For Petya’s sake, learn from these attacks!

Matt Hillman, Security Researcher
July, 2017
3 mins read

Update that MeDoc!

The initial infection path was through a poisoned supply chain; the Ukrainian accounting software MeDoc delivered a malicious software update. This served not only as a delivery mechanism, but also a disguise, as legitimate software was hijacked. The limited target group may help non-Ukraine-based CISOs sleep at night, but with its ability to worm through interconnected networks the ransomware quickly turned into a nightmare for some.


Updating software regularly is what you are supposed to do; it is meant to make your network safer. Yet in this instance, it proved to be the cause of a potential disaster. Could you contain the situation if your supply chain was compromised?


What can you do?

  • Segregate your network into logical zones using firewall rules, user groups and overall architecture. Consider supply chain issues as well as machine type and business unit.
  • Be aware of connections to partners or regional offices and what types of communication can occur between them.
  • Where possible, audit suppliers.


Escalation and expedition

After gaining access to an endpoint, Petya/NotPetya is able to spread to further machines via multiple methods. For instance, the malware is able to use both the EternalBlue and EternalRomance Server Message Block (SMB) exploits. However, the recent WannaCry ransomware outbreak drew attention to Microsoft Security Bulletin MS17-010, which patched both exploits, meaning infrastructure may have been more likely to be patched against them.


Just for such an eventuality, Petya/NotPetya also attempts to steal credentials and authentication tokens that can be used to access other machines. If credentials can be obtained, Microsoft’s psexec and the Windows Management Instrumentation (WMI) framework become the vectors to spread across the network. This makes Petya/NotPetya a particularly challenging threat to block, as simply ensuring all patches are applied and that you have strong passwords set will not be sufficient. Rather, alongside patching and password policy, the network as a whole needs to be designed with containment in mind. Segregation at the network and user account level, and the principle of least privilege and minimum access for user groups, become very important.


What to do

  • For Petya/NotPetya, patch MS17-010; in general, ensure all patches are regularly applied.
  • Limit what credentials can be recovered with Windows features like Protected User Groups. Disable old protocols like SMB version 1; this version is a factor in the exploits used by Petya/NotPetya.
  • Avoid using administrator accounts when there is no need to do so.
  • For detecting malware in general, look for malicious behaviour rather than relying only on static signatures, as traditional anti-virus does.
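The last two sections describe lateral movement with stolen credentials over psexec and WMI, and recommend behavioural detection over signatures. The following Python script is an added example, not code from the original article or from F-Secure: it scans constructed Windows event records (the event IDs 7045 "service installed" and 4688 "process created" are real; the hosts, paths and records are made up) for a PsExec-style service install and for processes spawned by the WMI provider host, then flags the same technique hitting several hosts, which is what a worm looks like and an administrator usually does not.

```python
"""Behavioural detection of psexec/WMI-style lateral movement (added example)."""
from collections import defaultdict

# Constructed sample events. 7045 comes from the System log ("A service was
# installed"), 4688 from the Security log ("A new process has been created");
# 4688 requires process-creation auditing to be enabled.
SAMPLE_EVENTS = [
    {"host": "ws01", "id": 4688, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe"},
    {"host": "fs02", "id": 7045, "service": "PSEXESVC",
     "image": r"C:\Windows\PSEXESVC.exe"},
    {"host": "fs02", "id": 4688, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"host": "db03", "id": 4688, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"host": "ws04", "id": 4688, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},
]

# The WMI provider host rarely spawns children in normal use; a child process
# here is a strong behavioural signal of remote WMI execution.
WMI_HOST = "wmiprvse.exe"
# Default service name PsExec registers. Renamed tools evade this, so in
# production also baseline every 7045 event rather than only this name.
PSEXEC_SERVICE = "psexesvc"


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (host, rule, detail) alerts for the two behaviours."""
    alerts = []
    for e in events:
        if e["id"] == 7045 and e.get("service", "").lower() == PSEXEC_SERVICE:
            alerts.append((e["host"], "psexec_service_install", e["service"]))
        elif e["id"] == 4688 and basename(e["parent"]) == WMI_HOST:
            alerts.append((e["host"], "wmi_spawned_process", basename(e["image"])))
    return alerts


def spreading(events, min_hosts=2):
    """Rules that fired on at least min_hosts distinct hosts: worm-like spread."""
    per_rule = defaultdict(set)
    for host, rule, _ in detect(events):
        per_rule[rule].add(host)
    return {rule: sorted(hosts) for rule, hosts in per_rule.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT", *alert)
    print("SPREADING", spreading(SAMPLE_EVENTS))
```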


Lost keys

The Petya ransomware family encrypts the Master File Table (MFT), which is needed to properly read files from the hard drive. This variant of Petya/NotPetya, however, throws away the encryption key and does not save the information required to decrypt it again. This makes it impossible for the authors to decrypt your drive, which is why some people characterize it as a wiper, not true ransomware. The intentions of the authors remain uncertain.


That this malware arrived so soon after WannaCry’s rapid spread suggests that high impact, targeted ransomware is going to become more prevalent and relevant to large organizations. When breaches occur, having practiced internal processes can help mitigate the impact. For serious breaches, many organizations need the specialized support of an accredited incident response team.


More detail on this topic can be found in F-Secure Countercept’s analysis and FAQ on Petya/NotPetya.
