Alexia Sailer

Petya or NotPetya – what you need to know

On Monday, June 26, 2017, a new ransomware cyberattack was launched. Initially, many experts believed that the attack involved the known malware Petya (possibly with a few modifications). It was then determined, however, that only the appearance of Petya had been imitated, probably to lead analysts to draw the wrong conclusions. The attack has since become known under the name NotPetya or Netya.

In this article, you can read about the latest findings from our experts on the Cyber Emergency Response Team (CERT) regarding this current ransomware attack.

The attack targets computer systems running Microsoft's Windows XP operating system and later. It spreads primarily through two vulnerabilities ("EternalBlue" and "EternalRomance") that experts believe originated from a secret toolkit of the NSA, the U.S. National Security Agency. It has primarily affected companies in Russia; however, the Ukrainian government and central bank are also affected, as are the Kiev airport and other companies. One of the underlying vulnerabilities was previously exploited by the global WannaCry cyberattack. Despite this, the current NotPetya/Netya attack has still been successful, not least because it uses additional methods to spread itself.

Infected systems have their data encrypted by the ransomware, using a strong encryption algorithm (AES-128, RSA). It focuses on specific data types, such as compressed archives, PDF documents, Office files, e-mail folders, virtual machines and backup files. No free decryption tool is currently available. 

While it has the appearance of ransomware, its true aim seems to be to cause havoc and sabotage. We come to this conclusion for two reasons. Firstly, the infection methods are very novel and sophisticated for this kind of malware and are more reminiscent of targeted attacks. Secondly, the payment options presented to victims do not represent the state of the art and seem to have been implemented rather carelessly.

One of the methods NotPetya uses to spread itself is an update process of standard financial software that is widely used in the Ukraine. Therefore, we strongly suspect that the attack is intended to damage the Ukraine in particular.

So far, we have identified three vectors used to spread the malware: 

1.    Watering Hole  
Under the watering hole vector, the attackers target sources on the Internet that the target audience uses. Examples of such "watering holes" include suppliers, local news sources and government agencies. By manipulating the watering hole, attackers can compromise the systems of the people who use it. 

In this case, the attackers exploited the software update channel of MeDoc, a financial program, to distribute NotPetya: apparently, the criminals manipulated the update sources of the software, so that the malware is downloaded onto every system that has MeDoc installed and its (weekly) update mechanism activated. The malware therefore reaches the computers through automatic updates. Because the MeDoc software is used primarily in the Ukraine, this leads us to suspect that the Ukraine is the specific target of the attack.

2.    SMBv1 vulnerabilities "EternalBlue" and "EternalRomance" 
The spread through SMBv1 vulnerabilities (an outdated version of the Server Message Block protocol, which is used to exchange data between different computers through network shares) is highly targeted and only takes place against systems the malware has already identified. Here, the results of reconnaissance against the Active Directory service are used to identify the systems in the domain. "EternalBlue" and "EternalRomance" are then used as exploits against those systems. They were likely utilized by the NSA, the U.S. National Security Agency, to compromise Windows systems.

On March 12 and 14, 2017, Microsoft released two patches (MS17-010 and MS17-008) for the vulnerabilities known under CVE-2017-0144 (SMB Remote Windows Kernel Pool Corruption) and CVE-2017-0145 (Windows SMB Remote Code Execution Vulnerability).

On April 14, 2017, The Shadow Brokers, a hacking group, published the "EternalBlue" and "EternalRomance" exploits, claiming they were attack tools used by the NSA. 

On May 12, 2017, the CVE-2017-0144 vulnerability was exploited to spread the global attack of the WannaCry ransomware, which spreads like a worm. Once again, "EternalBlue" was used as an exploit. 

On June 27, 2017, this vulnerability was exploited yet again, for a new variant of the NotPetya ransomware. In addition to the "EternalBlue" exploit used by WannaCry, NotPetya also uses the exploit known as "EternalRomance". 

3.    Lateral movement through valid access credentials 
The third distribution vector uses valid access credentials to copy the malware to network shares and then execute it using the popular PsExec or WMIC (Windows Management Instrumentation Command line) administrator tools. Both tools are widely used in larger company networks, in particular to carry out blanket system configuration work, and accordingly they are executed with administrator permissions. If these permissions are obtained, they can also be used for the privileged execution of malware. To collect the access credentials, a separate password extraction mechanism is integrated, which reads and recovers passwords from memory in a way similar to the frequently used mimikatz tool. In addition, re-use of active sessions has also been observed as a technique.

The targeted approach used by this malware, particularly for its spread, is controlled by two reconnaissance mechanisms:  

1.    Querying the AD servers for additional systems that also belong to the domain

2.    Capturing additional passwords on systems that have already been compromised

If additional systems are identified during the first step, the further attack vectors are applied specifically, to compromise those systems as well. Extracted access credentials are then used in distribution vector 3.
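The two passages above (lateral movement with valid credentials, and the reconnaissance that feeds it) describe what a defender would look for in host logs. The following is an added example, not code from the original article: detection logic run over constructed sample events, simplified from Windows Security event 4624 (logon), System event 7045 (new service) and process-creation event 4688. Host and account names are made up.

```python
from collections import defaultdict

# Constructed sample events (not real logs); field names are simplified.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "WS01", "logon_type": 3, "user": "CORP\\svc_admin", "src": "WS07"},
    {"id": 4624, "host": "WS02", "logon_type": 3, "user": "CORP\\svc_admin", "src": "WS07"},
    {"id": 4624, "host": "FS01", "logon_type": 3, "user": "CORP\\svc_admin", "src": "WS07"},
    {"id": 4624, "host": "WS03", "logon_type": 3, "user": "CORP\\alice", "src": "WS03"},
    {"id": 4624, "host": "WS01", "logon_type": 2, "user": "CORP\\bob", "src": "-"},
    {"id": 7045, "host": "FS01", "service": "PSEXESVC", "path": "C:\\Windows\\PSEXESVC.exe"},
    {"id": 7045, "host": "WS03", "service": "Spooler", "path": "C:\\Windows\\System32\\spoolsv.exe"},
    {"id": 4688, "host": "WS07", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": 'wmic /node:WS02 process call create "C:\\Windows\\Temp\\update.exe"'},
    {"id": 4688, "host": "WS03", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic os get caption"},
]

def psexec_service_installs(events):
    """Event 7045 (new service) registering the PsExec helper service."""
    return [e for e in events if e["id"] == 7045
            and "psexesvc" in e.get("service", "").lower()]

def remote_wmic_process_creates(events):
    """WMIC launched with /node: to start a process on another host."""
    hits = []
    for e in events:
        if e["id"] != 4688 or not e.get("image", "").lower().endswith("wmic.exe"):
            continue
        cmd = e.get("cmdline", "").lower()
        if "/node:" in cmd and "process" in cmd and "call" in cmd and "create" in cmd:
            hits.append(e)
    return hits

def credential_fanout(events, min_hosts=3):
    """Accounts whose network logons (type 3) reach >= min_hosts distinct hosts:
    the footprint of one credential being replayed across the domain."""
    hosts = defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 3:
            hosts[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= min_hosts}

def analyze(events, min_hosts=3):
    """Combine the three checks into one report keyed by detection name."""
    return {
        "psexec": [e["host"] for e in psexec_service_installs(events)],
        "wmic_remote": [e["host"] for e in remote_wmic_process_creates(events)],
        "fanout": credential_fanout(events, min_hosts),
    }
```

On the sample, `analyze(SAMPLE_EVENTS)` reports the PsExec service on FS01, the remote WMIC launch from WS07, and the svc_admin account fanning out to three hosts; the fan-out threshold should be tuned to what is normal for your administration tooling.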

A number of different measures can help contain and inhibit the different distribution vectors: 
1.    Temporary deactivation of MeDoc updates 
2.    Installing the latest patch levels (particularly the available Microsoft patches) 
3.    Avoiding use of domain-wide administrator accounts 
4.    System vaccination/kill switch   
5.    Ensure that backups are up to date and recoverable

1.    Deactivating MeDoc updates 
Blocking the update server  

upd.me-doc.com.ua 

can prevent the manipulated updates from loading. This measure should only be implemented temporarily, but at least until the security incident has been completely resolved by MeDoc. 

2.    Keep patches up to date 
Installing the patches and updates provided by Microsoft eliminates the relevant vulnerabilities. As the timeline above shows, the patches were released before the exploits were made public.  

3.    Avoiding use of domain-wide administrator accounts 
If you do not use (or deactivate) domain-wide administrator accounts, you give up the ability to perform legitimate (authorized) mass program execution with them. Since the same mechanism is what executes the malware with administrator permissions, its abuse is prevented as well. 

4.    System vaccination 
The program logic of the malware makes it possible to prevent its installation by creating certain files. This system change, which the malware treats as a kill switch, can be applied preventively as a vaccination. The ransomware checks for the existence of the following files in the C:\Windows folder: 

  C:\Windows\perfc 
  C:\Windows\perfc.dll 
  C:\Windows\perfc.dat 

If these files exist on the system, the ransomware stops its activities even after a successful infection, which means the system is not encrypted. You can vaccinate your system by creating the above files (with any content) preventively. Since the attackers can change these file names easily, however, the long-term protection afforded by this method is rather weak. 
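The vaccination described above, as an added example that is not part of the original article: the script creates the three files if they are missing and, as an assumed extra hardening step the article does not require, marks them read-only. The `windows_dir` parameter defaults to C:\Windows and is only there so the logic can be exercised against another directory.

```python
import os
import stat

# The file names the ransomware checks for, as listed in the article.
VACCINE_FILES = ("perfc", "perfc.dll", "perfc.dat")

def vaccinate(windows_dir=r"C:\Windows"):
    """Create each vaccine file if missing and clear its write bits.
    Returns {filename: "created" | "exists"} so the caller can log the outcome."""
    result = {}
    for name in VACCINE_FILES:
        path = os.path.join(windows_dir, name)
        if os.path.isfile(path):
            result[name] = "exists"
        else:
            with open(path, "w") as fh:
                fh.write("vaccinated\n")  # content is irrelevant to the check
            result[name] = "created"
        # Read-only is an assumed hardening step, not required by the check;
        # on Windows os.chmod with S_IREAD sets the read-only attribute.
        os.chmod(path, stat.S_IREAD)
    return result

def is_vaccinated(windows_dir=r"C:\Windows"):
    """True only if all three files are present as regular files."""
    return all(os.path.isfile(os.path.join(windows_dir, n)) for n in VACCINE_FILES)

if __name__ == "__main__":
    print(vaccinate())
    print("vaccinated:", is_vaccinated())
```

Run it with administrator rights on each Windows host; re-running is harmless because existing files are reported and left in place.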

5.    Ensure that backups are up to date and recoverable 
By maintaining current backups and verified processes for recovering them, you can avoid the impact of both ransomware encryption and destructive deletion software without having to deal with ransom demands. 

FAQ