By now most of you are aware that on the 27th of June we entered a new era of security in information systems. A new type of malware hit networks and started to infect computer systems within Ukraine, then spread fast across the world.
Petya, a new variant of the previously known ransomware, has attacked small and large organizations, hitting some very big companies like Maersk, Cadbury, Merck, Deutsche Post and many others.
Their users woke up to see a ransom demand on their screens. We know now that it was a fake request from the start!
It spread too fast for IT departments to stop it. Servers are damaged, and most of the organizations hit by it are right now in damage control mode.
What is important?
This malware, Petya or NotPetya as it is called by now, IS HERE TO STAY. It will be EXTREMELY hard to eradicate, and others will follow.
Before we go into the details of how you can protect your company in the future, check a few of the MOST IMPORTANT facts and answers.
Quick facts and answers
Here are a few fast facts and answers you need in order to assess the situation fully:
Q: Is this malware attacking only un-patched and old systems?
A: NO, even most recent and patched systems are vulnerable!
Why? This malware does not rely only on holes in the system, as the earlier WannaCry worm did and as the initial assessment suggested. It is very sophisticated and written by PROs.
It uses many different techniques to infect and spread across the network, and thus even fully patched machines can be infected.
PATCHING is IMPORTANT: it limits the attack vector. DO IT! No excuses.
Q: I was HIT! My machine is not working! Should I pay the ransom and get it back?
A: NO, this isn’t true ransomware, and paying will not get your data back.
NotPetya is not true ransomware. It is a wiper: malware built to destroy data. It is only pretending to be ransomware. Even if you pay, there is no way to retrieve your data, as the encryption keys are discarded by the malware after the operation is done. The code displayed to you for your payment is just random data.
Q: I get it, no ransom! Is there any way I can recover the data other than through the ransom?
A: NO, your data is lost.
We don’t like to deliver bad news, but this is true: your data is lost. This was an attack meant to destroy data. Focus on damage control and recovery.
Q: We are being attacked. What can we do?!
A: Act fast! Shut down everything and contain the damage, then recover!
You are being hit! STOP READING THIS RIGHT NOW, shut down your machines and contain the damage. Then take control and start recovery. You can read our article later.
How to not get infected?
If you are fine so far and this malware has not hit you, IT DOESN’T MEAN you are SAFE! The outbreak continues, and it will stay with us for a long time.
What you can do to prevent infection:
- PATCH and UPDATE your systems. Make sure that all your machines are up to date, not only from the OS perspective but also other components like Office (one of the attack vectors for this malware) and supporting tools like AV software.
- Educate your users NOT to OPEN ATTACHMENTS from unknown addresses or from e-mails that do not look legitimate. We’ve learned it the hard way, and this can be stopped only with education.
Note on attachments: this is a long-term strategy game, but try to remove e-mail attachments from your business flow. If people get used to sending links to your drives, in the cloud or locally, they will become more aware that an attachment is something dangerous and uncommon.
Some organizations are blocking all attachments at the moment to prevent infection. A radical move, but it might be a sound strategy! Consider it!
This is nothing new Mr. Obvious! Anything more?!
Some less obvious advice to prevent Petya and similar malware:
- Do not use your admin credentials on workstations which can be infected. Limit the attack vector. Why? Petya uses code from mimikatz to obtain access to processes and extract credentials. If it obtains AD credentials, it will spread using legitimate usernames and passwords. Keeping admin credentials off workstations will make this harder. Our advice given in this blog post on general security, still
- If you have used admin credentials on a workstation, reboot it afterwards to remove these credentials from memory. It is important: this is what is fueling this worm to reach fully patched systems.
- There are some “vaccines” for Petya, things which will stop it from spreading but not from infecting your machines. You can read about them in many places, including the F-Secure blog.
BEFORE YOU JUMP to execute them, first spend time on things like:
PATCHING, UPDATING your AV and making sure you have the right BACKUP for all your important data!
What can you do more to limit the damage?
What else can be done to limit the spreading, prevent the damage or protect my systems? There are plenty of ways and methods; here are a few that apply if you use online services (the ones we know well enough to give you sound advice on).
Azure Security Center now has Petya attack detection and prevention implemented. This is something where cloud services can act with speed. Make sure you have checked it and, if you use Security Center, that you have the right monitoring in place for it.
Segment your network and contain the traffic. Network segmentation and traffic control between segments can in the future prevent or limit the damage caused by that kind of worm.
If you use Office 365 and OneDrive, it may happen that local copies of files get encrypted. Most malware (not Petya) changes the extensions of the encrypted files. You can block specific extensions from being synchronized to Office 365. Lists of known ransomware file extensions can be found in many places, for example on GitHub.
Be sure you have the right backups, stored in the right locations, and, MOST IMPORTANT, procedures to execute to recover your organization from it. Not a single server, not a single database, but the entire organization.
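To make the segmentation advice concrete, here is an added example (not code from the original post) that models how far a worm spreading over TCP 445/139 can reach from one infected host. The hosts, segments and allow-rules are constructed for illustration; intra-segment isolation is assumed to come from a host firewall that blocks inbound SMB from peers, which is what "contain the traffic" means in practice.

```python
"""Added example: blast radius of an SMB worm under a flat network vs. a
segmented one. Inventory and rules below are constructed, not real."""
from collections import deque

# Constructed inventory: host name -> network segment
HOSTS = {
    "ws-01": "workstations", "ws-02": "workstations", "ws-03": "workstations",
    "fs-01": "servers", "dc-01": "servers",
    "hr-01": "hr-vlan", "hr-02": "hr-vlan",
}

# Flat network: any segment may reach any segment (itself included) on 445/139.
FLAT_RULES = {("*", "*")}

# Segmented network: clients reach servers, servers reach servers, nothing else.
# Note there is no ("workstations", "workstations") rule: workstation-to-workstation
# SMB is blocked by the host firewall, so the worm's subnet sweep finds no targets.
SEGMENTED_RULES = {
    ("workstations", "servers"),
    ("hr-vlan", "servers"),
    ("servers", "servers"),
}


def smb_allowed(src_seg, dst_seg, rules):
    """True if a 445/139 flow from src_seg to dst_seg is permitted by `rules`."""
    return ("*", "*") in rules or (src_seg, dst_seg) in rules


def blast_radius(start, hosts, rules):
    """Breadth-first walk: every host the worm can reach from `start` when each
    hop needs an allowed SMB flow between the two hosts' segments. The worm is
    assumed to hold valid credentials, so reachability alone decides infection."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for host, seg in hosts.items():
            if host not in seen and smb_allowed(hosts[current], seg, rules):
                seen.add(host)
                queue.append(host)
    return seen


def compare_policies(start, hosts):
    """Reachable-host counts for the same starting point under both policies."""
    return {
        "flat": len(blast_radius(start, hosts, FLAT_RULES)),
        "segmented": len(blast_radius(start, hosts, SEGMENTED_RULES)),
    }


if __name__ == "__main__":
    for host in ("ws-01", "hr-01", "fs-01"):
        print(host, compare_policies(host, HOSTS))
```

The servers segment is still reachable from an infected workstation, which is why the post also insists on keeping admin credentials off workstations and on forest recovery plans: segmentation shrinks the reachable set, it does not make the file server or domain controller immune.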
Why is Petya different and so important?
Here are a few thoughts about it from our CTO, Tomasz Onyszko, who took the time to sum it up for you.
With this infection, we have entered a new era of malware outbreaks. Lots of clues indicate that this worm was well prepared to destroy data from the beginning, with its target, a specific country, indicated by its entry vector.
Its most likely initial entry vector was an update to software distributed by an external company. This adds a new element to the never-ending security landscape: you need to manage and secure your entire supply chain, with all vendors and software used by your organization.
It is very sophisticated and uses multiple techniques to spread. Patching alone is not enough. You need to secure your network not only to prevent infection but also to stop it from harvesting your credentials over the network. We should have done this a long time ago, but here we have it exploited at scale. There is no way around it anymore.
Last but most important: your organization needs to be prepared to recover its operations from a state of total disaster. It is not a single machine infected. It is not a single server lost.
What if your entire system is lost? Where will you start to recover?
There is a movie, 28 Days Later. It shows the world after a virus outbreak where only a few people survived. This is its digital equivalent. All is lost, and you need to recover.
Is anything destroyed that causes real-world damage or threatens lives?
What is the minimal service level you need to restore to keep your business running?
What should be up and running a day after?
How will you get there?
We need to answer all these questions in the post-Petya world.
In my almost 20 years of professional career, I think I’ve met only 5% of organizations who had a forest recovery plan for their Active Directory ready. Now is the day when some of them need to use it.
Do you have yours ready?
How does Petya work?
Finally, it is time for some technical details on how it works and spreads. Our consultant Artur Brodziński took the time to prepare this summary for you based on the available technical information. Read it thoroughly to get additional details and understand it better.
How does it spread across the network?
Petya is a worm, which means that in the first step it builds a list of computers which should be affected, and later the worm is propagated to each machine. It infects all kinds of devices, including fully patched ones, because it uses network credentials to do so.
It was observed that Petya infected and took down up to 5000 computers within a few minutes, so it is really hard to stop it once it enters your network.
A full list of computers is prepared by the worm from the following sources:
- All resources in Active Directory it can obtain and dump
- IP addresses and DHCP servers of all network adapters
- DHCP clients of the DHCP server if ports 445/139 are open
- IP addresses within the subnet as defined by the subnet mask if ports 445/139 are open
- Computers you have a current open network connection with
- Computers in the ARP cache
- Resources in the Windows Credential Manager
How can it connect to another computer if it doesn’t have credentials for other systems?
Petya also builds a list of users and passwords which are stored in memory. To gather this information, the following methods are used:
- Credentials are taken from Windows Credential Manager
- A credential dumper is executed
Once both lists are built, it uses two methods to spread on the network:
- SMB exploits: it uses the same EternalBlue exploit which was used during the WannaCry ransomware attack. The exploit uses SMB version 1 and TCP port 445 to propagate.
- Network share execution: the worm attempts to spread to the target computers by copying itself to \\<computer name>\admin$ using the credentials from the earlier created list. Windows Management Instrumentation Command-line (WMIC) and PsExec tools are used for this.
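The two behaviours above leave a recognisable trail in Windows security logs: one source writing to ADMIN$ on many hosts within minutes (the copy-and-execute spread), and privileged accounts logging on interactively to workstations (the sessions whose credentials the dumper harvests, which is what the earlier advice about admin credentials targets). The following detection logic is an added example, not code from the original post or from the authors. Event IDs 5145 (detailed file share access) and 4624 (logon), and logon types 2 (interactive) and 10 (RemoteInteractive), are real Windows values; the one-line key=value layout, hosts, users and timestamps are constructed for the example and do not mirror the real event XML.

```python
"""Added example: flag the worm's lateral-movement pattern and risky admin
logons in constructed, simplified security-log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (simplified key=value form, not real Windows output).
SAMPLE_LOG = r"""
2017-06-27T10:00:01Z evt=4624 host=WS-01 user=CORP\jsmith logon_type=2
2017-06-27T10:00:40Z evt=4624 host=WS-01 user=CORP\adm-jdoe logon_type=10
2017-06-27T10:01:02Z evt=5145 src=10.0.1.5 user=CORP\adm-jdoe share=\\WS-02\ADMIN$
2017-06-27T10:01:03Z evt=5145 src=10.0.1.5 user=CORP\adm-jdoe share=\\WS-03\ADMIN$
2017-06-27T10:01:04Z evt=5145 src=10.0.1.5 user=CORP\adm-jdoe share=\\WS-04\ADMIN$
2017-06-27T10:01:05Z evt=5145 src=10.0.1.5 user=CORP\adm-jdoe share=\\FS-01\ADMIN$
2017-06-27T10:01:06Z evt=5145 src=10.0.1.5 user=CORP\adm-jdoe share=\\WS-05\ADMIN$
2017-06-27T10:30:00Z evt=5145 src=10.0.1.9 user=CORP\backup share=\\FS-01\Backups$
2017-06-27T11:00:00Z evt=5145 src=10.0.1.9 user=CORP\backup share=\\FS-02\ADMIN$
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_lines(text):
    """Turn the key=value lines into dicts; 'ts' becomes a datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, _, rest = line.partition(" ")
        event = dict(KV.findall(rest))
        event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def share_target(share):
    r"""Split a UNC path: '\\WS-02\ADMIN$' -> ('WS-02', 'ADMIN$')."""
    parts = share.strip("\\").split("\\")
    return parts[0].upper(), parts[-1].upper()


def admin_share_fanout(events, window=timedelta(minutes=5), threshold=4):
    """Sources that touch ADMIN$ on at least `threshold` distinct hosts inside
    `window`: the copy-to-admin$ then PsExec/WMIC pattern described above.
    Returns {source_ip: set_of_target_hosts}."""
    per_src = defaultdict(list)
    for event in events:
        if event.get("evt") == "5145":
            host, share = share_target(event["share"])
            if share == "ADMIN$":
                per_src[event["src"]].append((event["ts"], host))
    flagged = {}
    for src, records in per_src.items():
        records.sort()
        for i, (t0, _) in enumerate(records):
            targets = {h for t, h in records[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                flagged.setdefault(src, set()).update(targets)
    return flagged


def privileged_logons_on_workstations(events, privileged, workstation_prefix="WS-"):
    """Interactive (2) or RDP (10) logons by privileged accounts on workstations,
    i.e. exactly the sessions that leave reusable credentials in memory."""
    hits = []
    for event in events:
        if (event.get("evt") == "4624"
                and event.get("logon_type") in {"2", "10"}
                and event["user"] in privileged
                and event["host"].startswith(workstation_prefix)):
            hits.append((event["host"], event["user"], int(event["logon_type"])))
    return hits


if __name__ == "__main__":
    events = parse_lines(SAMPLE_LOG)
    print("ADMIN$ fan-out:", admin_share_fanout(events))
    print("Admin logons on workstations:",
          privileged_logons_on_workstations(events, {"CORP\\adm-jdoe"}))
```

The fan-out threshold and window are deliberately conservative; an account such as the backup service that legitimately reaches one ADMIN$ share per half hour stays below it, while the worm's burst of five hosts in four seconds is flagged immediately. The second check is the monitoring counterpart of "do not use admin credentials on workstations": every hit is a machine that should be rebooted after the session ends.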
How does it work?
Petya uses three steps to infect a computer:
- MBR overwrite: it overwrites the hard drive’s Master Boot Record and implants a custom boot-loader. It sets up a scheduled task to shut down the machine at least 10 minutes after the current time.
- MFT encryption: it uses the custom boot-loader from step 1 to encrypt all Master File Table (MFT) records, which renders the file system completely unreadable.
- Ransom demand: once the MBR and MFT encryption are complete, the computer boots and the ransom instruction is shown to the end user. But as you already know, it is just smoke to cover its true actions.
This ransomware attempts to encrypt all files with the following file name extensions in all folders in all fixed drives, except for C:\Windows:
IMPORTANT! ENCRYPTION happens before the reboot, so by the time you see your computer being rebooted, your data is already gone.
Ransomware will probably become so common that we will stop noticing it in a while.
This one is not ransomware but malware with the goal of destroying data. It bundled exploits and hacking techniques to spread so fast and so wide.
It has caught a lot of companies unprepared. Investments in external protections were made, but it is always the weakest point which gets broken. And in this case, that point was internal protection and good security practices.
Be sure it will happen again with a new variant or worm, and this one will be around for a long time.
Better get prepared now. Talk with our experts.