By: Andrew Hay
Unless you’ve been away from the Internet earlier this week, you’ve no doubt heard by now about the global ransomware outbreak that started in Ukraine and subsequently spread West across Western Europe, North America, and Australia yesterday. With similarities reminiscent to its predecessor WannaCry, this ransomware attack shut down organizations ranging from the Danish shipping conglomerate Maersk Line to a Tasmanian-based Cadbury chocolate factory.
I was asked throughout the course of yesterday and today to help clarify exactly what transpired. The biggest challenge with any surprise malware outbreak is the flurry of hearsay, conjecture, speculation, and just plain guessing by researchers, analysts, and the media.
At a very high level, here is what we know thus far:
- The spread of this campaign appears to have originated in Ukraine but has migrated west to impact a number of other countries, including the United States where pharmaceutical giant Merck and global law firm DLA Piper were hit
- The initial infection appears to involve a software supply-chain threat involving the Ukrainian company M.E.Doc, which develops tax accounting software, MeDoc
- This appears to be a piece of malware utilizing the EternalBlue exploit disclosed by the Shadow Brokers back in April 2017 when the group released several hacking tools obtained from the NSA
- Microsoft released a patch in March 2017 to mitigate the discovered remote code execution vulnerabilities that existed in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handled certain requests
- The malware implements several lateral movement techniques:
- Stealing credentials or re-using existing active sessions
- Using file-shares to transfer the malicious file across machines on the same network
- Using existing legitimate functionalities to execute the payload or abusing SMB vulnerabilities for unpatched machines
- Experts continue to debate whether or not this is a known malware variant called Petya but several researchers and firms claim that this is a never before seen variant that they are calling GoldenEye, NotPetya, Petna, or some other random name such as Nyetya
- The jury is still out on whether or not the malware is new or simply a known variant
Who is responsible?
The million dollar question on everyone’s mind is “was this a nation-state backed campaign designed to specifically target Ukraine”? We at LEO believe that to be highly unlikely for a number of reasons. The likelihood that this is an opportunistic ransomware campaign with some initial software package targets is far more likely scenario than a state-sponsored actor looking to destabilize a country.
Always remember the old adage from Dr. Theodore Woodward: When you hear hoofbeats, think of horses not zebras.
If you immediately start looking for Russian, Chinese, or North Korean state-sponsored actors around every corner, you’ll inevitably construct some attribution and analysis bias. Look for the facts, not the speculation.
What does LEO recommend you do?
We recommend customers that have not yet installed security update MS17-010 to do so as soon as possible. Until you can apply the patch, LEO also recommends the following steps to help reduce the attack surface:
- Disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547
- Block incoming SMB traffic from the public Internet on port 445 and 139, adding a rule on your border routers, perimeter firewalls, and any intersecting traffic points between a higher security network zone to a lower security network zone
- Disable remote WMI and file sharing, where possible, in favor of more secure file sharing protocols
- Ensure that your logging is properly configured for all network-connected systems including workstations, servers, virtualized guests, and network infrastructure such as routers, switches, and firewalls
- Ensure that your antimalware signatures are up-to-date on all systems (not just the critical ones)
- Review your patch management program to ensure that emergency patches to mitigate critical vulnerabilities and easily weaponized attacks can be applied in an expedited fashion
- Finally, consider stockpiling some cryptocurrency, like Bitcoin, to reduce any possible transaction downtime should you find that your organization is forced to pay the ransom. Attempting to acquire Bitcoin during an incident may be time-prohibitive
Should your organization need help or clarification on any of the above recommendations, please don’t hesitate to reach out to LEO Cyber Security for immediate assistance.
- vulnersCom’s GitHubGist
- ‘Petya’ Ransomware Outbreak Goes Global – Krebs On Security
- Schroedinger’s Pet(ya) – Kaspersky Lab
- Petya Ransomware Spreading Via EternalBlue Exploit – FireEye
- Checking out the new Petya variant – SANS ISC InfoSec Forums
- Complex Petya-like Ransomware Outbreak Worse Than Wannacry – Threatpost
- Petya Weren’t Expecting This: Ransomware Takes Systems Hostage Across the Globe – IBM X-Force Research
- New Variant of Petya Ransomware Spreading Like Wildfire – McAfee
- Vaccine, not Killswitch, Found for Petya (NotPetya) Ransomware Outbreak – Bleeping Computer
- WannaCry Déjà Vu: Petya Ransomware Outbreak Wreaking Havoc Across the Globe – Bleeping Computer
- Petya Ransomware Attack – What’s Known – MalwareTechBlog
- Threat Brief: Petya Ransomware – Palo Alto Networks
- Petya Ransomware Fast Spreading Attack – AlienVault Open Threat Exchange (OTX)
- New ransomware, old techniques: Petya adds worm capabilities – Microsoft MMPC
- Tuesday’s massive ransomware outbreak was, in fact, something much worse – Ars Technica
- FAQ about PETYA/GOLDENEYE/PETR outbreak – FOX IT
- New Petya Distribution Vectors Bubbling to Surface – Kaspersky Lab