Securing business data

Blog Item

Global Ransomeware Outbreak. What we know.

by Shannon Simpson | Jun 27, 2017
Update 28th June 2017

Here's a summary of the NotPetya outbreak:

The malware uses a number of tools to move through a network, infecting machines as it goes. It uses a tweaked build of open-source Minikatz to extract network administrator credentials out of the machine's running memory. It uses these details to connect to and execute commands on other machines using PsExec and WMIC to infect them.

It also uses a modified version of the NSA's stolen and leaked EternalBlue SMB exploit, previously used by WannaCry, plus the EternalRomance SMB exploit, to infect other systems by injecting malicious code into them. These cyber-weapons attack vulnerabilities patched by Microsoft earlier this year, so the credential theft is usually more successful, at least at places that are on top of their Windows updates.

Crucially, NotPetya seeks to gain administrator access on a machine and then leverages that power to commandeer other computers on the network: it takes advantage of the fact that far too many organisations employ flat networks in which an administrator on one endpoint can control other machines, or sniff domain admin credentials present in memory, until total control over the Windows network is achieved.

One way to gain admin access is to use the NSA exploits. Another way is to trick a user logged in as an admin or domain admin into running a booby-trapped email attachment that installs and runs the malware with high privileges. Incredibly it is still common place in IT environments where system administrators use domain admin privileges on their own PC’s or local admin rights are assigned to a user in the vain attempt to not bother IT techies with constant requests for the ‘admin’ password to allow a piece of software to run!

Another way is to feed a malicious software update to an application suite running as admin or domain admin, which starts running the malware on the corporate network again with high privileges. Current theories include NotPetya got into corporate networks as an admin via a hijacked software update for a Ukrainian tax software tool, and via phishing emails, although this does not explain the global infection rates seen.

With admin access, the malware can not only lift credentials out of the RAM to access other internal systems, it can rewrite the local workstation's hard drive's MBR so that only it starts up when the machine reboots, rather than Windows, allowing it to display the ransom note; it can also encrypt the filesystem tables and files on the drive.

NotPetya uses AES-128 to scramble people's data. Needless to say, don't pay the ransom – there's no way to get the keys to restore your documents as the email account provided in the ransom note no longer is accessible.

The spread of this new ransomware is likely to be much slower than last month's WannaCry attack, researchers predict, as code analysis showed the new attack did not attempt to spread itself beyond the network it was placed on.

If you have not done this from WannaCry outbreak, the following is highly recommended:

·        Back up your data and store or separate environment

·        Patch, patch, patch

·        disable SMBv1 for good measure

·        block outside access to ports 137, 138, 139 and 445,

·        follow best practices and not allow local administrators carte blanche over the network

·        reduce workstation and laptop user accounts down from local administrator

·        tightly limit access to domain admin accounts and privileges

·        Creating the read-only file C:\Windows\perfc.dat on your computer prevents the file-scrambling part of NotPetya running, but doesn't stop it spreading on the network. Note, the software is designed to spread internally for less than an hour and then kicks in; it doesn't attempt to spread externally across the internet like WannaCry did.

·        Re-iterate to all users not to open attachments from unknown senders and follow internal security guidelines for reporting suspected security incidents including attempts to compromise e.g. phishing emails!

Whilst many Anti-virus vendors are producing updates and signatures to detect and combat against this latest threat, relying on AV vendors as your main defence would be ill advisable.

27th June

A global ransomware outbreak is currently impacting a large number of organisations across many countries. The outbreak appeared to originate in the Ukraine with infections reported in the UK, Spain, France and other European nations.

A number of early warning signs are pointing towards yet another large scale ransomware styled attack; while the early temptation is to draw comparisons to the previously noted WannaCry outbreak we should be clear - there are some similarities but this is not WannaCry Version 2.

Early analysis points to the use of the Eternal Blue exploit code being used in part for propagation; patches for this were released a while back by Microsoft and should be applied accordingly as a first step in protecting systems from such malware. 

Solution

EternalBlue

Addressed byMS17-010

EmeraldThread

Addressed byMS10-061

EternalChampion

Addressed byCVE-2017-0146&CVE-2017-0147

“ErraticGopher”

Addressed prior to the release of Windows Vista

EsikmoRoll

Addressed byMS14-068

EternalRomance

Addressed byMS17-010

EducatedScholar

Addressed byMS09-050

EternalSynergy

Addressed byMS17-010

EclipsedWing

Addressed byMS08-067

It should be noted at this stage that the new strain of malware is thought to be based around older malware variants named Petya, and has subsequently been dubbed Petya-EternalBlue by some analysts given its use of the exploit as a propagation vector.

Once infected the malware will demand a payment of $300 in bitcoin, using the contact details wowsmith123456@posteo(.)net

The Petya malware is particularly nasty in that it can rewrite the Master File Table (MFT) and Master Boot Record (MBR) of the operating system and install its own custom bootloader to display a ransom message to the victim. Information thus far about the malware is somewhat misleading - initial analysis suggests it does not possess the ability to encrypt files, while this may be true of old variants - the latest most certainly can.

The inspiration of WannCry can defiantly be felt, however, unlike WannCry, there is no kill switch (at least at the time of writing), so expect this malware to be around for some time as it will not be so easily stopped.

On a closing note for now, the malware drops in a couple of interesting files - PsExec being the headline act for now; this tool is part of the Sysinternals suite and is subsequently not often detected by anti-virus systems. It can however be used to login to systems remotely via SMB and perform a large number of administrative tasks, it's presence here is worrying and would suggest that following an initial foothold into an environment using something like the Eternal Blue exploit, it could potentially be spreading using this tool as well, which for now would likely go undetected until it is too late.

CNS Group are all still researching this latest outbreak, therefore content may change suddenly as more details are identified.

Please contact the CNS SOC on 0345 0945 065 or soc@cnsgroup.co.uk if you have any concerns.
call us

Get in touch

Talk to our experts today +44 (0) 20 7592 8800

Send us a message

We'll get back to you Send us a message

Connect with us

See what we're saying elsewhere