Thousands of machines have been infected by the global NotPetya cryptolocker outbreak. Patch your systems to avoid being the next victim.
The campaign seems to have originated in the Ukraine and is now spreading globally. The NotPetya cryptolocker is a hybrid of Win32/Petya  and WannaCry. The attack vector appears to involve a software supply-chain threat involving the Ukrainian company which develops tax accounting software; it attempts to spread itself to other computers using both MS17-010 (WannaCry) and system tools like PsExec and WMI , which allow commands to be executed remotely. NotPetya also checks for cached administrator credentials and attempts to authenticate to other machines.
WHO IS IT AFFECTING?
The Ukraine government, banks, and electricity grid were initially hit hardest.The Ukraine state power utility and Kiev’s airport and metro system were also affected. The cryptolocker is spreading rapidly, and companies in 64 countries, including Belgium, Brazil, Germany, Russia, and the United States have been impacted. The radiation monitoring system at Chernobyl was reportedly taken offline as a direct result of this attack.
WHAT IS IT AND WHY HAS IT BEEN SO EFFECTIVE?
Similar to WannaCry, NotPetya exploits a known vulnerability in Microsoft Windows Server Message Block (SMB) protocol [CVE-2017-0145], which allows for remote code execution on a vulnerable system. Code named ‘EternalBlue,’ this exploit was stolen from the NSA’s Equation Group and then later made public by the Shadow Brokers hacking group on April 14th, 2017. Microsoft issued a patch for this vulnerability two months ago, on March 14th, 2017 [MS17-010].
What is notably different from WannaCry is the inclusion of additional functionality designed to steal cached credentials from the compromised local system, and then use them to authenticate and run commands on other remote systems on the local area network, resulting in potential propagation to patched machines.
The Petya family of malware overwrites the victim computer’s boot sector and makes it point to a separate operating system that performs the file encryption.  Infected computers display a message demanding a Bitcoin ransom worth $300. Those who pay are asked to send confirmation of payment to an email address. However, that email address has been shut down by the email provider.
HOW DOES IT WORK?
The initiating attack vector is a supply chain updater process, or direct infection through the SMB exploit if a machine can be addressed. The threat arrives as a dropper Trojan contained within MEDoc software updater process (EzVit.exe). This cryptolocker then drops a credential dumping tool (typically as a .tmp file in the %Temp% folder). The lateral movement of this malware utilizing pass the hash techniques, are what make it a serious threat inside a corporate network. There are multiple droppers to include deployment via psexec, wmi and propogation via EternalBlue and EternalRomance.
Notably, the dropper checks for the presence of the file “C:\Windows\perfc”, and the threat does not infect the system further with the cryptolocker if the file is present. That kill switch method only works on the WMI/PSExec and is not a full stop; this characteristic of the dropper was identified by a security researcher in the Boston area. NotPetya then creates a shutdown scheduled task, then copies itself to %AppData\Temp%, along with another file.
WHAT SHOULD YOU DO TO PROTECT YOUR ORGANIZATION?
To avoid becoming the next victim of the NotPetya cryptolocker outbreak, you should:
1. Start by patching your systems
For Windows 7 and Windows Server 2008 system, this means applying the MS17-010 patch to address the SMBv1 Remote Code Execution vulnerabilities. Microsoft also released a patch for older operating systems including Windows XP, Windows 8, and Windows Server 2003. Besides installing the updates, Microsoft also advises that the SMBv1 protocol is disabled, as it is an old protocol that has been superseded by newer versions. You should also consider adding a rule on your router or firewall to block incoming SMB traffic on port 445.
|Security update rollup||
|Windows 10 / Server 2016 v1703||N/A but KB4022725 is available||N/A|
|Windows 10 / Server 2016 v1607||KB4022715 (OS Build 14393.1358)||N/A|
|Windows 10 / Server 2016 v1511||KB4022714||N/A|
|Windows 10 / Server 2016 Initial Release||KB4022727||N/A|
|Windows 8.1 / Server 2012 R2||KB4022717||KB4012213|
|Windows 8 / Server 2012||N/A||KB4012598|
|Windows 7 / Server 2008 R2||KB4022722||KB4012212|
|Windows Vista / Server 2008||N/A||KB4012598|
|Windows XP / Server 2003||N/A||KB4012598|
2. Get your backups in order
One of the most fundamental protections against cryptolocker is the ability to restore from recent backups reliably. You will want to have multiple backups, with the ability to rollback to any point in time;these should not be connected to the source machine, or they could get encrypted as well. Various cloud service providers offer good options here, with many professional backup services available.
3. Reduce the likely success of phishing emails
Enable strong spam filtering to reduce the probability of phishing emails reaching end users. Authenticate inbound email using Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and Domain Keys Identified Mail (DKIM) to prevent email spoofing. Educate your users and outline the dangers and the potential impact of cryptolocker on your business. Make them suspicious of every email, link and attachment they receive that they are not expecting.
4. Update monitoring capabilities
Update detection/prevention technologies with the latest signatures and implement appropriate indicators of compromise within security analytics solutions, as they continue to become available.
Indicators of Compromise
1. File MD5
2. Scheduled Reboot Task:
NotPetya scheduled random time between 10 and 60 minutes from the current time
- schtasks /Create /SC once /TN “” /TR “<system folder>\shutdown.exe /r /f” /ST <time>
- cmd.exe /c schtasks /RU “SYSTEM” /Create /SC once /TN “” /TR “C:\Windows\system32\shutdown.exe /r /f” /ST <time>
Search for EventId 106 (General Task Registration) to display tasks registered with the Task Scheduler service.
3. Lateral Movement (Remote WMI)
“process call create \”C:\\Windows\\System32\\rundll32.exe \\\”C:\\Windows\\perfc.dat\\\” #1″
4. Network indicators
If NetFlow data is available, subnet-scanning behavior may be observed by the query below:
- Workstations scanning ports tcp/139 and tcp/445 on their own local (/24) network scope
- Servers (in particular, domain controllers) scanning ports tcp/139 and tcp/445 across multiple /24 scopes
5. And if you become a victim?
Implement internal incident response and recovery processes to quickly contain propagation and contact law enforcement when appropriate. If necessary, seek help from your trusted cybersecurity partner.
IF YOU NEED HELP?
Please contact our cybersecurity executives for immediate assistance.
PRINT VERSION OF THIS ADVISORY:
For a print version of the advisory, please download the advisory below:
TÜV Rheinland – Security Advisory – NotPetya – June 27, 2017
-  https://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Win32/Petya
-  https://nvd.nist.gov/vuln/detail/CVE-2017-0145
-  https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
-  End of Support.
-  https://labsblog.f-secure.com/2016/04/01/petya-disk-encrypting-ransomware/
-  https://posteo.de/blog/info-zur-ransomware-petrwrappetya-betroffenes-postfach-bereits-seit-mittag-gesperrt
-  https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/