Matt Hillman, Security Researcher
The initial infection path was through a poisoned supply chain; the Ukrainian accounting software MeDoc delivered a malicious software update. This served not only as a delivery mechanism, but also a disguise, as legitimate software was hijacked. The limited target group may help non-Ukraine-based CISOs sleep at night, but with its ability to worm through interconnected networks the ransomware quickly turned into a nightmare for some.
Updating software regularly is what you are supposed to do; it is meant to make your network safer. Yet in this instance, it proved to be the cause of a potential disaster. Could you contain the situation if your supply chain was compromised?
What can you do?
After gaining access to an endpoint, Petya/NotPetya is able to spread to further machines via multiple methods. For instance, the malware is able to use both the EternalBlue and EternalRomance Server Message Block (SMB) exploits. However, the recent WannaCry ransomware outbreak drew attention to the Microsoft Security Bulletin MS17-010, which patched both exploits, meaning infrastructure may have been more likely to have been patched against them.
Just for such an eventuality, Petya/NotPetya also attempts to steal credentials and authentication tokens that can be used to access other machines. If credentials can be obtained, Microsoft’s PsExec and the Windows Management Instrumentation (WMI) framework become the vectors to spread across the network. This makes Petya/NotPetya a particularly challenging threat to block, as simply ensuring all patches are applied and that you have strong passwords set will not be sufficient. Rather, alongside patching and password policy, the network as a whole needs to be designed with containment in mind. Segregation at the network and user account level, and the principle of least privilege and minimum access for user groups, become very important.
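As an added example (not part of the original article and not F-Secure Countercept's own tooling), the following Python script shows how the PsExec and WMI spreading methods described above could be surfaced in Windows event telemetry: a 7045 service installation naming the PsExec helper service, a Sysmon process-creation event where the WMI provider host spawns a shell, and one account performing network logons to many hosts in a short window, which is what reused stolen credentials look like. The event records, host names and account names are constructed for illustration, and the thresholds are assumptions to be tuned per estate.

```python
"""Surface PsExec- and WMI-style lateral movement in Windows event records.

Added example, not code from the original article or F-Secure Countercept.
Field names follow common Windows Security, System and Sysmon log fields;
the records, hosts, accounts and timestamps below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Rule thresholds: assumptions for this example, tune to your environment.
FANOUT_HOSTS = 3                          # distinct hosts one account reaches...
FANOUT_WINDOW = timedelta(minutes=10)     # ...inside this window
SUSPICIOUS_WMI_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe",
                           "wscript.exe", "cscript.exe"}

# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    # System 7045: PsExec installs its helper service PSEXESVC on the target.
    {"EventID": 7045, "Channel": "System", "Computer": "FIN-WS-07", "Time": "2017-06-27T10:01:00",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "Account": "CORP\\svc-backup"},
    # Benign 7045: a legitimate agent installation (constructed name).
    {"EventID": 7045, "Channel": "System", "Computer": "FIN-WS-19", "Time": "2017-06-27T09:30:00",
     "ServiceName": "BackupAgent", "ImagePath": "C:\\Program Files\\BackupAgent\\agent.exe", "Account": "LocalSystem"},
    # Sysmon 1: WMI provider host spawning a shell, typical of remote WMI execution.
    {"EventID": 1, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "FIN-WS-12",
     "Time": "2017-06-27T10:04:00", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\svc-backup"},
    # Benign Sysmon 1: a user opening an editor from Explorer.
    {"EventID": 1, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "FIN-WS-12",
     "Time": "2017-06-27T10:05:00", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe", "User": "CORP\\alice"},
    # Security 4624 LogonType 3 (network logon): one account fanning out to three hosts.
    {"EventID": 4624, "Channel": "Security", "Computer": "FIN-WS-07", "Time": "2017-06-27T10:00:00",
     "LogonType": 3, "TargetUserName": "CORP\\svc-backup"},
    {"EventID": 4624, "Channel": "Security", "Computer": "FIN-WS-12", "Time": "2017-06-27T10:03:00",
     "LogonType": 3, "TargetUserName": "CORP\\svc-backup"},
    {"EventID": 4624, "Channel": "Security", "Computer": "FIN-WS-19", "Time": "2017-06-27T10:07:00",
     "LogonType": 3, "TargetUserName": "CORP\\svc-backup"},
    # Benign logons: an interactive logon and a single network logon.
    {"EventID": 4624, "Channel": "Security", "Computer": "FIN-WS-12", "Time": "2017-06-27T10:02:00",
     "LogonType": 2, "TargetUserName": "CORP\\alice"},
    {"EventID": 4624, "Channel": "Security", "Computer": "FIN-FS-01", "Time": "2017-06-27T10:06:00",
     "LogonType": 3, "TargetUserName": "CORP\\bob"},
]


def _basename(path):
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_psexec_service(events):
    """Flag System 7045 events that install PsExec's PSEXESVC helper service."""
    hits = []
    for e in events:
        if e["EventID"] == 7045 and e["Channel"] == "System":
            name = e.get("ServiceName", "").upper()
            path = e.get("ImagePath", "").upper()
            if "PSEXESVC" in name or "PSEXESVC" in path:
                hits.append({"rule": "psexec_service_install", "host": e["Computer"],
                             "account": e.get("Account", "")})
    return hits


def detect_wmi_spawn(events):
    """Flag Sysmon process creations where WmiPrvSE.exe spawns a shell or script host."""
    hits = []
    for e in events:
        if e["EventID"] == 1 and e["Channel"].startswith("Microsoft-Windows-Sysmon"):
            parent = _basename(e.get("ParentImage", ""))
            child = _basename(e.get("Image", ""))
            if parent == "wmiprvse.exe" and child in SUSPICIOUS_WMI_CHILDREN:
                hits.append({"rule": "wmi_remote_exec", "host": e["Computer"],
                             "account": e.get("User", "")})
    return hits


def detect_logon_fanout(events, min_hosts=FANOUT_HOSTS, window=FANOUT_WINDOW):
    """Flag an account whose network logons (4624 type 3) reach many hosts within the window."""
    by_account = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624 and e.get("LogonType") == 3:
            by_account[e["TargetUserName"]].append((datetime.fromisoformat(e["Time"]), e["Computer"]))
    hits = []
    for account, logons in by_account.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits.append({"rule": "network_logon_fanout", "account": account, "hosts": sorted(hosts)})
                break  # one finding per account is enough to raise
    return hits


def run_all(events):
    """Run every rule and return the combined findings."""
    return detect_psexec_service(events) + detect_wmi_spawn(events) + detect_logon_fanout(events)


if __name__ == "__main__":
    for finding in run_all(SAMPLE_EVENTS):
        print(finding)
```

The three rules are deliberately independent so each can be fed from whichever log source is available; in practice the fan-out rule is the one that survives an attacker avoiding PsExec's service name, because it keys on authentication behaviour rather than on a tool, which is also why the account-level segregation the paragraph calls for matters: a service account that legitimately needs to reach every host will trip it and needs an explicit allow-list.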
What to do
The Petya ransomware family encrypts the Master File Table (MFT), which is needed to properly read files from the hard drive. This variant of Petya/NotPetya, however, throws away the encryption key and does not save the information required to decrypt it again. This makes it impossible for the authors to decrypt your drive, which is why some people characterize it as a wiper, not true ransomware. The intentions of the authors remain uncertain.
That this malware arrived so soon after WannaCry’s rapid spread suggests that high impact, targeted ransomware is going to become more prevalent and relevant to large organizations. When breaches occur, having practiced internal processes can help mitigate the impact. For serious breaches many organizations need the specialized support of an accredited incident response team.
More detail on this topic can be found in F-Secure Countercept’s analysis and FAQ on Petya/NotPetya.