Old is New Again
On Tuesday, June 27th, the internet experienced yet another “global” ransomware epidemic, this time in the form of a new variant of “Petya.” Petya was first seen in the wild back in March of 2016, but this new variant sports some serious upgrades. Petya is now “wormable,” using the same SMBv1 exploit, known as ETERNALBLUE, that the WannaCry ransomware used in May. However, there are a few key differences between this Petya variant and WannaCry that set the former apart significantly.
What is Petya and how does it work?
What makes Petya significantly different from WannaCry are four (4) different components:
- Unlike traditional ransomware, Petya does not rely on encrypting files on a targeted system one-by-one. Instead, Petya overwrites the device’s master boot record (MBR) with its own malicious boot code and schedules a reboot; when the machine restarts, that code encrypts the hard drive’s master file table (MFT), leaving the file system unreadable, and then displays the ransom note instead of booting Windows.
- Petya uses not only the ETERNALBLUE exploit to spread, but also PsExec (a Microsoft Sysinternals tool for running commands on remote systems), WMI (Windows Management Instrumentation) commands, and a Mimikatz-style credential-stealing component (a post-exploitation tool that pulls passwords and hashes from memory) to spread across internal networks. Using these tools with stolen credentials, the malware moves laterally from host to host. With Petya, fully patched internal devices are exposed, not just unpatched ones: once a single host is compromised, stolen credentials carry the infection to machines the SMB exploit cannot reach.
- Petya used only one (1) Bitcoin address for payment of the $300 ransom, whereas WannaCry used three (3) Bitcoin addresses (still very uncommon for ransomware to use that few) for the same ransom amount. Furthermore, while most ransomware instructions require the victim to use the TOR network to communicate and pay anonymously, Petya simply asks victims to pay the Bitcoin address and then email proof of payment to email@example.com. The provider has since suspended that email address, meaning that victims have no way to reach the attackers or receive a decryption key, even if they wanted to pay.
- It’s also been reported that Petya includes a tool called “LSADump,” a credential-dumping component that gathers passwords and credential data from the memory of Windows computers and domain controllers on the network.
Pictured: Screenshot of Petya's Ransom Message
How is Petya delivered?
Experts have suggested that the initial attack vector for the Petya ransomware was a poisoned update (a regular product update hijacked and injected with malware) for the M.E.Doc (MeDoc) software suite, a tax and accounting package used by many Ukrainian organizations.
Similar to WannaCry, Petya uses the ETERNALBLUE exploit against SMBv1 (not a zero-day: Microsoft patched the flaw in MS17-010 in March, before the exploit was leaked). The ransomware displays worm-like properties by scanning for hosts listening on TCP port 445, the Server Message Block (SMB) port, and exploiting them. While the exploit only works against hosts that have not applied Microsoft’s MS17-010 Security Update, once inside a network Petya propagates to fully updated, patched Windows hosts using PsExec, WMI, and credentials stolen with its Mimikatz-style component.
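The internal spread described above leaves a recognizable trail in Windows event logs: PsExec installs a service (PSEXESVC) on the target, WMI-launched commands appear as child processes of the WMI host process (WmiPrvSE.exe), and a single infected host authenticates to many others in a short window. The following PowerShell script is an added example, not code from the original article or from SBS, that hunts for that pattern. The event records are constructed so the script runs offline; hostnames, addresses, accounts and timestamps are hypothetical, and the `Detail` field is a simplified stand-in for the real event XML. In production, feed it `Get-WinEvent` output or an export from your SIEM.

```powershell
# Added example (not from the original article): hunt for PsExec/WMI
# lateral movement and one-to-many logon fan-out in Windows event records.

# Constructed sample events; hosts, addresses and accounts are hypothetical.
$events = @(
    [pscustomobject]@{ Time = '2017-06-27 10:02:11'; Host = 'WS-014'; Id = 4624; Detail = 'LogonType=3 Account=CORP\jsmith Source=10.0.5.23' }
    [pscustomobject]@{ Time = '2017-06-27 10:02:13'; Host = 'WS-014'; Id = 7045; Detail = 'ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe' }
    [pscustomobject]@{ Time = '2017-06-27 10:02:14'; Host = 'WS-014'; Id = 4688; Detail = 'Parent=C:\Windows\PSEXESVC.exe New=C:\Windows\System32\rundll32.exe' }
    [pscustomobject]@{ Time = '2017-06-27 10:02:31'; Host = 'WS-022'; Id = 4624; Detail = 'LogonType=3 Account=CORP\jsmith Source=10.0.5.23' }
    [pscustomobject]@{ Time = '2017-06-27 10:02:33'; Host = 'WS-022'; Id = 4688; Detail = 'Parent=C:\Windows\System32\wbem\WmiPrvSE.exe New=C:\Windows\System32\rundll32.exe' }
    [pscustomobject]@{ Time = '2017-06-27 10:02:52'; Host = 'WS-031'; Id = 4624; Detail = 'LogonType=3 Account=CORP\jsmith Source=10.0.5.23' }
    [pscustomobject]@{ Time = '2017-06-27 10:07:02'; Host = 'WS-031'; Id = 4688; Detail = 'Parent=C:\Windows\explorer.exe New=C:\Windows\System32\notepad.exe' }
    [pscustomobject]@{ Time = '2017-06-27 10:09:15'; Host = 'FS-01';  Id = 4624; Detail = 'LogonType=3 Account=CORP\backupsvc Source=10.0.9.4' }
)

# Parse the "key=value key=value" Detail string into a hashtable.
function ConvertFrom-Detail {
    param([string]$Detail)
    $fields = @{}
    foreach ($pair in ($Detail -split '\s+')) {
        $key, $value = $pair -split '=', 2
        $fields[$key] = $value
    }
    return $fields
}

function Find-LateralMovement {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$FanOutThreshold = 3   # distinct hosts one source must reach to be flagged
    )
    $findings = @()

    # Per-event rules: PsExec service install, or a process whose parent is the
    # PsExec service or the WMI provider host (how remote commands get executed).
    foreach ($e in $Events) {
        $d = ConvertFrom-Detail $e.Detail
        $reason = $null
        if ($e.Id -eq 7045 -and $d['ServiceName'] -eq 'PSEXESVC') {
            $reason = 'PsExec service installed (remote execution)'
        }
        elseif ($e.Id -eq 4688 -and $d['Parent'] -match '\\(PSEXESVC|WmiPrvSE)\.exe$') {
            $reason = "Process started by $($Matches[1]).exe (remote command execution via PsExec/WMI)"
        }
        if ($reason) {
            $findings += [pscustomobject]@{ Time = $e.Time; Host = $e.Host; Source = $null; Reason = $reason }
        }
    }

    # Worm signature: one source address performing network logons (type 3)
    # to many different hosts.
    $Events |
        Where-Object { $_.Id -eq 4624 } |
        ForEach-Object {
            $d = ConvertFrom-Detail $_.Detail
            [pscustomobject]@{ Source = $d['Source']; Host = $_.Host; LogonType = $d['LogonType']; Time = $_.Time }
        } |
        Where-Object { $_.LogonType -eq '3' } |
        Group-Object Source |
        ForEach-Object {
            $targets = @($_.Group | Select-Object -ExpandProperty Host | Sort-Object -Unique)
            if ($targets.Count -ge $FanOutThreshold) {
                $findings += [pscustomobject]@{
                    Time   = $_.Group[0].Time
                    Host   = ($targets -join ',')
                    Source = $_.Name
                    Reason = "Network logons to $($targets.Count) hosts from one source"
                }
            }
        }
    return $findings
}

Find-LateralMovement -Events $events | Sort-Object Time | Format-Table -AutoSize
```

On the constructed records this flags the PSEXESVC install on WS-014, the two rundll32 launches parented by PSEXESVC.exe and WmiPrvSE.exe, and the fan-out from 10.0.5.23 to three hosts within a minute, while the single backup-service logon from 10.0.9.4 and the notepad launch are left alone. PsExec and WMI are legitimate administration tools in many environments, so the per-event rules need an allowlist of admin jump hosts and service accounts; the fan-out rule is the stronger signal and is worth wiring into your SIEM as an alert.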
Who has Petya affected?
While Petya has not reached the “global” proportions of WannaCry, Ukraine was heavily affected by this new strain of ransomware. Petya has affected Russian state-owned oil giant Rosneft, Ukrainian state electricity suppliers Kyivenergo and Ukrenergo, the National Bank of Ukraine (NBU) and the Ukrainian bank Oschadbank, Maersk (an international logistics company), Kiev’s Boryspil Airport, and many more. While Petya has primarily affected European organizations thus far, the ransomware has spread to other countries, including the US.
Credit - Symantec: Top 20 countries based on numbers of affected organizations
One report from The Verge suggests the ransomware component of Petya was merely a distraction, rather than the objective. Before the Dyn incident, many DDoS attacks were used as a diversionary technique while attackers exfiltrated data from networks they had already compromised, so using one attack as a diversion while a higher-reward attack is executed is not a new concept. Alternatively, the ransomware may have been designed simply to cover up the source (perhaps a nation-state?) by disguising the operation as the work of a “mysterious attacker.”
Several observations support this theory. For example, the attack is simply destructive (boot-level encryption of the whole disk vs. file-level encryption), leaving the victim with no recourse. The victim can no longer contact the attacker, since the only channel was a single, easily discovered email address that has since been suspended, so there is not even a possibility of recovery. Additionally, Petya carries the LSADump credential-harvesting component, which most ransomware variants do not. Furthermore, it appears that specific sectors have been hit, including transportation, telecoms, banks, and power companies. All have been targets of Russia in the past, as the conflict between the two countries over their borders continues. Perhaps time will tell the true cause and reveal whether or not Petya was a deliberate act of cyber-warfare, but as of now it is only speculation.
How to Defeat (or Prepare for) Petya
- If you have not yet done so, please be sure to install Microsoft’s MS17-010 Security Update, which closes the SMBv1 hole that both Petya and WannaCry use to get into a network in the first place. The update applies to all currently-supported Microsoft operating systems, including Windows 7, Windows 8.1, Windows 10, Server 2008/2008 R2, Server 2012/2012 R2, and Server 2016.
- If you are running a workstation or server that is past End-of-Life (Windows XP, Windows 8 [note: Windows 8 is not supported, but Windows 8.1 is supported], and Server 2003), find the applicable emergency fix in the Microsoft Update Catalog here: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
- If your organization utilizes Windows Defender, you can download updated threat definitions that allow you to detect Petya on a host here: https://www.microsoft.com/security/portal/definitions/adl.aspx
- Since Petya’s boot-level encryption prevents the computer from booting, there is no practical way to decrypt the drive, and with the payment email address suspended, paying the ransom isn’t an option either. That leaves two (2) steps to recover from a Petya infection:
  - Wipe any affected device and re-image it from bare metal (start from scratch).
  - Restore clean backups onto the fresh, unaffected desktop or server, and hope the data created since the last backup isn’t mission-critical.
How Can You Stop Attacks Like These in the Future?
Ransomware attacks like Petya and WannaCry are not going to become less frequent. This new global ransomware outbreak is going to spawn more copy-cats and inspire others to get more creative with their malware. Here are a few things you can do to put your organization in the best position to defend against or respond to major ransomware attacks:
- Ensure you have a consistent, repeatable Patch Management program. Failing to patch your workstations, servers, and devices in today’s world is akin to signing your business’ death warrant. Patch your devices religiously.
- Employ the highest quality Data Backup Program you can implement technically or financially. Backups today are CHEAP, especially compared to the cost of being unable to recover. If you can, backup to multiple locations (having both an online and offline copy is recommended), and test your backups regularly.
- Deploy new-school security awareness training, which includes simulated social engineering tests via multiple channels, not just email.
- Check your firewall configuration and monitor all outbound traffic to make sure no malicious traffic (command-and-control or data exfiltration) is leaving your network. If you do not know how to monitor your internal or outbound traffic, consider investing in a Security Information and Event Management (SIEM) system, managed or local.
- Disable and/or block SMBv1 on all machines immediately. See Microsoft’s guide on how to disable SMBv1, and block the SMB/NetBIOS ports on network devices: UDP ports 137 and 138 and TCP ports 139 and 445. Also, consider adding a firewall rule blocking all incoming SMB traffic on TCP port 445 to hosts that do not need to serve files.
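The patch, Defender-definition and SMBv1 items above are easiest to apply consistently as a script. The following PowerShell is an added example, not code from the original article or from SBS, that audits and hardens a single Windows host: it checks for the MS17-010 update, reports the age of the Windows Defender signatures, disables SMBv1, and blocks the NetBIOS/SMB ports inbound at the host firewall. It assumes an elevated session on Windows 8.1/10 or Server 2012 R2 and later (Windows 7 and 2008 R2 lack the `Smb*` cmdlets; use Microsoft’s registry guidance there). Only KB4012598, the update the article links for out-of-support systems, is checked by name; supported builds receive MS17-010 under other KB numbers, so the `$Ms17010Kbs` list is an assumption to extend for your environment. The firewall rule names are hypothetical.

```powershell
# Added example (not from the original article): audit and harden one host
# against the SMBv1 entry point. Run from an elevated PowerShell session.

# Assumption: extend with the MS17-010 KB number(s) for your OS builds.
$Ms17010Kbs = @('KB4012598')

# 1. Patch state: is an MS17-010 update present?
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) { "MS17-010 update present: $($installed.HotFixID -join ', ')" }
else            { 'WARNING: no known MS17-010 KB found - verify against your build and patch first' }

# 2. Windows Defender definitions: stale signatures will not catch the new variant.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) { "Defender signatures last updated: $($mp.AntivirusSignatureLastUpdated)" }

# 3. SMBv1: report the current state, then turn it off and remove the feature.
$smb = Get-SmbServerConfiguration
"SMBv1 server enabled: $($smb.EnableSMB1Protocol)"
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    'SMBv1 server protocol disabled'
}
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    # A reboot is required to finish removal. On Windows Server, use
    # Remove-WindowsFeature FS-SMB1 instead of the optional-feature cmdlet.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    'SMB1Protocol feature disabled (reboot to complete)'
}

# 4. Block the NetBIOS/SMB ports inbound at the host firewall on all profiles.
#    Rule names are hypothetical; adjust to your naming convention.
$rules = @(
    @{ Name = 'Block Inbound NetBIOS UDP 137-138'; Protocol = 'UDP'; Ports = @('137', '138') }
    @{ Name = 'Block Inbound NetBIOS TCP 139';     Protocol = 'TCP'; Ports = @('139') }
    @{ Name = 'Block Inbound SMB TCP 445';         Protocol = 'TCP'; Ports = @('445') }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol $r.Protocol `
            -LocalPort $r.Ports -Action Block -Profile Any | Out-Null
        "Added firewall rule: $($r.Name)"
    }
}
```

Two caveats before rolling this out with Group Policy or your management tool. Blocking inbound TCP 445 on file servers and domain controllers breaks file sharing and Group Policy (SYSVOL), so apply step 4 to workstations and instead restrict server port 445 to the subnets that genuinely need it. Disabling SMBv1 will also cut off old printers, NAS boxes and scanners that only speak SMBv1; inventory those first and upgrade or isolate them rather than leaving SMBv1 on for their sake.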
Written by: Jon Waldman, CISA, CRISC
Partner and Executive Vice President, IS Consulting - SBS CyberSecurity
Advance your cyber education with a certification!
Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.
How SBS Can Help
If you are looking for some additional information around cybersecurity risk management, implementing cybersecurity controls, and Information Security Programs, SBS IS Consultants and IT Auditors have worked with over 1,500 organizations across the United States to mitigate the risk of cyber attacks. If you are not sure what to do to prevent cyber attacks or to recover from one, SBS will work with you to make the best preventative or recovery decisions possible for your organization.
Three (3) ways you can test your organization right now for cyber threats include testing your People, your Processes, and your Technology.
- People: SBS CyberSecurity is one of the largest resellers of the KnowBe4 phishing email assessment software, which helps train users on how to identify and mitigate phishing email attacks, as well as to assess that training in a low-risk, real-world phishing scenario.
- Processes: Test your policies, procedures, and governance with an External IT Audit.
- Technology: Test your network for known vulnerabilities, making sure that all patches have been implemented on your network, with a Network Security Assessment.
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.