Ukraine’s power distributor, one of the world’s largest snack companies, and even Chernobyl’s radiation monitoring systems were among the hundreds of businesses and organizations around the globe reporting that they’d been infected by ransomware from the Petya family on Tuesday.
Though the initial attack vector has not yet been identified, F-Secure analysis finds that this strain of Petya uses the EternalBlue exploit, which Microsoft patched in March and which gained prominence in May of 2017 thanks to WannaCry, the largest ransomware outbreak ever. These exploits, identified by the National Security Agency, did not become public until the hacking group the Shadow Brokers released them early this year.
F-Secure Labs has been warning about the dangers of leaked government surveillance tools being weaponized by criminals for years. These warnings have now become a reality that businesses will have to contend with for years to come.
WannaCry proved a viable business model for criminals. Ransomware that spreads like a worm through a network could hold much of an organization’s data hostage, demanding cash delivered in the form of Bitcoin in return for relief. But WannaCry’s damage was quickly minimized due to sloppy coding that allowed a kill switch to be activated by a malware researcher who was actually on vacation at the time.
Now Petya appears to be a much more professional attempt to employ similar methods.
“This is what WannaCry looks like in the big leagues,” said Sean Sullivan, F-Secure Security Advisor. “Amateurs infected a lot of people last time. This time these guys want to cash in.”
Unlike other ransomware, Petya has an “evil twist” – it encrypts portions of the hard drive making Windows inaccessible. Though the family has been around more than a year, no version of it has used network exploits before.
As of Tuesday afternoon, more than $6,000 had already been collected in the Bitcoin wallet into which Petya demands payment, according to this Twitter account tracking payments.
Here’s the good news: F-Secure products block the new Petya variant
Our endpoint products prevent all examples of the threat. F-Secure’s vulnerability management product flags the exploited vulnerabilities within the system for remediation. Finally, F-Secure’s managed incident response service detects the attack and enables immediate response to the threat.
F-Secure endpoint products offer protection against the Petya ransomware on several layers to ensure that the attack can be stopped in multiple points during the attack chain.
- F-Secure’s integrated patch management feature, Software Updater, prevents the new Petya ransomware variant from exploiting the EternalBlue vulnerability by automatically deploying the related security patches.
- F-Secure’s Security Cloud functionality detects and blocks the DLL file used by the ransomware.
- F-Secure’s Anti-Malware engine detects and blocks the threat via multiple complementary signature detections.
- F-Secure’s default firewall settings prevent the Petya attack from spreading laterally in the environment and encrypting files.
F-Secure’s vulnerability manager, F-Secure Radar, flags the missing Microsoft security patch and the exposed port 445 for immediate action by IT administrators, giving them ample time to fix the vulnerabilities before an outbreak.
F-Secure’s managed incident response service, F-Secure Rapid Detection Service, detects a large number of the TTPs used by Petya, such as abusing rundll32 and other Microsoft components, allowing our customers to take immediate remediation actions in case the infection is detected.
What should you do?
F-Secure endpoint products block the Petya attacks with their default settings. However, it is good to check that all security functions are enabled. You should also take steps to mitigate the exploited vulnerability and prevent the attack from spreading in your environment.
- Ensure DeepGuard and real-time protection are turned on in all your corporate endpoints.
- Ensure that F-Secure Real-time Protection Network is turned on.
- Ensure that your F-Secure security program is using the latest database updates available.
- Identify endpoints without the Microsoft-issued patches (4013389) using Software Updater or another available tool, and patch them immediately.
- Apply MS17-010 to Windows Vista and later (Windows Server 2008 and later).
- Apply Microsoft’s patch to Windows XP or Windows Server 2003.
- If you are unable to patch immediately, we recommend disabling SMBv1 using the steps documented in Microsoft Knowledge Base Article 2696547 in order to reduce the attack surface.
- Ensure that the F-Secure firewall is turned on with its default settings. Alternatively, configure your firewall to properly block inbound and outbound traffic on port 445 within the organization to prevent the ransomware from spreading within the environment.
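To make the patch, SMBv1 and port 445 checks above repeatable across endpoints, here is an added PowerShell audit script; it is example code written for this post, not an F-Secure product feature. It assumes the hotfix ID to look for is the one cited above (4013389), that it runs in an elevated session, and that the built-in SmbShare and NetSecurity modules are present (it falls back to the registry value from KB2696547 where SmbShare is missing).

```powershell
# Added example (not F-Secure's own tooling): audit one Windows host for the
# three mitigations listed above. Run in an elevated PowerShell session.
# Assumption: the hotfix ID to check defaults to the one cited in this post
# (4013389); the per-OS MS17-010 update ID may differ, so pass the right list.
param(
    [string[]]$Ms17010Kbs = @('KB4013389')
)

$findings = [ordered]@{}

# 1. Is an MS17-010 update installed? Get-HotFix reads the installed-update list.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$findings['MS17-010 patch installed'] =
    [bool]($Ms17010Kbs | Where-Object { $installed -contains $_ })

# 2. Is SMBv1 disabled on the server side? (KB2696547 describes how to disable it.)
$smbConfig = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($smbConfig) {
    $findings['SMBv1 disabled'] = -not $smbConfig.EnableSMB1Protocol
} else {
    # Older systems without the SmbShare module: check the registry value from KB2696547.
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -ErrorAction SilentlyContinue
    $findings['SMBv1 disabled'] = [bool]($reg -and $reg.SMB1 -eq 0)
}

# 3. Does an enabled host-firewall rule block inbound TCP 445 (or all inbound TCP)?
$blockRules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object {
        $ports = $_ | Get-NetFirewallPortFilter
        $ports.Protocol -eq 'TCP' -and ($ports.LocalPort -contains '445' -or $ports.LocalPort -eq 'Any')
    }
$findings['Inbound TCP 445 blocked by host firewall'] = [bool]$blockRules

# 4. How many SMB sessions are established right now? Helps judge the impact of blocking 445.
$findings['Established inbound SMB sessions'] =
    (Get-NetTCPConnection -LocalPort 445 -State Established -ErrorAction SilentlyContinue | Measure-Object).Count

$findings.GetEnumerator() | ForEach-Object { '{0,-45} : {1}' -f $_.Key, $_.Value }
```

Any host reporting False for the first three findings is the one to prioritise; the session count tells you whether cutting 445 will interrupt legitimate file-share traffic.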
What should you do if you were infected?
- Change all file permission rights to read-only access for all users on internal network file shares, or disconnect all major file share drives, NAS, SAN, etc. where possible to limit any potential infection where read-only access cannot be configured.
- Check your system health monitoring infrastructure to see which IT assets have shown a sharp rise in disk read and write activity.