- Microsoft Windows 10 Enterprise includes a feature called “Credential Guard”. This feature can prevent certain attacker tools from compromising administrative credentials using well known techniques such as a Pass the Hash attack. Having this feature enabled would have prevented NotPeya from harvesting local credentials to spread within a local network (one of the methods used by the worm component). More Information: below:
- Microsoft is also releasing a new feature for Windows 10 in September/October which enables certain files and folders and should provide end users and enterprises another tool to protect against ransomware. This feature is being called “Controlled Folder Access”. More Information:
- The malcode used to create the installation ID which would presumably then be used to create a customized decryption key for each victim was randomly generated and useless. Kudelski Security reiterates: DO NOT PAY THE RANSOM.
UPDATE: 5:30 P.M. EST
As we often see in these global outbreak and response scenarios, information can change quickly. The following are a few updates based on what we’ve learned since our initial advisory.
- The ransomware is not actually petya.a. It does use some its components but the malcode used in today’s attacks was built to look like petya instead
- There does appear to be a kill switch in this first variant that stops the local encryption. The malcode looks for a copy of itself in C:\windows. The file name has been identified as perfc.dat. Unfortunately, it still appears to attempt its spread across the network.
- There are reports that “patient zero” is a finance technology company based in Ukraine
- We have seen reports of thousands of devices compromised within a just a few minutes at several different organizations
- CVE-2017-0199 is not part of this malcode. It was mentioned early on as related but was likely a misattribution due to near simultaneous detections of different attacks
- General steps of the infection
- ARP Scan
- Check/Get credentials (mimikatz or similar)
- Psexec to execute WMI
- If psexec fails use eternalblue
- Reboot to encrypt
- If clients can catch the reboot before it completes, it has been reported that files can be saved by not turning on the computer and recovering files offline.
- We urge caution when looking for some the common IOC’s that have been released so far. Some of them will generate high volumes of false positive alerts, in particular those related to CVE-2017-0199 (see #5)
- The malcode used a fake MS certificate and XOR to avoid most of the current AV detection routines.
- DO NOT PAY the ransom. The email associated with the bitcoin wallet is not valid.
- This attack and the code associated with it is far more professional and dangerous than what we saw WannaCry.
- Expect to see new and creative ways that attackers can automate propagation of malcode through an environment.
The following breaking information is subject to change as new data continues to pour into the CFC Threat Monitoring group.
Kudelski Security’s Cyber Fusion Center’s initial analysis has revealed that this attack is a new combination of pre-existing delivery, download, and malware/ransomware components. The initial infection vector is likely via phishing email or via the network (neither confirmed). Once the machine is initially infected, the Petyawrap’s worm component begins spreading the ransomware to other machines on the local network via several different methods, including the Equation Group’s EternalBlue exploit (similar to WannaCry). However, this worm is also leveraging PSEXEC (a way to remotely manage computers) and Windows Management Instrumentation (WMI) to infect machines already patched against EternalBlue.
Once a machine is initially exploited (either via EternalBlue or WMI), the worm begins to install the Petya Ransomware variant (https://securelist.com/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/77762/), which then restarts the affected endpoint and begins the encryption process. It’s important to note that the ransomware is leveraging vulnerabilities that were patched by Microsoft in March and built in Windows functions (such as WMI and PSEXEC) to spread. The usage of WMI and PSEXEC makes this worm effective against machines that may have already been patched against EternalBlue and other exploits. This ransomware variant has successfully automated the usage of highly effective methods traditionally used by advanced attackers to silently move laterally within a network by remotely executing code.
This variant can easily spread through the network because it lacks a Wannacry like “kill switch” to slow it’s spread.
Due to the usage of both the EternalBlue exploit and built in Windows management functions (WMI), the Cyber Fusion Center recommends that clients take the following actions:
- Disable inbound SMB on all external firewalls
- Disable inbound SMB connections using the built-in windows endpoint firewalls
- Disable SMBv1 for all endpoints and severs in the organization
- Fully patch all Windows systems
- Ensure that employees are not local administrators on domain joined machines (used to spread the worm via WMI and PSEXEC without exploits)
- If PSEXEC and WMI is not strictly controlled within the environment, it is highly advisable to temporarily disable WMI (Note: This may impact legitimate administrative tools such as SCCM, disable WMI with extreme caution)
Other outlets reporting details (rapidly evolving):
Our previous high-level recommendation:
Organizations must review and evaluate their vulnerability and patch management programs to ensure confidence, comprehensiveness, and effectiveness. Security patches are a fundamental and critical foundation of any organizations security program and should be tested and applied quickly. Organizations should also perform a “health checkup” and review backup strategies, test backups regularly, and ensure backups are easily accessible while also being protected from encryption and deletion. Additionally, organizations should be looking to implement strick controls to limit the usage Windows tools commonly used by attackers such as PSEXEC and WMI.
The CFC will continue to monitor client’s environments for indicators or this variant.
If you have questions or concerns please reach out to the CFC at firstname.lastname@example.org or call the CFC hotline (regional based, refer to the Client Portal for your number.)