Petya/NOPetya – Addressing the Destructive Ransomware Attack


A brief research note for Info-Tech’s members.

The facts about Petya/NOPetya

On June 27, 2017, a ransomware variant titled Petya/NOPetya was reported to be spreading across Europe. Since then, it has spread to at least 65 countries. This new variant exercises unique methods of both infection and propagation. Read on to learn more about this malware and how to protect your data.

1. Trusted software updates were used by Petya/NOPetya to initially infiltrate devices. A legitimate software updater process (EzVit.exe) from M.E.Doc, a Ukrainian company offering tax software, is believed to have been the victim of software update hijacking, which was responsible for the initial infections of Petya/NOPetya. These compromised updates were trusted by computers running the relevant software, so the hidden malicious code was able to slip past most defenses when EzVit.exe was downloaded and executed.

2. Petya/NOPetya exhibits worm-like behavior. After obtaining the current user credentials of infected machines via the command line, the CredEnumerateW Windows API, or two executables embedded within Perfc.dat, Petya/NOPetya attempts to spread laterally to other devices on the local network. It uses PsExec or WMI, together with the obtained user credentials or token, to install its wiper-ware on targeted devices. If those devices have not yet applied the MS17-010 patch, Petya/NOPetya uses the EternalBlue or EternalRomance exploit (depending on the operating system) to compromise them.

3. Petya/NOPetya’s encryption was not designed to be reversed. If administrative access was obtained, Petya/NOPetya overwrites the master boot record (MBR) code. During this process, it schedules a task to reboot the machine and then attempts to encrypt the master file table (MFT). Once the computer has been rebooted, the MFT is removed, preventing the computer from booting normally, even if decryption keys could be received.

For more information, please visit:
New ransomware, old techniques: Petya adds worm capabilities
New Ransomware Variant "Nyetya" Compromises Systems Worldwide
Petya, dead but still dancing

Petya/NOPetya’s unique trends

Petya/NOPetya is smarter and more sophisticated than WannaCry. This new malware follows less than a month and a half after WannaCry affected over 200,000 endpoints in over 200 countries. Welcome to the new normal.

1. Petya/NOPetya used a unique vector for initial infection. Petya/NOPetya successfully used trusted software updates from a legitimate software company as its initial malware delivery mechanism. This is one of the first times that a legitimate supply-chain attack has been seen to spread wiper-ware through “trusted updates.”

2. Petya/NOPetya was specifically designed to not allow data to be recovered. If Petya/NOPetya is able to use the Windows API AdjustTokenPrivileges to obtain administrative privileges (i.e. the highest privilege, with SeDebugPrivilege enabled), it attempts to overwrite the MBR code. Failing this, Petya/NOPetya instead erases the first ten sectors of the disk drive. In either case, no copies are saved before removal.

3. Petya/NOPetya is more sophisticated than WannaCry. Petya/NOPetya used several known exploits and legitimate administrative tools to pivot across networks. Patching alone was not enough to stop it. To reduce the impact of these types of attacks, consider the use of application whitelisting and segmentation within your network.

For more information, please visit:
New ransomware, old techniques: Petya adds worm capabilities
New Ransomware Variant "Nyetya" Compromises Systems Worldwide
Petya, dead but still dancing

Immediate actions – If you have not been infected

Patch or Inoculate OS
Update supported software with Microsoft’s March 2017 patch (MS17-010) as soon as possible. Inoculation is only effective for the variant based on the IOCs listed in the appendix of this document.

Back Up Your Data
Make the time to back up all critical data, ideally to devices that are kept offline. Create a disaster recovery plan for backing up and restoring critical data.

Disable Unused Ports
Close all unnecessary ports and adopt the principle of least privilege. The Petya/NOPetya threat specifically targets ports 139 and 445; blocking traffic on these ports will prevent further propagation of Petya/NOPetya. Disable legacy protocols such as SMBv1; the steps are documented in Microsoft Knowledge Base Article 2696547.

Applications
Consider application whitelisting and segmentation within your network to reduce the impact of these types of attacks.

Communicate
Send internal alerts to educate employees on the Petya/NOPetya threat and on proper response and notification. Deliver security training sessions on threat mitigation tactics and foster a culture of organizational situational awareness. Send external alerts to clientele and proactively address any efforts undertaken to combat the threat. Schedule cadence meetings with your managed service providers and third-party vendors to discuss Petya/NOPetya and all corresponding security measures they have undertaken to combat it. Share this intelligence and actively collaborate with external stakeholders to manage any potential risk. Enterprises can demand proof of changes from vendors by asking for evidence such as records of change and patches deployed.

Threat Intelligence
Review your threat intelligence programs (if there are none, refer to Info-Tech for guidance on setting them up) and ensure that they are being consumed and actioned. Timely intelligence can give you a crucial head start against threat actors.

Endpoint Protection
Install EPP vendor updates. Ensure endpoint protection solutions incorporate the most recent indicators of compromise and updated signature lists. Adopt machine learning and heuristic-based analysis to monitor threats in real time.

Leverage IOCs
Block relevant indicators of compromise. Reference the appendix for a comprehensive list of IOCs.

Incident Response
Formalize incident response procedures. Create detailed runbooks that actively address all mitigation and operational procedures in the event that an endpoint is infected. Actively distribute runbooks and collaborate internally so that all security members are aware of the required steps and procedures.

Immediate actions – If you have been infected

Once the threat has been contained, refer back to the mitigation and prevention tactics on the previous slide.

Shut Down
Shut down and disconnect any infected systems as part of your overall risk mitigation strategy. Isolate the infected host where possible. Do not attempt to clean the system or run any AV or malware scans; these processes are done later. Assess your organizational exposure for all internet-facing devices. Determine why open ports are open, and maintain a dynamic and frequently updated listing of active ports. Do not reboot infected devices. Recover any unencrypted data using a live disk/OS.

Don’t Pay
Payment should not be an option. In the case of Petya/NOPetya, paying the ransom will not result in getting files back.

Analyze the Scope
Create an inventory of infected devices so you know what must be restored from backup.

Communicate
Report your experience: organizations that have fallen victim to a ransomware attack are encouraged to work with their local law enforcement office. US-based companies should report the incident to the FBI Internet Crime Complaint Center (IC3). Send internal alerts to educate employees on the Petya/NOPetya threat. If client-facing operations have been impacted, work with your legal or field department to communicate with your customers, and proactively address any efforts undertaken to combat the threat.

Locate Data Backups
Cloud storage (Google Drive, Dropbox, OneDrive): have you shared the data with someone else using a cloud-based storage service? Even if the data is encrypted, these services will often allow you to revert your files to a previous state.
Removable media: did you put the files onto a USB drive, external hard drive, DVD, or other removable media to transfer the data? If you find you have copies on removable media, manually verify the files by restoring them to a separate computer. It is essential to verify files held on physical media, as these tend to deteriorate.

A cost-benefit analysis can easily tell you what you should do when it comes to ransomware

We live in the real world, and often we work for companies looking to maximize their profits. It is practical for them to perform a risk-based cost-benefit analysis to determine whether to pay or not. Consider these variables:

What is the potential harm caused from losing that data or system? Is the data or system critical in nature? What is the potential impact to the information system, the business process, or the organization? Are there adequate backups and a recovery process to minimize operational interruptions?

What is the relative cost associated with paying? Most ransom demands are meant to be reasonable to incite you to pay. For Petya/NOPetya, the ransom is reported to be 300 bitcoins.

What is the probability that your data will be decrypted? Petya/NOPetya was designed to not allow data to be recovered from infected devices. Additionally, the email address associated with paying the ransom has been taken offline; therefore, money can be paid but decryption keys cannot be delivered to users.

What is the probability that once you pay, you may be extorted in the future? An attacker could leave malware on your systems in the form of a backdoor, which they could use to compromise you for additional ransom. An attacker could also spread the knowledge that you are willing to pay, inciting other cybercriminals to attack you.

These considerations result in the conclusion: DON’T PAY. It is the unequivocal recommendation from authorities, vendors, and Info-Tech that you do not pay the ransom. In the case of Petya/NOPetya, paying the ransom will never result in the recovery of your files.

Best practices moving forward

Patching ≠ Security
Just because a patch is available does not mean it has been deployed. Many organizations run a few patching cycles behind. Conduct an inventory of current operating systems and immediately patch vulnerable endpoints. Stay up to date with your patching efforts, and ensure other vulnerability management practices (e.g. hardening, virtual patching, system isolation) are in place where appropriate.

Leverage Threat Intelligence
Take a proactive approach to vulnerability identification. Leverage third-party and open-source vendor websites and mailing lists to actively search for new indicators of compromise and CVEs. Schedule regular scans and prioritize your patching efforts.

Back Up Your Data
Get in the habit of periodically backing up all sensitive data. Whether through cloud-based solutions or offline devices, sensitive data must be frequently backed up and stored in a secure manner.

Assess Port Security
Assess port security and the exposure of internet-facing services related to the affected RDP and SMB services. Standard ports include 139 and 445. Consider disabling unused legacy protocols such as SMBv1.

Plan For The Worst
Formalize incident response procedures. Create detailed runbooks that actively address all mitigation and operational procedures in the event that an endpoint is infected. Actively distribute runbooks and collaborate internally so that all security members are aware of the required steps and procedures.

Block Indicators
Information alone is not actionable. A successful security program contextualizes threat data, aligns intelligence with business objectives, and then builds processes to satisfy those objectives. Actively block indicators and act on gathered intelligence.

Maintain a holistic security program

Petya/NOPetya is a good reminder that security threats are often unknown and unpredictable. The only way to maintain an effective defense is through a comprehensive and flexible security program built around four functions: Prevent, Detect, Analyze, and Respond.

Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Effective anti-malware, diligent patching and vulnerability management, and strong human-centric security are essential.

Detect: There are two types of companies – those who have been breached and know it, and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.

Analyze: Raw data without interpretation cannot improve security, and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but provides visibility into your threat landscape.

Respond: Organizations can no longer rely on an ad hoc response. Don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook in order to reduce incident remediation time and effort.

Use this opportunity to conduct a security program evaluation

Leverage Info-Tech’s various security blueprints:
Design and Implement a Vulnerability Management Program
Select and Implement a Next Generation Endpoint Protection Solution
Integrate Threat Intelligence Into Your Security Operations
Develop and Implement a Security Incident Management Program
Defend Against Ransomware

Effective information security management will help you:
Enhance your organizational security posture: risk reduction; enhanced compliance management; improved organizational situational awareness.
Create and clarify accountability and responsibility: formalized role and process responsibility; enhanced internal and external communication.
Control security costs: incident reduction; streamlined security operations processes; strategy alignment.
Identify opportunities for improvement: defined measurement programs; defined opportunities for continuous improvement.
Improve threat protection: intelligence-driven security operations process; optimized patch management program; improved effectiveness of internal controls; standardized operational use cases.

Appendix: Indicators of compromise

Below is a list of indicators of compromise issued. Take the time to ingest and actively block indicators within all security controls.

File indicators (SHA1)
34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
9717cfdc2d023812dbc84a941674eb23a2a8ef06
38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
56c03d8e43f50568741704aee482704a4f5005ad

Command lines
In environments where command-line logging is available, the following command lines may be searched.

Scheduled reboot task: Petya schedules a reboot for a random time between 10 and 60 minutes from the current time.
schtasks /Create /SC once /TN "" /TR "<system folder>\shutdown.exe /r /f" /ST <time>
cmd.exe /c schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST <time>
This may be surfaced by searching for EventId 106 (General Task Registration), which captures tasks registered with the Task Scheduler service.

Lateral movement (remote WMI):
process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"

Network indicators
In environments where NetFlow data are available, this ransomware’s subnet-scanning behavior may be observed by looking for the following:
Workstations scanning ports tcp/139 and tcp/445 on their own local (/24) network scope
Servers (in particular, domain controllers) scanning ports tcp/139 and tcp/445 across multiple /24 scopes

AMP coverage: W42.Ransomware.Nyetya.Talos

SHA256
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998 (password stealer)

Sources: Microsoft | TechNet; Talos
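The command-line and NetFlow indicators in this appendix can be turned directly into detection logic. The script below is an added example, not part of the original research note or of Microsoft's or Talos's tooling; the command-line events and flow records it checks are constructed samples, and the (src_ip, dst_ip, dst_port) field layout and the eight-target threshold are assumptions.

```python
"""Detection checks for the Petya/NOPetya indicators in the appendix. Added example,
not from the original note; events, flows, field layout and thresholds are constructed."""
import re
from collections import defaultdict
from ipaddress import ip_network

# Appendix pattern 1: a one-shot scheduled task whose action is a forced reboot.
SCHTASKS_REBOOT = re.compile(
    r'schtasks\b.*?/Create\b.*?/SC\s+once\b.*?/TR\s+"[^"]*shutdown\.exe\s+/r\s+/f"', re.I)
# Appendix pattern 2: remote WMI "process call create" running export #1 of perfc.dat.
WMI_PERFC = re.compile(r'process\s+call\s+create\b.*?rundll32\.exe.*?perfc\.dat.*?#1', re.I)
SCAN_PORTS = {139, 445}  # tcp ports named in the network indicators

# Constructed process command lines (assumed to come from command-line auditing).
SAMPLE_COMMAND_LINES = [
    # forced-reboot task from the appendix, with a constructed /ST time
    r'cmd.exe /c schtasks /RU "SYSTEM" /Create /SC once /TN "" '
    r'/TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:35',
    # remote WMI execution of perfc.dat export #1
    r'process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"',
    # benign scheduled job and benign rundll32 use: neither must match
    r'schtasks /Create /SC daily /TN "Nightly backup" /TR "C:\Tools\backup.exe" /ST 02:00',
    r'rundll32.exe shell32.dll,Control_RunDLL',
]
# Constructed NetFlow-style records as (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = (
    [("10.0.1.20", f"10.0.1.{i}", 445) for i in range(1, 13)]                         # workstation sweeping its /24
    + [("10.0.0.5", f"10.0.{s}.{i}", 139) for s in (1, 2, 3) for i in range(10, 14)]  # DC sweeping three /24s
    + [("10.0.1.30", "10.0.1.50", 445)] * 3 + [("10.0.1.30", "10.0.1.50", 80)]        # ordinary file-server use
)

def classify_command_line(cmd):
    """Return an indicator label for one process command line, or None."""
    if SCHTASKS_REBOOT.search(cmd):
        return "scheduled_reboot_task"
    if WMI_PERFC.search(cmd):
        return "wmi_lateral_movement"
    return None

def classify_smb_scanners(flows, min_targets=8):
    """Flag sources touching tcp/139 or tcp/445 on >= min_targets distinct hosts.
    Confined to its own /24 = workstation indicator; several /24s = server/DC indicator."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        if port in SCAN_PORTS and dst != src:
            targets[src].add(dst)
    findings = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue  # a handful of SMB peers is normal file-server traffic
        own_net = ip_network(f"{src}/24", strict=False)
        nets = {ip_network(f"{d}/24", strict=False) for d in dsts}
        findings[src] = "local_24_sweep" if nets == {own_net} else "multi_subnet_sweep"
    return findings

def run_checks(command_lines=SAMPLE_COMMAND_LINES, flows=SAMPLE_FLOWS):
    """Run both checks and return findings as plain data for a report or SIEM rule."""
    hits = [(classify_command_line(c), i) for i, c in enumerate(command_lines)]
    return {"command_lines": [h for h in hits if h[0]], "scanners": classify_smb_scanners(flows)}

if __name__ == "__main__":
    print(run_checks())
```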