Since 27 June 2017, there has been extensive media coverage of a ransomware attack on large multinationals and companies around the world. The attack behaves similarly to WannaCry, but the malware is a variant of the "Petya" ransomware.
This summary provides more information about the ransomware and gives guidelines to prevent and mitigate infection.
- Virus Name: Petya, NotPetya, Netya
- Affected Systems: All Windows systems that do not have the MS17-010 patch applied.
- Infection Vector: Phishing email with a malicious attachment
- Vulnerability in the Microsoft SMBv1 protocol (MS17-010): exploits exist for this vulnerability that allow an attacker to take control of systems that:
- have not been patched by the MS17-010 fix released in March 2017, AND
- are accessible from the Internet or internal network
- Lateral movement: The ransomware moves laterally in the network by:
- Extracting administrator credentials from the machine's memory and using those credentials to connect to and execute commands on other machines via PsExec and WMIC
- Exploiting the SMB vulnerability (MS17-010) using the EternalBlue and EternalRomance exploits
This means that even if a machine is already patched, the ransomware will try to spread to it using the credentials extracted from memory. To obtain those credentials, the ransomware needs to execute the EternalBlue or EternalRomance exploit for MS17-010.
- Ransom Amount: USD300 in Bitcoin
What does it encrypt?
This variant of Petya does not encrypt files on the targeted system. Instead it reboots the target computer, encrypts the hard drive's master file table (MFT) and renders the master boot record (MBR) inoperable, blocking access to the whole system. Petya replaces the computer's MBR with its own malicious code, which displays the ransom note and leaves the computer unable to boot. The ransomware starts encrypting files after the reboot.
The ransomware sets a scheduled task to automatically reboot after one hour.
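The lateral-movement behaviour described above (PsExec and WMIC driven by stolen credentials) and the scheduled reboot leave traces a defender can look for on a host. The script below is an added triage example, not part of the KPMG summary. It assumes (these details are not on the page) that PsExec installs a service named PSEXESVC, which Windows records as System event 7045; that remote WMIC use appears in Security event 4688 as wmic.exe with a /node: argument when process command-line auditing is enabled; and that the reboot task invokes shutdown.exe with /r. A renamed PsExec binary or a disabled audit policy defeats the first two checks, so a clean result means "nothing seen", not "nothing happened".

```powershell
# Added triage example (not from the KPMG summary). Run in an elevated session.
# Looks for three host-side indicators of the behaviour described in the summary:
#   1. PsExec-style service installs      (System log, event 7045, service PSEXESVC)
#   2. wmic.exe run against a remote node (Security log, event 4688, "/node:")
#   3. Scheduled tasks that reboot the host (shutdown.exe /r)
# Event IDs, the PSEXESVC name and the 4688 field layout are assumptions about
# default Windows logging, not facts stated on this page.

param(
    [int]$LookbackHours = 24
)

$since    = (Get-Date).AddHours(-$LookbackHours)
$findings = @()

# 1. Service installations in the lookback window that name the default PsExec service.
$serviceInstalls = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($evt in $serviceInstalls) {
    if ($evt.Message -match 'PSEXESVC') {
        $findings += [pscustomobject]@{
            Time   = $evt.TimeCreated
            Check  = 'PsExec service install (7045)'
            Detail = (($evt.Message -split "`n") | Where-Object { $_ -match 'Service Name|Service File Name' }) -join ' '
        }
    }
}

# 2. Process creation events where wmic.exe targets another machine.
#    Requires "Include command line in process creation events" to be enabled.
$processCreates = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($evt in $processCreates) {
    if ($evt.Message -match 'wmic\.exe' -and $evt.Message -match '/node:') {
        $findings += [pscustomobject]@{
            Time   = $evt.TimeCreated
            Check  = 'Remote WMIC execution (4688)'
            Detail = (($evt.Message -split "`n") | Where-Object { $_ -match 'Process Command Line' }) -join ' '
        }
    }
}

# 3. Scheduled tasks whose action is a forced reboot (the summary: reboot after one hour).
#    Legitimate maintenance tasks can match too; review each hit rather than auto-deleting.
$rebootTasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { $_.Execute -match 'shutdown' -and $_.Arguments -match '/r' }
}
foreach ($task in $rebootTasks) {
    $action = $task.Actions | Select-Object -First 1
    $findings += [pscustomobject]@{
        Time   = Get-Date
        Check  = 'Scheduled reboot task'
        Detail = "$($task.TaskPath)$($task.TaskName) -> $($action.Execute) $($action.Arguments)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No PsExec/WMIC/reboot-task indicators found in the last $LookbackHours hours."
} else {
    $findings | Sort-Object Time | Format-Table -AutoSize -Wrap
}
```

Run it as `.\Triage-LateralMovement.ps1 -LookbackHours 72` on a suspect host, or push it through your endpoint management tool and collect the output centrally; the same 7045 and 4688 conditions translate directly into SIEM rules for the "monitor for IOCs" step below.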
What can you do to prevent infection?
- Block ports TCP 445/139 at edge firewalls and perform external scanning of all internet facing ranges to confirm ports are blocked.
- Push out MS17-010 to every machine as a matter of priority.
- Restrict the use of PsExec and WMI through Group Policy.
- Remove local administrator rights.
- Consider turning off email attachments until all systems are patched.
- Update all security devices (anti-virus, SIEM, IPS/IDS, APT, etc.) to get the latest signatures and threat protection.
- Start monitoring for IOCs (see next slides) if you have a SOC/MSSP
- Upgrade all end of life machines as a matter of priority.
- Isolate systems that cannot be patched from the network as much as possible: strict VLANs and firewalls with very tight ACLs (for example, only allow 139/445 to the file servers and domain controllers).
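Three of the steps above can be verified and, where appropriate, enforced per host: MS17-010 installed, SMBv1 disabled, and inbound TCP 139/445 blocked on machines that do not need to serve SMB (everything except the file servers and domain controllers the list mentions). The script below is an added example, not KPMG's or Microsoft's tooling. The MS17-010 KB numbers differ per OS build and are not listed on this page, so `$Ms17010Kbs` is a placeholder the operator fills in from the Microsoft bulletin; `Test-SmbInboundBlocked` only recognises rules that list 139 and 445 explicitly or as Any (not port ranges). Remediation is opt-in via `-Remediate`; without it the script only reports.

```powershell
# Added hardening example (not from the KPMG summary). Run in an elevated session.
# Reports, and optionally fixes, three items from the prevention list:
#   - MS17-010 present            (Get-HotFix against operator-supplied KB IDs)
#   - SMBv1 server support off    (Get-/Set-SmbServerConfiguration, Windows 8 / 2012+)
#   - inbound TCP 139/445 blocked (Get-/New-NetFirewallRule) on non-file-server hosts
# The KB list is a PLACEHOLDER: look up the correct KB(s) for each OS build.

param(
    [string[]]$Ms17010Kbs = @('KB-MS17-010-PLACEHOLDER'),  # replace with the real KB(s) for this OS build
    [switch]$Remediate,                                     # apply fixes instead of only reporting
    [switch]$IsFileServerOrDc                               # skip the inbound SMB block on hosts that must serve SMB
)

function Test-Ms17010Installed {
    param([string[]]$Kbs)
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Test-Smb1Enabled {
    # EnableSMB1Protocol is the server-side switch EternalBlue/EternalRomance rely on.
    $cfg = Get-SmbServerConfiguration -ErrorAction Stop
    return [bool]$cfg.EnableSMB1Protocol
}

function Test-SmbInboundBlocked {
    # True if an enabled inbound Block rule covers TCP 139 and 445 (explicitly or via Any).
    $rules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $pf = $rule | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP') {
            $ports = @($pf.LocalPort)
            $has139 = ($ports -contains '139') -or ($ports -contains 'Any')
            $has445 = ($ports -contains '445') -or ($ports -contains 'Any')
            if ($has139 -and $has445) { return $true }
        }
    }
    return $false
}

$patched = Test-Ms17010Installed -Kbs $Ms17010Kbs
$smb1    = Test-Smb1Enabled
$blocked = Test-SmbInboundBlocked

[pscustomobject]@{
    Host              = $env:COMPUTERNAME
    MS17010Installed  = $patched
    SMB1Enabled       = $smb1
    InboundSmbBlocked = $blocked
} | Format-List

if ($Remediate) {
    if ($smb1) {
        # Turning SMBv1 off removes the protocol the MS17-010 exploits target.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Output 'SMBv1 server support disabled.'
    }
    if (-not $blocked -and -not $IsFileServerOrDc) {
        # Workstations do not need to accept SMB; blocking it stops peer-to-peer spread
        # via the exploit and via PsExec (which relies on the ADMIN$ share).
        New-NetFirewallRule -DisplayName 'Block inbound SMB/NetBIOS (TCP 139,445)' `
            -Direction Inbound -Protocol TCP -LocalPort 139,445 -Action Block -Profile Any | Out-Null
        Write-Output 'Inbound TCP 139/445 block rule created.'
    }
    if (-not $patched) {
        Write-Warning 'MS17-010 not detected: install the update for this OS build (this script does not download patches).'
    }
}
```

Run `.\Check-Ms17010Posture.ps1` first to get the report, compare it against the edge-firewall scan results, and only then re-run with `-Remediate` (adding `-IsFileServerOrDc` on servers that legitimately accept SMB). Disabling SMBv1 can break very old clients and printers, which is exactly the "upgrade end-of-life machines" item in the list above.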
Note: These suggested solutions are provided only as a guide and are not meant to be a comprehensive solution to protect your organization from potential attacks by the ransomware. KPMG is not liable for any loss or damages in the event such proposed solutions adopted are not pursuant to a formalized engagement between your organization and KPMG.