By now you have probably heard about the widespread ransomware attack that came on the heels of the notorious WannaCry. This latest attack is caused by a variant initially identified as Petya and later referred to as “NotPetya,” “Petna,” and “ExPetr” by the various security researchers who have analyzed its code. Although it isn’t as widespread as WannaCry, reports show that this latest incident has spread to over a dozen countries across various sectors.
Like most cyber incidents, the facts of this attack continue to evolve and much of the originally reported information was not entirely accurate. According to various open source reports, the initial attack came from the breach of a server that was operated by M.E.Doc, a Ukrainian company that develops accounting software.
The unknown hacker was able to push out a malicious update to M.E.Doc software users, starting the infection. Once systems were infected, the ransomware propagated through LANs using the ETERNALBLUE and ETERNALROMANCE exploits over TCP port 445. After each successful infection, the ransomware waits for 10 to 60 minutes then reboots the system.
As the system reboots, it encrypts the MFT in NTFS partitions and overwrites the MBR with a custom loader to display its ransom note.
Key characteristics of the attack include:
– Stealing login credentials from system memory.
– Scanning local networks for additional files to encrypt.
– Evading antivirus detection by using an executable that is signed with a fake Microsoft certificate.
– Using the Windows Management Instrumentation Command-line (WMIC) to locate remote shares and utilizing the PsExec tool to execute itself on uninfected systems.
– Karsten Hahn, G Data malware analyst, provides a detailed breakdown of the infection on GitHub here.
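One way to surface the PsExec and WMIC activity listed above in Windows event data, as an added example that is not part of the original post nor of Karsten Hahn's analysis. The event records are constructed so the script runs offline; the record shape (Id, Computer, Time, Message, CommandLine) and the function name are this example's own. Two of the three indicators rely on Security event 4688 carrying the process command line, which it only does once command-line auditing ("Include command line in process creation events") is enabled in audit policy.

```powershell
# Added example (not from the original post or from Karsten Hahn's analysis).
# Flags the lateral-movement behaviour listed above in Windows event data:
#   - PsExec installing its service (System log, event 7045, service PSEXESVC)
#   - WMIC invoked against a remote node (Security log, event 4688, wmic.exe with /node:)
#   - any process creation whose command line references perfc.dat
# The records below are constructed so the script runs offline. On a live host,
# build the same shape from
#   Get-WinEvent -FilterHashtable @{LogName='System';   Id=7045}
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688}

$SampleEvents = @(
    [pscustomobject]@{ Id = 7045; Computer = 'FS01'; Time = '2017-06-27 11:02:14'
        Message = 'A service was installed in the system. Service Name: PSEXESVC Service File Name: %SystemRoot%\PSEXESVC.exe'
        CommandLine = '' }
    [pscustomobject]@{ Id = 4688; Computer = 'FS01'; Time = '2017-06-27 11:02:20'
        Message = 'A new process has been created. New Process Name: C:\Windows\System32\wbem\WMIC.exe'
        CommandLine = 'wmic /node:10.0.0.25 /user:CORP\svc_backup process call create "<payload>"' }
    [pscustomobject]@{ Id = 4688; Computer = 'WS17'; Time = '2017-06-27 11:02:31'
        Message = 'A new process has been created. New Process Name: C:\Windows\System32\rundll32.exe'
        CommandLine = 'rundll32.exe C:\Windows\perfc.dat' }
    # Negative control: a local WMIC query with no /node: must not raise an alert
    [pscustomobject]@{ Id = 4688; Computer = 'WS17'; Time = '2017-06-27 11:05:02'
        Message = 'A new process has been created. New Process Name: C:\Windows\System32\wbem\WMIC.exe'
        CommandLine = 'wmic os get caption' }
)

function Find-LateralMovementIndicators {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $indicators = @()
        # PsExec drops and starts a service named PSEXESVC on the target host
        if ($e.Id -eq 7045 -and $e.Message -match 'Service Name:\s*PSEXESVC') {
            $indicators += 'PsExec service installed (remote execution)'
        }
        if ($e.Id -eq 4688) {
            # /node: means WMIC is talking to another machine, not querying locally
            if ($e.Message -match '\\wmic\.exe' -and $e.CommandLine -match '(^|\s)/node:') {
                $indicators += 'WMIC invoked against a remote node'
            }
            if ($e.CommandLine -match 'perfc\.dat') {
                $indicators += 'perfc.dat referenced in process creation'
            }
        }
        foreach ($i in $indicators) {
            [pscustomobject]@{ Time = $e.Time; Computer = $e.Computer; EventId = $e.Id; Indicator = $i }
        }
    }
}

$alerts = Find-LateralMovementIndicators -Events $SampleEvents
$alerts | Format-Table -AutoSize
```

The match on `/node:` rather than on `wmic.exe` alone is deliberate: WMIC is used legitimately for local inventory queries, and alerting on every invocation would bury the remote-execution cases the post describes. In a real deployment, run the same function over the output of `Get-WinEvent` for the System and Security logs and forward the resulting objects to your SIEM.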
Unlike typical ransomware, Petya/NotPetya isn’t just about the ransom
Initially, observers and victims alike may have thought that this incident was a typical profit-motivated attack, similar to nearly all ransomware campaigns over the last three years. After additional analysis of Petya/NotPetya (also known as “ExPetr”) samples, researchers determined that the variant could be categorized as a “cyber-weapon,” since its primary function appears to be the destruction of data rather than generating profit for the attacker.
Unlike other ransomware variants, the malware used in this attack reportedly encrypted the Master File Table (MFT) for NTFS partitions and overwrote the Master Boot Record (MBR). This variant does not establish a connection to a C2 server so no infection or system information is ever transmitted back to the attacker. Also, the encryption scheme used to lock the MFT is irreversible, making all of the data on the affected drive completely unrecoverable.
This effect is more consistent with what is known as Wiper malware, like the malware used in the attack on Sony Pictures Entertainment in 2014.
These characteristics are inconsistent with the operations and tactics of a financially-motivated criminal group and may point to ulterior motives and the involvement of state actors or those acting on behalf of a hostile state’s interests.
Avoid falling victim to Petya/NotPetya
– Apply patches to all out-of-date software and discontinue the use of unsupported/EoL software or hosts.
– Update antivirus software with the latest definitions and, if possible, set it to automatically update.
– Blacklist the execution of perfc.dat as well as the PsExec utility from the Sysinternals Suite.
– Block ingress and egress traffic to TCP and UDP ports 139, 445, and 3389 at your demarcation point.
– Disable SMBv1 on all systems and utilize SMBv2 or SMBv3 after appropriate testing.
– Run all software as a non-privileged user to diminish the effects of a successful attack.
– Grant users access to only the systems and services that they absolutely require.
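An audit script for the host-level items in that checklist, added here as an example rather than taken from the original post. It reports the SMBv1 server setting, Windows Defender signature age, whether an inbound block rule for ports 139/445/3389 exists, local Administrators membership and the newest installed hotfix, and with -Remediate it disables SMBv1 and creates the block rules. The rule name, the status labels and the choice to apply the port block on the host firewall in addition to the perimeter are this example's own. It assumes an elevated session on Windows 8 / Server 2012 or later (SmbShare and NetSecurity modules); Get-LocalGroupMember needs Windows 10 / Server 2016 and is skipped silently elsewhere. Blocking 445 and 3389 inbound on a file or terminal server breaks legitimate access, so scope that step to workstations.

```powershell
# Added example (not from the original post): audit a Windows host against the
# checklist above and, with -Remediate, apply the two host-level fixes.
# Assumptions: elevated session; Windows 8 / Server 2012 or later; Defender
# present for the signature-age check; rule name is this example's choice.

function Invoke-NotPetyaHardeningAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Remediate,
        [int[]]$BlockedPorts = @(139, 445, 3389),
        [string]$RuleName = 'NotPetya hardening - block inbound 139/445/3389',
        [int]$MaxSignatureAgeDays = 1
    )

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
    }

    # 1. SMBv1 server support: the protocol the ETERNALBLUE/ETERNALROMANCE exploits target
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        Add-Finding 'SMBv1 server' 'FAIL' 'EnableSMB1Protocol is True'
        if ($Remediate -and $PSCmdlet.ShouldProcess('SMB server configuration', 'Disable SMBv1')) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        }
    } else {
        Add-Finding 'SMBv1 server' 'PASS' 'EnableSMB1Protocol is False'
    }

    # 2. Inbound block for NetBIOS/SMB/RDP ports on the host firewall
    $rules = @(Get-NetFirewallRule -DisplayName "$RuleName*" -ErrorAction SilentlyContinue)
    if ($rules.Count -eq 0) {
        Add-Finding 'Firewall' 'FAIL' "No inbound block rule for ports $($BlockedPorts -join ', ')"
        if ($Remediate -and $PSCmdlet.ShouldProcess($RuleName, 'Create inbound block rules')) {
            foreach ($proto in 'TCP', 'UDP') {
                New-NetFirewallRule -DisplayName "$RuleName ($proto)" -Direction Inbound `
                    -Protocol $proto -LocalPort $BlockedPorts -Action Block -Profile Any | Out-Null
            }
        }
    } else {
        Add-Finding 'Firewall' 'PASS' "$($rules.Count) rule(s) matching '$RuleName*' present"
    }

    # 3. Antivirus definitions (Windows Defender) should be current
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        $age = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays
        $status = if ($age -le $MaxSignatureAgeDays) { 'PASS' } else { 'FAIL' }
        Add-Finding 'AV signatures' $status ('Last updated {0:F1} day(s) ago' -f $age)
    } else {
        Add-Finding 'AV signatures' 'WARN' 'Get-MpComputerStatus unavailable; check your AV product manually'
    }

    # 4. Least privilege: list who holds local admin rights so the set can be pruned
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    if ($admins.Count -gt 0) {
        Add-Finding 'Local admins' 'REVIEW' ($admins.Name -join ', ')
    }

    # 5. Patch currency: coarse signal from the newest installed hotfix
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn | Select-Object -Last 1
    if ($latest) {
        Add-Finding 'Patching' 'INFO' "Newest hotfix $($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString())"
    }

    return $findings
}

# Report only:
Invoke-NotPetyaHardeningAudit | Format-Table -AutoSize
# Preview the fixes, then apply them:
#   Invoke-NotPetyaHardeningAudit -Remediate -WhatIf
#   Invoke-NotPetyaHardeningAudit -Remediate
```

The remediation path goes through `$PSCmdlet.ShouldProcess`, so `-WhatIf` previews both changes without touching the host, and the findings are emitted as objects rather than text so they can be collected from many machines (for example via `Invoke-Command`) and compared. The execution blacklist for perfc.dat and PsExec from the checklist is left to AppLocker or Software Restriction Policies, which is the usual place to enforce it.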
Petya/NotPetya’s got everyone talking
Trend Micro has more information about Petya here.
Bleeping Computer has more information about the combination of Petya and Mischa here.
Bleeping Computer provides more information about PetrWrap here.
You’ve been ‘Petya’d’. Now what?
– ALL54 is currently unaware of any decryption tools available for PetrWrap.
– Lawrence Abrams of Bleeping Computer created a batch file that automatically adds a “vaccine” file to systems to prevent infection. This free tool can be downloaded here. Instructions on how to use the tool are available on the Bleeping Computer website.
– To counteract ransomware variants that modify the Master Boot Record (MBR) and encrypt the Master File Table (MFT), Cisco Talos has released a Windows disk filter driver called MBRFilter, available on GitHub here.