We speak to Cognosec CTO Oliver Eckel about the recent Petya / NotPetya attack, find out how you can protect your company, and ask what an organization should do if it thinks it has been affected...
How does this type of ransomware spread from organization to organization globally?
This type of ransomware corrupts computers and demands $300 in Bitcoin. The malicious software spreads rapidly across an organization once a computer is infected. This is achieved via the EternalBlue vulnerability in Microsoft Windows or through two Windows administrative tools. The malware tries one option and then if it doesn’t work, it moves on to the next. Many believe it can spread itself more effectively than the recent WannaCry ransomware.
Various news reports suggest this type of ransomware originated from corrupted updates on MeDoc accountancy software, although the company has denied this. Researchers believe hackers have breached the company's computer systems and compromised a software update, which was distributed to its customers on 22 June.
How does this Petya type ransomware differ from WannaCry earlier this month?
According to some security researchers the Petya attack is not ransomware, it is a wiper designed to destroy data and not necessarily to extort money from victims. This theory was initially highlighted by Matt Suiche, founder of the cyber security firm Comae, in his blog post.
The Petya cyber attack that swept globally, and has infected enterprise networks across Europe, is much worse than initially thought. Security researchers have now come to the conclusion that the Petya attack is not ransomware. If one thought that was good news, it is not. Petya is being termed a wiper by researchers, with the aim being mass destruction of data. The idea was never to collect money from victims or enterprises.
In his blog post, Suiche explained the difference between a wiper and ransomware. He writes, “a wiper would simply destroy and exclude possibilities of restoration.” With ransomware, the idea is always to get the victim to pay and then restore the data. Based on early analysis, Suiche has concluded that the 2017 version of Petya is also exploiting the EternalBlue and EternalRomance vulnerabilities in Microsoft’s systems. He writes, “After comparing both implementation, we noticed that the current implemented that massively infected multiple entities Ukraine was in fact a wiper which just trashed the 25 first sector blocks of the disk.” In conclusion, he believes that this attack is deliberately overwriting the data on the disk, and this is not read or saved anywhere else. He says the main difference between the 2016 and 2017 Petya is that the earlier version modified the disk in a way that made it possible to get the data back. In the new version, the damage is irreversible.
How does the ransomware affect computer systems?
Once active, the ransomware will attempt to spread laterally. The ransomware then proceeds to drop additional components and install itself in the Master Boot Record (MBR) of the system prior to creating a scheduled task that will reboot the system after an hour and a half. When the system reboots automatically, the encryption process begins, and the following ransom note is displayed:
Ooops, your important files are encrypted.
If you see this text, then your files are no longer accessible, because
they have been encrypted. Perhaps you are busy looking for a way to recover
your files, but don't waste your time. Nobody can recover your files without
our decryption service.
We guarantee that you can recover all your files safely and easily.
All you need to do is submit the payment and purchase the decryption key.
Please follow the instructions:
Send $300 worth of Bitcoin to following address:
Send your Bitcoin wallet ID and personal installation key to e-mail
How does an organization know if it is still vulnerable to this attack?
If individuals and small businesses believe they are vulnerable they should:
- Run Windows Update to get the latest software updates.
- Make sure any anti-virus product is up to date and scan your computer for any malicious programs. It's also worth setting up regular auto-scans.
- Back up important data on your computer so it can be recovered if it's held for ransom.
For large organizations:
- Apply the latest Microsoft security patches for this particular flaw.
- Back up key data.
- Scan all outgoing and incoming emails for malicious attachments.
- Ensure anti-virus programs are up to date and conducting regular scans.
- Make sure to run "penetration tests" against your network's security, no less than once a year.
What should an organization do if it thinks it has been affected?
Don't pay the ransom – there's no way to get the necessary keys to restore your documents. It appears the malware doesn't provide enough information to the extortionists for them to generate a correct unlock key, so it would be impossible to obtain a working decryption key from the perpetrators. And the means to contact the hackers after paying the money is now shut off, so there is very little remedy.
According to researchers, not only should you patch your computers to stop the SMB exploits, disable SMBv1 for good measure, and block outside access to ports 137, 138, 139 and 445, you must follow best practices and not allow local administrators carte blanche over the network – and tightly limit access to domain admins.
The precise affected versions of Windows aren't yet known, however, news has emerged that Windows 10's Credentials Guard prevents NotPetya's password extraction from memory.
In addition, creating the read-only file C:\Windows\perfc.dat on your computer helps prevent the file-scrambling part of NotPetya from running, but doesn't stop it spreading on the network. Unlike WannaCry, which spread externally across the internet, the software is designed to spread internally for less than an hour and then activates.
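The host-level checks from the two answers above (MS17-010 patch state, SMBv1, the NetBIOS/SMB ports, the perfc.dat vaccine file and local administrator membership) can be audited in one pass. The following PowerShell script is an added example written for this page; it is not code from the interview, from Cognosec, or from Microsoft. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later (the SmbShare and NetSecurity cmdlets ship with those releases, and Get-LocalGroupMember needs Windows 10 / Server 2016). The KB identifier list is a placeholder you must fill from Microsoft's MS17-010 bulletin for your build; the firewall rule names and the Public-profile scope are this example's own choices. Without -Remediate it only reports.

```powershell
<#
  Added example (not from the interview or from Cognosec):
  audit, and optionally apply, the NotPetya host mitigations named in the text.
  Run in an elevated PowerShell. Use -Remediate to apply the changes.
#>
param(
    [switch]$Remediate,
    # ASSUMPTION: fill from Microsoft's MS17-010 bulletin for your OS build.
    # 'KB0000000' is an obvious placeholder, not a real update id.
    [string[]]$Ms17010Kb = @('KB0000000')
)

$findings = @()

# 1. Is an MS17-010 update installed? (closes EternalBlue / EternalRomance)
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$patched = $Ms17010Kb | Where-Object { $installed -contains $_ }
if (-not $patched) {
    $findings += 'MS17-010 update not found - run Windows Update / apply the bulletin.'
}

# 2. Is SMBv1 still enabled on the server side?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is enabled.'
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# 3. Block inbound NetBIOS/SMB (137, 138, 139, 445) at the host firewall.
#    Scoped to the Public profile here; widen to Domain/Private only after
#    checking what legitimate file sharing the host must still serve.
$ports = 137, 138, 139, 445
foreach ($proto in 'TCP', 'UDP') {
    $ruleName = "Block inbound NetBIOS/SMB $proto (NotPetya mitigation)"
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        $findings += "No host firewall rule blocking inbound $proto $($ports -join ',')."
        if ($Remediate) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
                -Action Block -Protocol $proto -LocalPort $ports -Profile Public | Out-Null
        }
    }
}

# 4. Vaccine file: read-only C:\Windows\perfc.dat stops the local encryption
#    stage only; it does nothing against lateral spread (see the text above).
$perfc = Join-Path $env:SystemRoot 'perfc.dat'
if (-not (Test-Path $perfc)) {
    $findings += 'perfc.dat vaccine file is absent.'
    if ($Remediate) {
        New-Item -Path $perfc -ItemType File -Force | Out-Null
        Set-ItemProperty -Path $perfc -Name IsReadOnly -Value $true
    }
} elseif (-not (Get-Item $perfc).IsReadOnly) {
    $findings += 'perfc.dat exists but is not read-only.'
    if ($Remediate) { Set-ItemProperty -Path $perfc -Name IsReadOnly -Value $true }
}

# 5. Local administrators: the text warns against giving local admins
#    "carte blanche". This only lists members for review; membership
#    policy is an organisational decision, so nothing is removed here.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
if ($admins) {
    $findings += "Local Administrators members: $(($admins.Name) -join '; ')"
}

# 6. Report. An empty list (apart from the admin roster) means every
#    check on this host passed.
if ($findings.Count -eq 0) {
    Write-Output 'All NotPetya host checks passed.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it first without -Remediate on a representative host and compare the findings with your patch-management and firewall baselines; the firewall rule in particular is a blunt host-level control and belongs alongside, not instead of, the perimeter blocks on ports 137-139 and 445 that the answer above recommends.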
How can Cognosec help organizations increase their cyber resilience?
We can offer state of the art vulnerability management and endpoint protection solutions.
If the victims had patched their systems (the same exploit was used as in WannaCry, so nobody can say they were not aware), the malware would not have been able to take over their computers.
If they had used a state of the art AI endpoint protection this would have stopped the infection from even reaching the system.
Cognosec partners with Tenable, the leading vulnerability management vendor, and Cylance, the leading endpoint protection vendor; together we can walk you through the implementation.
Cylance and Crowdstrike were the only two vendors to immediately detect Petya. Here’s how Cylance achieved detection and thwarted infection:
CylancePROTECT stops both file and fileless malware, including that of the self-destructing variety. Since it operates pre-execution – before it enters memory – ransomware such as we are seeing never had a chance to do damage or communicate with C2 servers.
CylancePROTECT runs silently in the background to detect malicious files, with configurable options across memory, script, file, and network protection. In essence, Cylance predicts attacks – far in advance – without the blind spots found in legacy, signature-based tools.
Finally, the CylancePROTECT Dashboard offers insight into “what could have been,” aiding in investigations on unprotected machines. But those with CylancePROTECT won’t require remediation or cleanup.