Overnight we have seen yet another Global Ransomware Outbreak, again beginning in Europe. It’s not yet known of the full extent of the outbreak, but this advisory is designed to provide the most up to date information for our customers as at 9.48am on Wednesday 28th June 2017 AEST.
If you are using Symantec Email Security.cloud or up to date Symantec Endpoint Protection 14, indications at this stage are that you are protected. However, you should still patch your Microsoft systems with MS17-010, if not already done following the Wannacry outbreak.
HOW DO YOU GET INFECTED?
- Critically, the attack is currently evolving and it’s delivery mechanism may also vary.
- We understand that this malware variant is leveraging a modified version of the Eternal Blue Exploit kit and MS17-010 SMB vulnerability used by WannaCry, there is as yet no confirmed reports of email being used as the initial infection vector.
- Additionally, researchers have identified that propagation is also occurring via the use of the Software Update mechanism built into an accounting program known as M.E.Doc, a program used by the Ukrainian Government and its connected entities.
- It is believed that this variant may include additional payload capabilities, including the use of a bundled tool known as LSADump designed to gather passwords and steal credential data from Windows machines and Domain Controllers found on the network.
- The email service which was hosting the address to which infected victims were instructed to send ransom payments has now closed the account, meaning that file recovery via ransom payment is currently not possible
IS IT RANSOMWARE?
Yes – The ransomware element of Petya requires Window Administrator rights, however with basic level Window User Rights, Petya is still able to propagate onto other insecure Windows devices it sees on the connected local area network.
ATTACK CHAIN
- The malware overrides and encrypts the Master Boot Record (MBR) and Master File Tree (MFT). Overriding the MBR makes it impossible boot the system without remediation, effectively forcing the users to pay the ransom in order to regain access.
- The user is presented with a pop up window advising that the machine is about to reboot.
- Following the reboot, rather than loading the Operating System, it is reported that the user is faced with a fake CheckDisk/ChkDsk operation.
- The use of the fake CheckDisk/ChkDsk operation is intended to afford the Ransomware more time to encrypt the key files on the system prior to being detected and stopped by the user.
- Rather than checking your hard disk, the Ransomware is encrypting your files.
- The resulting ransom message demands payment of $300 worth of Bitcoin.
HOW DO I PROTECT MY COMPANY?
AT THIS EARLY STAGE, WE RECOMMEND THE FOLLOWING:
- Advise users to be vigilant and to disconnect and isolate any systems suspected of being infected.
- Ensure the Microsoft MS17-010 security update is applied to all Windows systems or disable SMBv1, as it prevents Petya from rapidly spreading within your network.
- Adopt a robust Patch Management Process, ensure all Critical Security updates are quickly applied, they are marked as critical for a reason!
- Have Anti-Virus running on all Microsoft Windows systems, with AV definitions kept up-to-date. Most anti-virus solutions are now detecting and preventing the latest Petya strain – see Virus Total.
- Ensure Firewall rules are appropriately locked down to prevent the exploit of the vulnerability through ports associated with SMBv1 (e.g. port 445).
WHAT IF YOU BELIEVE YOU ARE INFECTED!
- If you feel your environment they already are infected disconnect and isolate the machine from your network.
- Recover the machine (where possible) from a recent back up.
- Scan your environment using the below MD5 hash to determine whether other instances of the malware (Endpoint/Network ATP required).
Malware hashes
MD5: 71b6a493388e7d0b40c83ce903bc6b04
SHA1: 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d