NotPetya; A Ransomware Attack with Worm Like Behaviour, but Without the Ransom

Posted by Geraldine Hunt on Tue, Jul 11th, 2017

On June 26, a new ransomware attack began making its way across Europe.  This new strain called Petya, like its predecessor known as WannaCry, is based the exploit called EternalBlue.  Eternal Blue is one of a bundle of tools believed to have belonged to the NSA that was released by the Shadow Brokers hacker group earlier this year.  EternalBlue takes advantage of an exploit that is inherent within the Microsoft operating system.  Microsoft released a patch, (MS17-010), in March that addressed the issue for currently supported operating systems such as Windows 10.  Last month they took the unprecedented step of releasing the patch for older operating systems such as XP that are no longer supported.  Those who install the patch are protected against any malware variant that utilizes EternalBlue. 

The WannaCry outbreak in May spotlighted major deficiencies plaguing too many organizations.

1. Organizations continue to use unsupported operating systems and applications that have reached the end of their lifecycle
2. IT teams are failing to ensure that all computers are properly patched and updated

The Petya variant unfortunately confirms that apathy persists when it comes to cyber security.  Even after the dramatic headlines of the WannaCry outbreak concerning the havoc it created, there remains an untold number of machines throughout the world still unpatched.  As a result, thousands of users are falling victim to this new threat.

How many times can we get fooled again?

It also appears that some cybersecurity experts were fooled initially as to the intent of Petya.  Although computers infected with the virus are informed to pay a ransom of $300 in bitcoin, latest reports indicate that profiteering and extortion may in fact not  be the driving purpose of the hackers.  Unlike most ransomware, which directs victims to pay up using the Tor browser, victims of Petya are told to communicate with the extortionists through an email address.  As a result, some are now dubbing this latest outbreak, “NotPetya”. The real objective may in fact simply be to inflict mayhem and malicious destruction on a large scale – nothing more.

There are two very serious consequences as a result of this new cyberattack:

Rather than just targeting the file system for encryption, this malicious virus also encrypts the master boot record (MBR), thus preventing the user from rebooting the device.  The encryption cannot be undone by the FixMBR command and repairing the MBR will not delete the infection.

Using a series of tools, the virus has the ability to gather password credentials from a computer’s memory.  The virus specifically seeks out admin credentials in order to use them to infect the network at large.

This worm like behavior of this latest attack means that even users that are operating fully patched devices can still invite the malicious infection into the network, which then seeks out admin privilege rights in order to infect vulnerable machines.  This means that additional measures should be taken in order to protect your network.

1. Disable SMBv1 and block outside access to ports 137, 138, 139 and 445
2. Do not allow users to operate their devices as local or network admins
3. Instruct your users to NOT click embedded URLs or attachments in their email

The issue as to whether organizations should pay the required ransom is a perpetually debated topic but in this case, the consensus is clearly NO because the email account has now been disabled.  In addition, users should immediately turn off their machines using the power button if they see a CHKDSK sequence being implemented.  The fabricated CHKDSK sequence is actually an emulation, which is executing the encryption process. 

If you find yourself infected with the outbreak, do not feel too bad about being fooled.  Plenty of high profile organizations have been infected including:

• Various government departments of Ukraine including the central bank as well as the airport in Kiev
• A prominent advertising firm in the UK
• A major shipping firm in the Netherlands
• The Chernobyl nuclear power plant
• A large pharmaceutical company in the U.S.

Preventing a ransomware infection

What was NotPetya ‘s lesson? The truth is you don’t have to be fooled again by ransomware attacks.  The culmination of :

• regular patching of operating systems and applications,
• use of 3-2-1 back up approach,
• email and Internet filtering,
• an installed security suite,
• protecting privileged credentials at endpoints
• and user education will prevent most infections.

Are you an IT professional that wants to ensure sensitive data and devices are protected?  Talk to a specialist or  email us at info@titanhq.com with any questions.