Here we go again: another large-scale ransomware attack is causing chaos across the globe, including at British marketing firm WPP, a Harpenden Jewson hardware store, several Ukrainian national infrastructure firms, and even causing a halt in production at a Cadbury chocolate factory in Australia.
The ransomware in question is a new strain of the Petya ransomware family, modded to take advantage of the same EternalBlue SMB (Server Message Block) vulnerability () as the WannaCry ransomware. EternalBlue was leaked by the Shadow Brokers hacker group in April 2017 and is believed to have been developed by the NSA. The malware also uses another exploit, known as EternalRomance, for vulnerability CVE-2017-0145. Both of these Microsoft Windows vulnerabilities enable the Petya ransomware to spread rapidly across local area networks, potentially self-infecting any other Windows systems without the MS17-010 security update applied. It is this rapid spread capability within company networks with unpatched Windows systems which is causing the major impact at organisations around the world. The Microsoft MS17-010 Critical Security Update, released on 14th March 2017, prevents both the EternalBlue and EternalRomance exploits and the rapid internal spread of the malware, so reducing the potentially high impact on businesses.
The Petya ransomware has been around since early 2016. Instead of encrypting individual files like most ransomware, it goes after locking out the operating system by attacking the operating system’s Master File Table (MFT). The MFT is a database in which information about every file and directory on the file system (NTFS) volume is stored. This new version or copy of Petya is also known as NotPetya and Petrwrap.
The most common malware entry into organisations is via a phishing email. There are reports of Petya-loaded emails having a subject of ‘Hi’ along with a .zip or .scr attachment with the title of ‘gone’.
The ransomware element of Petya requires Windows Administrator rights; however, with basic-level Windows User Rights Petya is still able to propagate onto other insecure Windows systems connected to the local area network. Petya doesn’t have a killswitch like the one which brought the WannaCry outbreak to an abrupt end last month, so expect the Petya outbreak to last longer.
How to Protect your Organisation from Petya
Much of the same protection advice applies as with the WannaCry ransomware.
- Perform regular staff phishing email awareness training: teach staff how to spot suspect emails and not to open attachments or click on any links within them.
- Ensure the Microsoft MS17-010 security update is applied to all Windows systems or disable SMBv1, as this prevents Petya from rapidly spreading within the internal network.
- Adopt a robust Patch Management process and ensure all Critical Security Updates are quickly applied. They are marked as critical for a reason!
- Ensure Anti-Virus (AV) is running on all Microsoft Windows systems, with AV definitions kept up-to-date. Most anti-virus solutions have updates released which detect and prevent the latest Petya strain – see https://virustotal.com/fr/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/. However, be aware your anti-virus product may not be able to detect and prevent new versions of the malware for a period of time, that is, until the AV vendors are able to update their products (virus detection definitions) to detect them, which is why it is important to keep your anti-virus solutions updated daily.
- There is a Petya Infection Blocking alternative to Anti-Virus, see Petya Vaccine
- Do not reboot or power the computer back on. Petya does its damage during the bootup sequence: it runs a fake CheckDisk/ChkDsk, warning not to switch off the computer. If you see that message, power off immediately.
- Petya creates a scheduled task to reboot the computer between 10 and 60 minutes after infection. Find and remove this task to prevent the Windows reboot. Petya does not reschedule the reboot task.
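One way to look for the pending reboot task described above, as an added example that is not from the original post: it parses verbose `schtasks /query /fo CSV /v` output and reports tasks that restart Windows within the next 60 minutes. The sample rows, host and task names are constructed, the date format is locale-dependent, and the assumption that the task's action calls `shutdown` with a restart flag is not stated in the post.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Assumption (not stated in the post): the task's action runs shutdown with a restart flag.
RESTART = re.compile(r"\bshutdown(\.exe)?\b.*\s[/-]r\b", re.IGNORECASE)

# Constructed sample of `schtasks /query /fo CSV /v` output, trimmed to four columns.
SAMPLE_CSV = r'''"HostName","TaskName","Next Run Time","Task To Run"
"WS-042","\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","%windir%\system32\defrag.exe -c -h -o"
"WS-042","\ExampleTask","27/06/2017 12:41:00","C:\Windows\system32\shutdown.exe /r /f"
"HostName","TaskName","Next Run Time","Task To Run"
"WS-042","\Vendor\NightlyBackup","28/06/2017 02:00:00","C:\Tools\backup.cmd /full"
"WS-042","\IT\PatchReboot","02/07/2017 03:00:00","shutdown -r -t 60"
'''

def pending_reboot_tasks(csv_text, now, horizon=timedelta(minutes=60),
                         fmt="%d/%m/%Y %H:%M:%S"):
    """Return (host, task, due) for tasks that restart Windows within `horizon` of `now`."""
    found = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["TaskName"] == "TaskName":        # schtasks can repeat the header per folder
            continue
        if not RESTART.search(row["Task To Run"] or ""):
            continue
        try:
            due = datetime.strptime(row["Next Run Time"], fmt)
        except (TypeError, ValueError):          # "N/A" or a different locale's format
            continue
        if now <= due <= now + horizon:
            found.append((row["HostName"], row["TaskName"], due))
    return found

if __name__ == "__main__":
    for host, task, due in pending_reboot_tasks(SAMPLE_CSV, datetime(2017, 6, 27, 12, 10)):
        # Review, then remove with: schtasks /Delete /TN "<task>" /F
        print(f"{host}: {task} restarts the machine at {due:%H:%M}")
```

Scheduled maintenance reboots match the same pattern once they fall inside the horizon, so each hit needs a quick review before the task is deleted.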
Any device scanning ports 139 and 445 across the LAN is a solid indication of a Petya-compromised system attempting to spread.
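The port 139/445 indicator above, written as detection logic in an added example (not from the original post): it counts how many distinct hosts each source contacts on ports 139 and 445 inside a sliding window and reports sources at or above a threshold. The flow-record format, addresses, threshold and window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP

def sample_flows():
    """Constructed flow records ("timestamp src dst dst_port"), not real traffic."""
    rows = [f"2017-06-27T11:02:0{i} 10.0.5.23 10.0.5.{i} {445 if i % 2 else 139}"
            for i in range(1, 7)]                       # six hosts in six seconds
    rows += [f"2017-06-27T11:02:1{i} 10.0.5.40 10.0.5.10 445"
             for i in range(6)]                         # one file server, repeatedly
    rows += [f"2017-06-27T1{i}:30:00 10.0.5.77 10.0.5.{100 + i} 445"
             for i in range(5)]                         # five hosts, one per hour
    rows += [f"2017-06-27T11:03:0{i} 10.0.5.50 10.0.6.{i} 443"
             for i in range(1, 7)]                      # fan-out, but not SMB
    return "\n".join(rows + ["truncated record"])

def parse_flows(text):
    """Yield (time, src, dst, port); skip records that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        try:
            ts, src, dst, port = parts
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, dst, int(port)
        except ValueError:
            continue

def find_smb_sweepers(text, min_targets=5, window=timedelta(seconds=60)):
    """Map each source to its peak count of distinct 139/445 targets per window."""
    per_src = defaultdict(list)
    for ts, src, dst, port in parse_flows(text):
        if port in SMB_PORTS:
            per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        start = best = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1                              # slide the window forward
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= min_targets:
            hits[src] = best
    return hits

if __name__ == "__main__":
    for src, count in find_smb_sweepers(sample_flows()).items():
        print(f"{src} contacted {count} hosts on 139/445 within 60s")
```

File servers, backup hosts and vulnerability scanners legitimately contact many hosts over SMB, so known sources of that kind belong on an allow-list before alerting on the result.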
Petya Data Recovery
At this time there are no known methods to recover Petya encrypted data. Restoring the MBR will not decrypt the data. Wipe the disk drive, reinstall/reimage the Operating System, and restore data from an anti-virus scanned backup.
Nation-State or Cyber Criminal Orchestrated?
This cyber attack has all the hallmarks of a nation-state attack, given the initial outbreak of Petya was reported to occur at large national infrastructure organisations in the Ukraine and India, and then went on to spread globally. In my opinion, at this time, the attack was probably conducted by either a nation-state or a group affiliated with a nation-state, motivated to cause national infrastructure mayhem by mirroring the impact of the recent WannaCry attack, and not by Cyber Criminals out to make easy money. Cyber Criminals tend to target home users with ransomware attacks, which are a far more lucrative and rewarding market for them than companies. Although there was a report of a South Korean company paying a $1m ransom recently, it is worth noting Petya only asks for $300 worth of Bitcoin, which is low for business ransomware, and only $8,000 worth of Bitcoin has been paid so far, which again is an extremely low financial reward for the scale of the attack. In late 2016 Ukraine had several state websites hacked and the Ukraine national electricity grid was also cyber attacked in late 2015, suggesting the country does have an advanced persistent cyber threat adversary that is active.
- UK – WPP, Jewson
- US – Merck & Co, DLA Piper, a Pittsburgh Hospital
- Ukraine – Central bank, power grid
- Russia – Evraz, Rosneft
- France – Saint-Gobain
- Germany – Metro, Deutsche Post
- Denmark – AP Moller-Maersk
- Norway – Unnamed firm
- The Netherlands – APM Terminals
- India – Jawaharlal Nehru container port in Mumbai
- Australia – Cadburys and another yet unnamed company
Detailed Technical Breakdown of Petya
This Petya version was compiled on 18th June 2017.
Scans your local network and tries to spread using PsExec and WMI calls.
Uses SMB exploits EternalBlue and EternalRomance (Patched by MS17-010).
Full technical brief by Microsoft https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
This is a Security Bloggers Network syndicated blog post authored by Dave Whitelegg. Read the original post at: IT Security Expert Blog