This Week in Security: To Petya or Not To Petya

Petya Reloaded

The security world was smothered this week by all things ‘Petya-like’ (aka NotPetya). What started out looking like a new, and long awaited, follow-up to Petya/Goldeneye has turned out to be something quite different. The similarities between the original Petya and this new threat quickly became less and less concrete.

While the Petya-like threat does ‘affect’ the master boot record (MBR) like the original Petya, the similarities primarily stop there. The Petya-copycat behavior is the least intriguing piece of this new threat. What really set it apart is the spreading (worm) capabilities. Like WannaCry, NotPetya/Petya-like is able to spread via the MS10-070 SMB vulnerability exploited by the ETERNALBLUE exploit which was first leaked by the Shadow Brokers.

However, NotPetya does not stop there. History has shown that the most prolific malware outbreaks tend to embrace multi-prong/ fault-tolerant approaches towards persistence and spreading (especially lateral movement) – for example, Nimda. In addition to ETERNALBLUE, NotPetya also attempts to spread via Windows Mangement Instrumentation (WMI) and PsExec, both well known techniques among penetration testers for moving laterally within networks. This allows it to spread to machines that are patched against the ETERNALBLUE exploit.

Further analysis has revealed that the motive behind this threat is more destructive in nature and less about financial gain… further distancing it from the original Petya/Mischa/Goldeneye family. While it is never recommended that victims pay ransom to these actors, it appear that even if one had paid (in this instance) it would not have resulted in successful decryption.

Analysis of the threat is ongoing and we have posted two blogs to track coverage and technical details. Read our Threat Guidance team’s deep dive analysis of this Petya-Like Ransomware here. (And yes… Cylance prevents Petya-Like).

Interestingly enough, we have observed fake websites (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Cylance Research and Intelligence Team. Read the original post at: Cylance Blog