Cyber Alert: Petya Ransomware

Date Issued: June 27, 2017

UPDATED – June 28, 2017

The MS-ISAC continues to monitor the Petya ransomware outbreak.

Over the last 24 hours, security researchers have conducted multiple analyses of the Petya ransomware. Within the open source reporting a consensus is forming that the Petya ransomware originated with a legitimate software updater for the financial software MeDoc. Kaspersky also indicates that a second initial infection vector occurred via a watering hole attack hosted on Bahmut, Ukraine’s municipal website. Petya is not believed to spread over the Internet and is instead limited to internal networks. The widespread outbreak of Petya is attributed to the infection of large corporations with extensive business-to-business (B2B) intranets and extranets.

According to open sources Petya enumerates network adapters and open ports and utilizes multiple propagation vectors to traverse a network:

Execution of EternalBlue and EternalRomance on devices with ports 445 and 139 available; or
Execution of a modified Mimikatz tool to extract credentials from the lsass.exe process. Harvested credentials are then utilized to distribute Petya inside the network using PsExec or Windows Management Instrumentation Command-line (WMIC). A single infected system with administrative credentials is capable of spreading the infection across the entire network.

Security researchers have also identified limited recovery and mitigation options. Petya’s encryption of the Master File Table (MFT) allows for system recovery by booting from a LiveCD or bootable removable media, immediately following a system crash (blue screen of death) and prior to the second stage of infection. In order to mitigate potential losses, disable the automatic restart after system failure setting. The ability to recover files following the second stage is unconfirmed at this time.

According to VirusTotal, 52/61 anti-virus solutions are now detecting this ransomware. MS-ISAC strongly recommends updating anti-virus to detect Petya infections.

Original Cyber Alert June 27, 2017:

The MS-ISAC is aware of new ransomware activity similar to WannaCry using the Petya ransomware. Petya encrypts the Master File Table (MFT) for NTFS partitions and overwrites the Master Boot Record (MBR) with a custom bootloader. The ransomware demands an average payment of $300 in bitcoins. According to reporting by security researchers, Petya leverages the EternalBlue exploit that was made public in April by The ShadowBrokers and used by WannaCry to spread between systems on a network. EternalBlue utilizes a known SMB 1.0 vulnerability affecting most versions of Windows. Systems that have already had Microsoft’s MS17-010 security patch applied are not vulnerable to the EternalBlue exploit used by Petya. The MS-ISAC originally released a cybersecurity advisory on March 14, 2017, detailing the specifics of this vulnerability and recommending that MS17-010 be applied. Patches that mitigate the vulnerabilities have been made available through manual download for end-of-life Microsoft Windows operating systems that no longer receive mainstream support.

The initial propagation vector for Petya remains undetermined.

According to the email provider Posteo, the cyber criminals were using a Posteo address for decryption key delivery, and this address has been disabled.

Systems Affected:

- Microsoft Windows Vista, 7, 8.1, RT 8.1, 10
- Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016
- Microsoft Windows Server Core Installations 2008, 2008 R2, 2012, 2012 R2, 2016
- Microsoft Windows; XP SP2/SP3, Embedded SP3, 8 RT
- Microsoft Windows Server 2003 SP 2

Recommendations: (Updated recommendation in Bold)

MS-ISAC recommends organizations work to determine if older versions of the identified software are currently running on systems and develop a proper migration plan to ensure software is upgraded appropriately.

- Blacklist the execution of perfc.dat as well as the PSExec utility from Sysinternals Suite.
- Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
- Block ingress and egress traffic to TCP and UDP ports 139, 445, and 3389 at your demarcation point.
- It is advised to immediately remove un-patchable hosts from the network.
- Disable SMBv1 on all systems and utilize SMBv2 or SMBv3 after appropriate testing.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
- Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially those from un-trusted sources.
- Apply the Principle of Least Privilege to all systems and services.
- Update anti-virus solutions to retrieve signatures for detecting Petya ransomware.
- Consider disabling the automatic restart after system failure setting in Windows to allow for potential recovery.