The Petya/NotPetya Ransomware Campaign

This is an ongoing, emerging story and may be updated after posting.

There is a new wormlike ransomware campaign on the loose today and you wouldn't be mistaken if you're experiencing a little WannaCry deja vu. The campaign has been called Petya, NotPetya, PetWrap, or Pnyetya depending on whom you talk to and it exploits a least one of the same vulnerabilities exploited in order to spread WannaCry, namely EternalBlue (Petya also uses the EternalRomance exploit). These exploits were publicly disclosed as a part of the Shadow Brokers alleged NSA release back in April. Microsoft patched the vulnerabilities back in March in the MS17-010 bulletin. In the wake of WannaCry, Microsoft later released patches for even legacy Windows operating systems like Windows XP.

While the malware has the capacity to spread via the EternalBlue/EternalRomance vulnerabilities, the malware appears to be more focused on spreading on the Local Area Network rather than out to the Internet. One of its first actions it performs on an infected system is to pull local credentials and then attempt to use those credentials to spread to other locally networked systems. To accomplish this lateral spread, the malware uses the common Windows tools, WMI and PSExec. This means that damage can be spread wider if a system with network administration credentials is exploited. Finally it appears that infection can occur through a fake update for a piece of Ukrainian software called MeDoc. Some researchers are currently suggesting that the MeDoc infection process may have been the initial method of getting the ransomware out there.

The actual ransomware that is eventually dropped on the victim's system seems to emulate a ransomware family called Petya and specifically the GoldenEye variant first discovered toward the end of 2016. Other malware analysts have suggested that the ransomware is not Petya directly but a completely new variant or family.

Regardless of the ransomware's pedigree, it is a bit unique in the ransomware arena. While most ransomware encrypts your important files, like documents, movies, and images, NotPetya takes an extra step and, after encrypting your files, it encrypts your entire hard drive. By encrypting the system volume, Master File Table and the Master Boot Record, Petya prevents the system from booting normally and hooks it into Petya's own bootloader with the ransom note displayed on the screen. This prevents attempts at file recovery using standard forensic techniques such as booting to a LiveCD or other OS.

After infection Petya demands approximately 300$USD in bitcoins in order to decrypt your files. After transferring the bitcoins you are supposed to email the criminals your sending wallet's address so that they can verify the transaction and respond with the decryption keys. However, since the criminal's email address has apparently already been taken down, paying the ransom in order to decrypt your files is currently not possible. With such a poor payment chain, many are suggesting that collecting ransom was not the goal of the malware.

Ransomware continues to be a one of the most popular threats in the wild today, especially to large organizations with both valuable data and legacy systems hidden unpatched in the cracks and corners of their networks. Consistent and up-to-date system backups are critical to recovering from a ransomware infection. Criminals can't hold data hostage if it is recoverable.

Keeping your systems patched and upgrading legacy systems will also go a long way toward preventing infection to begin with. Microsoft has had patches available for the vulnerabilities exploited in this attack since March.

Our Forensic and Incident Response team also put together a Threat Brief back in May during the WannaCry outbreak. The brief includes a lot of technical information surrounding WannaCry and is basically a how-to guide for companies to protect themselves against EnternalBlue based attacks. Since the same exploit is being used, this would also apply to preventing how Petya spreads.

Trustwave customers will find active protection against this campaign in many of our security offerings including:

  • Trustwave Managed Detection & Response (MDR) for Endpoints
  • Trustwave AV (which can detect the ransomware itself)
  • Trustwave UTM (which will block MS17-010 exploitation attempts)
  • Trustwave Vulnerability Scanner (which will detect if a system is missing the MS17-010 patch)

Finally, if you find yourself or your organization infected, our Trustwave Incident Response team is happy to help you. You can visit https://www.trustwave.com/Services/SpiderLabs-Services/Incident-Response-and-Readiness/ for more information or call our 24 hour Incident Response Hotline: +1 (866) 659-9097 and select "Option 5".

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.