A new global ransomware threat has been spreading quickly by exploiting the same vulnerabilities used in the WannaCry...
ransomware attacks, but researchers have found different ways to mitigate the damage.
Security researchers have been inconsistent in the branding of this global ransomware threat because it can be seen as a variant of both the Petya ransomware and GoldenEye, which itself was a variant of Petya. This led to a number of names being used, including NotPetya, ExPetr, PetrWrap, GoldenEye, Petya.A, Petya.C and PetyaCry.
However, Tod Beardsley, research director at Rapid7, based in Boston, said the name should not be the focus.
"We're mostly interested in the capabilities and indicators of compromise, and not so much what the real name is. After all, different security vendors end up calling malware samples like these different things all the time," Beardsley told SearchSecurity.
Petya-like global ransomware spreads
This new global ransomware attack was first detected in Ukraine government systems before spreading to a range of organizations around the world. A number of security research firms began analyzing the incidents and found multiple attack vectors.
Cisco Talos reported the initial point of entry to government systems in Ukraine was through a malicious software update for a tax accounting package called MeDoc.
However, the most common attack vector, reported by multiple research groups, was via phishing emails with malicious Office documents attached.
The malicious doc targeted systems that had not been patched against the EternalBlue vulnerability (MS17-010) in Windows Server Message Block version 1, and it contains the DoublePulsar NSA tool to help the infection spread. Both of these exploits were used in the WannaCry ransomware attacks.
Marco Ramilli, malware evasion expert and CTO of Yoroi, a threat intelligence firm based in Italy, told SearchSecurity via Twitter that Petya-like had a backup option to help this infection spread, compared to previous Petya variants:
The "new petya" steals Password from memory and tries to use them to propagate through PsExec. This is a big difference from Petya— Marco (@Marco_Ramilli) June 27, 2017
Lysa Myerssecurity researcher at ESET
According to Avira's Virus Lab, "The Trojan collects the locally stored Windows login credentials and misuses them with the PsExec tool. This is just a regular tool, usually used by system admins, to run other tools on remote machines they have regular access or logins to. This method works even if the system is fully patched, as PsExec is not an exploit, but a regular tool from Microsoft and Sysinternals."
Lysa Myers, security researcher at ESET, said using the PsExec tool, which is a trusted part of Windows, "means that there only needs to be one vulnerable machine on a network for it to get in; it can then spread to other machines within the network that have been properly patched."
Tying this global ransomware threat to the GoldenEye variant of Petya is the use of the Mischa component, which can encrypt individual files. But the main danger of Petya-like is it will encrypt the master boot record of a system after forcing a reboot.
Potential mitigation of the Petya-like global ransomware
Matthew Hickey, co-founder and director at London-based cybersecurity consultancy Hacker House, found one way to avoid damage from this ransomware begins at the reboot process:
Another mitigation technique against the Petya-like global ransomware came from Amit Serper, security researcher at Boston-based Cybereason, and Dave Kennedy, founder of Binary Defense and TrustedSec. Serper and Kennedy found one specific file that could be blocked and trigger a sort of "kill-switch."
For more preventative measures against this global ransomware threat, experts suggested the same precautions as for WannaCry, including patching against the EternalBlue exploit and blocking port 445 on any potentially vulnerable device.
Paul Vixie, CEO of Farsight Security, based in San Mateo, Calif., said there is one mitigation strategy that supersedes all others when it comes to any ransomware threat.
"The only proven defense against ransomware is backups of all important data," Vixie told SearchSecurity. "No one with backups has yet lost data to a ransomware attack. So, the most important thing, in my opinion, is to back up your data and have a plan for recovering from those backups."
Learn tips on how to avoid being hit by ransomware.
Find out how enterprises can mitigate ransomware as a service.
Get info on why global ransomware threats may expose the irrelevance of GDPR.