More information on the recent Petya ransomware outbreak
What is it and what measures should be taken
Ransomware strikes around the world once again, this time with a variant of Petya (also known as NotPetya, PetrWarp, or Nyetya) which has already infected thousands of endpoints in 64 countries. This latest global attack is believed to have originated in Ukraine with it quickly spreading elsewhere. Much like the infamous WannaCry, Petya utilises the Eternal Blue/ MS17-010 vulnerability as one of its propagation mechanisms.
28 juni 2017
The initial attack method or the true initial victim have not been conclusively identified with high confidence. The current working theory (also supported by reporting from Microsoft is that a Ukrainian accounting firm, M.E. Doc, was compromised and their servers were sending malicious updates to their clients, and these clients in turn infected other organizations. It is speculated that additional victims were infected with M.E. Doc’s clients having misconfigured netmasks and with proxy ARP enabled, allowing for infection to other public IPs in the same range as the misconfigured netmask. Other working theories assume there might be legitimate technical connections between M.E. Doc’s customers and other businesses, allowing the malware to spread itself to other networks.
What does this variant do?
Petya is a unique ransomware variant as it encrypts the MFT (Master File Tree) tables for NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader displaying a ransom note and preventing the target computer from booting. Typical ransomware encrypts individual files and not the MFT itself.
Since this variant has various embedded propagation techniques, this has the capacity to infect multiple endpoints causing for cascading loss of critical data and business disruption, leading to financial loss and reputational damage. Even if backups are available, it takes time to revert to them and contain the infection.
Several measures should be taken
In order to limit the propagation of Petya (and attacks using a similar Modus Operandi), several measures should be taken:
- Deploy the Eternal Blue/MS17-010 patch. If the patch cannot be deployed, consider to block all incoming traffic on port 139 and 445, and disable SMBv1;
- Deploy GPO to disable PSExec where possible;
- Create the file C:\Windows\perfc; perfc.dat; perfc.dll;
- Create a block or alert rule for the known Indicators of Compromise (we can provide up to date and relevant IOCs through our threat feeds via MISP);
- Block and recall existing email communications with ‘firstname.lastname@example.org’;
What to do if you have just been infected?
There are a few things you can do.
- If your system reboots and you see a “checkdisk” screen, immediately power off the machine; the malware is encrypting files. It has been reported that it is possible to fix the limited damaged at this point with a recovery disk;
- Do not pay the ransom; the threat actor’s email address has been disabled, thus, they will not be able to receive your information and in turn send you the decryption key;
- Remove infected endpoints from the network immediately.
Recommendations to prevent these cyber attacks
What are the things you can do to prevent an attack like this:
- Follow industry best practices regarding patch management and have backups;
- Restrict administrative access rights for employees;
- Limit access to management ports (ex. smb, wmi, or winrm) to a whitelisted management segment;
- Longer term: take a close look at your vendor management practices to assess third party connections and other technical links which might affect your organisation if your vendors gets compromised
Further analysis suggests the coding of Petya is more in line with being a destructive/wiper tool than a ransomware attack. The unique identifier that the victim is supposed to send the attacker in order to generate the decryption key is random data, and without a unique identifier, the attacker will not be able to create a decryption key. To date, there are no known cases of any paying victims recovering their files, further highlighting never to pay ransoms. It is possible these victims are attempting to remain anonymous to reduce brand damage with being implicated in this attack.
New infections of Petya are not being reported, indicating this specific Petya campaign has come to an end. This, however, does not mean organisations can lose vigilance and delay implementation of the above/below (based on where it is inserted into the original doc) recommendations or other industry best practices. There is no doubt that similar global-scale attacks are going to occur in the near future.
It is important to collect and analyzs information that will keep the Incident Responders, Crisis Management and other relevant stakeholders updated so they can make more informed decisions on the next steps to reduce business risk.
Should you need further assistance or need clarification on any of the points above, then don’t hesitate to contact Inge Philips-Bryan or Jelle Niemantsverdriet.