Threat Advisory: “Petya” Ransomware Update
June 27, 2017
Multiple sources have reported the spread of the “Petya” ransomware in countries around the world.
Ransomware is a type of malicious software that infects a computer and restricts users' access to the infected machine until a ransom is paid to unlock it. Individuals and organizations are discouraged from paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.
There have been a large number of conflicting reports about the source and cause of this global incident.
Herjavec Group has aggregated information from what we believe to be the most credible sources and researchers to provide the following advice and recommendations.
- The malware is usually described as Petya, Petna, or Goldeneye. It reuses some code from the previously known Petya ransomware but has many new capabilities. There may be more than one variant in circulation.
- An infected machine will display a fake “CHKDSK” screen, warning users that their drive is being checked for errors.
- The initial and earliest infections are associated with the software package “medoc”, which is widely used in Ukraine. Multiple sources confirm that the infection was observed immediately after an auto-update of that software. If you use medoc in your organization, or in any affiliated organization, disable auto-update until this is resolved.
- Once infected, the malware can spread laterally through a network using WMIC and PSExec to run PowerShell.
- This malware will attempt to capture passwords and reuse them for privilege escalation, which can make the attack more devastating.
- A scheduled task for RUNDLL32.exe is created. If a machine is not rebooted before that task executes, administratively removing the scheduled task may prevent execution.
- This malware exploits ETERNALBLUE, which was patched with MS17-010. However, patched machines may still be vulnerable to attacks from already-infected machines, which use WMIC and PowerShell with captured credentials to spread throughout the domain.
- Multiple sources assert that the infection starts with a phishing email associated with a job application. This has not been confirmed.
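The lateral-movement pattern described above (WMIC and PsExec used to launch PowerShell on other hosts) can be turned into a simple detection rule over process-creation telemetry. The following is an added example, not code from the advisory: it evaluates records shaped like Security event 4688 fields and is run here over constructed sample records so it works offline. It assumes that 4688 auditing with command-line logging is enabled, that PsExec's service binary appears as PSEXESVC.exe, and that WMI-spawned processes have WmiPrvSE.exe as their parent.

```powershell
# Added example (not from the advisory). Rule: a script host started by the WMI provider
# host or the PsExec service is flagged. Field names follow Security event 4688.

function Test-RemoteExecLaunch {
    # $true when PowerShell/cmd/rundll32 was started by WmiPrvSE.exe or PSEXESVC.exe.
    param([Parameter(Mandatory)] $Record)
    $parent = [IO.Path]::GetFileName([string]$Record.ParentProcessName)
    $child  = [IO.Path]::GetFileName([string]$Record.NewProcessName)
    $remoteExecParent = $parent -in @('WmiPrvSE.exe', 'PSEXESVC.exe')
    $scriptHostChild  = $child  -in @('powershell.exe', 'cmd.exe', 'rundll32.exe')
    return ($remoteExecParent -and $scriptHostChild)
}

function Get-RemoteExecLaunch {
    # Applies the rule to any collection of records (live events or samples).
    param([Parameter(Mandatory)] [object[]]$Records)
    $Records | Where-Object { Test-RemoteExecLaunch -Record $_ }
}

function Get-ProcessCreationRecord {
    # Projects live 4688 events from the local Security log into the record shape used here.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated       = $_.TimeCreated
            Computer          = $_.MachineName
            NewProcessName    = $data['NewProcessName']
            ParentProcessName = $data['ParentProcessName']
            CommandLine       = $data['CommandLine']
        }
    }
}

# Constructed sample records (not real telemetry): WMI-spawned PowerShell, PsExec-spawned
# cmd, and a benign PowerShell launched from Explorer. Only the first two should be flagged.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2017-06-27 10:01:00'; Computer = 'WS01'
        NewProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentProcessName = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
        CommandLine = 'powershell.exe -NoProfile -EncodedCommand <constructed-placeholder>' }
    [pscustomobject]@{ TimeCreated = '2017-06-27 10:01:05'; Computer = 'WS02'
        NewProcessName = 'C:\Windows\System32\cmd.exe'
        ParentProcessName = 'C:\Windows\PSEXESVC.exe'; CommandLine = 'cmd.exe /c whoami' }
    [pscustomobject]@{ TimeCreated = '2017-06-27 10:02:00'; Computer = 'WS01'
        NewProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentProcessName = 'C:\Windows\explorer.exe'; CommandLine = 'powershell.exe' }
)

Get-RemoteExecLaunch -Records $sample | Format-Table TimeCreated, Computer, ParentProcessName, NewProcessName -AutoSize
```

To run the rule against a live host, replace `$sample` with `Get-ProcessCreationRecord` (elevated session, and expect administrative tooling to also trigger it, so treat hits as leads rather than verdicts).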
Mitigating Techniques for this Current Incident
- Paying the ransom will not work, as the ransom relies on email, and the attacker’s address has been suspended. Also, given the scale of the attack and the manual nature of email, it is unlikely that a timely response would be possible even if the address is restored.
- The malware checks for the existence of the file “C:\Windows\Perfc” and terminates if it exists. It may be practical to create an empty file with that name as a short-term inoculation.
- Consider disabling auto-update for ME-DOC accounting software if it is in use.
- Patch all machines with MS17-010.
- Review your recovery strategy and capability for critical files. Move important files off local machines or create backups of local devices.
- Re-issue an anti-phishing reminder to all staff, particularly warning about WORD, EXCEL, and PDF documents: do not open unexpected attachments, and DO NOT run macros if prompted.
- Update all AV signatures immediately and track acceptance to the entire fleet. Keep refreshing those updates through the day.
- Develop and test a GPO to remove the ability to execute software from %temp% and %appdata% Windows directories if there are no business dependencies that prevent it.
- Use known hash values of the malware to search for infections, or to block it with content-filtering rules.
- Avoid the use of privileged accounts on machines where possible, particularly avoiding domain admin or other privileged accounts in “local Administrators” group.
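Two of the host-level mitigations above (the “Perfc” kill-switch file and the RUNDLL32.exe scheduled task) can be checked and applied with a short script. The following is an added example, not code from Herjavec Group: it reports by default and only changes the host when run with `-Remediate`. It assumes an elevated session on Windows 8 / Server 2012 or later (for `Get-ScheduledTask`), that `C:\Windows\perfc` is the path the advisory names, and that the task is recognised only by an action whose program is rundll32.exe.

```powershell
# Added example (not from the advisory): check/apply the kill-switch file and find
# scheduled tasks that execute rundll32.exe. Report only unless -Remediate is given.

param([switch]$Remediate)

$VaccinePath = Join-Path $env:SystemRoot 'perfc'   # path named in the advisory

function Test-VaccineFile {
    # $true when the kill-switch file already exists.
    return (Test-Path -LiteralPath $VaccinePath -PathType Leaf)
}

function New-VaccineFile {
    # Creates an empty file and marks it read-only so it is not removed by accident.
    if (-not (Test-VaccineFile)) {
        New-Item -Path $VaccinePath -ItemType File | Out-Null
    }
    Set-ItemProperty -LiteralPath $VaccinePath -Name IsReadOnly -Value $true
}

function Get-Rundll32Task {
    # Scheduled tasks with at least one exec action whose program is rundll32.exe.
    Get-ScheduledTask | Where-Object {
        @($_.Actions | Where-Object { $_.Execute -match 'rundll32(\.exe)?"?$' }).Count -gt 0
    } | ForEach-Object {
        [pscustomobject]@{
            TaskName  = $_.TaskName
            TaskPath  = $_.TaskPath
            State     = $_.State
            Arguments = (@($_.Actions | ForEach-Object { $_.Arguments }) -join ' ')
        }
    }
}

if (Test-VaccineFile) { Write-Host "Kill-switch file present: $VaccinePath" }
else                  { Write-Host "Kill-switch file missing: $VaccinePath" }

$tasks = @(Get-Rundll32Task)
Write-Host "Scheduled tasks that execute rundll32.exe: $($tasks.Count)"
$tasks | Format-Table -AutoSize

if ($Remediate) {
    New-VaccineFile
    # Legitimate tasks also use rundll32.exe, so each removal is confirmed interactively.
    foreach ($t in $tasks) {
        Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm
    }
}
```

Review the reported task arguments before confirming any removal; the kill-switch file is a stop-gap for this variant only and does not replace patching.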
General Ransomware Mitigation Steps
- Train your staff to recognize a phishing scam and other common social engineering tactics used by cybercriminals.
- Regularly back up all data on all computers to lower the risk of data loss.
- Unplug the network cable and turn any infected machine off to remove it from the internal network and stop the ransomware from spreading to other devices.
- Consider examining your endpoint protection strategy. Deploying advanced endpoint protection, and Privileged Access Management (PIM/PAM) or PEDM tools to control how privileged accounts can operate, can be very disruptive to ransomware.
- If your business has a BYOD (bring-your-own-device) policy, ensure that your staff are aware of any risks associated with using their own devices at work.
- Regularly update and patch all applications to avoid being exploited by vulnerabilities used by cybercriminals to propagate the ransomware.
- When receiving documents by email, always keep macro scripts disabled and use Office Viewer software to open the downloaded documents.
- Restrict the ability to install software applications using the “Least Privilege” principle for all systems and services.
- Build a stronger security plan by whitelisting certain trusted applications that may be used by employees and requiring the use of a VPN for remote work.
For more information on how you can protect your organization from ransomware, or on the current ransomware incident in particular, please connect with one of our security specialists.
About Herjavec Group
Dynamic IT entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. Herjavec Group delivers SOC 2 Type 2 certified managed security services supported by state-of-the-art, PCI compliant, Security Operations Centers, operated 24/7/365 by certified security professionals. This expertise is coupled with leadership positions across a wide range of functions including consulting, professional services & incident response. Herjavec Group has offices globally including across Canada, the United States, and the United Kingdom. For more information, visit www.herjavecgroup.com.