In the last half of 2016, the rise of ransomware became a force to be reckoned with, with several new variants being discovered weekly. That trend has shown no signs of stopping in 2017. With one of the latest variants – called Petya by parts of the security community – it’s clear that attackers are getting more discerning in their methodology as well, targeting system management tools used in large enterprises.
Petya, like WannaCry, is spreading across the Internet with recycled spy-agency tools exploiting MS17-010, but this time authentication (credential) re-use and domain trust policy are also being targeted to gain traction in lateral spread inside the network. Some sources say they’ve seen Petya use both Windows Management Instrumentation (WMI) and PsExec from the SysInternals PsTools package to spread. Both are frequently deployed in enterprise Windows/Active Directory environments.
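As an added example, not code from the original post or from RiskAnalytics, the script below hunts for the two lateral-movement mechanisms the sources describe: a PsExec-style remote service install (System log event 7045, PsExec's default service name is PSEXESVC) and a process started through WMI (Security log event 4688 whose parent is WmiPrvSE.exe). Assumptions: the 4688 property layout of Windows 10 / Server 2016 and later (process creation auditing must be enabled for those events to exist), the property indices given in the comments, and constructed sample records so the filter logic can be checked without a live log. A PsExec run with a renamed service (`-r`) will not match the first check; the second check is independent of tool name.

```powershell
# Added example (not from the RiskAnalytics post): flag PsExec-style service
# installs and WMI-spawned processes from Windows event records.

function Test-PsExecServiceInstall {
    # $true when a 7045 record installs PsExec's default service (PSEXESVC).
    # Caveat: "psexec -r <name>" renames the service and evades this match.
    param([Parameter(Mandatory)] $Event)
    if ($Event.Id -ne 7045) { return $false }
    return ($Event.ServiceName -match '^PSEXESVC$')
}

function Test-WmiSpawnedProcess {
    # $true when a 4688 record shows a shell/loader whose parent is WmiPrvSE.exe,
    # i.e. a process created via WMI (Win32_Process.Create), local or remote.
    param([Parameter(Mandatory)] $Event)
    if ($Event.Id -ne 4688) { return $false }
    return ($Event.ParentProcessName -match '\\WmiPrvSE\.exe$') -and
           ($Event.NewProcessName -match '\\(cmd|powershell|rundll32)\.exe$')
}

function Get-LateralMovementHits {
    # Runs both tests over a list of normalised event objects and returns the hits.
    param([Parameter(Mandatory)] [object[]] $Events)
    foreach ($e in $Events) {
        if (Test-PsExecServiceInstall $e) {
            [pscustomobject]@{ Time = $e.TimeCreated; Rule = 'PsExec service install'; Detail = $e.ServiceName }
        }
        if (Test-WmiSpawnedProcess $e) {
            [pscustomobject]@{ Time = $e.TimeCreated; Rule = 'WMI-spawned process'; Detail = $e.NewProcessName }
        }
    }
}

function Get-NormalisedEvents {
    # Pulls live records and maps event properties to named fields.
    # Property index assumptions: 7045 -> [0]=ServiceName, [1]=ImagePath;
    # 4688 -> [5]=NewProcessName, [13]=ParentProcessName (Win10/2016+ schema).
    param([int] $Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Id = 7045; TimeCreated = $_.TimeCreated
                               ServiceName = $_.Properties[0].Value; ServiceFileName = $_.Properties[1].Value }
        }
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Id = 4688; TimeCreated = $_.TimeCreated
                               NewProcessName = $_.Properties[5].Value; ParentProcessName = $_.Properties[13].Value }
        }
}

# Constructed sample records (not real log data) to exercise the rules offline.
$sample = @(
    [pscustomobject]@{ Id = 7045; TimeCreated = '2017-06-27T10:01:00Z'; ServiceName = 'PSEXESVC';  ServiceFileName = '%SystemRoot%\PSEXESVC.exe' },
    [pscustomobject]@{ Id = 7045; TimeCreated = '2017-06-27T10:02:00Z'; ServiceName = 'Spooler';   ServiceFileName = '%SystemRoot%\System32\spoolsv.exe' },
    [pscustomobject]@{ Id = 4688; TimeCreated = '2017-06-27T10:03:00Z'; NewProcessName = 'C:\Windows\System32\cmd.exe';    ParentProcessName = 'C:\Windows\System32\wbem\WmiPrvSE.exe' },
    [pscustomobject]@{ Id = 4688; TimeCreated = '2017-06-27T10:04:00Z'; NewProcessName = 'C:\Windows\System32\notepad.exe'; ParentProcessName = 'C:\Windows\explorer.exe' }
)

# Expected: two hits, the PSEXESVC install and the cmd.exe under WmiPrvSE.exe.
Get-LateralMovementHits -Events $sample | Format-Table -AutoSize

# For a live host: Get-LateralMovementHits -Events (Get-NormalisedEvents -Hours 24)
```

Both rules are hunting heuristics rather than proof of compromise: administrators also use PsExec, and management agents legitimately create processes through WMI, so the value is in correlating hits across many hosts in a short window, which is what a worm-like spread looks like.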
[Article updated 2017-06-28 14:08 UTC]
Seth Elo, a malware reverse engineer for RA Labs, had hinted that this may not be a new variant of the Petya ransomware that hit Ukraine earlier, but something else that is using the same name to cause confusion. Indeed, that is the case. There are a pair of good write-ups about “NotPetya” from both BDS and The Grugq this morning. The BDS article describes how to create a file that will stop the ransomware from infecting a computer, but it’s clear that local administrator rights on enterprise endpoints are a crucial part of the infection vector.
RiskAnalytics’ ThreatSweep detects the internet-facing SMBv1 attacks targeting MS17-010 (such as EternalBlue), and can send alerts when a protected system is implicated in an attack. As with previous worms and ransomware we’ve written about, patching, disabling insecure services, and maintaining backups of critical data can reduce the likelihood or impact of an incident in the face of a broad-scale outbreak. It’s also probably a good time to review your domain trust policy, roles, groups and local administrator privileges for end users.
An earlier revision of this post advocated disabling the admin shares. This will likely cause more problems than it solves. Our advice for handling this outbreak:
• Review the need for local administrator rights on employee PCs, and revoke those rights if possible.
• Ensure your security patches are up-to-date, especially the one for MS17-010.
• Don’t expose core Windows services such as SMB to the Internet, and perhaps disable SMBv1 entirely.
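The three recommendations above can be audited per endpoint with stock Windows PowerShell. The script below is an added example written for this post, not RiskAnalytics' tooling. Assumptions: Windows PowerShell 5.1 (for Get-LocalGroupMember) on Windows 8.1 / Server 2012 R2 or later, run elevated; the two KB numbers listed are the Windows 7 SP1 / Server 2008 R2 entries from the MS17-010 bulletin and must be extended for other builds; on server SKUs the SMB1 component is queried with Get-WindowsFeature FS-SMB1 instead of the optional-feature cmdlet used here.

```powershell
# Added example (not from the RiskAnalytics post): audit the MS17-010 patch,
# SMBv1 state, inbound SMB firewall rules and local Administrators membership.

# KB numbers for MS17-010 differ per OS. These two are the Windows 7 SP1 /
# Server 2008 R2 security-only and monthly-rollup entries; add the IDs for
# your other builds from the MS17-010 bulletin.
$Ms17010Kbs = @('KB4012212', 'KB4012215')

function Test-Ms17010Patch {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hit = $Ms17010Kbs | Where-Object { $installed -contains $_ }
    # Caveat: Windows 10 / Server 2016 cumulative updates supersede these KBs,
    # so a fully patched host may still return $false. Treat $false as
    # "verify by OS build", not as "unpatched".
    return [bool]$hit
}

function Get-Smb1State {
    # Server side: is the SMB1 dialect still offered on TCP 445?
    $srv = Get-SmbServerConfiguration
    # Component: is the SMB1 feature installed at all? (Client SKUs only;
    # on servers use: (Get-WindowsFeature FS-SMB1).Installed)
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerSmb1Enabled = $srv.EnableSMB1Protocol
        Smb1Component     = if ($feat) { $feat.State.ToString() } else { 'Unknown' }
    }
}

function Disable-Smb1 {
    # Stops offering SMB1 immediately, then removes the component (reboot to finish).
    # Not called by the audit; run deliberately after checking for legacy clients.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

function Get-SmbInboundRules {
    # Which profiles (Domain/Private/Public) have the SMB-In rule enabled.
    # A rule enabled on the Public profile is the local symptom of "SMB exposed";
    # the authoritative check is still at the Internet edge.
    Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Enabled, Profile
}

function Get-LocalAdminReport {
    # Members of local Administrators other than the built-in account and
    # Domain Admins: the "local administrator rights on employee PCs" to review.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.Name -notmatch '\\(Administrator|Domain Admins)$' } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-OutbreakAuditReport {
    [pscustomobject]@{
        Host             = $env:COMPUTERNAME
        Ms17010KbPresent = Test-Ms17010Patch
        Smb1             = Get-Smb1State
        SmbInboundRules  = @(Get-SmbInboundRules)
        ExtraLocalAdmins = @(Get-LocalAdminReport)
    }
}

# Emit JSON so the per-host results can be collected centrally.
Get-OutbreakAuditReport | ConvertTo-Json -Depth 4
```

Run it through your management tooling (or Invoke-Command over WinRM) and look for hosts with ExtraLocalAdmins non-empty, ServerSmb1Enabled true, or the SMB-In rule enabled on the Public profile; those are the three findings the advice above is aimed at.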