Top 10 Things You Need To Know About NotPetya (Note: Don’t Pay The Ransom)

By   Professor John Walker
Visiting Professor , Trent University (NTU) | Jun 29, 2017 06:15 am PST

Europe woke up Tuesday to massive attacks on both governments and some of the world’s largest brands. While the story is sure to develop, here’s what we’ve learned so far, and what enterprises need to take into account whether they have been affected or are trying to protect their organizations from becoming the next victim.

  1. Currently, most victim companies are in Russia and the Ukraine with some much smaller volumes observed in Western Europe. Unless the malware has some form of geo fencing, this will likely change throughout the day as the rest of world wakes up and logs on to their systems.
  2. This malware only has passing resemblance to the historic Petya malware and thus should NOT be considered the same. This is much more sophisticated than both Petya and the recent Wannacry.
  3. The campaign is using multiple propagation vectors:
  4. Email (multiple PDF and Word attachment samples have been collected)
  5. The EternalBlue exploit used by Wannacry
  6. Harvesting of credentials via a custom capability against the lsass process and subsequent use of WMIC to move laterally
  7. An attack against the update process of a third-party Ukrainian software product called MEDoc
  8. Even a machine patched against the EternalBlue exploit is still vulnerable if a user clicks on the email vector. This malware is nastier than WannaCry because it can continue to propagate even in fully patched environments.
  9. The worst case for an organization is if a user with domain admin credentials is compromised as the entire network becomes at risk via WMIC and remote process execution (psexec).
  10. For non-admin victims, the files on the machine are encrypted using a standard AES routine (thus it is unlikely there will be an implementation bug found to allow for non-keyed decryption).
  11. For admin (local or domain) victims, the Master Boot Record (MBR) is encrypted (but not the files on disk). Thus, the machine seems bricked but is actually relatively easy to recover. However, this seems to go to a motive that this may actually be more of a disruption attack than a financially motivated crime.
  12. There was a single bitcoin account setup for ransom payments but it has already been taken down. Thus, there is currently no way for victims to get decryption keys even if they want to pay the ransom. Again, this hints at motive, in the sense there was  possibly never any real intention of collecting significant ransom or of providing a decryption pathway.
  13. Because of the attempt to move laterally, environments that have adopted Software-Defined Perimeterarchitectures to limit lateral movement are likely to see far reduced impact compared to traditional open enterprise networks.
  14. A number of next-gen AV systems are now detecting and stopping this.

[su_box title=”About Chris Day” style=”noise” box_color=”#336588″][short_info id=’102680′ desc=”true” all=”false”][/su_box]