Likelihood (SOD Customers): MEDIUM
It increasingly is looking like this (Petya / NotPetya) was a targeted attack against Ukrainian entities with broader impact; not a wide-ranging global ransomware attack. Companies that either do not use the MEDoc accounting software anywhere in their environment or have any business elements in Eastern Europe appear to be largely immune from the attack. However, there is at least one report of alternative infection vectors. So diligence should still be maintained.
Due to the interconnectivity of the global business environment, companies with business units in Eastern Europe could be vulnerable to an infection depending on their network connections with other companies or entities in the region that may use the MEDoc software.
Security On-Demand Actions
SOD has been monitoring the events closely. Our Security Operations Center is on high alert and hunting for applicable indicators across all of our clients. We will immediately inform our customers of any indication that an incident may be occurring or has occurred in your network.
Yesterday’s Ransomware outbreak was initially identified as being an updated version of Petya ransomware. However, security researchers now generally agree that the malware is entirely new and never-before-seen. Some researchers have dubbed it NotPetya, but a standardized name has yet to be officially given.
The outbreak started in the Ukraine and quickly spread into Russia and Europe, with infections in many different countries. Once an initial infection occurs, the malware is designed to spread across internal, local networks very fast.
It is increasingly becoming likely that this was a targeted attack (probably against Ukrainian entities) that also affected international businesses with Ukrainian equities and used the Ukrainian-developed MEDoc accounting software product in their enterprise.
What is the infection vector?
Exploitation of MEDoc via a software supply chain attack that compromises the update mechanism of the software. Any company using this software within its enterprise is at risk of large-scale impact.
There is also one report of it being distributed via a watering hole attack affecting the government website for the city of Bakhmut in the Ukraine. Visitors to the website were fed a malicious file that was disguised as a Windows update.
Once infected, what happens?
Once infected the malware drops a tool, similar to the Mimikatz tool designed to steal domain or admin credentials to facilitate its spread through the victim’s network.
After attempting to spread beyond the initially infected system, the malware overwrites the Master File Table (MFT) and Master Boot Record (MBR). This suggests that it is essentially more of a wiper malware than a ransomware. The original Petya ransomware from 2016 similarly overwrote portions of the MBR, but did it in a way that could be reversed once the ransom was paid. By contrast, yesterday’s malware simply overwrites and destroys company data.
It should also be noted that despite the advanced quality of the malware, the payment functionality was weak and immature, as the email posted in the ransomware message that victims were to reach out to was quickly shut down by the email provider. As such, there is no way for victims to pay the ransom and get their files decrypted.
How does it spread?
Once the initial infection has occurred this ransomware spreads fast by three primary mechanisms. This is done to maximize the number of infections across an enterprise with the intent to essentially bring it to its knees.
- ETERNALBLUE: Same exploit as WCry, it worms through the network looking for systems with a particular SMB vulnerability (CVE-2017-0144) and patched by Microsoft in March via MS17-010.
- ETERNALROMANCE: Similar to ETERNALBLUE, but exploits CVE-2017-0145. This is also patched via MS17-010.
- Credential-stealing tool (similar to Mimikatz): Once it has collected valid credentials is scans the network looking for systems to compromise. If a response is returned, it tries to execute the malware remotely via PSEXEC (lightweight Telnet/remote access) or WMIC (Remote Windows management) tools.
Damage: HIGH – This malware does immense damage. Because there is no way to recover over-written/encrypted files, without backups that data is effectively lost. The fast-spreading nature of it means that once infection occurs, it can impact much of a local network within minutes.
- Keep MS Windows systems up-to-date. Specifically, ensure you have applied patched addressed in MS17-010.
- Disable ports 139 and 445 if not required for business purposes
- Apply firewall rules to block 445 traffic if not necessary for business functionality
- Update A/V and IDS/IPS systems. Most have pushed updates to identify and block infection.
- Researchers have discovered a workaround to disable the ransomware should infection occur. According to researchers at CyberReason, “to activate the vaccination mechanisms users must locate the C:\Windows\ folder and create a file named ‘perfc’ with no extension name. This should kill the application before it begins encrypting files”.
Caution: This Is The New Normal
The Ransomware problem is not going away anytime soon. As evidenced by WCry and other outbreaks, there is money to be made, and it is an effective way to do so as many companies who are not prepared will simply pay the ransom. To prepare yourself for Ransomware and other malware attacks it is critical that companies do the following:
- Develop and war-game a Disaster Recovery plan
- Develop and war-game an Incident Response plan, with specific focus on Ransomware
- Backup your data and shield those data stores from other parts of the network to prevent the backups from being encrypted as well.
- Implement a Ransomware policy that will govern the company’s response to a ransomware infection. (E.g. will you or will you not pay the ransom?).
Additionally, use of exploitation techniques developed by nation state elements, such as the National Security Agency, that have been released into the wild will continue to be used by hackers to improve the likelihood of success. Software vendors such as Microsoft release patches and updates regularly that address the vulnerabilities targeted by such exploits. If you do not already have a defined patching policy and process, it is important that one is developed. Keeping your systems up to date and isolating those that cannot be updated is critical.
Tags: Petya, WCry, WannaCrypt, Ransomware, NotPetya, Ukraine, Russia, medoc