
Intelligence Advisory – New Petya Ransomware Outbreak

June 27, 2017

On June 27, 2017, Optiv’s Global Threat Intelligence Center (gTIC) received reports from several sources concerning a recent modification to the Petya ransomware strain. This new strain is being referred to as ‘GoldenEye’. The modification has been identified as the use of the SMB exploit leveraged by WannaCry, the so-called EternalBlue exploit. This appears to be a previously unseen ransomware that shares capabilities with the Petya ransomware. This ransomware continues to evolve its tactics, techniques, and procedures (TTPs) to maintain its dominance as an effective, paid ransomware solution.

Countries that are currently reporting Petya infections include, but are not limited to, Russia, Ukraine, Spain, France, United Kingdom, the United States, and India. The ransom demanded for Petya infections is set at $300 in bitcoin per infected device. Reported affected industries include, but are not limited to: financial services; retail, hospitality and travel; and energy and utilities.

Intelligence Advisory

The Global Threat Intelligence Center assesses with HIGH confidence that malicious campaigns will continue to be modified to exploit the SMB vulnerability leveraged by WannaCry, EternalBlue and now Petya. Even though Microsoft released MS17-010 in April of 2017, rendering the SMB vulnerability inert where the patch is applied, organizations around the globe continue to report successful exploitation by malicious actors. Associated patches should be applied immediately; all backups should be kept up to date; and other precautions should be taken, including disabling SMBv1 except where necessary, continuously updating A/V signatures, and applying all known indicators of compromise. These precautions also include perimeter hardening, Microsoft Word hardening, and user education to protect against commonly used infection vectors. gTIC mitigation recommendations are included in the Recommendations section.

Technical Background

The Petya ransomware infection vector includes a malicious Microsoft document that downloads an executable payload. Additionally, Petya operates in two distinct stages. Although its analysis was last updated in January 2017, Malwarebytes provides the following breakdown of Petya’s two stages:

During the first stage, the Windows executable file is dropped and executed. This overwrites the beginning of the disk, including the Master Boot Record, and makes an encrypted (XOR) backup of all original data. Stage one ends when the infected device is rebooted. Saving data from an infected device prior to reboot is relatively easy, because only the beginning of the disk has been modified at that point.

The second stage initiates after the device reboots, and results in the entire drive being encrypted. 

Early analysis indicates that if the user does not have admin rights, the infection will not spread beyond the infected device; it remains isolated to the local system, with encryption taking place only after reboot. If MS17-010 is not patched, the malware will spread via Microsoft Server Message Block (SMB). If MS17-010 is patched and the malware has admin rights, it will spread laterally via WMIC.

Recommendations

Remediation in all cases is to prevent a reboot after the bluescreen, thereby preventing stage 2 encryption. Take a disk image to retain information, then wipe and reboot. The following Microsoft products are exposed to SMB vulnerability attacks, as well as to other variants and tools that employ the same vulnerability:

  • Microsoft Windows Vista SP2
  • Microsoft Windows Server 2008 SP2 and R2 SP1
  • Microsoft Windows 7
  • Microsoft Windows 8.1
  • Microsoft Windows RT 8.1
  • Microsoft Windows Server 2012 and R2
  • Microsoft Windows 10
  • Microsoft Windows Server 2016
  • Microsoft Windows XP
  • Microsoft Windows Server 2003

MS17-010 is the Microsoft security bulletin number for the SMB Server patches that need to be applied. They include:

  • KB4012598
  • KB4012215
  • KB4012212

Petya leverages CVE-2017-0199, and the following patches need to be applied:

  • KB4015546
  • KB4015549

If patching is not possible at this time, tighten SMB security and close port 445. 
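The following script is an added example for this advisory (it is not Optiv's own tooling): it reports whether the KB numbers listed above are present, whether SMBv1 is still enabled, and provides a function that applies the "tighten SMB and close port 445" fallback on a host that cannot yet be patched. Run it from an elevated PowerShell session. One caveat a practitioner should keep in mind: Get-HotFix only lists updates recorded in the local update history, and on Windows 10 later cumulative updates supersede the March 2017 packages, so a "missing" KB here is a prompt to check the build and rollup level, not proof that the host is unpatched. Function names and the firewall rule name are assumptions of this example.

```powershell
# Added example, not part of Optiv's advisory. Run elevated.

# KB numbers are the ones listed in the advisory.
$Ms17010Kbs = 'KB4012598', 'KB4012215', 'KB4012212'
$Cve0199Kbs = 'KB4015546', 'KB4015549'

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-AdvisoryPatchStatus {
    param([string[]]$Kbs, [string]$Label)
    # Get-HotFix reports what the local update history knows about; see caveat above.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $present   = @($Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        Bulletin  = $Label
        Installed = ($present -join ', ')
        Missing   = (@($Kbs | Where-Object { $present -notcontains $_ }) -join ', ')
    }
}

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the server-side flag through the
    # SMB module; older builds are read from the registry, where a missing
    # SMB1 value means the protocol is enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $v = (Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v -or $v -ne 0)
}

function Disable-Smb1AndBlock445 {
    # Plan before running this on file servers or domain controllers: blocking
    # TCP/445 breaks file sharing and SYSVOL access (the advisory's
    # "except where necessary").
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Client/desktop SKUs; on Server use Remove-WindowsFeature FS-SMB1 instead.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue
    } else {
        # Windows 7 / Server 2008 R2: registry switch, effective after reboot.
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value 0
    }
    $ruleName = 'Block inbound SMB TCP/445 (MS17-010 mitigation)'   # hypothetical name
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    } else {
        # NetSecurity module is absent on Windows 7; fall back to netsh.
        netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=445 | Out-Null
    }
}

# Report first; harden only after reviewing the output.
Get-AdvisoryPatchStatus -Kbs $Ms17010Kbs -Label 'MS17-010'
Get-AdvisoryPatchStatus -Kbs $Cve0199Kbs -Label 'CVE-2017-0199'
[pscustomobject]@{ Smb1Enabled = Test-Smb1Enabled }
# Disable-Smb1AndBlock445
```

The hardening function is left commented out so the report can be reviewed on its own; uncomment the last line (or call the function from a management script) once the host has been confirmed not to depend on SMBv1 or inbound SMB.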

Thwart malware by hardening settings for which tools can be run on a machine, as well as which file paths are allowed to contain executables. For instance, executables should not be run out of the system’s temporary directory. Because any process can write to the temp directory, it is often used by malware for initial execution after exploitation.

Implement Endpoint Controls to Protect the Windows AppData Folder. Many malware variants (including CryptoLocker) use the AppData folder to store and call executable files and DLLs. Preventing DLLs and executables from being copied to or run from this folder contains many common ransomware variants.
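One way to implement the two path restrictions above (no execution from the system temp directory, no execution from AppData) is an AppLocker policy. The script below is an added example, not part of the advisory or of any vendor tooling: it builds path rules that deny EXE and DLL execution from the per-user AppData tree and from %WINDIR%\Temp, deploys them in AuditOnly mode so hits are logged to the "Microsoft-Windows-AppLocker/EXE and DLL" event log without blocking anything, and dry-runs the policy against two sample paths. The allow-everything baseline rule makes this a deny-list, matching what the advisory describes; a default-deny allow-list (only Program Files and Windows) is the stronger configuration once an inventory exists. The policy file path and the sample probe paths are assumptions of this example. AppLocker requires the Application Identity service and an Enterprise or Server SKU.

```powershell
# Added example, not part of Optiv's advisory. Run elevated on a test host first.

# AppLocker rules need unique GUIDs; generate six for the six rules below.
$g = 1..6 | ForEach-Object { [guid]::NewGuid().ToString() }

# AppLocker path variables: %OSDRIVE% = system drive, %WINDIR% = Windows directory.
# Deny rules win over Allow rules, so the "*" baseline only keeps the collection
# from blocking everything else while in audit mode.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="{0}" Name="Baseline: allow all EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="{1}" Name="Deny EXE from user AppData" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="{2}" Name="Deny EXE from system Temp" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="AuditOnly">
    <FilePathRule Id="{3}" Name="Baseline: allow all DLL" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="{4}" Name="Deny DLL from user AppData" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="{5}" Name="Deny DLL from system Temp" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@ -f $g

# Hypothetical location for the policy file.
$policyPath = Join-Path $env:ProgramData 'appdata-temp-deny-policy.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run: the first probe path should report Denied, the second Allowed.
$probe = 'C:\Users\jdoe\AppData\Local\Temp\invoice.exe',
         'C:\Program Files\Contoso\app.exe'
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User Everyone

# Merge into the local policy and make sure the Application Identity service runs.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
```

Review the AppLocker audit events for a few weeks before changing EnforcementMode to "Enabled"; software that legitimately installs or updates itself under AppData will show up there and needs an explicit <Exceptions> entry or a publisher rule, otherwise enforcement will break it.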

Monitor for Unauthorized Use of Windows Administration Tools. Modern APTs are using native Windows administration tools such as PsExec, Cygwin, PowerShell, Windows Credential Editor (WCE) and alternative consoles. Native tools are often allowed by endpoint security tools and will not trigger alerts. Organizations that are not actively using these tools should add them to a blacklist or enable the potentially unwanted programs (PUP) group containing these tools.
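As an added example of the monitoring recommended above (not code from the advisory), the script below flags Windows event log records that reference the tools named in this section, plus wmic.exe, which the Technical Background names as the lateral movement path when the malware has admin rights. It reads process-creation events (Security log, event 4688) and service-installation events (System log, event 7045; PsExec registers a service called PSEXESVC), and it ships with constructed sample records so the detector can be exercised offline. For 4688 to carry the command line, the "Audit Process Creation" policy and the "Include command line in process creation events" setting must be enabled. Host names, account names and function names in the sample are assumptions of this example; PowerShell itself is deliberately left out of the watch list because flagging every powershell.exe launch is too noisy to be useful without further context.

```powershell
# Added example, not part of Optiv's advisory.

# Binaries to watch: the tools the advisory lists plus wmic.exe. Trim this to
# whatever is not approved in your environment.
$WatchedPattern = '(?i)(?:\\(?:wmic|psexec64?|psexesvc|wce|mintty)\.exe\b|\\cygwin\d*\\)'

function Get-EventField {
    param([string]$Message, [string]$Field)
    # Pull "Field:<whitespace>value" out of the multi-line message text; first hit wins.
    $m = [regex]::Match($Message, '(?m)^\s*' + [regex]::Escape($Field) + ':\s*(.+?)\s*$')
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

function Find-AdminToolActivity {
    # Accepts Get-WinEvent records, or any object with Id, TimeCreated, MachineName, Message.
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        $msg = [string]$Record.Message
        if ($msg -notmatch $WatchedPattern) { return }
        switch ($Record.Id) {
            4688 {
                [pscustomobject]@{
                    Time    = $Record.TimeCreated
                    Host    = $Record.MachineName
                    Signal  = 'ProcessCreate'
                    Account = Get-EventField $msg 'Account Name'
                    Image   = Get-EventField $msg 'New Process Name'
                    Detail  = Get-EventField $msg 'Process Command Line'
                }
            }
            7045 {
                [pscustomobject]@{
                    Time    = $Record.TimeCreated
                    Host    = $Record.MachineName
                    Signal  = 'ServiceInstall'
                    Account = Get-EventField $msg 'Service Account'
                    Image   = Get-EventField $msg 'Service File Name'
                    Detail  = 'Service Name: ' + (Get-EventField $msg 'Service Name')
                }
            }
        }
    }
}

function Get-RecentAdminToolActivity {
    # Live query: the last $Hours of Security/4688 and System/7045 on this host.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $filters = @(
        @{ LogName = 'Security'; Id = 4688; StartTime = $since },
        @{ LogName = 'System';   Id = 7045; StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | Find-AdminToolActivity
    }
}

# Constructed sample records (hypothetical hosts and accounts) so the detector
# can be run without touching a live log. The third record is benign and
# should not be reported.
$SampleRecords = @(
    [pscustomobject]@{ Id = 4688; TimeCreated = [datetime]'2017-06-27 10:15:00'; MachineName = 'WS01.corp.example'
        Message = "A new process has been created.`n`nSubject:`n`tAccount Name:`t`tjdoe`n`nProcess Information:`n`tNew Process Name:`tC:\Windows\System32\wbem\WMIC.exe`n`tProcess Command Line:`twmic  computersystem get name" }
    [pscustomobject]@{ Id = 7045; TimeCreated = [datetime]'2017-06-27 10:16:30'; MachineName = 'WS02.corp.example'
        Message = "A service was installed in the system.`n`nService Name:  PSEXESVC`nService File Name:  %SystemRoot%\PSEXESVC.exe`nService Type:  user mode service`nService Start Type:  demand start`nService Account:  LocalSystem" }
    [pscustomobject]@{ Id = 4688; TimeCreated = [datetime]'2017-06-27 10:17:00'; MachineName = 'WS01.corp.example'
        Message = "A new process has been created.`n`nSubject:`n`tAccount Name:`t`tjdoe`n`nProcess Information:`n`tNew Process Name:`tC:\Windows\System32\notepad.exe`n`tProcess Command Line:`tnotepad.exe" }
)

$SampleRecords | Find-AdminToolActivity | Format-Table -AutoSize
# On a real host: Get-RecentAdminToolActivity -Hours 24
```

Two of the three sample records are reported (the WMIC process launch and the PSEXESVC service install); the notepad launch is ignored. In production, forward the Security and System logs centrally and run the same filter there, since an endpoint that has already been encrypted will not be available to query.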

User education should involve frequently advising users of how attackers are trying to gain a foothold in the environment – an aware user is more likely to identify and rebuff an attack attempt. User education around this campaign should include:

  • Lure types: Microsoft Word documents claiming to be attached scans.
  • Document trust: Do not open documents that are not expected. This includes attachments from unknown senders, as well as documents claiming to be scans, faxes, invoices, or receipts related to vague, unknown, or unrecognized business.
  • Microsoft Word features: If a document from an email is opened in Protected Mode, a user should not enable editing of the document unless they expected the document and know who sent it.

Furthermore, ensure that users are trained on how to report phishing emails to the internal information security department.

