The world of IT changed on 27 June 2017. The outbreak of Petya defined a new era of malware that threatens the security of organizations' IT systems. But are we completely helpless against it? Not necessarily. Read on to find out what you need to know about Petya and how you can secure your data against a wiper malware attack.
By now most of you are aware that on 27 June we entered a new era of security in information systems. A new type of malware hit networks and started infecting computer systems in Ukraine, then spread fast across the world.
Petya, a new variant of previously known ransomware, attacked small and large organizations alike, including some very big companies such as Maersk, Cadbury, Merck, Deutsche Post and many others.
Their users woke up to a notice demanding ransom on their screens. We now know that it was a fake request from the start!
It spread too fast for IT departments to stop it. Servers are damaged, and most of the organizations hit are in damage control mode right now.
What is important?
This malware, Petya or NotPetya as it is called by now, IS HERE TO STAY. It will be EXTREMELY hard to eradicate. And others will follow.
Before we go into details on how you can protect your company in the future, here are the MOST IMPORTANT facts and answers.
Quick facts and answers
Here are a few fast facts and answers you need to assess the situation fully:
Q: Is this malware attacking only unpatched and old systems?
A: NO, even the most recent, fully patched systems can be infected!
Why? This malware does not rely only on holes in the system, as the earlier WannaCry worm did and as the initial assessment assumed. It is very sophisticated and written by PROs.
It uses several different techniques to infect and spread across the network, and thus even fully patched machines can be infected.
PATCHING is IMPORTANT – it limits the attack vectors. DO IT! No excuses.
Q: I was HIT! My machine is not working! Should I pay the ransom to get it back?
A: NO, this isn't true ransomware and paying will not get your data back.
NotPetya is not true ransomware. It is a wiper, malware built to destroy data, that only pretends to be ransomware. Even if you pay, there is no way to retrieve your data: the malware discards the encryption keys once it has finished, and the "installation key" displayed for your payment is just random data that cannot be turned into a decryption key.
Q: I get it, no ransom! Is there any way I can recover the data other than paying?
A: NO, the data on the infected machine is lost.
We don't like delivering bad news, but it is true: your data is lost. This attack was built to destroy data. Focus on damage control and on recovery from backups.
Q: We are being attacked. What can we do?!
A: Act fast! Shut everything down to contain the damage, then recover!
You are being hit! STOP READING THIS RIGHT NOW, shut down your machines and contain the damage. Then take control and start recovery. You can read our article later.
How not to get infected?
If you are fine so far and this malware has not hit you, IT DOESN'T MEAN you are SAFE! The outbreak continues, and it will stay with us for a long time.
What you can do to prevent infection:
- PATCH and UPDATE your systems; make sure that all your machines are up to date not only at the OS level but also in other components such as Office (reported as one of the attack vectors for this malware) and supporting tools like AV software.
- Educate your users NOT to OPEN ATTACHMENTS from unknown senders or from e-mails that do not look legitimate – we have learned this the hard way, and it can only be stopped with education.
Note on attachments: this is a long-term strategy game, but try to remove e-mail attachments from your business flow. If people get used to sending links to your drives, in the cloud or on-premises, they will become aware that an attachment is something unusual and potentially dangerous.
Some organizations are blocking all attachments at the moment to prevent infection. A radical move, but it might be a sound strategy! Consider it!
This is nothing new, Mr. Obvious! Anything more?!
Some less obvious advice to prevent Petya and similar malware:
- Do not use your admin credentials on workstations that can be infected. Limit the attack vector. Why? Petya uses code from mimikatz to gain access to processes and extract credentials from memory. If it obtains AD credentials, it spreads using legitimate usernames and passwords, so keeping admin credentials off workstations makes that harder. We have given this advice before in our posts on general security, but it still stands.
- If you have used admin credentials on a workstation, reboot it afterwards to clear those credentials from memory. This is important: it is what fuels this worm's spread to fully patched systems. Note that credentials saved in Windows Credential Manager survive a reboot and are harvested as well, so remove any saved admin credentials there too.
- There are some "vaccines" for Petya: things that stop it from running on a machine where they are in place, not from reaching that machine over the network. You can read about them in many places, including the F-Secure blog.
BEFORE YOU JUMP to execute them, first spend time on doing things like:
PATCHING, UPDATING your AV and making sure you have the right BACKUP for all your important data!
What more can you do to limit the damage?
What else can be done to limit the spread, prevent damage or protect your systems? There are plenty of ways and methods; to point out a few that you can use if you use online services (the ones we know well enough to give you sound advice on):
- Azure Security Center already has Petya attack detection and prevention implemented. This is where cloud services can act at speed. Make sure you check it and, if you use Security Center, that you have the right monitoring in place for it.
- Segment your network and contain the traffic. Network segmentation and traffic control between segments can prevent or limit the damage caused by this kind of worm in the future. In particular, workstations rarely need to accept SMB (TCP 445/139) or WMI connections from other workstations; such traffic should be allowed only from management hosts.
- If you use Office 365 and OneDrive, local copies of files may get encrypted and then synchronized. Most ransomware (but not Petya) changes the extensions of the encrypted files, and you can block specific extensions from being synchronized to Office 365. Lists of known ransomware file extensions can be found in many places, for example on GitHub.
- Make sure you have the right backups, stored in the right locations, and MOST IMPORTANTLY, procedures you can execute to recover your organization from them. Not a single server, not a single database, but the entire organization.
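The two host-side controls from the advice above that can be scripted are switching off SMBv1 (the protocol the exploit needs) and refusing SMB/WMI connections from anything but your management hosts. The following PowerShell script is an added example, not code from the original post or from Predica; it assumes Windows 8.1/Server 2012 R2 or later, that you run it elevated on a workstation, and that your admin jump hosts live in the subnet given as $ManagementSubnet (a placeholder value, not one from the post).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Hardens a workstation against the two
# spreading paths discussed in the post: SMBv1 (EternalBlue) and workstation-to-
# workstation SMB/WMI (admin$ copy + WMIC/PsExec). Run elevated, Windows 8.1+.
param(
    [string]$ManagementSubnet = '10.0.50.0/24'   # assumption: where your admin jump hosts live
)

# --- 1. SMBv1: what the SMB exploit needs. Report it, then switch it off. ---
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 server protocol is ENABLED - disabling it'
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Host 'SMBv1 server protocol: already disabled'
}
# The optional feature also carries the SMBv1 client; remove it unless a legacy
# device (old NAS, printer) still needs it. Takes effect after a reboot.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($feature.State -eq 'Enabled') {
    Write-Warning 'SMB1Protocol feature is installed - removing it (reboot required)'
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# --- 2. Segmentation on the host: no SMB/RPC from other workstations. ---
# Windows Firewall evaluates explicit Block rules before Allow rules, so instead of
# a "block everything but" rule we disable the broad built-in Allow groups and add
# one narrow Allow scoped to the management subnet. Everything else then falls
# through to the profile's default inbound action, which must be Block.
Get-NetFirewallProfile | Where-Object DefaultInboundAction -ne 'Block' | ForEach-Object {
    Write-Warning "Profile $($_.Name) default inbound action is $($_.DefaultInboundAction) - setting Block"
    Set-NetFirewallProfile -Name $_.Name -DefaultInboundAction Block
}

# Built-in rule groups that open 135/139/445 to the whole network.
foreach ($group in 'File and Printer Sharing',
                   'Windows Management Instrumentation (WMI)',
                   'Remote Service Management') {
    Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue |
        Where-Object Enabled -eq 'True' |
        Disable-NetFirewallRule
}

# Narrow allow: SMB (445/139) and the RPC endpoint mapper (135) only from management.
$ruleName = 'Admin access from management subnet only'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 135,139,445 -RemoteAddress $ManagementSubnet -Action Allow | Out-Null
}

# --- 3. Show the result so the change can be verified and documented. ---
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Roll this out to a pilot group first: any management or deployment tool that reaches workstations over SMB or WMI from outside the management subnet (software distribution, remote support, backup agents) will stop working until its source addresses are added to the allow rule. Disabling SMBv1 on the server side is reversible with the same cmdlet; removing the optional feature needs a reboot.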
Why is Petya different and so important?
Here are a few thoughts about it from our CTO, Tomasz Onyszko, who took the time to sum it up for you.
With this infection, we have entered a new era of malware outbreaks. Lots of clues indicate that this worm was well prepared to destroy data from the beginning, with its target indicated by its entry vector in a specific country.
Its most likely initial entry vector was an update to software distributed by an external company. This adds a new element to the never-ending security landscape – you need to manage and secure your entire supply chain, with all vendors and software used by your organization.
It is very sophisticated and uses multiple techniques to spread. Patching alone is not enough. You need to secure your network not only to prevent infection but also to not allow it to harvest your credentials over the network. We should have done this a long time ago, but here we have it exploited at scale. There is no way around it anymore.
Last, but most important – your organization needs to be prepared to recover its operations from the state of total disaster. It is not a single machine infected. It is not a single server lost.
What if your entire system is lost? Where will you start to recover?
There is a movie, 28 Days Later. It shows the world after a virus outbreak where only a few people survived. This is its digital equivalent. All is lost, and you need to recover.
Has anything been destroyed that causes real-world damage or a threat to life?
What is the minimal service level you need to restore to keep your business running?
What should be up and running a day after?
How will you get there?
We need to answer all these questions in the post-Petya world.
In my almost 20 years of professional career, I think I've met only 5% of organizations who had a forest recovery plan for their Active Directory ready. Now is the day when some of them need to use it.
Do you have yours ready?
How does Petya work?
Finally, it is time for some technical details on how it works and spreads. Our consultant Artur Brodziński took the time to prepare this summary for you based on the available technical information. Read it thoroughly to get additional details and understand it better.
How does it spread across the network?
Petya is a worm: in the first step it builds a list of computers to attack, then propagates itself to each of them. It can infect fully patched machines as well, because it uses harvested network credentials to do so.
It was observed that Petya infected and took down up to 5000 computers within a few minutes, so it is really hard to stop once it enters your network.
The worm builds its full list of target computers from the following sources:
- All computer objects it can obtain and dump from Active Directory
- IP addresses and DHCP servers of all network adapters
- DHCP clients of the DHCP server, if ports 445/139 are open
- IP addresses within the subnet defined by the subnet mask, if ports 445/139 are open
- Computers you currently have an open network connection with
- Computers in the ARP cache
- Targets saved in Windows Credential Manager
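As an added example (not part of the original post, and not the worm's code), the following PowerShell script queries the same sources, read-only, from a workstation you own, so you can see how many targets one infected host would hand the worm. It assumes a domain-joined Windows 8.1/Server 2012 R2 or later host; everything it prints comes from your own environment.

```powershell
# Added example (not from the original post). Reproduces, read-only, the target
# discovery a compromised workstation offers the worm. Nothing is changed; run it
# as the normal logged-on user on a domain-joined workstation.

function Get-WormVisibleTargets {
    $found = New-Object System.Collections.Generic.List[object]
    function Add-Target([string]$Source, [string]$Address) {
        $found.Add([pscustomobject]@{ Source = $Source; Address = $Address })
    }

    # 1. Active Directory: every computer object a plain domain user can read.
    try {
        $searcher = [adsisearcher]'(objectCategory=computer)'
        $searcher.PageSize = 1000
        foreach ($r in $searcher.FindAll()) {
            Add-Target 'AD computer object' ($r.Properties['dnshostname'] -join '')
        }
    } catch { Write-Warning "AD lookup failed: $_" }

    # 2. Adapter configuration: DHCP servers, and the subnet each IPv4 mask implies
    #    (the worm sweeps that whole range for open 445/139).
    foreach ($nic in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=true') {
        if ($nic.DHCPServer) { Add-Target 'DHCP server' $nic.DHCPServer }
        for ($i = 0; $i -lt $nic.IPAddress.Count; $i++) {
            $ip = $nic.IPAddress[$i]; $mask = $nic.IPSubnet[$i]
            if ($ip -notmatch '^\d+\.\d+\.\d+\.\d+$') { continue }   # IPv4 only
            $binary = (([ipaddress]$mask).GetAddressBytes() |
                       ForEach-Object { [convert]::ToString($_, 2).PadLeft(8, '0') }) -join ''
            $prefix = ($binary.ToCharArray() | Where-Object { $_ -eq '1' }).Count
            $hosts  = [math]::Pow(2, 32 - $prefix) - 2
            Add-Target 'Subnet sweep (445/139)' "$ip/$prefix ($hosts addresses)"
        }
    }

    # 3. Live connections and the ARP cache: hosts this box talked to recently.
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1|0\.0\.0\.0)' } |
        ForEach-Object { Add-Target 'Open TCP connection' $_.RemoteAddress }
    Get-NetNeighbor -AddressFamily IPv4 |
        Where-Object { ($_.State -in 'Reachable', 'Stale') -and $_.LinkLayerAddress -ne '00-00-00-00-00-00' } |
        ForEach-Object { Add-Target 'ARP cache' $_.IPAddress }

    # 4. Windows Credential Manager: each saved entry names a target (and a user).
    cmdkey /list | ForEach-Object {
        if ($_ -match '^\s*Target:\s*(.+)$') { Add-Target 'Credential Manager entry' $Matches[1].Trim() }
    }

    return $found
}

$targets = Get-WormVisibleTargets
# Summary per source, then the non-AD entries in full (AD alone can be thousands of rows).
$targets | Group-Object Source | Select-Object Name, Count | Format-Table -AutoSize
$targets | Where-Object Source -ne 'AD computer object' | Format-Table -AutoSize
```

The AD count is usually the sobering number: a standard domain user can list every computer in the forest, which is why the post's advice about credentials and segmentation matters more than any single host's patch level. Saved Credential Manager entries that point at servers with an admin account are the ones to remove first.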
How can it connect to another computer if it doesn't have credentials for other systems?
Petya also builds a list of usernames and passwords available on the infected machine. To gather them, it uses the following methods:
- Saved credentials are read from Windows Credential Manager
- A credential dumper (Mimikatz-like code) is executed to extract credentials from memory
Once both lists are built, it uses two methods to spread over the network:
- SMB exploit – it uses the same EternalBlue exploit that was used in the WannaCry ransomware attack. The exploit targets SMB version 1 over TCP port 445.
- Network share execution – the worm attempts to spread to target computers by copying itself to \\COMPUTERNAME\admin$ with the credentials from the list built earlier, then launching it remotely through Windows Management Instrumentation Command-line (WMIC) or the PsExec tool.
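The share-based spreading leaves ordinary Windows event log traces on both ends: the ADMIN$ share being opened on the target, PsExec's service (PSEXESVC) being installed on the target, and WMIC being launched on the source. The following PowerShell hunt is an added example, not code from the original post; it assumes the listed hosts accept remote event log queries from the machine you run it on, that "Audit File Share" is enabled for event 5140, and that process creation auditing with command-line logging is enabled for event 4688. The host names are placeholders.

```powershell
# Added example (not from the original post). Hunts event logs on a set of hosts
# for the share-based spreading described above. Assumptions (none from the post):
# remote event log access works from here, file-share auditing (5140) is on, and
# process creation auditing with command line (4688) is on.
param(
    [string[]]$Computers = @('WS-001', 'WS-002', 'SRV-FILE01'),   # placeholders
    [datetime]$Since = (Get-Date).AddHours(-6)
)

function Find-LateralMovement {
    param([string]$Computer, [datetime]$Since)

    # Each check: log, event id, a regex applied to the rendered message, and why it matters.
    $checks = @(
        @{ Log = 'Security'; Id = 5140; Pattern = '\\ADMIN\$';
           Why = 'ADMIN$ share opened over the network (copy of the worm binary)' },
        @{ Log = 'System';   Id = 7045; Pattern = 'PSEXESVC';
           Why = 'PsExec service installed (remote execution of the copied file)' },
        @{ Log = 'Security'; Id = 4688; Pattern = 'wmic(\.exe)?\b.*process\s+call\s+create';
           Why = 'WMIC used on this host to start a process on another one' }
    )

    foreach ($c in $checks) {
        $filter = @{ LogName = $c.Log; Id = $c.Id; StartTime = $Since }
        # Get-WinEvent raises an error when nothing matches; treat that as "no findings".
        $events = Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            if ($e.Message -match $c.Pattern) {
                # 5140 carries the account and source address; the others leave these blank.
                $account = ''; $source = ''
                if ($e.Message -match 'Account Name:\s+(\S+)')    { $account = $Matches[1] }
                if ($e.Message -match 'Source Address:\s+(\S+)')  { $source  = $Matches[1] }
                [pscustomobject]@{
                    Computer = $Computer
                    Time     = $e.TimeCreated
                    EventId  = $e.Id
                    Account  = $account
                    Source   = $source
                    Why      = $c.Why
                }
            }
        }
    }
}

$findings = foreach ($name in $Computers) { Find-LateralMovement -Computer $name -Since $Since }

# The earliest hit per host shows where the worm entered and which account it used;
# sorting by time reads the spread in order.
$findings | Sort-Object Time | Format-Table -AutoSize
```

Two caveats: a 5140 for ADMIN$ from a management server during a normal deployment window is expected, so judge hits by account and source address rather than by presence alone; and a 4688 with command-line logging will also record the password the worm passed to wmic.exe on the command line, so treat these logs as sensitive once you have them.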
How does it work?
Petya infects a computer in three steps:
- MBR overwrite – it overwrites the hard drive's Master Boot Record and implants a custom boot-loader. It also creates a scheduled task that reboots the machine at least 10 minutes after the current time.
- MFT encryption – after the reboot, the custom boot-loader from step 1 encrypts the Master File Table (MFT) records, which renders the file system completely unreadable.
- Ransom demand – once the MBR and MFT work is complete, the computer boots into the ransom instructions shown to the end user. But as you already know, this is just a smokescreen for its true actions.
Before the reboot, the malware also attempts to encrypt files with a fixed list of target file name extensions in all folders on all fixed drives, except for C:\Windows.
IMPORTANT! The file ENCRYPTION happens before the reboot, so at the moment you see your computer rebooting, the files it targets are already gone; the MFT encryption during the reboot then finishes the job.
Ransomware will probably become so common that we will stop noticing it in a while.
This one is not ransomware but malware whose goal is to destroy data. It bundled an exploit and hacking techniques to spread so fast and so wide.
It caught a lot of companies unprepared. Investments were made in external (perimeter) protection, but it is always the weakest point that gets broken, and in this case that was internal protection and everyday security practice.
Be sure it will happen again with a new variant or worm, and this one will be around for a long time.
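For a host that you suspect is infected but that has not rebooted yet, the two artefacts of step 1 above can be checked live: the scheduled reboot task, and whether the first sector of disk 0 still looks like a stock Windows MBR. The PowerShell below is an added example, not code from the original post; it assumes Windows 8 / Server 2012 or later, elevation, and a BIOS-booted (MBR) disk for the boot sector heuristic (on UEFI machines the first sector is a protective MBR and the check is skipped). Both checks are heuristics and are labelled as such in the code.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Live triage for the first infection
# step: find and remove the scheduled reboot, and check whether disk 0 still
# carries a stock Windows MBR. Run elevated on a host that has not rebooted yet.

function Find-SuspiciousRebootTask {
    # Heuristic: the malware schedules shutdown.exe with /r to reboot the box; no
    # ordinary workstation task does that. Returns the matching task objects.
    Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object { $_.Execute -match 'shutdown(\.exe)?$' -and $_.Arguments -match '/r' }
    }
}

function Test-StockWindowsMbr {
    # Heuristic: a stock Windows MBR ends with the 55 AA boot signature and carries
    # the "Invalid partition table" error string in its 446-byte code area; a
    # replaced boot-loader normally does not. Only meaningful on BIOS-booted disks.
    if ($env:firmware_type -ne 'Legacy') {
        return [pscustomobject]@{ Checked = $false; Reason = "firmware is $env:firmware_type, MBR check skipped" }
    }
    $fs = New-Object System.IO.FileStream('\\.\PhysicalDrive0',
            [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)
    try {
        $sector = New-Object byte[] 512
        [void]$fs.Read($sector, 0, 512)
    } finally { $fs.Close() }

    $signatureOk = ($sector[510] -eq 0x55) -and ($sector[511] -eq 0xAA)
    $code        = [System.Text.Encoding]::ASCII.GetString($sector, 0, 446)
    $looksStock  = $code -match 'Invalid partition table'
    $reason = if ($looksStock) { 'standard Windows MBR strings present' }
              else { 'boot code does not look like a stock Windows MBR - inspect it' }
    [pscustomobject]@{ Checked = $true; SignatureOk = $signatureOk; LooksStock = $looksStock; Reason = $reason }
}

$tasks = Find-SuspiciousRebootTask
foreach ($t in $tasks) {
    $next = ($t | Get-ScheduledTaskInfo).NextRunTime
    Write-Warning "Reboot task found: $($t.TaskPath)$($t.TaskName) - next run $next"
    # Removing the task stops the MFT step from starting, but does not undo the
    # file encryption already running; the post's advice still applies: isolate the host.
    $t | Unregister-ScheduledTask -Confirm:$false
}
Test-StockWindowsMbr | Format-List
```

Read the result in the order the post describes: a pending shutdown.exe /r task plus a non-stock MBR on a machine that nobody deliberately re-imaged is the step-1 footprint, and at that point the file encryption has already been running, so the useful action is to pull the host off the network (and, as the post says, power it down) rather than to wait for the reboot.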
Better get prepared now. Talk to our experts.