On June 27th, organizations across the globe discovered a new ransomware threat, now known as NotPetya. It was initially thought to be a repackaged version of the Petya ransomware that appeared in 2016, but has since been found to only borrow code from that variant, with modifications that greatly increase its impact. At the time of this article's publishing, NotPetya has hit organizations in 64 countries. Ukraine was the first to report it, as it infiltrated banks, government agencies, airports, and other critical infrastructure before spreading to a Russian oil company, a US pharmaceutical company, and others around the world.
As we predicted in our earlier TruBlog post, NotPetya uses EternalBlue, the leaked NSA exploit for the SMBv1 flaws fixed in MS17-010, which is the same exploit WannaCry used. As we noted in that post, the patch has been available since March 2017, and a patched system cannot be exploited by EternalBlue. Patching is not the whole story with NotPetya, though: it also spreads inside a network with credentials stolen from an infected host, pushing itself to other machines with PsExec and WMIC, so a patched machine can still be infected from a compromised neighbour if those credentials work on it. Patching closes the remote exploit; not reusing administrative credentials across machines closes the rest.
Interestingly, this threat takes a different approach from its predecessors in a few striking ways. The first is that, while typical ransomware encrypts individual files, which can take a while, NotPetya attacks the Master File Table (MFT), the NTFS structure that records where every file and directory on the volume lives. This is much faster and much more destructive: once the MFT is encrypted, the system can no longer locate its files, the machine will not boot, and the computer is essentially an expensive piece of office decor.
Another notable difference is that the actors behind NotPetya actually made it harder to pay. Most ransomware goes out of its way to make payment easy for the victim. With NotPetya the infected machine is unusable, so the victim must use another computer to send Bitcoin to the attackers' Bitcoin address, which is not a simple task for many users and effectively impossible for those who are not technically savvy.
The final item to note is timing. Ordinary ransomware takes time to encrypt all of the files on an infected computer, which gives the user a window to interfere by shutting the computer down or calling their IT administrator. With NotPetya, the computer becomes inoperable almost immediately after infection, so there is no such window. As with all ransomware, keeping proper, regular backups is imperative.
NotPetya has the same worm propagation mechanism as WannaCry, so it is currently hunting for computers that have not received the MS17-010 patch Microsoft released back in March, which we covered in an earlier blog post. Again, keeping up with patches greatly reduces the risk of being affected.
Steps to Prevent NotPetya
The same mitigation steps we recommended in our previous blog post would again apply in prevention of this ransomware attack. Here is the list of steps for prevention of NotPetya.
- Patch ALL Windows machines in your environment immediately. The vulnerability EternalBlue exploits was fixed by Microsoft back in March as part of MS17-010 (KB4012215 is the Windows 7 / Server 2008 R2 monthly rollup; other OS versions have their own KB numbers). CRITICAL: all Windows systems MUST be patched to address this issue. Microsoft has also released patches for the out-of-support operating systems XP and Server 2003.
- Immediately disable inbound Server Message Block (SMB) access from the Internet (Port 445).
- Immediately disable inbound NetBIOS access from the Internet (Port 139).
- Strongly recommend also disabling inbound Remote Desktop Protocol (RDP) from the Internet (Port 3389).
- Maintain up-to-date backups of files and regularly verify that the backups can be restored.
- Using the domain list below, update your firewalls, proxies, and IPS to block traffic to/from the listed domains.
- Ensure your AV signatures are up to date as major vendors are all working to deliver updated signatures to detect/prevent this.
- If you discover any machine on your network compromised by this attack, remove that machine from the network immediately and report the incident to your CISO or CTO.
- Inform your users to be EXTREMELY cautious with email over the next several days and inform clients to forward suspicious emails to their CTO or CISO for analysis (but please don’t click any of the links, folks).
Additionally, security researcher Amit Serper discovered that NotPetya checks for a file named perfc (no extension) in the %WINDIR% directory, normally C:\Windows, and exits if it is present, so creating that file immunizes a system against it. This is a per-host kill switch, not a substitute for patching: it stops the payload on that host but does nothing to stop the worm reaching other machines.
“To vaccinate your computer, create a file called perfc in the C:\Windows folder and make it read only. For those who want a quick and easy way to perform this task, Lawrence Abrams has created a batch file that performs this step for you, while also creating two other files – perfc.dat and perfc.dll.”
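As an added example (this is not code from the original post or from TruShield), the PowerShell script below pulls the host-side steps above together for a single Windows machine: it reports whether an MS17-010 KB is installed, whether the SMBv1 server is still enabled, which of ports 139/445/3389 the host is listening on, and whether the perfc vaccine is present; with -Apply it disables SMBv1, adds host-firewall rules dropping inbound 139/445/3389 from non-local addresses, and creates the perfc, perfc.dat and perfc.dll files as read-only. The KB list and the firewall rule names are assumptions to confirm against the MS17-010 bulletin and your own naming; it needs an elevated prompt on Windows 8.1 / Server 2012 R2 or later for the SmbShare, NetSecurity and NetTCPIP cmdlets.

```powershell
# Added example, not code from the original post: audit one Windows host for the NotPetya
# exposures listed above and, with -Apply, put the host-side mitigations in place.
# Run from an elevated PowerShell prompt on Windows 8.1 / Server 2012 R2 or later.
param([switch]$Apply)

# KB numbers that carry the MS17-010 fix for the different Windows branches. This list is
# an assumption for the example; confirm it against the MS17-010 bulletin for your OS
# versions. On Windows 10 the fix is also rolled into every later cumulative update, so a
# host can be patched without any of these KBs appearing in Get-HotFix.
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216', 'KB4012214',
                'KB4012217', 'KB4012598', 'KB4012606', 'KB4013198', 'KB4013429')

function Get-Ms17010Status {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{ Patched = ($found.Count -gt 0); MatchingKBs = ($found -join ', ') }
}

function Get-WormPortListeners {
    # Which of the worm-relevant ports is this host currently listening on?
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in @(139, 445, 3389) } |
        Select-Object LocalAddress, LocalPort -Unique
}

function Disable-Smb1Server {
    # EternalBlue targets SMBv1. Turning the protocol off removes the attack surface even
    # on a host that cannot be patched today (a reboot is needed for full effect).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

function Block-InternetInboundPorts {
    # Host-level backstop for the border firewall rules: drop inbound TCP 139/445/3389
    # from addresses outside the local subnets. 'Internet' is a built-in address keyword.
    foreach ($port in 139, 445, 3389) {
        $name = "NotPetya-Block-Inbound-TCP-$port"   # assumed rule name
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -RemoteAddress Internet -Action Block -Profile Any | Out-Null
        }
    }
}

function Set-PerfcVaccine {
    # The perfc kill switch: the malware exits if %WINDIR%\perfc exists. perfc.dat and
    # perfc.dll are the two extra files Lawrence Abrams' batch file also creates.
    foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
        $path = Join-Path $env:windir $name
        if (-not (Test-Path $path)) { New-Item -Path $path -ItemType File | Out-Null }
        Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
    }
}

# --- Report ---
$status    = Get-Ms17010Status
$smb1      = (Get-SmbServerConfiguration).EnableSMB1Protocol
$listeners = @(Get-WormPortListeners)
$listenText = if ($listeners.Count -gt 0) {
    ($listeners | ForEach-Object { '{0}:{1}' -f $_.LocalAddress, $_.LocalPort }) -join ', '
} else { 'none' }
Write-Host "MS17-010 KB present      : $($status.Patched)  [$($status.MatchingKBs)]"
Write-Host "SMBv1 server enabled     : $smb1"
Write-Host "Listening on 139/445/3389: $listenText"
Write-Host "perfc vaccine present    : $(Test-Path (Join-Path $env:windir 'perfc'))"

# --- Apply ---
if ($Apply) {
    Disable-Smb1Server
    Block-InternetInboundPorts
    Set-PerfcVaccine
    Write-Host 'Mitigations applied. Install the MS17-010 update and reboot to finish.'
}
```

Run it once without -Apply to see the host's state, then with -Apply. The host firewall rules are a backstop, not a replacement for blocking 139/445/3389 at the perimeter, and disabling SMBv1 will break any remaining clients that still depend on it, so test on a representative machine first.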
The key infection vector for the worm is SMB exposed to the Internet on unpatched hosts. We recommend scanning your public IP space immediately for listeners on ports 445, 139 and 3389. Anything accepting inbound connections on those ports will be a scan target, and any unpatched system among them will eventually be hit.
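As an added example (not code from the original post or from TruShield), here is a small PowerShell scanner that does the external check just described: it expands each CIDR range you give it, attempts a TCP connect to 139, 445 and 3389 on every address with a timeout, and lists anything that completes the handshake. Run it from a host outside your perimeter against ranges you own. The default target 203.0.113.0/29 is the TEST-NET-3 documentation range, used here only as a placeholder that will not answer; the timeout is likewise an assumption.

```powershell
# Added example, not code from the original post: external exposure check for the three
# ports named above. Run it from OUTSIDE your network against public ranges you own.
# Targets and timeout are placeholders to adjust; 203.0.113.0/29 is a documentation range.
param(
    [string[]]$Targets = @('203.0.113.0/29'),
    [int[]]$Ports = @(139, 445, 3389),
    [int]$TimeoutMs = 1500
)

function Expand-Cidr {
    # Enumerate every IPv4 address in a CIDR block; a bare address is returned as-is.
    param([string]$Cidr)
    $ip, $bits = $Cidr -split '/'
    if (-not $bits) { return $ip }
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [array]::Reverse($bytes)                      # big-endian wire order -> host order
    $base  = [uint64][System.BitConverter]::ToUInt32($bytes, 0)
    $size  = [uint64][math]::Pow(2, 32 - [int]$bits)
    $start = $base - ($base % $size)              # network address of the block
    for ($i = [uint64]0; $i -lt $size; $i++) {
        $b = [System.BitConverter]::GetBytes([uint32]($start + $i))
        [array]::Reverse($b)
        ([System.Net.IPAddress]::new($b)).ToString()
    }
}

function Test-TcpPort {
    # TCP connect with a timeout; $true only when the three-way handshake completed.
    param([string]$Address, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($Address, $Port, $null, $null)
        return ($handle.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$exposed = @(
    foreach ($target in $Targets) {
        foreach ($address in Expand-Cidr -Cidr $target) {
            foreach ($port in $Ports) {
                if (Test-TcpPort -Address $address -Port $port -TimeoutMs $TimeoutMs) {
                    [pscustomobject]@{ Address = $address; Port = $port }
                }
            }
        }
    }
)

if ($exposed.Count -eq 0) {
    Write-Host 'No listeners reachable on 139/445/3389 in the given ranges.'
} else {
    $exposed | Format-Table -AutoSize
    Write-Warning ("{0} Internet-reachable listener(s) on worm-relevant ports; " -f $exposed.Count +
        'close them at the perimeter and confirm MS17-010 on each host.')
}
```

The scan is sequential, which is fine for a handful of /24s; for larger address space use nmap (`nmap -Pn -p 139,445,3389 <range>`), and for hosts that do answer on 445, nmap's `smb-vuln-ms17-010` NSE script will tell you whether the MS17-010 fix is actually present rather than just that the port is open.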
Find out how TruShield can give you the leverage you need with threat intelligence for early detection of threats like Petya and WannaCry.