June 27, 2017
Updated June 28, 2017: New Ransomware, Petya: a global threat
Many organizations worldwide are being crippled by a new variant of the Petya ransomware. The new variant, also known as Petrwrap *update: it seems some groups are referring to this outbreak as “NotPetya” and classifying it as a “Ransomworm”, has penetrated a number of vital network systems from a range corporations and government services including banks, public transit commissions, oil companies and airlines. This ransomware is believed to have used the NSA exploit EternalBlue to spread throughout networks, similar to the WannaCry Ransomware attacks in that shocked the world in May.
Update: there are reports that the email address that infected users were to email after paying the ransom to unlock their files has been shut down by the provider. If you’re infected and ready to pay for your files, it may be too late.
Reports from victims from around the globe including Spain, India, Russia the UK and Norway have seen IT teams scrambling to respond to this widespread security event. Companies that have neglected to patch their systems are now paying a very steep price.
Microsoft had patched the EternalBlue vulnerability in March, prior to WannaCry’s spread in May, which did protect some systems from the infection. Based on the extent of damage Petya has caused so far, though, it appears that many companies have put off patching, despite the clear and potentially devastating threat of a similar ransomware spread.
Dark web software such as Petya or Wannacry have been increasing in attacks over the past decade. This crisis alone has reportedly earned over five thousand dollars worth of bitcoins within the first day and is believed to be one of the largest RaaS (Ransomware-as-a-Service) attack ever observed.
What we know so far:
Due to the advanced characteristics of this new Ransomware variant, which operates like a worm once breaching your network, we strongly recommend you prepare backups of critical workloads and data. There are reports of fully patched machines being infected; horizontally attacked by other systems within the network.
We’ve collected the following information that we believe are the most credible and relevant to this security threat:
- The malware is still being examined but is suspected to be a variant of Petya (which was observed months ago) or new software with similar characteristics. Additional variants of this software may appear.
- Infected machines will display a screen claiming the drive is being checked for errors.
- Once infection occurs, the malware appears to spread throughout corporate networks using WMIC and PSExec.
- Early indications speculate that the malware will try to record and reuse passwords, attempting to gain elevated privileges.
- Most initial research indicates this malware exploits ETERNALBLUE, which was patched several months ago. However, patched machines may still be vulnerable to attacks from infected machines within the network using recorded passwords.
The Petya situation is being monitored by our security team, and the threat level is unclear at this time. While this new threat is still being assessed and the origin/cause is under investigation, there are immediate steps you can take to help secure your systems:
- Use a layered IT defense strategy to help reduce your risk, minimize damage an infection can inflict and improve your ability to respond to security breaches.
- Install all security patches available for your version of Windows. This is a crucial part of a proactive strategy to defend against network attacks
- Ensure that you’re running a licensed version of Windows that’s supported by Microsoft.
- Use common sense (and when in doubt err on the side of caution) when opening documents from untrusted or unknown sources.
- Engage a third party organization to conduct a vulnerability test. Experienced security consultants will discover critical weaknesses in IT security processes, parts and with the people using the technology.
- Define and enforce a strong security policy within your work environment. While there are many topics that should be covered in such a policy, one of the most important concerns staff member use of computers and networks.
- Update anti-virus & anti-malware software definitions and make sure it’s installed on all corporate machines.
- Review the configuration of administrator accounts (particularly domain administrator) in use within your organization.
- Ensure that domain administrator accounts issued to staff are used only for administration activities, and not for workstation logins, email, and regular access.
- Ensure that these accounts issued to staff can’t be used for network-based logins (which use pass the hash processes).
- Create a non-executable and non-writeable file called perfc with no extension in %windir%. This appears to prevent the malware from spreading to systems on the network that contain the MS17-010 patch.
- Leverage GPO to block access to the ADMIN$ share to prevent the credential passing propagation that occurs via WMI / psexec.
- Disable SMB file sharing services on your PC if not required.
Please check this page for updated information as it becomes available