Summary
Similar to the WannaCrypt outbreak last month, another round of ransomware attacks has been launched. Initially identified as a new Petya ransomware variant, research by Kaspersky Labs suggests this is not actually Petya but a new, never-before-seen ransomware that they have labeled NotPetya. Regardless, it has hit numerous sites across the globe, with confirmed outbreaks in Russia, Ukraine, Spain, France, the United States and elsewhere.
This ransomware uses the NSA’s EternalBlue exploit to propagate, meaning it exploits the vulnerability addressed by Microsoft bulletin MS17-010, a critical flaw in Server Message Block (SMB), the protocol primarily used for accessing files and printers and for communication between network devices. Microsoft issued the patch in March of this year, and during the WCry outbreak it also released patches for its out-of-support operating systems.
That said, there are sporadic reports that “fully patched systems” are also being exploited. However, it is unclear whether those “fully patched systems” were in fact patched correctly and completely.
Once inside a network, it propagates further via remote Windows Management Instrumentation (WMI) and PsExec, not just SMB. It spreads very fast, with one researcher seeing 5,000 systems compromised in under 10 minutes.
While there are some similarities to the WannaCrypt malware, research indicates that this malware appears much more advanced and could have a much larger impact. The fact that it does not have a kill-switch and propagates via WMI and PsExec supports this assessment.
Research is ongoing as we are in the early stage of discovery on this outbreak. As we learn more, we will update you with new information and corrections to existing information.
Impact Assessment
Infection by this ransomware would have a major negative effect on the impacted system and prevent any files on it from being accessed or used. As such, any critical files residing on that device would be inaccessible.
Because it propagates as a worm through a network, any device not currently patched for MS17-010 is at risk of infection.
Security-On-Demand Actions
SOD has been monitoring the events closely. Our Security Operations Center is on high alert and hunting for applicable indicators across all of our clients. We will immediately inform our customers of any indication that an incident may be occurring or has occurred in their network.
Mitigation Recommendations
For organizations currently unaffected:
- If not already done, apply Microsoft patch MS17-010. Based on what we know at the current time, this completely prevents infection.
- Disable admin shares via GPO.
For organizations currently affected:
- If files are backed up or stored on a network share, ensure that the backup location or share is not infected. We recommend wiping and restoring the affected system.
- If files are not backed up, follow applicable corporate policy.
- Disable admin shares via GPO across the network to stem further propagation.
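The two recommendations above can be verified on a host before the GPO is rolled out. The following audit script is an added example, not part of this advisory or of any vendor tooling: run from an elevated PowerShell session on Windows 8/2012 or later, it reports MS17-010 patch status, whether the SMBv1 server is enabled, and which administrative shares exist; the optional -DisableAdminShares switch is a hypothetical name that applies the same AutoShareServer/AutoShareWks registry values a GPO would deliver. The KB list is an assumption drawn from the MS17-010 bulletin for common OS versions and should be checked against the bulletin, since later cumulative updates supersede these IDs.

```powershell
# Added audit script (not from the advisory): checks MS17-010 patch status,
# SMBv1 server state and administrative shares on the local Windows host.
param([switch]$DisableAdminShares)   # hypothetical switch: apply the GPO-equivalent change locally

# Assumed subset of MS17-010 KB IDs (Win7/2008R2, 8.1/2012R2, 2012, Win10 builds, legacy OS).
# Later cumulative updates supersede these, so absence alone does not prove the host is vulnerable.
$ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216','KB4012214',
                'KB4012217','KB4012606','KB4013198','KB4013429','KB4012598')

# 1. Patch status: any one of the bulletin's KBs present means the SMB fix is installed.
#    srv.sys is the SMBv1 server driver; its version can be compared against the bulletin.
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
$srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
[pscustomobject]@{
    Check  = 'MS17-010 patch'
    Status = if ($installed) { "Installed ($($installed.HotFixID -join ','))" }
             else { 'No listed KB found - verify srv.sys version against the bulletin' }
    Detail = if ($srv) { "srv.sys $($srv.VersionInfo.FileVersion)" } else { 'srv.sys not present' }
}

# 2. SMBv1: EternalBlue targets the SMBv1 server, so disabling it removes that propagation path.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
[pscustomobject]@{ Check = 'SMBv1 server'
                   Status = if ($smb1) { 'ENABLED - disable if not required' } else { 'Disabled' }
                   Detail = '' }

# 3. Administrative shares (ADMIN$, C$, D$ ...): PsExec copies its service binary over ADMIN$.
#    IPC$ is deliberately excluded; removing it breaks normal named-pipe operation.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$shares  = Get-SmbShare | Where-Object { $_.Name -match '^(ADMIN|[A-Z])\$$' } |
           Select-Object -ExpandProperty Name
[pscustomobject]@{ Check = 'Admin shares'
                   Status = if ($shares) { "Present: $($shares -join ', ')" } else { 'None' }
                   Detail = '' }

if ($DisableAdminShares) {
    # Same registry values a GPO would set; they stop the shares being recreated after restart.
    Set-ItemProperty -Path $regPath -Name AutoShareServer -Value 0 -Type DWord
    Set-ItemProperty -Path $regPath -Name AutoShareWks    -Value 0 -Type DWord
    foreach ($s in $shares) { Remove-SmbShare -Name $s -Force }   # drop the live shares now
    Write-Output 'Administrative shares disabled; reboot and re-run to confirm they are not recreated.'
}
```

For a domain-wide rollout, deploy the same two registry values through Group Policy Preferences rather than running the switch host by host.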
Long-Term Ransomware Protection
- Develop a security policy and procedures for handling Ransomware
- Do not store important files on local systems.
- Employ a Disaster Recovery and Business Continuity Plan that includes data backup and restoration procedures
Sources
- Twitter.com
- https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba4575
- https://nvd.nist.gov/vuln/detail/CVE-2017-0199
- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
Tags: Petya, WCry, WannaCrypt, Ransomware
Indicators