wowsmth123456[at]posteo[dot]net" that Petya asks victims to contact after payment has been blocked by the email provider Posteo, making payment confirmation practically impossible.

Early analysis indicates that, for the current variant of Petya, administrators can stop the WMI-based spread within a network by blocking the file "C:\Windows\perfc.dat" from running.

Administrators can also shore up their defences by using Microsoft's Local Administrator Password Solution (LAPS) to protect the credentials that grant network privileges. Researchers also found that the Petya disk encryption runs on boot, meaning that if the system is disrupted before Windows boots, or powered down quickly once the screen displays the fake "Check Disk" message, the MFT encryption can be avoided.

If MS17-010 is not patched, the malware will spread via Microsoft Server Message Block. If MS17-010 is patched and the malware has admin rights, it will spread laterally via either PSEXEC or WMIC as mentioned in earlier sections.

Note: The actor(s) behind this activity is currently unknown and no major group has taken credit for the activity.

  • Mitigation Techniques

To safeguard the organization from Petya outbreak, Varutra Consulting recommends the following:

  • Prevent the reboot after the blue screen, thereby preventing the stage 2 encryption.
  • Apply the Microsoft MS17-010 SMB Server patches across the network.
  • Disable SMBv1 and block all versions of SMB at the network perimeter by blocking TCP port 445 together with the related protocols on UDP ports 137-138 and TCP port 139.
  • Ensure Microsoft Knowledge Base updates KB4015546 and KB4015549 have been applied to all systems, as Petya leverages CVE-2017-0199.
  • As the email address used for the Petya ransomware is "wowsmth123456[at]posteo[dot]net", detect and blacklist all incoming emails from wowsmth123456[at]posteo[dot]net at the network boundary.
  • Block the following possibly infected IPs on the firewall immediately: "95.141.115[dot]108", "185.165.29[dot]78", "84.200.16[dot]242" and "111.90.139[dot]247".
  • Do not pay any ransom associated with this activity. The actors may not even provide a decryption key, and paying incentivizes and finances further criminal activity.
  • Enable strong spam filters to prevent phishing emails from reaching end users, and authenticate inbound email using Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC) and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
  • Disable macro scripts in Microsoft Office files transmitted via email.
  • Implement endpoint controls to protect the Windows AppData folder.
  • Prevent privileged execution of Windows binaries from temp directories.
  • User education should include regularly advising users of how attackers are trying to gain a foothold in the environment.
  • Advise users not to open email attachments unless they are expecting them, and only to open attachments received from a trusted source.
  • If a document from an email is opened in Protected Mode, the user should not enable editing unless they expected the document and know who sent it.

Read about WannaCry Ransomware Threat Advisory blog post here

  • References:
  1. https://securingtomorrow.mcafee.com/mcafee-labs/new-variant-petya-ransomware-spreading-like-wildfire/
  2. http://seckurity.com/2017/06/everything-technical-about-the-new-ransomware-petya/
  3. https://www.optiv.com/blog/intelligence-advisory-new-petya-ransomware-outbreak
  4. https://www.malwaretech.com/2017/06/petya-ransomware-attack-whats-known.html
  5. https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
  6. https://www.wired.com/story/petya-ransomware-wannacry-mistakes/
  7. https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/


Lekhraj Rawat and Umang Waghmare


Beware Android Users – CLOAK AND DAGGER is here to exploit you

The world has still not gotten over the WannaCry ransomware menace, and here comes one more!

People have been debating Android versus iPhone for years. It is the ultimate battle, and it is not ending anytime soon. But there is something Android users will not like to hear, and iPhone users may rejoice about: Android users are not safe!

Yes, the Android OS that you and I are using (even the latest, Android 7.1.2) is not safe; your credentials and data are at serious risk.

Android users worldwide have long been a popular target for criminals. Less than a month ago, researchers uncovered several malicious Android applications masquerading as "Funny Videos" on the Play Store, with over 5,000 downloads; besides serving funny videos, they carried the BankBot banking Trojan, which stole victims' banking passwords.

Until now, it was assumed that malware needs the user to do something careless in order to get onto a device, such as clicking a link in a phishing email or installing software from an unverified source. Researchers have now disclosed a new class of attacks, called "Cloak and Dagger", that works against all versions of Android. Yes, even the latest version of Android is not safe from this attack.

It allows an attacker to silently take complete control of the device and steal the user's private data, such as login credentials (via a keylogger that records and analyses keystrokes), personal chats and contacts, without the user's knowledge or consent.

This stealthy attack was first discovered by researchers at the Georgia Institute of Technology in Atlanta last August. They have been in discussion with Google, and some of the issues were fixed over the following months with updates, but others are still present in the latest version of the platform.

How does the attack take place?

The Cloak and Dagger attack is built on two specific permissions: SYSTEM_ALERT_WINDOW and BIND_ACCESSIBILITY_SERVICE.

What makes it even more dangerous is that the SYSTEM_ALERT_WINDOW permission is granted automatically to applications installed from the Play Store, and an app holding it can easily trick the user into granting BIND_ACCESSIBILITY_SERVICE and so bootstrap the whole attack.

This means that all the user has to do is install a (malicious) application from the Play Store, and the malicious code takes care of the rest.

Let's know more about the permissions.

SYSTEM_ALERT_WINDOW

This permission is better known as "Draw over other apps"; it lets an application draw overlays on top of other applications. According to the official documentation, "Very few applications should use this permission; these windows are intended for system-level interaction with the user." Despite this warning, SYSTEM_ALERT_WINDOW is used by popular applications such as Facebook, LastPass, Twitter and Skype, and about 10.2% (454 out of 4,455) of the top applications on the Google Play Store request it.

Since the SYSTEM_ALERT_WINDOW permission is granted automatically, the user is not notified at any point.

BIND_ACCESSIBILITY_SERVICE

This permission exists to support Android users with disabilities. An accessibility service can discover the UI widgets displayed on the screen, query their content, and interact with them programmatically. It is less common than the previous permission: among the top 4,455 applications on the Play Store, 24 use this service, and it is worth noting that none of them is purely designed for people with disabilities. Most are security applications such as password managers, app lockers, desk launchers and antivirus applications. 17 of these applications require both permissions.

The combination of these two permissions leads to a stealthy and very powerful class of attacks, called "Cloak and Dagger" because they take place undercover, without the user's knowledge.

Conceptually, Cloak and Dagger is the first class of attacks to completely compromise the UI feedback loop. The attacker can modify what the user sees, detect the user's input in reaction to the modified display, and update the display to meet the user's expectations. Likewise, the attacker can inject fake input while still showing the user what they expect to see, instead of the system's real response to the injected input.

This sharply contrasts with existing attacks that used either SYSTEM_ALERT_WINDOW or BIND_ACCESSIBILITY_SERVICE on its own. With only SYSTEM_ALERT_WINDOW (e.g., GUI confusion attacks), the attacker can modify what the user sees but cannot anticipate how or when the user reacts to the modified display, and so cannot adapt the displayed content accordingly. With only BIND_ACCESSIBILITY_SERVICE, the attacker can inject fake user input but cannot prevent the user from seeing the results of that input on the screen. In both cases, with only one of the two permissions, the user can quickly discover the attack.

In Cloak and Dagger, by contrast, the combination of the two permissions allows an attacker to both modify what the user sees and inject fake input, all while maintaining the expected user experience.

The potential consequences of the Cloak and Dagger attacks include almost complete control over the victim’s device – context-aware clickjacking attacks, perform (unconstrained) keystroke recording, steal user’s credentials, security PINs, and two-factor authentication tokens, and silently install a God-mode application with all permissions enabled.

According to the research, the flaws allow malicious applications downloaded from the Google Play Store to take control of the operating system's UI feedback loop, and thereby of the device, while the user remains completely unaware that anything malicious is taking place.

The researchers also explained how they got an application onto the Google Play Store to perform Cloak and Dagger attacks. The application they submitted was approved within a few hours and, at the time of writing, is reportedly still available on the Play Store. It contains non-obfuscated functionality to download and execute arbitrary code (to simulate malicious behaviour).

Once installed, the researchers say the attacker can perform various malicious activities including:

  • Advanced clickjacking attack
  • Unconstrained keystroke recording
  • Stealthy phishing attack
  • Silent installation of a God-mode application (with all permissions enabled automatically)
  • Silent phone unlocking and arbitrary actions (all this while keeping the screen off)

The researchers at the Georgia Institute of Technology carried out the attack successfully on 20 test users, none of whom noticed any malicious activity.

It is important to mention that, starting from Android 6.0, SYSTEM_ALERT_WINDOW is treated differently from other permissions: the user normally has to enable it manually through a dedicated settings menu. However, if an application is installed by the latest version of the official Play Store app, the permission is granted automatically and the user is never notified.

The researchers reported their findings to Google, which promptly acknowledged all the problems raised. However, no comprehensive patch is available yet: while a few specific instances can be fixed with a simple patch, most of the attacks are possible because of design shortcomings that are not easily addressable.

What can you do to protect yourself?

The easiest way to mitigate the issue and disable the Cloak and Dagger attacks in Android 7.1.2 is to turn off the “draw on top” permission by heading on to:

Settings → Apps → Gear symbol → Special access → Draw over other apps.

Do not expect a true fix for this issue to reach your device anytime soon. "Android O" will partially address the flaw by preventing applications from drawing over the entire screen and by raising a notification whenever an application is actively drawing an overlay. With these changes, a malicious application is less likely to get away with the attack if the user is attentive, although it is doubtful that every such case will be caught. Until Android O arrives (expected in the third quarter of this year), users cannot do much beyond regular security practice: install applications only from trusted sources, do not install random applications, and keep a close watch on what permissions an application asks for.

Check an application's permissions before installing it, and keep monitoring what permissions have been granted to each application you install. If an application asks for more than its purpose requires, do not install it.
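The manual check above (which apps may draw over other apps, and which have an accessibility service enabled) can be scripted against the output of two `adb` commands. The following is an added example written for this post, not code from the Cloak and Dagger researchers or from Google. The `dumpsys package` excerpt and the `enabled_accessibility_services` value are constructed to look like the real outputs (trimmed to the lines this audit needs), the package names are made up, and the three-tier verdict scheme is the author's own.

```python
import re

# Constructed excerpt in the shape of `adb shell dumpsys package` output, trimmed to the
# lines this audit needs. Not captured from a real device; package names are made up.
SAMPLE_DUMPSYS = """\
Package [com.example.flashlight] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
Package [com.example.passwordmanager] (4d5e6f):
    userId=10124
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
Package [com.example.notes] (7a8b9c):
    userId=10125
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
"""

# Constructed value in the shape of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated package/service pairs; the literal string "null" when nothing is enabled).
SAMPLE_ENABLED_A11Y = ("com.example.flashlight/.SpyAccessibilityService:"
                       "com.example.passwordmanager/.AutofillService")

PACKAGE_RX = re.compile(r"^Package \[([\w.]+)\]")
OVERLAY_GRANTED = "android.permission.SYSTEM_ALERT_WINDOW: granted=true"


def parse_overlay_grants(dumpsys_text):
    """Packages for which SYSTEM_ALERT_WINDOW ("draw over other apps") is granted."""
    granted, current = set(), None
    for line in dumpsys_text.splitlines():
        m = PACKAGE_RX.match(line)
        if m:
            current = m.group(1)
        elif current and line.strip() == OVERLAY_GRANTED:
            granted.add(current)
    return granted


def parse_enabled_accessibility(setting):
    """Packages that own an enabled accessibility service (BIND_ACCESSIBILITY_SERVICE in use)."""
    setting = setting.strip()
    if setting in ("", "null"):
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def audit(dumpsys_text, a11y_setting, allowlist=frozenset()):
    """Rank packages by how much of the Cloak and Dagger primitive set they hold.
    Holding both permissions is what lets an app fake the screen AND inject input."""
    overlay = parse_overlay_grants(dumpsys_text)
    a11y = parse_enabled_accessibility(a11y_setting)
    findings = {}
    for pkg in sorted(overlay | a11y):
        if pkg in allowlist:
            continue
        if pkg in overlay and pkg in a11y:
            findings[pkg] = "CRITICAL: overlay + accessibility (can fake the screen and inject input)"
        elif pkg in a11y:
            findings[pkg] = "HIGH: accessibility service enabled (can read the screen and inject input)"
        else:
            findings[pkg] = "MEDIUM: draw-over-other-apps granted (can cover the screen)"
    return findings


if __name__ == "__main__":
    for pkg, verdict in audit(SAMPLE_DUMPSYS, SAMPLE_ENABLED_A11Y).items():
        print(f"{pkg}: {verdict}")
```

To run it against a real device, capture `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services` and pass the two outputs to `audit()`; the `allowlist` parameter is for packages you have deliberately vetted (a password manager that needs the accessibility service, for instance), so that only unexpected holders are reported.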

Shreeya Patewadiyar

Associate Security Consultant, Varutra Consulting Pvt. Ltd.


Threat Advisory Report on WannaCry Ransomware (Critical Severity)

1. Introduction

On Friday, May 12, countless organizations around the world began fending off attacks from a ransomware strain variously known as WannaCrypt, WanaDecrypt and Wanna.Cry.

Security researchers identified "WannaCry" (also "WannaDecryptor"), a type of ransomware that spreads from system to system silently and remains invisible to users until it reveals itself, warning them that all their files have been encrypted with a key known only to the attacker and that they will be locked out until they pay an anonymous party using the cryptocurrency Bitcoin.

Ransomware encrypts a victim’s documents, images, music and other files unless the victim pays for a key to unlock them.

Wana Decrypt0r triggered security alerts for ETERNALBLUE, an alleged NSA exploit. ETERNALBLUE works by exploiting a vulnerability in the SMBv1 protocol to gain a foothold on vulnerable machines reachable over the network. Microsoft patched the flaw in MS17-010, released in March, but there is a high chance that not all Windows PC owners have applied the security update.

On Friday, at least 16 hospitals in the United Kingdom were forced to divert emergency patients after computer systems there were infected with Wanna. According to multiple stories in the British media, approximately 90 percent of care facilities in the U.K.’s National Health Service are still using Windows XP – a 16-year-old operating system.

2. Attack Scenario

The initial infection vector of WannaCrypt 2.0 is not confirmed. It is possible that the initial vector is spam with malicious attachments (.pdf, .hta, and macro embedded MS Office files) commonly used in other ransomware campaigns.

Once WannaCry 2.0 achieves a foothold, the ransomware infects other machines by exploiting a remote code execution vulnerability in Server Message Block (SMB). It is confirmed to exploit at least one publicly disclosed SMB vulnerability, CVE-2017-0144, also referred to as "EternalBlue", whose exploit was released by the group called Shadow Brokers in April 2017. Using the resulting arbitrary code execution, the ransomware installs itself on the machine, then proceeds to encrypt a wide array of files.

Files are encrypted with the .WNCRY file extension added to them. The ransomware also downloads and installs TOR, with all dependencies, onto the infected machine, and uses this service to reach out to one of at least six .onion domains. The ransomware drops a ransom note named @Please_Read_Me@.txt; it also adds a lock screen, named “WanaCrypt0r 2.0”

At the time of reporting, the malware was demanding $300 USD in Bitcoin, and this amount was later increased to $600. The Bitcoin wallets associated with the activity had received approximately 500 ransom payments, estimated to be worth over $150,000. The increase from $300 to $600 indicates that the actors have some control over the demanded amount and are raising the cost of decryption, likely because of the malware's success.

The ransomware uses a unique encryption key for each binary placed on a computer, but because the file keys are protected with asymmetric RSA encryption, even obtaining the encryption key material from an infected machine does not allow convenient decryption.

Upon infection, the following files are created:

%Temp%\[14 random digits].bat

The file c.wry contains information needed by the malware to further the infection and to communicate with its command and control server.

It adds the following registry entry for persistence (the value name and user profile are elided, as in the original report):

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "" /t REG_SZ /d "\"C:\Users\\AppData\Local\Temp\tasksche.exe\"" /f

It also drops the ransom note, named @Please_Read_Me@.txt, and the decryptor file, named @WanaDecryptor@.exe.
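The persistence entry above is a generic pattern worth hunting for: a Run value whose image lives in a user-writable directory such as %TEMP% or AppData. The following is an added example written for this advisory, not code from the original report; it parses the output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` (a constructed excerpt is embedded, with a placeholder value name standing in for the random one WannaCry uses) and flags entries that run from user-writable paths or match the dropper names given on this page. The column layout assumed for `reg query` output (four-space separators) is an assumption to verify on your own systems.

```python
import re

# Constructed output in the shape of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
# (trimmed; not captured from a real machine). The value name "hmjkawqdk" is a placeholder for
# the random name the malware chooses; the two other entries are ordinary autoruns.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    hmjkawqdk    REG_SZ    "C:\Users\jdoe\AppData\Local\Temp\tasksche.exe"
"""

# reg query prints "    <name>    <type>    <data>" with four-space separators (assumed layout).
VALUE_RX = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

# Directory fragments a standard user can write to; legitimate autoruns rarely live here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# File names this advisory attributes to WannaCry.
KNOWN_BAD_NAMES = {"tasksche.exe", "@wanadecryptor@.exe"}


def parse_run_values(text):
    """Return [(value_name, value_type, data)] for every value line in reg query output."""
    entries = []
    for line in text.splitlines():
        m = VALUE_RX.match(line)
        if m:
            name, vtype, data = m.groups()
            entries.append((name, vtype, data.strip()))
    return entries


def image_path(data):
    """Extract the executable path from Run value data, quoted or bare, with or without arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def assess_run_entries(text):
    """Flag Run values that execute from user-writable locations or carry a known dropper name."""
    findings = []
    for name, _vtype, data in parse_run_values(text):
        path = image_path(data)
        low = path.lower()
        reasons = []
        if any(fragment in low for fragment in USER_WRITABLE):
            reasons.append("executes from a user-writable directory")
        if low.rsplit("\\", 1)[-1] in KNOWN_BAD_NAMES:
            reasons.append("file name matches a known WannaCry dropper")
        if reasons:
            findings.append({"value": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in assess_run_entries(SAMPLE_REG_QUERY):
        print(f"{finding['value']}: {finding['path']} ({'; '.join(finding['reasons'])})")
```

On a live host, redirect `reg query` output for both the HKLM and HKCU Run keys into the function; the user-writable check is the durable part of the logic, since the dropper name changes between families but the "autorun from %TEMP%" pattern does not.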

WannaCrypt0r 2.0 uses TOR hidden services for command and control, dropping and installing a fully functional version of TOR with all necessary components onto an infected machine. The TOR service reaches out to one of a number of .onion domains, including:

  • gx7ekbenv2riucmf[.]onion
  • 57g7spgrzlojinas[.]onion
  • Xxlvbrloxvriy2c5[.]onion
  • 76jdd2ir2embyv47[.]onion
  • cwwnhwhlz52maqm7[.]onion
  • sqjolphimrr7jqw6[.]onion

The following file extensions have been observed to be affected by this malware:

.der .slk .odb .jsp .3g2 .zip .edb .docm
.pfx .wb2 .frm .php .flv .rar .potm .docb
.key .odp .myd .asp .wma .tgz .potx .jpg
.crt .otp .myi .java .mid .tar .ppam .jpeg
.csr .sxd .ibd .jar .m3u .bak .ppsx .snt
.p12 .std .mdf .class .m4u .tbk .ppsm .onetoc2
.pem .uop .ldf .mp3 .djvu .bz2 .pps .dwg
.odt .odg .sln .wav .svg .PAQ .pot .pdf
.ott .otg .suo .swf .psd .ARC .pptm .wk1
.sxw .sxm .cpp .fla .nef .aes .xltm .wks
.stw .mml .pas .wmv .tiff .gpg .xltx .hwp
.uot .lay .asm .mpg .tif .vmx .xlc .rtf
.3ds .lay6 .cmd .vob .cgm .vmdk .xlm .csv
.max .asc .bat .mpeg .raw .vdi .xlt .txt
.3dm .sqlite3 .ps1 .asf .gif .sldm .xlw .vsdx
.ods .sqlitedb .vbs .avi .png .sldx .xlsb .vsd
.ots .sql .dip .mov .bmp .sti .xlsm .eml
.sxc .accdb .dch .mp4 .vcd .sxi .dotx .msg
.stc .mdb .sch .3gp .iso .pptx .dotm .ost
.dif .dbf .brd .mkv .backup .ppt .dot .pst
.xlsx .xls .docx .doc
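
The indicators listed above (the .onion domains, the dropped file names, the .WNCRY extension and the Run key) only become useful once they are matched against telemetry. The following is an added example, not code from this advisory or from Varutra, that turns those indicators into a small matcher and runs it over constructed DNS and endpoint log lines; the log format, host names and client addresses are assumptions.

```javascript
// Added example: match the advisory's WannaCry 2.0 indicators against log lines.
// Indicator values are the ones listed in the advisory; the log lines are constructed.

// C2 domains as published (defanged with [.]); refanged before matching.
const ONION_IOCS = [
  "gx7ekbenv2riucmf[.]onion",
  "57g7spgrzlojinas[.]onion",
  "xxlvbrloxvriy2c5[.]onion",
  "76jdd2ir2embyv47[.]onion",
  "cwwnhwhlz52maqm7[.]onion",
  "sqjolphimrr7jqw6[.]onion",
];
const FILE_IOCS = ["@Please_Read_Me@.txt", "@WanaDecryptor@.exe", "tasksche.exe"];
const RUN_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run";

// Turn a defanged indicator ("x[.]onion") back into a matchable string.
function refang(ioc) {
  return ioc.replace(/\[\.\]/g, ".");
}

function buildMatchers() {
  const matchers = [];
  for (const d of ONION_IOCS) matchers.push({ type: "c2-domain", value: refang(d).toLowerCase() });
  for (const f of FILE_IOCS) matchers.push({ type: "dropped-file", value: f.toLowerCase() });
  // The Run key alone is written by plenty of legitimate software; count it as a
  // WannaCry persistence hit only when the same event also references tasksche.exe.
  matchers.push({ type: "persistence", value: RUN_KEY.toLowerCase(), requires: "tasksche.exe" });
  return matchers;
}

// Returns the indicator hits for one log line (empty array if the line is clean).
function scanLine(line, matchers) {
  const lower = line.toLowerCase();
  const hits = [];
  for (const m of matchers) {
    if (!lower.includes(m.value)) continue;
    if (m.requires && !lower.includes(m.requires)) continue;
    hits.push({ type: m.type, value: m.value });
  }
  // Encrypted files carry the .WNCRY extension; match it as a trailing token.
  if (/\.wncry\b/i.test(line)) hits.push({ type: "encrypted-file", value: ".wncry" });
  return hits;
}

// Scans an array of lines; returns [{ line: <1-based number>, hits }] for lines with hits.
function scanLog(lines) {
  const matchers = buildMatchers();
  const findings = [];
  lines.forEach((line, i) => {
    const hits = scanLine(line, matchers);
    if (hits.length) findings.push({ line: i + 1, hits });
  });
  return findings;
}

// Constructed sample telemetry (hypothetical hosts, addresses and format; not real logs).
const SAMPLE_LOG = [
  "2017-05-12T10:01:02Z dns client=10.0.0.5 query=gx7ekbenv2riucmf.onion",
  "2017-05-12T10:01:05Z file-create host=WS-12 path=C:\\Users\\alice\\AppData\\Local\\Temp\\tasksche.exe",
  "2017-05-12T10:01:09Z registry-set host=WS-12 key=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run data=C:\\Users\\alice\\AppData\\Local\\Temp\\tasksche.exe",
  "2017-05-12T10:02:30Z file-rename host=WS-12 from=report.docx to=report.docx.WNCRY",
  "2017-05-12T10:03:00Z dns client=10.0.0.9 query=www.example.com",
];

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

Run against the constructed sample, lines 1 to 4 produce hits (C2 lookup, dropped file, persistence plus dropped file, encrypted file) and line 5 is clean. The `requires` guard on the Run key is the part worth copying: an indicator that is common in benign activity should be combined with a second indicator from the same event before it is reported.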

3. Attack PoC

4. Advisory Notes

The EternalBlue SMB vulnerability was originally published by the Shadow Brokers, who allegedly acquired NSA hacking tools. The vulnerability was published in April 2017 but had already been patched by Microsoft in March 2017, before the release. The exploit is particularly dangerous because WannaCry 2.0 uses a remote code execution vulnerability that does not require any user interaction.

Moreover, the malware can spread laterally as quickly as infected machines can process the commands, which gives this threat its highly virulent nature. Since the ransomware propagates primarily by exploiting the EternalBlue SMB vulnerability, multiple infections in the same organization are to be expected: the exploit leverages a previously patched Windows vulnerability, and if one infected device lacks the appropriate patches, other machines are likely to be similarly vulnerable.

The inclusion of over twenty language variants of the ransom note supports the conclusion that this malware was not targeted at a particular country or entity, but rather was intended to spread as widely as possible.

The success of this ransomware attack will almost certainly lead to future ransomware attacks attempting to propagate via critical Microsoft Windows vulnerabilities, even months after a vulnerability is publicly released and patched. The actor(s) behind this activity are currently unknown, and no major group has taken credit for it.

5. Mitigation Techniques

Varutra Consulting recommends the following:

  • Apply Microsoft patches MS17-010 / MS17-012, disable SMB v1, and block all versions of SMB at the network boundary by blocking TCP port 445, together with the related NetBIOS protocols on UDP ports 137-138 and TCP port 139, on all boundary devices.
  • Due to recent changes in Microsoft patch naming, ensure Microsoft Knowledge Base article 4013389 has been applied to all systems, as it is another name for the MS17-010 SMB vulnerability patch.
  • Do not pay any ransom associated with this activity. The actors may not even provide a decryption key, and paying incentivizes and finances further criminal activity.
  • Enable strong spam filters to prevent phishing e-mails from reaching end users, and authenticate inbound e-mail using technologies such as Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
  • Prevent privileged execution of Windows binaries from temp directories.
  • Disable macro scripts in Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files received via e-mail instead of the full Office suite applications.
  • Develop user security awareness training for identifying scams, malicious links, and attempted social engineering.
  • Scan your perimeter and other Internet-facing network infrastructure for the presence of open Windows SMB ports.
  • Ensure that Snort signatures ET-2024217, ET-2024218, and ET-2024220 are deployed so that lateral propagation is detected within the enterprise network and not just at the border or perimeter.
  • The possibly infected IP addresses listed below need to be blocked on the firewall immediately.

Read the Petya Ransomware Threat Advisory blog post here

Mobile Vulnerability Database (MVD)

The Android operating system is the most widely used operating system for mobile devices. Android has around 82.8% (IDC) market share and is a favourite target for attackers. One of the latest vulnerabilities, StageFright, allows an attacker to execute arbitrary code on an Android device by taking advantage of a flaw in the stagefright media library. Considering other platforms such as iOS, Windows, and Blackberry as well, Varutra is maintaining the vulnerabilities related to mobile operating systems in the Mobile Vulnerability Database (MVD). Varutra has developed the MVD application for the Android platform, which identifies vulnerabilities in the Android operating system and provides detailed vulnerability reports, and which is freely available on the Play Store for all Android users. The applications for other platforms are under development and will be available very soon for iOS, Windows and Blackberry.

MVD (Mobile Vulnerability Database):

Mobile Vulnerability Database, or MVD, is a unique place to find out about vulnerabilities reported worldwide for Mobile Platforms.

A user can browse through vulnerabilities specific to their mobile platform and the particular version. The objective of MVD is to give a common place for mobile users to get acquainted with the vulnerabilities that might exist on their devices. Users can choose to receive specific vulnerability details as a report via Email.

1. MVD

Platforms covered by MVD

At present MVD covers major mobile smartphone platforms such as Android, Blackberry, iOS and Windows Phone.

2.1 Platforms

MVD Web Application:

MVD is also available as a web interface where users can search for and gather information on mobile operating system vulnerabilities, simply by searching by Common Vulnerabilities and Exposures (CVE) ID or vulnerability category.

A user can browse through vulnerabilities specific to their mobile platform and the particular version. The objective is to give a common place for mobile users to get acquainted with what vulnerabilities might exist on their devices. Additionally, users can choose to receive specific vulnerability details as a report via Email.

Web Application

For more information: http://varutra.com/mvd/

MVD Platforms:

MVD is developed for mobile operating systems such as Android, iOS, BlackBerry and Windows

3.1 MVD Platforms

Terminologies related to MVD

What is KVID?

KALP Varutra ID (KVID) is a unique number assigned to each reported vulnerability; maintained in the MVD database by the Varutra team.

E.g. KVA01 for Android, KVB01 for Blackberry, KVI01 for iOS and KVW01 for Windows Phone

Note: KALP stands for Knowledge Attained Learn Process. It is a blog for information published on the World Wide Web and consisting of discrete entries (“posts”) typically displayed in reverse chronological order.

What is CVE?

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this “common enumeration.”

For more information: https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures

What is CVSS?

Common Vulnerability Scoring System (CVSS) is a vendor agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization.

For more information:


CVSS scores can range from 0.0 (no vulnerability) to 10.0 (critical).

E.g. BlackBerry uses CVSS in vulnerability assessments to present an immutable characterization of security issues. BlackBerry assigns all relevant security issues a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.

MVD Feature:

MVD feature

How to get the Vulnerability Report on Email?

The user can register with their Name and Email ID on “Register for Vulnerability Report” and then select the required platform and version to receive the report. A module is being implemented so that, once a user is registered, they will get automatic updates for any new vulnerabilities reported in the platform and version they have chosen.

4.1 Vulnerability Report

Users can now access the MVD on their Android smartphones and tablets.

The MVD Android application covers major mobile smartphone / tablet platforms such as Android, Blackberry, iOS and Windows Phone. Users can register with their Name and Email ID on “Register for Vulnerability Report” and then select the desired mobile platform and version to receive the report. Users can also download the MVD Android application to their device from Google Play:



MVD is very useful for mobile phone users who are interested in knowing the vulnerabilities in their Android phone and want to mitigate them. Additionally, MVD is useful for security researchers interested in knowing the vulnerabilities present in multiple mobile operating systems.

For more details, read Pentestmag


Mr. Chetan Gulhane

Security Consultant, Varutra Consulting Pvt. Ltd.


CSRF Vulnerability on LinkedIn


In a previous blog post we saw a critical vulnerability in the LinkedIn password reset module that allowed an attacker to compromise a LinkedIn user’s account, and how helpless a LinkedIn user would be in case of an actual compromise of his / her account in a real-world scenario.

Here is a new vulnerability, a Cross-Site Request Forgery (CSRF) in the LinkedIn Recommendation section, which allows an attacker to delete any recommendation of any user.


Let us understand the issue and the simplicity of this attack.

1. An attacker / malicious LinkedIn user can view the recommendation given by LinkedIn User 1 to LinkedIn User 2.

2. The attacker logs into a LinkedIn account, opens the web page source and searches for strings such as “Recommendation for USERNAME”.


Figure: The web page source shows the recommendation details with a unique ID “515940281” for User 1’s recommendation to User 2.


3. To craft a malicious CSRF link, the attacker goes to the Manage Recommendations area and checks for any recommendations he has posted for others, clicks on one and copies the URL of that recommendation.

The URL will be



Figure: Analyzing and collecting URL for Displaying and Withdrawing a User’s recommendation.

4. In the same way, the URL to withdraw any recommendation given by the attacker is


The only difference is that the parameter changes from ‘dep’ to ‘wdr’.

The crafted URL for removing or withdrawing the recommendation from User 1 to User 2 is


This is the shortest and simplest form of the vulnerable CSRF link.

5. Send this URL to User 1 in an e-mail. More dangerously, the same CSRF link can be sent using the LinkedIn mail feature.

6. When User 1 clicks this link, the selected recommendation given by User 1 to User 2 is withdrawn or deleted.


On being notified of this issue, LinkedIn was prompt to acknowledge the vulnerability and has mitigated it.

More can be read at http://packetstormsecurity.com/files/127259/

Author: Kishor Sonawane


Insecure URL redirection in Google+

URL Redirection

Our team identified a vulnerability in the Google+ (Google Plus) service which can be used to perform malicious URL redirection. It was possible to bypass the Google+ ‘Redirect Notice’ and divert a user to a malicious site. The issue takes advantage of the Google+ facility for redirecting users from a Google service to third-party sites.

When a user is being redirected to a third-party site, Google+ shows a Redirect Notice that the user is about to be redirected, so the user can choose either to continue with the redirection or to stay on Google+.

The Varutra team could successfully bypass the redirect notice and came up with a way to divert users directly to third-party sites without any notice or correspondence from Google+. The severity of the identified threat is raised by the fact that the victim need not be logged in to a Google+ account.

Below are the steps to reproduce the issue:

I. Please note, these steps are just to showcase the consequence of the vulnerability and are given for educating users about the threats, Varutra does not hold any responsibility for use/misuse of this information.

II. Attacker navigates to page http://plus.url.google.com/url?q= and enters the malicious URL of choice. (http://plus.url.google.com/url?q=http://www.malicious-site.com)

III. Google+ generates a redirection request/URL and shows a Redirect Notice with two options:

    1. The previous page is sending you to http://www.malicious-site.com
    2. If you do not want to visit that page, you can return to the previous page.

IV. The redirection URL will look like http://plus.url.google.com/url?q=http://www.malicious-site.com&ei=Fw0WUoPPGcvwrQfwqIFI&sa=X&ct=targetlink&ust=1377178655421471&usg=AFQjCNHfnI0h_f5_uqegvYZ

V. The attacker right-clicks on the www.malicious-site.com link and copies the link location.

VI. This link can then be sent to the victim user in whatever way suits best, redirecting him/her to http://www.malicious-site.com without any notice from Google+.

The only thing to note is that this link is temporary and valid for approximately 30 minutes.

It was also observed that other Google services, such as google.com (the search engine) and orkut.com, are also open to this issue.