A few days ago, NotPetya came into our purview, and left enterprises globally with many questions.
Is it ransomware? Is it a wiper? The world really had enough problems dealing with the many variants of ransomware generally, but now the problem just got exponentially more complex.
Why? Because organizations are not prepared for an attack, or series of attacks, never before seen, which places them in the “unknown threat” realm. Because of the level of adaptive behavior exhibited by Petya and NotPetya, combined with their self-propagation (worm-like) capability, many detection systems across the energy and financial sectors were fooled.
Some of the questions you may have might include:
- What can I do to protect my business?
- What can I do to ensure a Petya variant, or the next NotPetya or WannaCry won’t affect my company?
With a ton of damage already inflicted, there are a few things you need to know about this malware, its variants, and what you can do to protect your business.
First, here are a few key details:
- Geographically, NotPetya hit the hardest in Europe and India before reports of the virus spreading to the UK and the US were validated. Over 2000 separate attacks are being tracked.
- The NotPetya ransomware worm used the NSA’s exploit called EternalBlue as well as the PSExec tool as a means to execute. It encrypts hard drives in addition to files.
Anyone who thought that WannaCry was a one-off was, to say the least, very naïve. NotPetya/ExPetr arrived and wreaked havoc among thousands of organizations in a very short time. It looks like ransomware, but perhaps it is not.
Pretending to be something bad like ransomware while actually being even worse (a wiper or a destroyer) is a very cynical move. At least with ransomware when victims pay they get their files back – most of the time. This is not the case with wipers.
NotPetya tries to overwrite the master boot record (MBR) and the master file table (MFT). Most of the recent analyses of NotPetya show that the way the MFT is encrypted provides no way to decrypt its content, not allowing you to recover files. Unless the authors of the malware were intentionally clumsy, the inability to recover the MFT resembles more of a wiper-style attack, with the intention of generating as much damage on the target organization as possible. This makes it a very lethal cyberweapon indeed.
Several important characteristics of the NotPetya attack are critical to point out:
- First, it overwrites critical host objects, mainly the MBR and MFT, and it has embedded self-spreading technology to further proliferate laterally, thus extending its reach.
- Second, it uses tools that already exist on all Windows machines, namely PSExec from SysInternals and wmic (Windows Management Instrumentation Command-line). Why is this so important? Because both tools are frequently used by IT, and as such are not considered suspicious when they execute.
- Third, it has embedded password stealing code (LSADump), so it can steal password hashes and perform lateral movement that looks like legitimate or normal activity on machines. It also utilizes the legitimate Windows program rundll32.exe to execute malicious actions on the victim host.
CounterTack Can Help
With CounterTack’s Endpoint Threat Platform, users have the following capabilities at their disposal around this malicious set of attacks:
- Detect writes to the MBR and provide full context of the action (user account and user SID, time stamp, process name and PID, and process image path)
- Detect attempts to steal password hashes (with full event context)
- Detect lateral moves through connections over target port 445
- Detect PSExec remote execution, both on the source host and target host
- Detect remote execution utilizing WMIC with full command line arguments
- Identify malicious execution from rundll32.exe as suspicious activity
In addition to what our Endpoint Threat Platform detects, the platform also classifies NotPetya as "Policy: Ransomware MBR Overwrite (possible rootkit)."
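To make the attack characteristics and the detections above concrete, here is an added Python sketch (not CounterTack's code, and not its event format) that runs toy rules over constructed Sysmon-style events: raw writes to the disk device (MBR overwrite), handles opened to LSASS (hash theft), PsExec on both source and target host, WMIC remote process creation, rundll32 loading a DLL by ordinal or from outside the Windows directories, and port 445 fan-out from one process. The event fields, the allowlist of LSASS clients, the fan-out threshold of three peers, and every host, user, path and file name in the sample are assumptions made up for the example.

```python
"""Toy endpoint detections for the NotPetya tradecraft described in the post.
Constructed example: event format, thresholds and sample data are assumptions."""
import re
from collections import defaultdict

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
ALLOWED_LSASS_CLIENTS = ("csrss.exe", "services.exe", "wininit.exe")  # constructed allowlist
SMB_PORT = 445
LATERAL_MIN_TARGETS = 3   # constructed threshold: distinct 445 peers from one process


def image_name(ev):
    return ev["image"].rsplit("\\", 1)[-1].lower()


def context(ev):
    """The context the post says an alert should carry: who, when, which process."""
    return {k: ev.get(k) for k in ("ts", "host", "user", "sid", "pid", "image")}


def rule_mbr_write(ev):
    # A write to the raw disk device is how the MBR gets overwritten; normal software never does it.
    if ev["type"] == "raw_write" and ev["target"].lower().startswith("\\\\.\\physicaldrive"):
        return "raw disk write (MBR overwrite)"


def rule_lsass_access(ev):
    # Dumping password hashes needs a handle to lsass.exe; only a few system processes should open one.
    if (ev["type"] == "process_access" and ev["target"].lower().endswith("\\lsass.exe")
            and image_name(ev) not in ALLOWED_LSASS_CLIENTS):
        return "credential access (handle to LSASS)"


def rule_psexec(ev):
    if ev["type"] != "process":
        return None
    name = image_name(ev)
    if name == "psexesvc.exe":                              # service PsExec installs on the target
        return "PsExec service started (target host)"
    if name == "psexec.exe" and re.search(r"\\\\[\w.-]+", ev["cmdline"]):  # \\host argument
        return "PsExec remote execution (source host)"


def rule_wmic(ev):
    if ev["type"] == "process" and image_name(ev) == "wmic.exe":
        cl = ev["cmdline"].lower()
        if "/node:" in cl and "process call create" in cl:
            return "WMIC remote process creation"


RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\S+)', re.I)


def rule_rundll32(ev):
    if ev["type"] == "process" and image_name(ev) == "rundll32.exe":
        m = RUNDLL_RE.search(ev["cmdline"])
        if m:
            dll, entry = m.group(1).lower(), m.group(2)
            # A DLL outside the Windows directories, or an export called by ordinal (#n), is not IT usage.
            if entry.startswith("#") or not dll.startswith(SYSTEM_DIRS):
                return "rundll32 loading suspicious DLL"


PER_EVENT_RULES = (rule_mbr_write, rule_lsass_access, rule_psexec, rule_wmic, rule_rundll32)


def detect(events):
    """Return one alert dict per rule hit; the 445 fan-out rule fires once per process."""
    alerts = []
    smb_peers = defaultdict(set)          # (host, pid) -> distinct destinations on port 445
    for ev in events:
        for rule in PER_EVENT_RULES:
            verdict = rule(ev)
            if verdict:
                alerts.append({"rule": verdict, **context(ev)})
        if ev["type"] == "network" and ev["dst_port"] == SMB_PORT:
            key = (ev["host"], ev["pid"])
            smb_peers[key].add(ev["dst_ip"])
            if len(smb_peers[key]) == LATERAL_MIN_TARGETS:
                alerts.append({"rule": "SMB lateral movement (port 445 fan-out)", **context(ev)})
    return alerts


def _ev(type_, **fields):
    """Build a constructed sample event; defaults describe one hypothetical workstation."""
    base = {"ts": "2017-06-27T11:02:00Z", "host": "ws01", "user": "CORP\\alice",
            "sid": "S-1-5-21-1-2-3-1001", "pid": 4120,
            "image": "C:\\Windows\\System32\\rundll32.exe", "type": type_}
    base.update(fields)
    return base


SAMPLE_EVENTS = [   # constructed, not real telemetry
    _ev("process", cmdline='rundll32.exe "C:\\Windows\\System32\\shell32.dll",Control_RunDLL',
        pid=3000, user="CORP\\bob"),                                   # benign
    _ev("process", cmdline="rundll32.exe C:\\ProgramData\\payload.dat,#1"),
    _ev("raw_write", target="\\\\.\\PhysicalDrive0"),
    _ev("process_access", target="C:\\Windows\\System32\\lsass.exe"),
    _ev("process", image="C:\\Windows\\System32\\wbem\\wmic.exe", pid=4200,
        cmdline='wmic /node:"ws02" /user:"CORP\\alice" process call create "cmd /c whoami"'),
    _ev("process", image="C:\\Users\\alice\\AppData\\Local\\Temp\\psexec.exe", pid=4300,
        cmdline="psexec.exe \\\\ws02 -accepteula -s cmd /c whoami"),
    _ev("process", host="ws02", image="C:\\Windows\\PSEXESVC.exe", pid=800,
        user="NT AUTHORITY\\SYSTEM", sid="S-1-5-18", cmdline="PSEXESVC.exe"),
    _ev("network", pid=3000, image="C:\\Windows\\explorer.exe", dst_ip="10.0.0.5", dst_port=445),  # benign
    _ev("network", dst_ip="10.0.0.11", dst_port=445),
    _ev("network", dst_ip="10.0.0.12", dst_port=445),
    _ev("network", dst_ip="10.0.0.13", dst_port=445),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The rules are deliberately narrow: PsExec and wmic are legitimate administration tools, so what makes the events suspicious is the combination of remote-execution arguments, unusual image paths, and fan-out to many hosts on port 445 from a single process, each reported with the account, SID and PID needed to triage it.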
The Relationship Graph below provides a visual representation of the attack for quick and easy analysis.
Best Practices to Implement Now
The conventional approach for organizations is to keep all computers fully updated and patched. In addition, CounterTack strongly recommends that users enforce the following security procedures in the wake of this set of attacks:
- Ensure that the patch for MS17-010 is applied to all systems within your endpoint environment: (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx?f=255&MSPPError=-2147217396)
- Do not allow remote access to hidden Admin shares (Admin$) or limit this as much as possible.
- Do not provide regular users Administrative privileges on their computers.
- Do not allow unrestricted use of PSExec and wmic. Only allow Administrators to use those tools, and monitor their command line arguments for unusual usage.
- Do not allow automatic macro execution in Microsoft Office documents. If the document requires a macro to be enabled, verify the source of the document (that is, who sent it and why) before enabling macros.