WannaCry 2.0? Thoughts on the Petya Malware

Gui Cozzi
| 6/29/2017
WannaCry 2.0? Thoughts on the Petya Malware

A new ransomware variant has hit organizations across the world. It shares a name with similar ransomware strains from 2016, Petya/NotPetya. At this time, it seems that governmental and infrastructure organizations in Europe were most affected by this malware. Petya is exploiting a vulnerability in Microsoft Windows presumed to have been discovered and weaponized by the National Security Administration (NSA). Earlier this year, this cyber weapon, called EternalBlue, is believed to have been stolen and released publicly by a group called the Shadow Brokers.

Petya has only a few similarities to WannaCry beyond the use of EternalBlue. The threat actors who deployed Petya appear to have learned from WannaCry, and they seem to have used additional offensive techniques including the following:

  1. Once the initial computer is infected, the malware has the ability to spread within and to other computers by exploiting nearby systems vulnerable to EternalBlue.
  2. There is no “command and control” (C2) in which the malware contacts a system controlled by the threat actor. Blocking this had the unexpected effect of a “kill switch” for the WannaCry malware outbreak in May 2017.
  3. Petya takes advantage of weak endpoint configurations to steal credentials from an infected system and uses these to spread to nearby systems via common lateral execution techniques. This method can be used to infect systems that have been patched against the EternalBlue exploit.
  4. Systems that are unable to be encrypted due to lack of permissions by the malware process may still act as carriers for the malware and spread it to other systems in the network.
  5. Petya encrypts the system hard drive and the master boot record, resulting in the loss of all data on the primary hard drive. Some other ransomware strains encrypt only certain files on the local system and across network shares.

It is not clear if this new Petya ransomware has any connection to the Petya ransomware of 2016, although it uses similar tactics including the full-disk encryption. Crowe has seen these tactics in other ransomware, such as Mamba and Micha released in 2016, but there is no clear connection to a specific threat actor or group or to the intent of the ransomware.

While the malware is sophisticated in the use of credential theft, lateral movement, and full-disk encryption, questions remain about the authors’ intent and plan for the malware. This strain used a public email service based in Germany called Posteo, which took the email account down after the outbreak became public. Approximately 32 payments were sent by victims to the bitcoin address for payments before the email address was taken down. Additional payments were made after Posteo took down the email. Currently, the Petya malware has no way to be decrypted and no way for victims to contact the authors or receive a decryption key.

The fact that WannaCry had a kill switch greatly reduced its effectiveness and ability to spread. Could this have led some organizations to feel safe or overconfident once they learned hitting the kill switch was possible?

As Crowe has previously shared on its Cybersecurity Watch blog, WannaCry could have been prevented with basic and sound information security practices. The practices shared in a May 15, 2017, post remain 100 percent relevant.

When meeting malware threats, organizations don’t need special protections. They simply need to use a layered security approach to protect themselves. Organizations should consider implementing the following tactics:

  • Rapid patch management. Organizations should install MS17-010 – but that only solves today’s problem. What about tomorrow’s flavor of the day? A security program that is reactionary in nature is not going to be effective in the long run. Organizations should implement a robust vulnerability and patch management program to proactively identify vulnerabilities and patch them before adversaries can take advantage of them.
  • Principle of least privilege. Users should not have local administrative rights. If they do, they essentially are conducting some of the highest-risk activities (email and web browsing – where the majority of malware comes from) with the highest privilege, which could, in turn, inadvertently grant that right to malware.
  • Minimization. Only services that are necessary for a system to function should be exposed to the internet. Organizations that are good at the security principle of minimization (on both internal and external networks) drastically reduce the amount of data that can be attacked to make themselves a much smaller, harder-to-hit target for opportunistic threat actors.
  • Network content filtering. Controlling what is allowed in and out of the network through content filtering solutions (such as web proxies and email filters) can further reduce an organization’s exposure to attack and help prevent known threats.
  • Malicious code protections. These protections can come in many forms – including anti-virus and application whitelisting, both of which can be effective in helping prevent unwanted code execution.
  • Backups. Organizations should ensure they have the ability to recover their data if all other preventive controls fail.
  • Incident response plan. In addition to having backups, it is essential to have a plan outlining how to respond in the event of a cyber incident.

Ransomware is here to stay, and it will be part of cybersecurity for the foreseeable future. According to the 2017 Verizon Data Breach Investigations Report (DBIR), “51 percent of data breaches analyzed involved malware. Ransomware rose to the fifth most common specific malware variety [and] saw a 50 percent increase from last year’s report, and a huge jump from the 2014 DBIR where it ranked 22 in the types of malware used.”

Although we do not have all the information regarding Petya at this time, it is clear that the organizations that have been affected by this latest ransomware do not have all these above-mentioned practices in place. Especially after all the press coverage about the critical importance of installing MS17-010, why are so many organizations still vulnerable to these threats? Industry is replaying old mistakes. Did global organizations not learn after the Code Red computer worm in 2001 (Microsoft Security Bulletin MS01-033), in which a patch also was available one month before the vulnerability was exploited?

Implementing sound information security practices can be a challenging task for some organizations. As the saying goes, “Security is a journey, not a destination.” While the list of recommendations here can appear simple, each one of these line items represents a comprehensive program. And each has budget, people, process, and technology components that need to be accounted and planned for and correctly executed and monitored.

Security is everyone's responsibility. Sometimes it’s necessary to bring an external specialist in to help understand the specific challenges. Until these program items can be properly addressed, organizations will still be vulnerable to each new variant of ransomware and other similar malware. Complacency is not an option because now more than ever, the question is when, not if.

So, in the meantime, what should you do about Petya?

  1. Confirm that your organization has the latest security updates installed. Microsoft has released a patch to fix this vulnerability.
  2. Do not open email or attachments from unknown or untrusted sources.
  3. Make sure that your organization's business data is saved in an approved storage medium that is secure and properly backed up – preferably with a copy backed up offline.
  4. Report any suspicious computer activities to your IT or security department.
  5. Verify that your organization has an incident response plan to deal with a ransomware incident should it be affected. Especially, monitor for events indicating unexpected lateral movement on systems, including the use of PsExec and Windows Management Instrumentation Command-line (WMIC).

For comprehensive, in-depth cybersecurity guidance, contact us.