    Security Advisory Notice – Petya Ransomware

    By Vincent Naughton on June 28, 2017

    A number of high-profile ransomware attacks have been reported globally since June 27th. With the global WannaCry outbreak of May 12th still fresh in mind, it is increasingly clear that decisive and responsive action is needed to protect organisations.

      Like the recent WannaCry outbreak, this ransomware variant, referred to here as ‘Petya’, is causing widespread disruption. Reports indicate that the outbreak originated in Ukraine, with the state’s government and electricity grid among the first confirmed targets. While initial victims centred on Ukraine, the Danish shipping company Maersk has confirmed it was hit, reportedly including its Irish operations, and more organisations are expected to be identified as victims in the coming days.

      The media have dubbed this outbreak ‘GoldenEye.’

      How Does ‘Petya’ Work?

      Like WannaCry, Petya exploits the known Microsoft SMBv1 vulnerability (MS17-010) using EternalBlue, the NSA-developed exploit published as part of the Shadow Brokers leak. The flaw is in Microsoft’s own SMB implementation, not in the open-source Samba project. The vulnerability, rated Critical by Microsoft, was fixed by the updates released on March 14th of this year.

      However, Petya is demonstrably more sophisticated than WannaCry. In addition to the EternalBlue exploit, Petya spreads laterally with legitimate administration tools, Windows Management Instrumentation Command-line (WMIC) and PsExec, a Microsoft remote-execution tool, using credentials harvested from the infected host, and so reaches systems that are fully patched but reachable on the same network. [3] This multi-pronged approach shows that patching alone is not sufficient: a single infected host holding administrative credentials can reach every patched machine it can talk to.

      Rather than only encrypting individual files or shared drives, Petya targets the disk itself. It overwrites the disk’s master boot record (MBR) with its own boot code, similar to a bootkit, and on the next boot encrypts the NTFS Master File Table (MFT), the index that tells the operating system where every file lives. The file contents stay on disk, but the operating system can no longer locate them. A ransom page is then displayed directing victims to send bitcoin for the release of their files. [2]

      With conventional file-encrypting ransomware the machine still boots and only the data is lost. With Petya the loss is greater: the boot record is replaced, so the entire system is unavailable until it is rebuilt. [4]

      How Do I Protect My Organisation?

      Ward Solutions recommends the following short-term actions to protect your organisation:

      • As per previous advisories, systems administrators are advised, if they have not already done so, to patch against the Microsoft SMBv1 vulnerability (MS17-010), which affects the following Microsoft software:

      – Windows Vista SP2
      – Windows Server 2008 SP2 and Windows Server 2008 R2 SP1
      – Windows 7
      – Windows 8.1
      – Windows RT 8.1
      – Windows Server 2012 and Windows Server 2012 R2
      – Windows 10
      – Windows Server 2016

      Microsoft also issued out-of-band MS17-010 fixes for the unsupported Windows XP, Windows 8 and Windows Server 2003 during the WannaCry outbreak; these must be obtained and applied manually. Ward Solutions recommends that systems administrators immediately apply the patch if they have not already done so.

      Further details on this patch can be found on the Microsoft support site here: https://support.microsoft.com/en-sg/help/4013389/title

      • Keep your antivirus active and up to date, and only update AV software from valid sources. McAfee has released an extra.dat providing coverage for Petya, together with a list of file extensions the malware encrypts. Further information is in the McAfee advisory: https://kc.mcafee.com/corporate/index?page=content&id=KB89540 [6]
      • Ensure you have a reliable and well-configured backup solution, and keep at least one copy offline; a backup reachable from the network can be encrypted along with everything else.
      • Allocate the minimum appropriate level of administrative privilege. Petya’s PsExec and WMIC spread relies on the credentials available on the infected host, so limiting admin rights limits propagation should your organisation be attacked.
      • Block inbound TCP ports 135, 445 and 1024-1035 at the perimeter, and between internal segments where SMB and RPC are not required. Blocking 445 on file servers or domain controllers breaks legitimate file sharing and authentication, so apply it selectively.
      • To stop the spread via WMIC, administrators should block the file C:\Windows\perfc.dat from running. [6] There are also reports of a possible kill-switch, though successful use has yet to be reported: PTSecurity researchers report that the ransomware checks whether the file C:\Windows\perfc is already present and, if it is, stops executing. Creating a read-only file with that exact name in that folder may therefore halt encryption on that host, although the method has yet to be verified. It is a per-host vaccine, not a network-wide kill-switch: every machine needs its own copy. [5]
      • McAfee also recommends blocking the following files/folders: **\PSEXESVC.EXE and C:\Windows\System32\Tasks\**. Blocking the first hinders the PsExec-based replication; blocking writes to the Tasks folder prevents the ransomware from creating the scheduled task it uses to force a restart of the system, which is the step that triggers the MBR payload. [6] Be aware that blocking the Tasks folder also stops legitimate scheduled tasks from being created until the rule is removed.
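      The short-term actions above, collected into one script as an added example (this is not code from the advisory, Microsoft or McAfee): it checks for the MS17-010 update, disables the SMBv1 server, adds Windows Firewall rules for the listed ports and creates the read-only perfc ‘vaccine’ file. Run it in an elevated PowerShell session. The KB numbers are taken from the MS17-010 bulletin and must be verified against your builds; the perfc.dat and perfc.dll variants are an assumption beyond what the advisory states.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Ward advisory or any vendor. Hardening checks for the
# short-term actions in the advisory. KB numbers and the extra vaccine file names
# are ASSUMPTIONS noted below; verify against the MS17-010 bulletin for your builds.

# KB numbers published with MS17-010 (March 2017). ASSUMPTION: taken from the bulletin;
# Windows 10 numbers differ per release, so confirm before relying on this list.
$Ms17010Kbs = @(
    'KB4012598',               # Vista SP2 / Server 2008 SP2 (and the out-of-band XP/2003 builds)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 security-only and monthly rollup
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4013429'                # Windows 10 1607 / Server 2016 cumulative update
)

function Test-Ms17010Patched {
    # Later cumulative updates supersede these KBs, so "not found" means "check manually",
    # not "definitely vulnerable". The SMBv1 setting below is the more reliable control.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hits = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    [PSCustomObject]@{ Patched = ($hits.Count -gt 0); MatchedKBs = $hits }
}

function Disable-Smb1Server {
    # EternalBlue targets the SMBv1 server; turning it off removes the attack surface
    # even where patch state is uncertain.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / Server 2008 R2: value read by lanmanserver at start (needs a reboot)
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Block-PetyaInboundPorts {
    # Ports listed in the advisory. Suitable for hosts that do not serve SMB/RPC; on file
    # servers and domain controllers, filter at the network edge instead.
    foreach ($p in @('135', '445', '1024-1035')) {
        $name = "Petya advisory - block inbound TCP $p"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $p -Action Block -Profile Any | Out-Null
        }
    }
}

function New-PerfcVaccine {
    # PTSecurity observation: the malware stops if C:\Windows\perfc already exists.
    # Create it read-only so it cannot be overwritten. ASSUMPTION: the .dat and .dll
    # variants are extra caution, not something the advisory itself verifies.
    foreach ($n in 'perfc', 'perfc.dat', 'perfc.dll') {
        $path = Join-Path $env:SystemRoot $n
        if (-not (Test-Path $path)) { New-Item -Path $path -ItemType File | Out-Null }
        Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
    }
}

Test-Ms17010Patched
Disable-Smb1Server
Block-PetyaInboundPorts
New-PerfcVaccine
```

      Disabling SMBv1 breaks access from legacy clients such as old NAS devices, printers and Windows XP, so test it on a pilot group first. Get-NetFirewallRule and Set-SmbServerConfiguration require Windows 8 / Server 2012 or later; on Windows 7 the registry change takes effect only after a reboot. Treat a miss in Test-Ms17010Patched as a prompt to check manually rather than as proof of exposure.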

      In the medium term, there are also a number of actions organisations can take to protect themselves, including:

      • Update email and spam filtering solutions to scan all mail and block malicious attachments and links before they reach end users.
      • Perform regular user awareness training and keep the content relevant. Include social-engineering phishing exercises to get a real-world measure of how effective the training is.
      • Logically separate internal network segments so that users and servers are on different segments, with policies between them that restrict SMB and RPC to the hosts that need them; this limits how far malware can spread through the network.
      • Implement a vulnerability management solution alongside patch management, so you can pinpoint vulnerabilities and prioritise your patching.

      My Organisation is Infected, What Now?

      The first piece of advice is not to pay the ransom: Posteo, the email provider hosting the address to which Petya victims are directed, has shut down the account, so the attackers cannot receive proof of payment or send a key even if they intended to. [7]

      Secondly, Petya only encrypts the Master File Table (MFT) after the forced reboot; the fake ‘Check Disk’ (CHKDSK) screen shown on that boot is the encryption in progress. If you know a machine is infected, power it off (do not reboot) before the scheduled restart and you can potentially prevent the MFT encryption; if the CHKDSK screen is already showing, powering off immediately may still limit the damage. Because Petya encrypts the MFT rather than the file contents, data recovery may be possible, although no successful recoveries have yet been reported; take a full disk image before attempting any repair on the affected disk.
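      For the containment advice above, an added example (not from the advisory) of what to run on a host you suspect is infected but which has not yet rebooted: it finds and removes any scheduled task that forces a restart, aborts a pending shutdown, lists the artefacts named in the advisory, and looks for PsExec service installations that would indicate lateral movement into the host. It assumes Windows 8 / Server 2012 or later for the ScheduledTasks module; the 48-hour window and the PSEXESVC match are assumptions, and the checks are heuristics rather than signatures.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Ward advisory. Triage on a host suspected of Petya
# infection, run before it reboots. Task patterns, paths, event IDs and the time
# window are ASSUMPTIONS noted below.

function Find-ForcedRestartTask {
    # The malware schedules a forced restart (shutdown.exe /r) so the MBR payload runs.
    # Any task whose action is a forced restart is suspicious on a workstation.
    Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object {
            $_.Execute -match 'shutdown(\.exe)?$' -and $_.Arguments -match '/r'
        }
    }
}

function Remove-ForcedRestartTask {
    # Unregistering the task buys time; it does not remove the dropped MBR code.
    Find-ForcedRestartTask | ForEach-Object {
        Write-Warning "Removing restart task '$($_.TaskName)' in $($_.TaskPath)"
        $_ | Unregister-ScheduledTask -Confirm:$false
    }
    # A restart may already be counting down; abort it as well.
    & shutdown.exe /a 2>$null
}

function Find-PetyaArtifacts {
    # Files named in the advisory: the dropped DLL in %SystemRoot% and the PsExec
    # service binary used for lateral movement. Existence is a trigger to investigate.
    $candidates = @(
        (Join-Path $env:SystemRoot 'perfc.dat'),
        (Join-Path $env:SystemRoot 'perfc'),
        (Join-Path $env:SystemRoot 'PSEXESVC.EXE')
    )
    foreach ($c in $candidates) {
        if (Test-Path $c) {
            Get-Item $c | Select-Object FullName, Length, CreationTime, IsReadOnly
        }
    }
}

function Find-PsExecServiceInstalls {
    param([int]$Hours = 48)   # ASSUMPTION: look-back window for the outbreak
    # Service Control Manager event 7045 ("a service was installed") fires when PsExec
    # drops PSEXESVC on a target; filtering on the name shows lateral movement into this host.
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'PSEXESVC' } |
        Select-Object TimeCreated, Message
}

Remove-ForcedRestartTask
Find-PetyaArtifacts
Find-PsExecServiceInstalls
# If any of the above returns results: isolate the host from the network, power it off
# (do not reboot) and image the disk before any recovery attempt.
```

      A read-only perfc file found by Find-PetyaArtifacts may be your own vaccine rather than the malware’s DLL; compare its size and creation time with your deployment. On Windows 7 and Server 2008 R2, where Get-ScheduledTask is unavailable, schtasks /Query /V /FO CSV gives the same task list for manual review.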

      How Can Ward Help?

      For SOC Managed Service customers, we have been receiving IBM Threat Intel feeds, including Petya Indicators of Compromise, since June 27th, and will take any appropriate action accordingly.

      For Managed Service customers, the Ward Support team will be reviewing individual environments to ensure all recommendations are implemented.

      For all other customers, if you would like additional information or would like support in implementing preventative measures in your environment, please contact support@ward.ie or your account manager, as appropriate.

      Further reading:

      [1] http://www.bbc.com/news/technology-40416611
      [2] https://labsblog.f-secure.com/2016/04/01/petya-disk-encrypting-ransomware/
      [3] https://securityintelligence.com/petya-werent-expecting-this-ransomware-takes-systems-hostage-across-the-globe/
      [4] https://blog.fortinet.com/2017/06/27/new-ransomware-follows-wannacry-exploits
      [5] https://www.ptsecurity.com/ww-en/about/news/283096/
      [6] https://kc.mcafee.com/corporate/index?page=content&id=KB89540
      [7] https://www.bleepingcomputer.com/news/security/email-provider-shuts-down-petya-inbox-preventing-victims-from-recovering-files/
      [8] https://www.wired.com/story/petya-ransomware-wannacry-mistakes/
