Petya was first reported in March 2016; what we see now is an improved version, also referred to as “NotPetya” or “GoldenEye”. It is a nasty piece of ransomware and works a bit differently from other ransomware in that it does not encrypt the files on a targeted system one by one. Instead, it reboots the victim’s computer and encrypts the hard drive’s Master File Table (MFT), the structure that records the name, size and on-disk location of every file, and renders the Master Boot Record (MBR) inoperable, so the whole system becomes inaccessible. Petya replaces the computer’s MBR with its own malicious code, which displays the ransom note and leaves the computer unable to boot.
The attack was first reported in Ukraine, where the government, banks, the state power utility and Kiev’s airport and metro system were all affected. The ransomware then spread through the US and Europe, where its victims have been unable to unlock their computers even after paying the ransom. It has caused serious disruption at large firms in countries including Ukraine, Russia and France.
Last month’s WannaCry ransomware attack affected more than 230,000 computers in over 150 countries, with the UK’s National Health Service, Spanish phone giant Telefonica and the German state railway among those hardest hit. It has been confirmed that the ransomware in the current attack uses the same exploit as WannaCry.
The exploit, called EternalBlue, was leaked by the Shadow Brokers hacker group in April and is thought to have been developed by the US National Security Agency (NSA). To spread inside companies that installed the patch to protect themselves against WannaCry, Petya appears to have two further ways of propagating rapidly within an organisation, by abusing the network’s own administration tools. It is not yet clear how computers became infected in the first place, and it is not certain that the initial infection arrived by email, as happened with WannaCry.
The two prominent differences between Petya and WannaCry are, first, that Petya does not just encrypt individual files on the system but also overwrites the Master Boot Record, rendering the system unbootable, and second, that it is also known to spread using the WMIC and PsExec utilities. The protection used against WannaCry, patching the systems or disabling SMBv1, therefore might not be enough when it comes to Petya.
Who is affected?
Any entity running vulnerable Windows systems that do not have the necessary patches installed.
Best Practices to Prevent Infection
To limit the impact:
- Block access to known Indicator of Compromise (IOC) domains
To ensure you can recover:
- Regularly back up all critical systems and data
- If you are using encrypted backups, make sure you keep a copy of the key material used to encrypt them in offsite storage. If the backup server is running a vulnerable version of Windows it may also have been impacted.
- Without a restorable backup of the data it is, in practical terms, impossible to recreate the systems.
Prevent in the first place:
- Review Microsoft Security Bulletin MS17-010 and apply the update.
- Update systems to the latest version or patch level published by the manufacturer.
- For systems that are out of support or for which no patch exists, isolate them from the network or turn them off, as appropriate.
- Disable SMBv1 and block all versions of SMB at the network boundary by blocking TCP port 445, together with the related NetBIOS protocols on UDP ports 137-138 and TCP port 139, on all boundary devices.
- Since Petya also takes advantage of the WMIC and PsExec tools to infect fully patched Windows computers, you are also advised to disable WMIC (Windows Management Instrumentation Command-line). Test this first, because management and inventory tooling often depends on it. Note that both tools need credentials that are valid on the target machine, so limiting shared local administrator passwords and the machines on which privileged accounts log on also limits how far the malware can spread.
- Discover which systems within your network are susceptible to the Windows vulnerability, so that they can be isolated, updated and/or shut down.
- Do not open attachments from untrusted email addresses.
- Avoid opening Microsoft Office files from untrusted sources.
- Back up data and create a restore point.
- New signature files for antivirus products are available; update the antivirus as soon as possible.
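As an added example (not from the original advisory or from any vendor), the PowerShell script below audits a single Windows host for the patch, SMBv1 and port-blocking items above and, with -Remediate, applies the SMBv1 and host-firewall parts. The two KB identifiers are an assumption: they are the MS17-010 entries for Windows 7 / Server 2008 R2 and must be replaced with the entries for your OS build from the bulletin. Run it in an elevated session.

```powershell
<#
  Host-level audit of the MS17-010 / SMBv1 / SMB-port controls (added example).
  Assumption: $Ms17010Kb holds the MS17-010 KBs for Windows 7 / Server 2008 R2;
  substitute the KBs for your OS build.
#>
param(
    [switch]$Remediate,
    [string[]]$Ms17010Kb = @('KB4012212', 'KB4012215')
)

$LanmanServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010 {
    # Either the security-only update or the monthly rollup satisfies the bulletin.
    # Caveat: a later cumulative rollup that supersedes these KBs also carries the fix
    # but is not listed under the original KB number, so an empty result means
    # "verify by srv.sys version", not necessarily "unpatched".
    $installed = Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID }
    return [bool]($Ms17010Kb | Where-Object { $installed -contains $_ })
}

function Get-Smb1Enabled {
    # Get-SmbServerConfiguration exists from Windows 8 / Server 2012; older hosts
    # expose the setting only through the LanmanServer registry value.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $v = (Get-ItemProperty -Path $LanmanServer -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v) -or ($v -ne 0)   # a missing value means the default: enabled
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanServer -Name SMB1 -Type DWord -Value 0 -Force
    }
    # The server side only stops this host from serving SMBv1; the client driver
    # (mrxsmb10) is disabled separately, as documented in Microsoft KB2696547.
    # A reboot is required for both changes.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Add-SmbBlockRules {
    # Host-firewall backstop for the boundary block described above. Scope it with
    # -RemoteAddress on file servers, which must keep accepting TCP 445 from clients.
    # New-NetFirewallRule needs Windows 8 / Server 2012 or later; use netsh advfirewall before that.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 139,445)' -Direction Inbound `
        -Protocol TCP -LocalPort 139,445 -Action Block | Out-Null
    New-NetFirewallRule -DisplayName 'Block inbound NetBIOS (UDP 137-138)' -Direction Inbound `
        -Protocol UDP -LocalPort 137-138 -Action Block | Out-Null
}

$before = [ordered]@{
    'MS17-010 KB present' = Test-Ms17010
    'SMBv1 enabled'       = Get-Smb1Enabled
}
[pscustomobject]$before | Format-List

if ($Remediate) {
    if ($before['SMBv1 enabled']) { Disable-Smb1 }
    Add-SmbBlockRules
    if (-not $before['MS17-010 KB present']) {
        Write-Warning 'MS17-010 not detected: install the update from the bulletin; this script does not fetch it.'
    }
}
```

Run it once without -Remediate on a representative workstation and a file server to see the report, then decide per host group whether the inbound 445 block can be applied unconditionally or must be scoped to specific remote addresses.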
This has not been reported for this malware yet, but in general a lot of malware delivery happens by tricking victims into clicking links or opening malicious attachments. It is therefore advisable to have a strong e-mail filtering gateway.
The major issue here is that seemingly harmless attachments can cause a lot of damage within an organisation, aiding in everything from credential theft to crypto-malware.
Today there are technologies available which can inspect inbound e-mails and deconstruct attachments, that is, break an attachment into its functional elements and then reconstruct it without the potentially harmful parts. An example would be a Word file sent to you with a macro embedded in it. With the correct technology that Word file can still be delivered to the user, but only after the macro has been removed from the file.
Help AG works with OPSWAT on data sanitization. The solution is installed as a mail transfer agent behind your existing e-mail defences and therefore does not require any change to user behaviour.
Note: We integrate OPSWAT with sandbox solutions, which means that behaviour-based analysis can also be performed on e-mail attachments.
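To make the deconstruction idea concrete, here is an added PowerShell example (not OPSWAT's or Help AG's code) that performs the first step a sanitization engine takes on an Office attachment: open the OOXML container and decide whether it carries a VBA project, regardless of the file extension. The sample files it builds are constructed placeholders rather than real Word documents, and the list of macro part names is an assumption covering Word, Excel and PowerPoint.

```powershell
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# OOXML parts that hold a VBA project (assumed list; extend for other Office formats).
$MacroParts = @('word/vbaProject.bin', 'xl/vbaProject.bin', 'ppt/vbaProject.bin')

function Get-AttachmentVerdict {
    param([Parameter(Mandatory)][string]$Path)
    # OOXML documents (.docx/.docm/.xlsx/.xlsm ...) are zip containers, and any macro
    # code lives in a separate vbaProject.bin part. The extension is ignored on purpose:
    # a file named .docx that contains word/vbaProject.bin is still a macro carrier.
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    } catch {
        # Not a zip: legacy OLE2 (.doc/.xls) or something else that needs a different parser.
        return 'unknown-format'
    }
    try {
        $parts = @($zip.Entries | ForEach-Object { $_.FullName })
        if ($parts | Where-Object { $MacroParts -contains $_ }) { return 'macro' }
        return 'clean'
    } finally {
        $zip.Dispose()
    }
}

function New-SampleDocument {
    # Builds a constructed, minimal OOXML-shaped zip for the demonstration only;
    # it is not a valid Word file.
    param([Parameter(Mandatory)][string]$Path, [switch]$WithMacro)
    if (Test-Path $Path) { Remove-Item $Path }
    $zip = [System.IO.Compression.ZipFile]::Open($Path, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        $names = @('[Content_Types].xml', 'word/document.xml')
        if ($WithMacro) { $names += 'word/vbaProject.bin' }
        foreach ($n in $names) {
            $writer = New-Object System.IO.StreamWriter($zip.CreateEntry($n).Open())
            $writer.Write("placeholder content for $n")
            $writer.Dispose()
        }
    } finally {
        $zip.Dispose()
    }
}

# Constructed samples: one plain document, one with a macro part, checked the same way.
$tmp = Join-Path $env:TEMP 'cdr-demo'
New-Item -ItemType Directory -Force -Path $tmp | Out-Null
New-SampleDocument -Path (Join-Path $tmp 'invoice.docx')
New-SampleDocument -Path (Join-Path $tmp 'invoice-macro.docm') -WithMacro
foreach ($f in 'invoice.docx', 'invoice-macro.docm') {
    '{0}: {1}' -f $f, (Get-AttachmentVerdict -Path (Join-Path $tmp $f))
}
```

In a gateway the verdict drives the action: 'clean' is delivered, 'macro' is either quarantined or passed to the reconstruction step that rebuilds the document without the vbaProject.bin part and its references, and 'unknown-format' goes to a parser for that format rather than being waved through.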
Client Application Whitelisting
Application whitelisting can be a very efficient way of dealing with such malware, as it stops untrusted executables from running on your machines.
Help AG works with a number of vendors that have application whitelisting solutions, including Carbon Black Protect and Symantec Endpoint Protection. Palo Alto Networks recently added signing-certificate validation to the Traps platform, which can also add value.
Please note that there are of course big differences in the capabilities of each platform, but if you have any of them deployed you should investigate how you can use it to harden your environment.
Threat Intelligence from Existing Security Platforms
If you already have Next Generation Security Platforms in place, it can be beneficial to enable their threat intelligence feeds. As examples, in Palo Alto Networks the WildFire feature set is worth investigating, in Cisco the AMP feature set, and in Fortinet the Advanced Intelligence Subscriptions.
Threat Isolation of Privileged and Sensitive users
Threat isolation is a new technology which has recently started to appear. It works by executing websites on a centralized isolation platform and then delivering only the rendered web page to the user of the solution.
The benefit is that your privileged users’ machines never execute any client-side components and are therefore also isolated from attacks via websites or URL phishing.
Help AG works with Menlo Security on these technologies https://www.menlosecurity.com/