It appears there’s another global ransomware outbreak occurring that’s affecting banks, telcos, and critical infrastructure.
Multiple countries in Europe are reporting infections, with confirmed reports coming in from the UK, Spain, Ireland, Russia and Ukraine.
At this point, the purported malware seems to be a variant of the Petya ransomware combined with the EternalBlue exploit to infect users. This is speculation at this point, since it’s very early on, but packet captures shown in the wild demonstrate this activity. The Bitcoin wallet for the ransomware shows the malware is currently accepting payment and will most likely continue to do so for the foreseeable future.
This particular outbreak seems to have affected organizations in advertising, power distribution, airports, oil production, shipping, etc. throughout Europe, with Ukraine being particularly hard hit.
The Petya ransomware doesn’t encrypt individual files, but goes after the master boot record (MBR) and leaves entire systems lifeless unless the ransom is paid. If Petya truly is using EternalBlue, it’s taking advantage of SMBv1 on systems not running the Microsoft Windows patch MS17-010. This patch was pushed out a few months back due to the NSA leak, and the exploit it closes was used primarily by WannaCry to worm its way to infamy.
Due to the severity of this exploit it was highly recommended to patch all Windows systems vulnerable to it, but as we saw a few days ago, Honda was recently taken offline by a WannaCry infection weeks after that malware was released.
Organizations should be extremely cautious if this malware is integrating EternalBlue.
If it turns out this malware is using the same exploit, there’s reason to believe attackers will continue to do so until it’s no longer effective. Criminals will always take the path of least resistance.
At this time everyone should be continually monitoring their systems, creating a patch/configuration management procedure, keeping proper backups, validating that SMB isn’t exposed publicly, running signatureless AV, and enabling some type of phishing protection to stop the malware from infecting your assets.
If any technical details change, we’ll update this blog accordingly.
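One way to audit a single host against the conditions described above, as an added example that is not part of the original post: a PowerShell script (Windows 8.1 / Server 2012 R2 or later, run from an elevated session) that reports whether SMBv1 is enabled, whether one of the MS17-010 KBs is installed, and which local addresses are listening on TCP 445, and optionally disables SMBv1. The KB list and the srv.sys check are this example’s assumptions: the list is the March 2017 set and is not exhaustive, and later cumulative updates supersede it, so compare the reported srv.sys version with the bulletin for your build rather than treating a missing KB as proof of exposure.

```powershell
# Added example (not from the original post): audit a Windows host for the
# conditions WannaCry/NotPetya relied on and optionally disable SMBv1.
# Run in an elevated PowerShell 5.1+ session on Windows 8.1 / Server 2012 R2 or later.
param(
    [switch]$DisableSmb1   # pass -DisableSmb1 to remediate; default is report-only
)

function Get-Smb1Status {
    # Server side: EnableSMB1Protocol on the SMB server configuration
    $server  = Get-SmbServerConfiguration
    $feature = $null
    try {
        # Optional feature (client + server) on Windows 8.1/10, Server 2012 R2+
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
    } catch {
        # Older builds expose SMB1 only through the server configuration
    }
    [pscustomobject]@{
        ServerSmb1Enabled = $server.EnableSMB1Protocol
        FeatureState      = if ($feature) { $feature.State } else { 'Unknown' }
    }
}

function Get-Ms17010Evidence {
    # ASSUMPTION: March 2017 security-only / monthly rollup KBs that shipped MS17-010.
    # Not exhaustive; later cumulative updates supersede them, so absence is not proof of exposure.
    $knownKbs = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214',
                'KB4012217','KB4012598','KB4013198','KB4012606','KB4013429'
    $installed = Get-HotFix | Where-Object { $knownKbs -contains $_.HotFixID }
    # srv.sys is the SMB server driver MS17-010 patched; report its version so it
    # can be compared with the build-specific threshold in the bulletin.
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MatchedKbs    = ($installed | ForEach-Object HotFixID) -join ','
        SrvSysVersion = if ($srv) { $srv.VersionInfo.FileVersion } else { 'not found' }
    }
}

function Get-Smb445Listeners {
    # Local addresses listening on TCP 445. 0.0.0.0 / :: means every interface,
    # so a host or perimeter firewall must keep it away from untrusted networks.
    Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LocalAddress -Unique
}

$smb1   = Get-Smb1Status
$patch  = Get-Ms17010Evidence
$listen = Get-Smb445Listeners

"SMBv1 server enabled : $($smb1.ServerSmb1Enabled) (feature state: $($smb1.FeatureState))"
"MS17-010 KBs found   : $(if ($patch.MatchedKbs) { $patch.MatchedKbs } else { 'none matched - compare srv.sys version with the bulletin' })"
"srv.sys version      : $($patch.SrvSysVersion)"
"TCP 445 listening on : $(if ($listen) { $listen -join ', ' } else { 'nothing' })"

if ($DisableSmb1 -and $smb1.ServerSmb1Enabled) {
    # Server setting takes effect immediately; removing the optional feature needs a reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if ($smb1.FeatureState -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
    "SMBv1 disabled; reboot to finish removing the optional feature."
}
```

Run it without arguments for the report, and with `-DisableSmb1` to remediate. Disabling SMBv1 breaks very old clients, NAS devices and printers that only speak SMB1, so inventory those first; the 445 listener check is only half the exposure question, since what matters is whether that port is reachable from the internet or from untrusted segments, which has to be verified at the firewall.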
[UPDATE] – 06-27-2017
It appears that the Petya ransomware uses the EternalBlue exploit and a process to harvest admin credentials if it’s capable.
[UPDATE] – 06-28-2017
After the dust settled over the past 24 hours, it’s been determined that the Petya ransomware, also being called NotPetya, was a little more malicious than originally expected. This malware not only uses the EternalBlue exploit, as WannaCry did, but also includes another leaked NSA SMB exploit called EternalRomance for good measure.
The NotPetya malware uses a few other tools besides the NSA exploits to help it spread throughout the network. It’s being seen bundled with Mimikatz to pull admin credentials from a system’s memory and, if those credentials are accessible, attempts to use PsExec and WMIC to spread itself to other machines on the network.
It’s also being reported that the financial software company MeDoc was compromised and a malicious software update was pushed out to its customers, infecting their networks with NotPetya. If the system running the MeDoc software had escalated privileges, or domain admin rights, the malware would spread throughout the entire organization.
You might have seen many people calling this malware not ransomware but a wiper. The NotPetya malware modifies the MBR of a disk and essentially leaves no way for the system to recover from the damage done to the filesystem. Also, the ransom note asked victims to contact an email address, which was promptly taken down, leaving no one able to contact the attackers. This is unusual, and suggests the attack was carried out less for monetary gain and more for destruction.
With WannaCry we became concerned that organizations weren’t patching and were leaving their networks exposed on vulnerable ports, but with NotPetya we’re seeing attackers take it up a notch. Not only are configuration and patching still a concern, but they’re showing that network segmentation and user privileges are still a weak link. Both WannaCry and NotPetya have shown the increased need to get back to security basics to defend your systems.
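The spreading tools named above leave traces in standard Windows event logs. The following PowerShell is an added example, not code from the original post: it runs a small set of rules over event records, looking for the PsExec service install (Event ID 7045 naming PSEXESVC) and both sides of a WMIC remote process creation (Event ID 4688 showing `wmic /node:... process call create` on the source host, and a shell or loader spawned by WmiPrvSE.exe on the target). The four records it processes are constructed for the example; the Event IDs, message field names and regexes are assumptions about default Windows logging with process command-line auditing enabled, and the commented `Get-WinEvent` call at the end shows how to run the same rules on a live host.

```powershell
# Added example (not from the original post): flag the remote-execution patterns
# NotPetya paired with its exploits (PsExec service installs, WMIC remote process
# creation) in Windows event records.
# ASSUMED Event IDs: 7045 (System, new service installed) and 4688 (Security,
# process creation; the command line is only logged when that audit policy is on).

function Find-LateralMovementEvents {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        $msg    = [string]$e.Message
        $reason = $null

        if ($e.Id -eq 7045 -and $msg -match 'PSEXESVC') {
            # PsExec copies its service binary to ADMIN$ and registers it as a
            # service; the install shows up as a 7045 naming PSEXESVC.
            $reason = 'PsExec service installed'
        }
        elseif ($e.Id -eq 4688 -and $msg -match '(?i)\bwmic(\.exe)?\b.*/node:' -and
                $msg -match '(?i)process\s+call\s+create') {
            # Source side of a WMIC remote execution: wmic /node:<host> ... process call create
            $reason = 'WMIC remote process creation'
        }
        elseif ($e.Id -eq 4688 -and $msg -match '(?i)Creator Process Name:\s+\S*\\WmiPrvSE\.exe' -and
                $msg -match '(?i)New Process Name:\s+\S*\\(cmd|rundll32|powershell)\.exe') {
            # Target side: the WMI provider host spawning a shell or loader
            $reason = 'Process spawned by WmiPrvSE.exe (remote WMI execution)'
        }

        if ($reason) {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Computer = $e.MachineName
                Id       = $e.Id
                Reason   = $reason
            }
        }
    }
}

# Constructed sample records (not real logs) shaped like Get-WinEvent output.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2017-06-27 10:01:03'; MachineName = 'WS01'; Id = 7045
        Message = "A service was installed in the system.`r`nService Name: PSEXESVC`r`nService File Name: %SystemRoot%\PSEXESVC.exe" }
    [pscustomobject]@{ TimeCreated = '2017-06-27 10:01:09'; MachineName = 'WS01'; Id = 4688
        Message = "A new process has been created.`r`nNew Process Name: C:\Windows\System32\wbem\WMIC.exe`r`nProcess Command Line: wmic /node:WS02 process call create `"cmd.exe /c whoami`"" }
    [pscustomobject]@{ TimeCreated = '2017-06-27 10:01:10'; MachineName = 'WS02'; Id = 4688
        Message = "A new process has been created.`r`nNew Process Name: C:\Windows\System32\cmd.exe`r`nCreator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe" }
    [pscustomobject]@{ TimeCreated = '2017-06-27 10:05:00'; MachineName = 'WS01'; Id = 4688
        Message = "A new process has been created.`r`nNew Process Name: C:\Windows\System32\notepad.exe`r`nCreator Process Name: C:\Windows\explorer.exe" }
)

Find-LateralMovementEvents -Events $sample | Format-Table -AutoSize
# Three findings: PsExec install on WS01, WMIC remote creation on WS01,
# WmiPrvSE-spawned cmd.exe on WS02. The notepad record is not flagged.

# Live use (commented out): last 24 hours from both logs, same rules.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 7045; StartTime = (Get-Date).AddDays(-1) } +
#         Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-1) }
# Find-LateralMovementEvents -Events $live
```

These rules are deliberately narrow: PsExec can be renamed and its service name changed, and legitimate administrators use WMIC too, so treat a hit as a lead to correlate with the credential-theft side (an unexpected process reading LSASS memory) and with 445 traffic between workstations, which segmentation should normally prevent.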
The WannaCry ransomware has highlighted a few areas in security where customers can tighten their defenses against malware today. Much of this advice relies on basic security hygiene, while other parts bring in new tools that can assist with defending against WannaCry and other malware of its kind. For additional information about WannaCry and how to protect yourself, download this free whitepaper: WannaCry Ransomware: Steps to Protect Yourself.
Contact CCSI today for more information about protecting yourself from ransomware.
Author Bio: Matthew Pascucci is a Security Architect, Privacy Advocate and Security Blogger. He holds multiple information security certificates and has had the opportunity to write and speak about cyber security for the past decade. He’s the founder of www.frontlinesentinel.com and can be contacted via his blog, on Twitter @matthewpascucci, or via email at mpascucci@ccsinet.com.