New Petya Ransomware Attack Moving Laterally to Exploit Users

The Petya ransomware attack hits Ukraine the hardest, but overall the impact in the U.S and other nations has been limited compared to the WannaCry malware outbreak in May.

NotPetya-ransomware-note

The impact of the global ransomware cyberattack, identified by some security vendors as Petya and others as NotPetya or GoldenEye, is still being calculated, a day after the attack began. The Petya ransomware attack makes use of the EternalBlue exploit that Microsoft patched in March to initially gain access to a system and then is able to move laterally across a network in several different ways. 

According to Microsoft's analysis, the new Petya ransomware shares code similarities with the Mimikatz code stealing tool and uses that capability to gain Windows administrator privileges on a network. The new Petya ransomware attack also makes use of PSEXEC remote command tool in Windows as well WMIC (Windows Management Instrumentation Command-line) to deploy malware that encrypts user data on an infected network.

An analysis of the impact of the new Petya ransomware by the Symantec Threat Intelligence Team, requested by eWEEK, found that despite the media hype the overall number of infections it has detected are low and primarily in Ukraine, or in organizations that have offices or subsidiaries in Ukraine.

As of 8 AM ET on June 28, Symantec's researchers said that according to its intelligence, less than 150 organizations have been affected in Ukraine and under 50 in the US. Though the new Petya ransomware uses the same EternalBlue exploit used by the WannaCry ransomware worm that hit global organizations in May, it doesn't use the same technique for movement. Symantec's researchers explained that the new Petya ransomware seems to mainly search for local IP addresses and not across the Internet like WannaCry.

"It is safe to say that the spreading method chosen and also the fact that most computers have the SMB patch installed limited the spreading," Symantec's researchers said.

Juniper Networks also isn't seeing all that much impact from the new Petya ransomware either. Lee Fisher, security specialist at Juniper Networks told eWEEK that so far his firm has seen very few infections in its customer base.

"Given the niches that we typically play in, being large Fortune 500 with rigid and robust patch management policies and processes, this isn't overly surprising," Fisher said. "Some of the SMB and endpoint vendors may see more, given the attack vector." 

Fisher added that in his view, some of the media hype around the new Petya ransomware outbreak yesterday was somewhat overdone. He noted that not only is it targeting a vulnerability that WannaCry forced organizations to fix, the other attack vectors are not as efficient, requiring either user interaction, or poor security administration.

"Looking at the malware behavior of Petya, once the infected computer powers off, it is no longer able to spread, that is it doesn't boot, compared to how WannaCry continued to try to infect other network assets," Fischer said. "Petya doesn't do this, so the infection speed was always going to be slower."

Petya or NotPetya?

Early reports called the ransomware Petya, though some security vendors and in particular Kaspersky Lab, have argued that the ransomware is different, dubbing the malware, NotPetya. Trying to give the new malware a proper name is not an easy process.

"It's not like malware has genetic sequencing and there's no governing body for naming standards. So we name it as we see fit, and everybody else does the same," ESET Security Researcher Bruce Burrell, told eWEEK.

According to Uri Sternfeld, Lead Researcher at Cybereason, the original Petya ransomware, operates differently than the one that impacted organizations on June 27. The original Petya ransomware triggered a blue-screen immediately after infection instead of creating a scheduled task two hours later, which is what is happening with the new malware.

"The current attack is the only ransomware we know of other than Petya that overwrites the MBR (master boot record) and does encryption during boot, so they are at the very least related," Sternfeld said.

Remediation

There are several ways that organization can help to limit the risk of infection from the new Petya ransomware variant. The first is to install all Microsoft patches, especially MS17-010 and disable SMBv1 services. 

Microsoft also recommends that organizations consider blocking incoming SMB traffic on port 445. For its enterprise customers, Microsoft suggests that organizations use Device Guard to provide kernel-level virtualization-based security that will limit the risk of un-authorized processes from running.

At an even simpler level, Cybereason's researchers discovered a simple one line fix that can mitigate the impact of the new Petya ransomware attack.

"To activate the vaccination mechanisms users must locate the C:\Windows\ folder and create a file named perfc, with no extension name," the Cybereason Intelligence Team stated in a blog post. "This should kill the application before it begins encrypting files."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.