Update: Intelligence Advisory – Petya Outbreak
This is an update to the Intelligence Advisory released June 27, 2017.
On June 27, 2017, Optiv’s Global Threat Intelligence Center (gTIC) received reports from several sources pertaining to a newly created Petya ransomware strain. Initial reports identified infections in multiple countries including Russia, Ukraine, Spain, France, the United Kingdom, the United States, and India. Affected industries included financial services; retail, hospitality and travel; and energy and utilities. The variant was found to incorporate the EternalBlue exploit (an SMB vulnerability in multiple Microsoft Windows versions) that was leveraged in the globally recognized WannaCry outbreak.
Further analysis suggests that the recent Petya malware is operating as a disk wiper rather than the ransomware it purports to be. Research released June 28, 2017 by the cyber-security firm Comae compared Petya code samples captured in 2016 with code obtained in June 2017. The differences between the two samples characterize this Petya (also known as GoldenEye, Petyawrapper, NotPetya, SortaPetya and Petna) as a wiper rather than ransomware. Ransomware attempts to extort victims for monetary gain, whereas wipers are designed to destroy data and prevent recovery.
The gTIC team assesses with HIGH CONFIDENCE that this Petya variant has an espionage-based intent, and should be addressed as a critical threat. According to Comae, the ransomware lure was designed to be a distraction, and the author(s) never intended to allow data recovery.
Payment should not be made under any circumstances, as the e-mail account associated with this variant has been disabled by its service provider. Even if the campaign’s aim were monetary extortion, a decryption key will NOT be provided in exchange.
Researchers following the Petya outbreak believe that ground zero for the global outbreak was a compromised update server for accounting software. M.E.Doc, a Ukrainian software vendor, has a history of being compromised: in May 2017, M.E.Doc was found to have served the XData ransomware through one of its automated software updates. M.E.Doc’s customers are primarily Ukrainian and Russian, which is why they constitute the vast majority of victims infected with this Petya variant.
Research conducted by Comae, and backed by Kaspersky, identified differences in the core of the ransomware code. While traditional Petya and its many variants are extortion-based malware used in campaigns designed for monetary gain, the change in its core code caused this Petya to wipe the first few sectors of the drive before switching back to Petya’s encryption of the Master Boot Record. This type of attack is commonly seen in wiper-based malware such as Shamoon. Additionally, according to MalwareTech, this Petya variant was specifically designed to spread only across the infected device’s local network.
According to Comae: “The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative. A ransomware has the ability to restore its modification such as (restoring the MBR like in the 2016 Petya, or decrypting files if the victim pays) — a wiper would simply destroy and exclude possibilities of restoration.”
NotPetya destroys the first twenty-four sectors of the drive and prevents any data from being written back to those sectors. These changes are permanent and cause critical damage to the disk. Considering the deliberate steps taken to modify the ransomware code, and that most ransomware campaigns are not very ‘profitable’, it is reasonable to infer that the ransom lure is a smokescreen and that the attack is attributable to a nation state.
As previously stated, the e-mail account associated with this variant has been shut down by its service provider. Recovery of decryption keys will NOT be possible, and therefore ransoms should NOT be paid under any circumstances.
Previous recommendations from the original advisory are still in effect:
In all cases, remediation is to prevent the reboot after the blue screen, thereby preventing the stage 2 encryption. Take a disk image to retain information, then wipe and reboot. The following Microsoft software is exposed to SMB vulnerability attacks, as well as to other variants and tools that employ the same vulnerability:
MS17-010 is the Microsoft security bulletin covering the SMB Server patches that need to be applied. They include:
Petya also leverages CVE-2017-0199, and the following patch needs to be applied:
If patching is not possible at this time, tighten SMB security and close port 445.
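The host-side steps above (stop the reboot that triggers stage 2, patch or disable SMBv1, close port 445) can be checked and applied with the following PowerShell. This is an added example, not code from the Optiv advisory; the function names are the example’s own, and `$Ms17010KbIds` is a placeholder that must be filled from the MS17-010 bulletin for your OS build, since no KB numbers are assumed here.

```powershell
# Added example; not code from the Optiv advisory. Reports, and with -Enforce applies,
# the three host-side measures from the advisory: stop the automatic reboot that
# leads into the stage 2 encryption, turn off the SMBv1 server protocol that
# EternalBlue targets, and block inbound TCP/445. Run elevated on Windows 8.1 /
# Server 2012 R2 or later (needs the SmbShare and NetSecurity modules).
# $Ms17010KbIds is a placeholder: supply the KB ids listed in MS17-010 for your OS.
param(
    [string[]]$Ms17010KbIds = @(),
    [switch]$Enforce
)

$RuleName = 'Block inbound SMB TCP/445'

function Get-PetyaExposure {
    # Snapshot of the settings this script can change, plus whether the MS17-010 fix is present.
    $smb   = Get-SmbServerConfiguration
    $crash = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' -Name AutoReboot
    $patched = if ($Ms17010KbIds.Count -gt 0) {
        [bool](Get-HotFix -Id $Ms17010KbIds -ErrorAction SilentlyContinue)
    } else { 'unknown (pass -Ms17010KbIds)' }
    [pscustomobject]@{
        Smb1Enabled       = $smb.EnableSMB1Protocol
        AutoRebootOnCrash = [bool]$crash.AutoReboot
        Inbound445Blocked = [bool](Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
        Ms17010Installed  = $patched
    }
}

function Set-PetyaMitigations {
    # 1. Keep the machine at the blue screen instead of rebooting into the encryption stage,
    #    which also preserves the disk for imaging.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' `
        -Name AutoReboot -Value 0 -Type DWord
    # 2. Disable the SMBv1 server side; SMBv2/v3 clients are unaffected.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # 3. Close port 445 to all inbound traffic. If this host must still serve files,
    #    add a narrowly scoped Allow rule for the known clients afterwards.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

Write-Host 'Before:'; Get-PetyaExposure | Format-List
if ($Enforce) {
    Set-PetyaMitigations
    Write-Host 'After:';  Get-PetyaExposure | Format-List
}
```

Run it once without `-Enforce` to see the current state, then with `-Enforce` to apply the changes. Disabling the SMBv1 protocol in the server configuration is the quick mitigation; removing the `SMB1Protocol` optional feature altogether is the longer-term fix once the MS17-010 patch is in place. The disk-imaging step the advisory calls for is deliberately not scripted.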
Thwart malware by hardening settings for which tools can be run on a machine and which file paths may contain executables. For instance, executables should not be run from the system’s temporary directory. Because all binaries have permission to write to the temp directory, it is often used by malware for initial execution after exploitation.
Implement endpoint controls to protect the Windows AppData folder. Many malware variants (including CryptoLocker) use the AppData folder to store and call executable files and DLLs. Preventing DLLs and executables from being copied to or run from this folder blocks many common ransomware variants.
Monitor for unauthorized use of Windows administration tools. Modern APTs are using native Windows administration tools such as PsExec, Cygwin, PowerShell, Windows Credential Editor (WCE) and alternative consoles. Native tools are often allowed by endpoint security tools and will not trigger alerts. Organizations that are not actively using these tools should add them to a blacklist or enable the potentially unwanted programs (PUP) group containing these tools.
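One way to implement the two path controls above (no execution from the temp directories, none from AppData) is an AppLocker executable rule collection. The script below is an added example and not the advisory’s or Optiv’s own code; it assumes an edition of Windows that supports AppLocker with the Application Identity service running, and the rule names, file name and function names are the example’s own.

```powershell
# Added example, not from the Optiv advisory: build and import an AppLocker policy that
# denies execution from the user temp, AppData and Windows temp paths while allowing the
# normal program locations. Assumes Windows Enterprise/Server with the Application
# Identity service (AppIDSvc) running. The collection starts in AuditOnly so the rules can
# be checked against the 'Microsoft-Windows-AppLocker/EXE and DLL' event log before
# switching to 'Enabled'.

function New-ExePathRule {
    param(
        [string]$Name,
        [string]$Path,
        [ValidateSet('Allow', 'Deny')][string]$Action
    )
    # Every rule needs its own GUID; S-1-1-0 is the Everyone SID, so local admins are
    # covered too (narrow the SID if administrators need an exemption).
    @"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="S-1-1-0" Action="$Action">
      <Conditions>
        <FilePathCondition Path="$Path" />
      </Conditions>
    </FilePathRule>
"@
}

function New-TempAppDataPolicyXml {
    param([ValidateSet('AuditOnly', 'Enabled')][string]$Mode = 'AuditOnly')
    $rules = @(
        # Baseline allow rules: once a collection has any rule, everything not allowed is
        # blocked, so these keep normal software running.
        New-ExePathRule -Name 'Allow Program Files' -Path '%PROGRAMFILES%\*' -Action Allow
        New-ExePathRule -Name 'Allow Windows'       -Path '%WINDIR%\*'       -Action Allow
        # Deny rules take precedence over allow rules, so these still bite inside %WINDIR%.
        # %OSDRIVE%\Users\*\AppData\Local\* also covers each user's Temp directory.
        New-ExePathRule -Name 'Deny local AppData'   -Path '%OSDRIVE%\Users\*\AppData\Local\*'   -Action Deny
        New-ExePathRule -Name 'Deny roaming AppData' -Path '%OSDRIVE%\Users\*\AppData\Roaming\*' -Action Deny
        New-ExePathRule -Name 'Deny Windows Temp'    -Path '%WINDIR%\Temp\*'                     -Action Deny
    )
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
}

# Write the policy somewhere the rules themselves do not forbid, then dry-run and import.
$policyFile = Join-Path $env:ProgramData 'AppLocker-AppData-Deny.xml'
New-TempAppDataPolicyXml -Mode AuditOnly | Set-Content -Path $policyFile -Encoding Unicode

# Dry run: show how the policy would treat the executables already sitting in the user's temp.
Get-ChildItem -Path "$env:LOCALAPPDATA\Temp" -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the effective local policy; use -Ldap to target a GPO in a domain instead.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```

Leave the collection in `AuditOnly` until the AppLocker event log shows only expected denials; legitimate installers that stage themselves in AppData (click-to-run style updaters, for instance) will show up there and need an explicit publisher or hash allow rule before the mode is changed to `Enabled`.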
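The monitoring recommendation above can be exercised against Security log event 4688 (process creation). The following is an added example, not the advisory’s own detection content; it assumes the ‘Audit Process Creation’ policy is on (with command-line logging enabled for the `CommandLine` field), and `$AuthorizedUsers`, the watch-list entries and the constructed sample record are the example’s own.

```powershell
# Added example, not from the Optiv advisory: flag executions of the administration tools
# named in the advisory (PsExec, Cygwin, PowerShell, WCE) by accounts that are not
# authorised to use them, using Security event 4688. Requires 'Audit Process Creation';
# the CommandLine field is populated only when
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled = 1.

# Binary names to watch. Name matching is the first filter; a renamed PsExec is still
# visible through the PSEXESVC service it installs and the -accepteula switch it passes.
$WatchList = @{
    'psexec.exe'         = 'PsExec'
    'psexec64.exe'       = 'PsExec'
    'psexesvc.exe'       = 'PsExec remote service'
    'wce.exe'            = 'Windows Credential Editor'
    'bash.exe'           = 'Cygwin shell (also matches WSL; review before alerting)'
    'mintty.exe'         = 'Cygwin terminal'
    'powershell.exe'     = 'PowerShell'
    'powershell_ise.exe' = 'PowerShell ISE'
}

function ConvertFrom-ProcessCreationEvent {
    # Pull the named EventData fields out of a 4688 record (works on exported .evtx as well).
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            Computer    = $x.Event.System.Computer
            User        = $d['SubjectUserName']
            Process     = $d['NewProcessName']
            Parent      = $d['ParentProcessName']
            CommandLine = $d['CommandLine']
        }
    }
}

function Test-UnauthorizedAdminTool {
    # Emits the record with a Reason property when a watched tool is run by an
    # account outside $AuthorizedUsers; otherwise emits nothing.
    param(
        [Parameter(ValueFromPipeline)]$Proc,
        [string[]]$AuthorizedUsers = @()
    )
    process {
        $name = [IO.Path]::GetFileName([string]$Proc.Process).ToLowerInvariant()
        $hit  = $WatchList[$name]
        if (-not $hit -and $Proc.CommandLine -match '(?i)psexesvc|\s-accepteula\b') {
            $hit = 'PsExec-like command line (renamed binary?)'
        }
        if ($hit -and ($AuthorizedUsers -notcontains $Proc.User)) {
            $Proc | Add-Member -NotePropertyName Reason -NotePropertyValue $hit -PassThru
        }
    }
}

# Constructed sample record (not from a real incident) to exercise the logic offline:
# a renamed PsExec run from a Downloads folder by an unprivileged user.
$sample = [pscustomobject]@{
    Time = Get-Date; Computer = 'WS01'; User = 'jdoe'
    Process = 'C:\Users\jdoe\Downloads\ps.exe'; Parent = 'C:\Windows\explorer.exe'
    CommandLine = 'ps.exe -accepteula \\WS02 cmd'
}
$sample | Test-UnauthorizedAdminTool -AuthorizedUsers @('svc_deploy') | Format-List

# Live query over the last 24 hours; forward the output to your SIEM or Export-Csv.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-1) } |
    ConvertFrom-ProcessCreationEvent |
    Test-UnauthorizedAdminTool -AuthorizedUsers @('svc_deploy') |
    Format-Table Time, Computer, User, Process, Reason, CommandLine -AutoSize
```

The `powershell.exe` entries will be noisy on any estate where scripts run routinely; the intent, as the advisory says, is to alert where the organisation does not actively use the tool, which is what the `$AuthorizedUsers` allow-list expresses. Where Sysmon is deployed, the same logic applies to its event ID 1, which carries the process name and command line in the same way.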
User education should involve frequently advising users of how attackers are trying to gain a foothold in the environment – an aware user is more likely to identify and rebuff an attack attempt. User education around this campaign should include:
Furthermore, ensure that users are trained on how to report phishing emails to the internal information security department.