Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

The Petya/NotPetya Ransomware Campaign

This is an ongoing, emerging story and may be updated after posting.

There is a new wormlike ransomware campaign on the loose today and you wouldn't be mistaken if you're experiencing a little WannaCry deja vu. The campaign has been called Petya, NotPetya, PetWrap, or Pnyetya depending on whom you talk to and it exploits a least one of the same vulnerabilities exploited in order to spread WannaCry, namely EternalBlue (Petya also uses the EternalRomance exploit). These exploits were publicly disclosed as a part of the Shadow Brokers alleged NSA release back in April. Microsoft patched the vulnerabilities back in March in the MS17-010 bulletin. In the wake of WannaCry, Microsoft later released patches for even legacy Windows operating systems like Windows XP.

While the malware has the capacity to spread via the EternalBlue/EternalRomance vulnerabilities, the malware appears to be more focused on spreading on the Local Area Network rather than out to the Internet. One of its first actions it performs on an infected system is to pull local credentials and then attempt to use those credentials to spread to other locally networked systems. To accomplish this lateral spread, the malware uses the common Windows tools, WMI and PSExec. This means that damage can be spread wider if a system with network administration credentials is exploited. Finally it appears that infection can occur through a fake update for a piece of Ukrainian software called MeDoc. Some researchers are currently suggesting that the MeDoc infection process may have been the initial method of getting the ransomware out there.

The actual ransomware that is eventually dropped on the victim's system seems to emulate a ransomware family called Petya and specifically the GoldenEye variant first discovered toward the end of 2016. Other malware analysts have suggested that the ransomware is not Petya directly but a completely new variant or family.

Regardless of the ransomware's pedigree, it is a bit unique in the ransomware arena. While most ransomware encrypts your important files, like documents, movies, and images, NotPetya takes an extra step and, after encrypting your files, it encrypts your entire hard drive. By encrypting the system volume, Master File Table and the Master Boot Record, Petya prevents the system from booting normally and hooks it into Petya's own bootloader with the ransom note displayed on the screen. This prevents attempts at file recovery using standard forensic techniques such as booting to a LiveCD or other OS.

After infection Petya demands approximately 300$USD in bitcoins in order to decrypt your files. After transferring the bitcoins you are supposed to email the criminals your sending wallet's address so that they can verify the transaction and respond with the decryption keys. However, since the criminal's email address has apparently already been taken down, paying the ransom in order to decrypt your files is currently not possible. With such a poor payment chain, many are suggesting that collecting ransom was not the goal of the malware.

Ransomware continues to be a one of the most popular threats in the wild today, especially to large organizations with both valuable data and legacy systems hidden unpatched in the cracks and corners of their networks. Consistent and up-to-date system backups are critical to recovering from a ransomware infection. Criminals can't hold data hostage if it is recoverable.

Keeping your systems patched and upgrading legacy systems will also go a long way toward preventing infection to begin with. Microsoft has had patches available for the vulnerabilities exploited in this attack since March.

Our Forensic and Incident Response team also put together a Threat Brief back in May during the WannaCry outbreak. The brief includes a lot of technical information surrounding WannaCry and is basically a how-to guide for companies to protect themselves against EnternalBlue based attacks. Since the same exploit is being used, this would also apply to preventing how Petya spreads.

Trustwave customers will find active protection against this campaign in many of our security offerings including:

  • Trustwave Managed Detection & Response (MDR) for Endpoints
  • Trustwave AV (which can detect the ransomware itself)
  • Trustwave UTM (which will block MS17-010 exploitation attempts)
  • Trustwave Vulnerability Scanner (which will detect if a system is missing the MS17-010 patch)

Finally, if you find yourself or your organization infected, our Trustwave Incident Response team is happy to help you. You can visit https://www.trustwave.com/en-us/company/about-us/spiderlabs/ for more information or call our 24 hour Incident Response Hotline: +1 (866) 659-9097 and select "Option 5".

Latest SpiderLabs Blogs

Important Security Defenses to Help Your CISO Sleep at Night

This is Part 13 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More

2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies

Trustwave SpiderLabs’ 2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies report details the security issues facing public sector security teams as...

Read More

How to Create the Asset Inventory You Probably Don't Have

This is Part 12 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More