Petya Ransomware Response
Petya Ransomware Response: CyberArk, Ivanti, LogRhythm, Malwarebytes and Tenable
Ross Brewer, Vice President and Managing Director, International Markets, LogRhythm
“With WannaCry still so fresh in our minds, this follow-up attack proves just how real this is all becoming - and the worst is probably yet to come. These public outings of large, high-profile attacks are becoming more frequent, faster-acting and more damaging. Every organisation, regardless of size or industry, is vulnerable. As security vendors, we are often criticised for fear mongering and exaggerating the possible consequences of a cyberattack - but I think we can agree that recent events are starting to show that the warnings were warranted. These attacks are targeting our top businesses, banks, healthcare institutions and other critical national infrastructure, and are revealing the chaos that ensues when organisations lose control of their data - when are we going to do something about it?
"The recent attacks associated with WannaCry and Petya have re-enforced the lack of accountability and focus on basic IT and security fundamentals. Core IT operational competencies, such as patch management, backups, disaster recovery, and incident response are not well implemented or maintained. These are absolutely essential in protecting your company from damaging cyber threats and without them you are left in a perpetually vulnerable state, a sitting duck for these types of attacks, merely hoping that you aren’t compromised. The only actions you take are responsive, only after some other unlucky company was compromised.
"Unfortunately, events like the Petya incident today and what occurred previously with WannaCry have been and will continue to be the normal state of things. A determined hacker only has to be right once. The odds are heavily in their favour with compromise likely, if not inevitable. As such, we need to stop focusing solely on defence and protection - and put more effort into monitoring, detection and response as true compensating controls to the mess that is IT today. As we saw with WannaCry and what I fully expect to see by the end of today, it’s not always about stopping the initial compromise, the inevitable, but how quickly you can respond and contain a threat before it becomes a full-blown incident or global outbreak.”
Phil Richards, Chief Information Security Officer, Ivanti
“New ransomware is attacking global computing systems worldwide as of June 26, 2017. The ransomware, called Petwrap, is based on an older Petya variant, originating from the GoldenEye malware in December 2016. The new ransomware variant also includes the SMB exploit known as EternalBlue that was created by the United States National Security Administration, and leaked by the Shadow Brokers hacker group in April 2017. This malware appears to have been targeted at Ukraine infrastructure groups such as government workstations, power companies, banks, ATMs, state-run television stations, postal services, airports, and aircraft manufacturers. Since the initial infection it has spread to other markets, and beyond the Ukraine borders. The actual malware is ransomware, requesting a ransom equivalent to $300 USD in bitcoins. The Petya component includes many features that enable the malware to remain viable on infected systems, including attacking the Master Boot Record. The EternalBlue component enables it to proliferate through an organization that doesn’t have the correct patches or antivirus/antimalware software. This is a great example of two malware components coming together to generate more pernicious and resilient malware.”
Kobi Ben Naim, Senior Director of Cyber Research, CyberArk Labs
“NotPetya malware is behind what is quickly emerging as another devastating global ransomware incident, one with the potential to be even more damaging than WannaCry. Initially thought to be a strain of the powerful Petya ransomware, NotPetya is spreading using the incredibly efficient infection method used by WannaCry - a worm that quickly spreads the ransomware using the “eternalblue” SMB vulnerability in Microsoft systems. The combination is potent and has the potential to inflict massive damage on scales we have not witnessed before.
"Based on initial analysis by CyberArk Labs, what we know now is that NotPetya is different from WannaCry in that it appears to be sparing endpoints that use a US English-only keyboard. This seemingly self-imposed restriction has been seen in nation state attacks. Like WannaCry, any individual and organisation with an unpatched Microsoft system remains vulnerable to the worm. However, the organisation would only be protected from the attack method. Our research shows that NotPetya requires administrative rights to execute. So if a user clicks on a phishing link, the ransomware will still infect the network. Like Petya, this new malware is considered especially dangerous because it encrypts the Master Boot Record (MBR), instead of documents and applications, and prevents a user from rebooting. In addition to patching, organisations need to be focused on protecting privileged credentials at the endpoint to avoid them being utilised to execute this attack.”
Jim Cook, ANZ Regional Director, Malwarebytes
"Petya/NotPetya is another example of a known, patchable vulnerability causing tremendous issues for people and businesses around the world. If possible, apply the MS17-010 Microsoft patch to all PCs immediately.
"If you are running unpatched systems with Admin privileges this malware has the ability to spread inside your network using the in-built PSExec utility, which our research team say makes its ability to damage businesses significant. If you are running Malwarebytes' latest offerings you have been protected from zero hour.
“If Shadow Brokers keeps its promise to continue releasing NSA exploits it seems that this sort of mass infection will become common, so now is the time to ensure you have a decent backup system, patch process and a current endpoint security solution in place."
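The CyberArk and Malwarebytes comments above both describe the same lateral-movement mechanism: once the malware holds administrative credentials, it uses PsExec to push itself to other hosts. On the receiving host that leaves a System log Event ID 7045 ("A service was installed in the system") for the PSEXESVC service. The detector below, an added example that is not code from the article or from any of the quoted vendors, looks for that footprint and, more usefully, for the burst of such installs across several hosts in a short window that distinguishes a worm-like spread from an administrator running PsExec once. The key=value log format, the SAMPLE_LOG records, the host names and the function names are all constructed for this illustration.

```python
"""Flag PsExec-style remote service installs across many hosts.

Added example, not code from the original article or from any of the quoted
vendors. It assumes Windows System event log records have been exported to a
one-record-per-line key=value text format (a constructed format, chosen for
readability); SAMPLE_LOG below is constructed, not real telemetry.

Event ID 7045 whose service is PSEXESVC is the classic footprint left on a
target when PsExec is used with administrative credentials. One such event
is routine admin activity; the same event landing on several hosts within a
few minutes is the pattern a worm-like spread produces, so the detector
reports the burst, not just the single event.
"""
import re
from datetime import datetime, timedelta

# Constructed sample records (not real logs): two PSEXESVC installs on two
# hosts about two minutes apart, plus an unrelated service install and noise.
SAMPLE_LOG = """\
Time=2017-06-27T10:01:12Z Host=WS-101 EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe Account=LocalSystem
Time=2017-06-27T10:01:13Z Host=WS-101 EventID=7036 ServiceName=PSEXESVC State=running
Time=2017-06-27T10:02:40Z Host=WS-102 EventID=7045 ServiceName=Dnscache ImagePath=%SystemRoot%\\system32\\svchost.exe Account=NT AUTHORITY\\NetworkService
Time=2017-06-27T10:03:05Z Host=WS-103 EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe Account=LocalSystem
Time=2017-06-27T10:03:05Z Host=WS-103 EventID=4624 LogonType=3 Account=CORP\\admin_svc
"""

# A value runs until the next " key=" or end of line, so values such as
# "NT AUTHORITY\NetworkService" survive their embedded space.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_record(line):
    """Turn one key=value line into a dict; Time becomes a datetime."""
    rec = {k: v for k, v in _KV.findall(line.strip())}
    rec["Time"] = datetime.strptime(rec["Time"], _TIME_FMT)
    return rec


def find_psexec_installs(log_text):
    """Return 7045 records whose service name or image path is PSEXESVC, oldest first."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("EventID") != "7045":
            continue
        name = rec.get("ServiceName", "").upper()
        image = rec.get("ImagePath", "").upper()
        # PsExec's -r switch renames the service, so also check the binary name.
        if name == "PSEXESVC" or image.endswith("\\PSEXESVC.EXE"):
            hits.append(rec)
    return sorted(hits, key=lambda r: r["Time"])


def spreading_hosts(log_text, window_minutes=5, min_hosts=2):
    """Hosts that received a PsExec service install inside one time window.

    Slides a window of window_minutes over the installs (oldest first) and
    collects the hosts of every window holding at least min_hosts distinct
    hosts. An empty list means only isolated activity was seen.
    """
    installs = find_psexec_installs(log_text)
    span = timedelta(minutes=window_minutes)
    flagged = set()
    for i, first in enumerate(installs):
        hosts = {r["Host"] for r in installs[i:] if r["Time"] - first["Time"] <= span}
        if len(hosts) >= min_hosts:
            flagged |= hosts
    return sorted(flagged)


if __name__ == "__main__":
    for rec in find_psexec_installs(SAMPLE_LOG):
        print(f"{rec['Time']:%H:%M:%S} {rec['Host']}: PsExec service installed")
    print("burst across hosts:", spreading_hosts(SAMPLE_LOG))
```

The window and host-count thresholds are deliberately parameters: a help desk that legitimately uses PsExec will need a higher min_hosts or a shorter window than an environment where any remote service install is unusual. Pairing a hit with the account named in the matching network logon (the 4624 LogonType=3 record in the sample) is what ties the detection back to the privileged-credential point CyberArk makes.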
Gavin Millard, Technical Director, Tenable
“The ransomware appears to be a new version of Petya that could possibly have similar characteristics to WannaCry, employing ETERNALBLUE to spread to other systems before encrypting files and demanding payment. One major difference between this outbreak and WannaCry, though, is the possible inclusion of exploit code for another known vulnerability, CVE-2017-0199, affecting Microsoft Office, to further spread the payload.
"If this attack turns out to be leveraging the same vulnerabilities WannaCry leveraged to spread, or other known bugs that have had patches available for months, there are going to be some awkward conversations between IT teams that failed to patch or protect and businesses affected. The publicity around WannaCry couldn’t have been larger, probably eclipsing Heartbleed, yet if this is the same attack vector, it demonstrates a distinct lack of taking threats like this seriously.”