Just when we thought there were no more tears left in the wake of WannaCry, it’s time to pull out the tissues yet again for the latest global cyber incident: introducing “NotPetya,” the most recent ransomware variant to creep across continents and affect companies across many industries. Please read on for helpful information on how to prevent a NotPetya attack, as well as minimize propagation across the network.
What do we know?
Security researchers are still learning more about this latest destructive attack, and details will continue to come to light in the coming days. What we know is that it is a ransomware variant that encrypts users’ data files and asks for $300US in ransom to be paid in Bitcoin per system affected before data is released. In most cases, an infected machine will crash and/or reboot, and the malware begins the encryption process at the time of boot. Different and potentially more destructive than predecessors like WannaCry, the malware also appears to use credential harvesting techniques to laterally move through a network.
The Ukraine and Russia were hit the hardest by initial attacks, which then spread across Europe and the United States. NotPetya has affected pharmaceutical companies such as Merck, law firms including DLA Piper, the shipping giant Maersk, a number of essential governmental services in the Ukraine, and many other enterprises.
The service provider of the email address used by the malware authors has chosen to block access to the email account, preventing companies from paying the ransom, receiving decryption keys, and retrieving their data – unless and until the malware author finds a workaround. But at this time, victims cannot pay the ransom or potentially retrieve their data.
What else do researchers suspect?
It is believed that NotPetya is a variant of Petya/Petrwrap, which has been around for some time. At this time, it appears that this variant uses three attack vectors:
- As a network worm, exploiting any system found with missing patches from MS17-010. If a vulnerable system is detected, the malware replicates itself to this system.
- As a network worm, using account credentials found on an infected system. The malware pulls account names and password hashes on the system and attempts to replay those credentials to other systems on the local network. If a remote system accepts the credentials it becomes infected itself.
- There have been a few isolated reports that it has come as a malicious email attachment. These have been unconfirmed at this time.
However, research on the infection vector (how it spreads) and payload behavior (how it infects) is still underway and could reveal more methods and payloads used by the malware. There are some reports that the malware is using a different exploit from the Shadow Brokers NSA tools release, and other reports claim that it is using a zero-day exploit. Coalfire will continue to monitor the situation and keep you informed.
What can I do to minimize impacts?
- Create a file called perfc with no extension in %windir%. This file should be non-executable and non-writeable. In some (but not all) cases, this appears to prevent the malware from spreading to systems on the network that have the MS17-010 patch, although those systems may still be susceptible to the other network-based attack described above. Note: At this time this does NOT appear to prevent encryption from email-based payloads or on systems that are missing the MS17-010 patch.
- Leverage GPO to block access to the ADMIN$ share to prevent the credential passing propagation that occurs via WMI / psexec.
- NotPetya creates a scheduled task that reboots the computer one hour after infection. If the task is removed before the hour, it does not reschedule.
- The encryption process begins before reboot, and completes after reboot, while presenting the user a fake ‘chkdsk’ status message.
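The perfc step above can be scripted so that it is applied and checked the same way on every host. The following is an added example, not part of the original advisory: the function name Set-PerfcMarker is hypothetical, and the explicit Deny entry for Everyone is an assumption about one way to make the file "non-executable and non-writeable" in addition to the read-only attribute.

```powershell
# Added example, not from the original article. Run in an elevated session,
# since creating a file in %windir% requires administrator rights.
function Set-PerfcMarker {
    [CmdletBinding()]
    param(
        # Per the advisory: a file named "perfc", no extension, in %windir%.
        [string]$Path = (Join-Path $env:windir 'perfc')
    )

    if (Test-Path -LiteralPath $Path -PathType Container) {
        throw "$Path exists but is a directory; resolve this manually."
    }
    # Create the empty file only if it is missing; never overwrite.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType File -Path $Path | Out-Null
    }

    # Layer 1 (non-writeable): the read-only attribute.
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true

    # Layer 2 (assumption: one way to enforce the advisory's wording):
    # an explicit Deny entry for Everyone (well-known SID S-1-1-0).
    # Permission changes are not denied, so an administrator can undo this.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'
    $rights   = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, ExecuteFile'
    $deny     = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $everyone, $rights, 'Deny'
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Read the state back so the result can be logged or checked per host.
    $item  = Get-Item -LiteralPath $Path -Force
    $rules = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        ([int]$_.FileSystemRights -band [int]$rights) -eq [int]$rights
    }
    [pscustomobject]@{
        Path        = $item.FullName
        ReadOnly    = $item.IsReadOnly
        DenyInPlace = [bool]$rules
    }
}

Set-PerfcMarker
```

The function is safe to re-run: it leaves an existing perfc file in place and re-applies the same attribute and Deny entry.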
How can I protect myself against attack?
In order to protect yourself from NotPetya ransomware, you should do the following:
- If you have not done so already, install all security patches available for your version of Windows. There is no cost associated with receiving Microsoft patches.
- There exists the possibility that this malware will be copied and delivered by methods other than those already known. Some of the observed ransomware attacks in the past have used common phishing tactics including malicious attachments. Customers should exercise vigilance when opening documents from untrusted or unknown sources, as a best practice.
- Disable SMB (server message block) file sharing services on your PC if not required for legitimate use. Microsoft has published guidance on this technique. Note that this is not intended as a long-term solution, nor is it for the less technically savvy.
- Keep backups of valuable data stored offline!
What controls should you have in place to prevent similar attacks in the future?
No two attacks are the same, but a number of cyber hygiene steps should be taken by organizations to mitigate risk moving forward. All organizations should have several controls in place to prevent and mitigate the impact of these attacks, including:
- Automatic and timely operating system updates on user workstations
- Good endpoint security and malware tools, especially built to detect ransomware
- Efficient email monitoring tools that can detect and block malicious attachments (especially password protected attachments)
- Automated (and periodically tested) data backup systems, which allow organizations to revert to a ransomware-free system
- A configuration management program that ensures systems run the least amount of functionality needed for business purposes
- Architecture design that ensures network traffic to and from critical systems, including user workstations, is restricted to only that required for the system’s function
- Cybersecurity awareness training that discusses phishing and ransomware as part of the organization’s evolving culture
- Review the configuration of administrator accounts (particularly domain administrator) in use within your organization. Ensure that domain administrator accounts issued to staff are used only for administration activities, and not for mundane activities such as workstation logins, email, and regular access. Also, ensure that these accounts issued to staff are for “interactive” logins only and cannot be used for network-based logins (which use pass the hash processes).
- Finally, ensure your organization does not reuse the same passwords across different resources.
All this being said, no organization is completely safe. If your organization has systems outside of the standard security configuration profile, take the following steps:
- Ensure that you're running a licensed version of Windows that's supported by Microsoft. Windows XP is no longer maintained, so even though Microsoft took the extraordinary step of releasing a patch for XP, it did so only after overwhelming damage had taken place. Windows Vista and Windows 7 are also not supported by Microsoft without a support extension contract.
- Ensure that the system is running the latest operating system patches from Microsoft. You can check this through "Windows Update" under "Control Panel".
- Verify that antivirus is running and is up to date with the latest signatures from your vendor
- Ensure that a host-based firewall (such as Windows Firewall) is running at all times
- Continually reinforce good security hygiene with staff and instill a security-conscious environment
Should you pay the ransom?
As mentioned above, it is not currently possible to pay the ransom, and therefore, you cannot recover your data. Your best recourse is to restore data from a backup if that data has not been encrypted or deleted.
How can Coalfire help?
Coalfire’s computer forensics and incident response team has managed response efforts to numerous service-disrupting events. For assistance with your cybersecurity program, please contact your Coalfire representative, call (877) 224-8077, or fill out a contact form at www.coalfire.com.
Update 6/29/2017: NotPetya – NotRansomware
As details continue to emerge around NotPetya, evidence is surfacing that ‘ransomware’ is a misnomer. In fact, ongoing threat research is indicating that NotPetya may be a wiper, a significantly more destructive form of malware, disguised in the more headline-grabbing cloak of ransomware.
Where ransomware is designed to elicit funds in exchange for data held hostage (and has the underlying infrastructure to enable these transactions), wipers are malicious programs designed to do permanent damage to computer systems. While NotPetya is extremely sophisticated in the way it infects and propagates, the ransom collected and decrypting mechanisms are either crude or non-existent, begging the question of whether ransom was ever the intent in the first place. Additionally, it is exhibiting the identifying characteristics of wiper behavior, destroying disks as it replicates itself.
There are many reasons that malicious attacks such as these (particularly those that affect governmental infrastructure and essential services) may be launched, and many potential threat actors. We will avoid speculation on the actor and motive; but the intent of NotPetya seems to be more malicious than financial at this stage of our understanding.
For more detailed information on current threat research, please see two recommended resources:
- Petya.2017 is a wiper not a ransomware
- ExPetr/Petya/NotPetya is a Wiper, Not Ransomware