We have received advice from our security partner, Dell SecureWorks, whose Counter Threat Unit (CTU) researchers are investigating the widespread outbreak of NotPetya ransomware. This malware exploits the same SMB vulnerability as WannaCry/WanaCryptor, so some of the recommended actions are the same; please read on.
Most early reports incorrectly identified the ransomware as Petya or GoldenEye. Although the messages displayed to the victim resemble Petya's, analysis has found no code overlap between the current sample (now called NotPetya) and Petya/GoldenEye. NotPetya differs from other ransomware outbreaks in that it uses stolen credentials and exploits vulnerabilities to spread rapidly through affected organizations.
NotPetya's initial deployment appears to have occurred through the compromised software update mechanism of the Ukrainian financial software publisher MEDoc (My Electronic Document). MEDoc is used extensively by Ukrainian organizations and by those doing business in the region, and its update facility appears to have been compromised to deliver the malware. Hosts were therefore infected either through the MEDoc update service or through NotPetya's worm functionality; it is the worm functionality that allows it to reach networked organizations and hosts that do not use the MEDoc software at all. After initial infection NotPetya attempts to steal credentials from the host. It then uses those stolen credentials, and attempts to exploit the same SMB vulnerability leveraged by EternalBlue in the WCry campaign, to propagate through the network.
NotPetya schedules a forced restart of the system for roughly one hour after the initial infection and clears the event logs. It overwrites the master boot record (MBR) with its own boot code and encrypts a number of files on the drive; the reboot then hands control to that boot code, which completes the damage to the disk. The public encryption key is embedded in the sample and does not vary per victim, so systems compromised by this NotPetya sample are not assigned unique keys; a private key recovered in the future could therefore decrypt the files on all affected systems. After the encryption process completes, NotPetya displays a message instructing the victim to send $300 to a Bitcoin wallet and to email a specific address. The email provider blocked the address used by NotPetya around midday CEST on June 27, so victims who pay the ransom are unlikely to receive decryption keys.
– Monitor for threat indicators, specifically the scheduled task NotPetya creates to reboot the compromised system. Cancelling this task buys time to back up files before the system is rebooted and the disk encrypted; it does not remove the malware or stop the file encryption already under way.
– Apply the Microsoft security updates for MS17-010, including updates for the Windows XP and Windows Server 2003 legacy operating systems.
– Disable SMBv1 on systems where it is not necessary (e.g., hosts that do not need to communicate with Windows XP and Windows 2000 systems). Carefully evaluate the need for allowing SMBv1-capable systems on interconnected networks compared to the associated risks.
– Segment networks to isolate hosts that cannot be patched, and block SMBv1 from traversing those networks.
– Use network auditing tools to scan networks for systems that are still missing the MS17-010 updates and are therefore exposed to the vulnerabilities it describes.
– Implement a backup strategy that includes storing data using offline backup media. Backups to locally connected, network-attached, or cloud-based storage are often insufficient because ransomware frequently accesses and encrypts files stored on these systems.
– Consider using backup solutions that preserve low-level disk configuration data like that stored in the MBR.
– Isolate MEDoc installations and block automatic update facilities until the vendor has confirmed either that its update mechanism was not involved or that the compromise has been fully remediated.
– Disable the WDigest authentication mechanism so that plaintext credentials cannot be recovered from memory; NotPetya uses credentials recovered this way to spread.
– Reduce user privileges to limit the effectiveness of malware.
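The following PowerShell script is an added example for three of the recommendations above (the reboot scheduled task, SMBv1 and WDigest); it is not part of the SecureWorks advisory and is not their tooling. It assumes Windows 8.1 / Server 2012 R2 or later (for the ScheduledTasks and SmbShare modules) and an elevated session. The matching of the reboot task on a shutdown.exe /r action reflects public reporting on this sample and is an assumption, so it is written to flag any forced-restart task rather than a specific name. It reports only by default; -Fix cancels the matched tasks, disables SMBv1 and turns WDigest plaintext caching off.

```powershell
# Added triage/hardening helper for the NotPetya recommendations (not SecureWorks code).
# Assumes Windows 8.1 / Server 2012 R2+ and an elevated PowerShell session.
[CmdletBinding()]
param([switch]$Fix)

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$LanmanKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Find-ForcedRebootTask {
    # Assumption (public reporting): the sample registers a one-shot task that runs
    # shutdown.exe /r /f about an hour after infection. Return every task whose
    # action is a forced restart so the operator can review and cancel it.
    foreach ($task in Get-ScheduledTask) {
        $hit = $task.Actions | Where-Object {
            $_.Execute -match 'shutdown(\.exe)?"?\s*$' -and $_.Arguments -match '(^|\s)/r(\s|$)'
        }
        if ($hit) { $task }
    }
}

function Get-Smb1State {
    # Server side: is SMBv1 still being offered? Also read the raw LanmanServer
    # SMB1 value (absent means enabled) and the SMB1Protocol optional feature.
    $server  = Get-SmbServerConfiguration
    $reg     = Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1RegistryValue = $(if ($reg) { $reg.SMB1 } else { 'not set (enabled by default)' })
        Smb1Feature       = $(if ($feature) { $feature.State } else { 'n/a' })
    }
}

function Disable-Smb1 {
    # Stop serving SMBv1 immediately, and remove the SMBv1 client/server feature
    # (takes effect after a reboot).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Get-WDigestState {
    # UseLogonCredential = 1 keeps plaintext credentials in LSASS for WDigest.
    # Absent means off on Windows 8.1 / 2012 R2 and later, but still ON for
    # Windows 7 / 2008 R2 even with KB2871997 installed, so set it explicitly.
    $v = (Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    if ($null -eq $v) { 'UseLogonCredential not set (off on 8.1/2012 R2+, on for 7/2008 R2: set to 0 explicitly)' }
    elseif ($v -eq 0)  { 'disabled' }
    else               { 'ENABLED: plaintext credentials are cached in LSASS' }
}

function Disable-WDigest {
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    Set-ItemProperty -Path $WDigestKey -Name UseLogonCredential -Type DWord -Value 0
    # Sessions that are already logged on keep their cached secrets until logoff.
}

$tasks = @(Find-ForcedRebootTask)
if ($tasks.Count) { $tasks | Select-Object TaskPath, TaskName, State | Format-Table -AutoSize }
else              { 'No forced-restart scheduled tasks found.' }
Get-Smb1State
"WDigest: $(Get-WDigestState)"

if ($Fix) {
    # Cancel by object rather than by name: the reported task name may be empty.
    $tasks | Unregister-ScheduledTask -Confirm:$false
    Disable-Smb1
    Disable-WDigest
    'Remediation applied. Reboot required for SMBv1 feature removal; WDigest change applies to new logons.'
}
```

Run it first without -Fix and review the task list: legitimate patch-management or maintenance jobs can also call shutdown.exe /r, so cancel only tasks you do not recognise. Cancelling the task only defers the reboot; the host should still be treated as compromised, backed up from the network side if possible, and rebuilt. On Windows 7 / Server 2008 R2 the Get-ScheduledTask and SmbShare cmdlets are not available; use schtasks /Query /V and the LanmanServer SMB1 registry value instead.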
References – Dell SecureWorks