What is it?
Not long after the massive WannaCry ransomware hit the cyber-world, a new large-scale attack by a ransomware variant has been identified, starting yesterday, Tuesday June 27th, and affecting organizations around the globe (Wired article).
This ransomware is a new version of Petya, also known as NotPetya (as it is a variant that borrows code from Petya but differs from it), and goes by other names such as PetrWrap, Nyetya, SortaPetya and Petna.
The attack first took place in Ukraine and quickly spread throughout the world. Kaspersky reports that more than 2000 organizations globally are infected, including Maersk, Rosneft and many others. The result of the attack is a large-scale power-down of sites and services around the globe, with a major effect on daily business and logistics.
Why is it so dangerous?
This ransomware is more aggressive than WannaCry: it encrypts the MFT (Master File Table) of NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer. It also forcefully reboots systems and prevents them from working altogether.
This ransomware also contains advanced propagation techniques that make it more dangerous than any ransomware before it.
Why can the attack spread so fast?
After infecting a single machine, the ransomware propagates using several techniques. One of them works in a similar fashion to WannaCry: exploitation via EternalBlue.
Another propagation technique involves stealing credentials, exploiting users’ permissions and using legitimate methods of connecting to other hosts.
This is what makes the current ransomware more dangerous than WannaCry, which uses only the EternalBlue exploit: credential harvesting results in very fast lateral movement. It spreads like an oil spill with a logarithmic character.
If only one computer in the network is infected and that computer stores the login credentials of a network administrator, the entire network is compromised.
Technically speaking, the ransomware uses PsExec, WMI and SMB connections via the ADMIN$ share in order to propagate in the LAN. It then tries to forcefully reboot the system and also creates a scheduled task to reboot the infected system one hour after the initial infection. The full encryption happens when the system reboots. It is not 100% clear whether any encryption happens prior to the reboot.
Where does it come from?
At this point there are no clear indicators of where the attack comes from. With the information currently available, it is suggested that Petya was deployed onto potentially several million computers by hacking the Ukrainian accounting software “MeDoc” and using its automatic update feature to download the malware onto all computers running the software.
Although MeDoc being the initial infection vector is unconfirmed (and even denied by the company itself), current evidence points to it (source1, source2, source3).
Who are or can be affected?
It appears to be a Windows-only variant so far, so Windows users are at risk.
Multiple large enterprises are hit: Maersk, TNT and several Ukrainian entities are amongst them. Any other Windows-based organization can be hit as well.
How can we protect our company?
We at Comsec recommend the following prevention and mitigation measures:
- Make all employees aware of this event, so that suspicious emails are not opened and any suspicious email or activity is reported to the relevant IT personnel.
- Obtain and apply the latest manufacturer security updates to all systems, as Petya is likely actively exploiting known vulnerabilities inside networks. (TechNet article)
- For unsupported or unpatched systems, isolate them from the network and consider shutting them down if possible. Alternatively, Microsoft has released a security update for the SMB vulnerability also for Windows platforms that are in custom support only, including Windows XP, Windows 8 and Windows Server 2003 (TechNet article). The system update is available here: KB4012598
- Disable SMBv1 on all unpatched machines, and on all machines where doing so does not impact their business purpose.
- Isolate communication on UDP ports 137 and 138 as well as TCP ports 139 and 445 between network segments to avoid spreading or infection.
- Update the signatures of all AntiVirus and AntiMalware products.
- Make sure all the organization’s critical data is backed up in both online and offline backup storage.
- If possible, block the ADMIN$ share in the network. The worm uses this share together with WMI to spread itself, so disallowing access prevents the possible spread.
- If you are infected, do not pay the $300 ransom fee. The e-mail address referred to is no longer in service, so the decryption key will not be received even if you pay.
- The malware tries to reboot immediately and then again after 30-60 minutes. If an infection is identified (it pretends to be a Windows CheckDisk scan), shut down the infected machine immediately.
- In the recent hours it was found that a vaccine is available to prevent infection of a host: create 3 read-only files named perfc, perfc.dll and perfc.dat in C:\Windows. This can be done with the following script (save it as vaccine.bat and execute it across the entire domain using a GPO). Note that the vaccine works only if the executed / injected DLL matches the exact name 'perfc'.
@echo off
REM The vaccine files must be written to C:\Windows, which requires an elevated prompt.
echo Administrative permissions required. Detecting permissions...
echo.
REM "net session" only succeeds when running as Administrator.
net session >nul 2>&1
if %errorLevel% == 0 (
    if exist C:\Windows\perfc (
        echo Computer already vaccinated.
        echo.
    ) else (
        echo Vaccination file. > C:\Windows\perfc
        echo Vaccination file. > C:\Windows\perfc.dll
        echo Vaccination file. > C:\Windows\perfc.dat
        REM Mark the files read-only so the malware cannot overwrite them.
        attrib +R C:\Windows\perfc
        attrib +R C:\Windows\perfc.dll
        attrib +R C:\Windows\perfc.dat
        echo Computer vaccinated.
        echo.
    )
) else (
    echo Failure: You must run this batch file as Administrator.
)
pause
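As an added example that is not part of the original post, the following PowerShell script applies several of the measures above on a single host: it disables SMBv1, blocks the listed NetBIOS/SMB ports inbound, creates the read-only perfc vaccine files, and lists scheduled tasks whose action runs shutdown.exe, which is assumed here as a heuristic for the reboot task described above. The cmdlets used are assumed to be available on Windows 8.1 / Server 2012 R2 or later, and the firewall rule names are constructed for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): host-level hardening for the
# advisory's measures. Intended for workstations; blocking TCP 445 on a file
# server or domain controller breaks legitimate SMB service.

# 1. Disable the SMBv1 server protocol (the protocol EternalBlue targets).
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Output "SMBv1 server protocol disabled."
} else {
    Write-Output "SMBv1 server protocol already disabled."
}

# 2. Block inbound NetBIOS/SMB ports named in the advisory (UDP 137/138, TCP 139/445).
$rules = @(
    @{ Name = "Block-NetBIOS-UDP"; Protocol = "UDP"; Port = @(137, 138) },
    @{ Name = "Block-SMB-TCP";     Protocol = "TCP"; Port = @(139, 445) }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
            -Protocol $r.Protocol -LocalPort $r.Port -Profile Any | Out-Null
        Write-Output "Firewall rule '$($r.Name)' created."
    }
}

# 3. Vaccine: read-only perfc, perfc.dll and perfc.dat in C:\Windows.
foreach ($name in "perfc", "perfc.dll", "perfc.dat") {
    $path = Join-Path $env:SystemRoot $name
    if (-not (Test-Path $path)) {
        Set-Content -Path $path -Value "Vaccination file." -Encoding ASCII
    }
    Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
}
Write-Output "Vaccine files present and read-only."

# 4. Heuristic (assumption, not from the advisory): report scheduled tasks whose
# action runs shutdown.exe, as a candidate for the reboot task. Review hits
# manually; nothing is removed automatically.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions | Where-Object { $_.Execute -match 'shutdown(\.exe)?$' } |
        ForEach-Object {
            Write-Output ("Suspicious task: {0}{1} -> {2} {3}" -f `
                $task.TaskPath, $task.TaskName, $_.Execute, $_.Arguments)
        }
}
```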
We can help you, just ask!
Comsec is constantly tracking the recent developments in the world and updates this blog accordingly. We are ready to assist with any questions or requests that you may have.
For further questions or help, please contact: timt@comsecglobal.com or gilc@comsecglobal.com