U.S. Government Issues NotPetya Malware Alert
The Department of Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC) issued a technical alert Friday, July 28, warning businesses and other government entities to protect themselves against the newest "Petya" malware variant known as "NotPetya."
On June 27, 2017, the NCCIC was notified of Petya ransomware events occurring in multiple sectors in nations around the globe. The "NotPetya" malware variant works differently than Petya. It encrypts files with extensions from a hard-coded list. If the malware gains administrator rights, it encrypts the master boot record (MBR), making the infected Windows computers unusable.
NotPetya differs from previous Petya malware primarily in its propagation methods. NotPetya leverages multiple propagation methods to spread within an infected network using the lateral movement techniques below:
- PsExec - a legitimate Windows administration tool
- WMI - Windows Management Instrumentation, a legitimate Windows component
- EternalBlue - the same Windows SMBv1 exploit used by WannaCry
- EternalRomance - another Windows SMBv1 exploit
Microsoft released a security update for the MS17-010 SMB vulnerability on March 14, 2017, which addressed the EternalBlue and EternalRomance lateral movement techniques.
Technical Details: NCCIC received a sample of the NotPetya malware variant and performed a detailed analysis. It was discovered that NotPetya encrypts the victim's files with a dynamic, 128-bit key and creates a unique ID for the victim. However, there is no evidence of a relationship between the encryption key and the victim's ID. This means it may not be possible for the attacker to decrypt the victim's files even if the ransom is paid; NotPetya behaves more like destructive malware than ransomware.
NCCIC observed multiple methods used by NotPetya to propagate across a network. The first and most effective method uses a modified version of the Mimikatz tool to steal the user's Windows credentials. The cyber threat actor can then use the stolen credentials, along with the native Windows Management Instrumentation Command Line (WMIC) tool or the Microsoft SysInternals utility, psexec.exe, to access other systems on the network.
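As an added example (not from the NCCIC alert or from Dox), a detection heuristic for the PsExec/WMIC lateral movement described above: it parses constructed process-creation events, pulls out the remote host each psexec or wmic call targets, and flags any source host that reaches several distinct hosts within a short window, which is what worm-like spread looks like and what an administrator's single remote session does not. The log format, field names and host names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed format, not a real log source):
# "<ISO timestamp> host=<source host> user=<account> cmd=<command line>"
SAMPLE_LOG = """\
2017-06-27T10:01:02 host=WS01 user=CORP\\alice cmd=wmic.exe /node:"WS07" /user:"CORP\\alice" process call create "cmd.exe"
2017-06-27T10:01:05 host=WS01 user=CORP\\alice cmd=psexec.exe \\\\WS08 -accepteula -s cmd.exe
2017-06-27T10:01:09 host=WS01 user=CORP\\alice cmd=wmic.exe /node:WS09 process call create "cmd.exe"
2017-06-27T10:01:15 host=WS01 user=CORP\\alice cmd=C:\\Tools\\PsExec.exe \\\\FS01 -s cmd.exe
2017-06-27T10:30:00 host=WS02 user=CORP\\bob cmd=psexec.exe \\\\WS03 -accepteula cmd.exe
2017-06-27T11:00:00 host=WS02 user=CORP\\bob cmd=notepad.exe C:\\notes.txt
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")
TOOL_RE = re.compile(r'(?:^|[\\/"])(psexec|wmic)(?:\.exe)?\b', re.IGNORECASE)  # bare name or full path
TARGET_RE = re.compile(r'\\\\(?P<ps>[\w.-]+)|/node:"?(?P<wmi>[\w.-]+)', re.IGNORECASE)  # \\HOST or /node:HOST

def parse(line):
    """Return {ts, host, user, cmd, target}; target is set only for psexec/wmic calls to a remote host."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    tm = TARGET_RE.search(rec["cmd"]) if TOOL_RE.search(rec["cmd"]) else None
    rec["target"] = (tm.group("ps") or tm.group("wmi")).upper() if tm else None
    return rec

def detect_fanout(log_text, threshold=3, window=timedelta(minutes=5)):
    """Map source host -> sorted distinct targets for hosts that ran psexec/wmic
    against at least `threshold` distinct remote hosts inside any `window`."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["target"]:
            per_host[rec["host"]].append((rec["ts"], rec["target"]))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window anchored at each event
            targets = {tgt for ts, tgt in events[i:] if ts - start <= window}
            if len(targets) >= threshold:
                alerts[host] = sorted(targets)
                break
    return alerts
```

On the constructed sample, WS01 is flagged for reaching four hosts in thirteen seconds, while WS02's single psexec session is left alone; tune `threshold` and `window` to what your own administrators normally generate.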
Another method for propagation uses the EternalBlue exploit tool to target unpatched systems running a vulnerable version of SMBv1. In this case, the malware attempts to identify other hosts on the network by checking the compromised system's IP-to-physical address mapping table. Next, it scans for other systems that are vulnerable to the SMB exploit and installs the malicious payload.
NotPetya encrypts the compromised system's files with a 128-bit Advanced Encryption Standard (AES) algorithm. The malware then writes a text file on the "C:\" drive that includes a static Bitcoin wallet location as well as a unique personal installation key, intended for the victim to use when making the ransom payment, and the user's Bitcoin wallet ID.
The NotPetya malware modifies the master boot record (MBR) to enable encryption of the master file table (MFT) and the original MBR and then reboots the system. Based on the encryption methods used, it appears unlikely that the files could be restored even if the attacker received the victim's unique key and Bitcoin wallet ID.
The delivery mechanism of NotPetya during the June 27, 2017, event was determined to be the Ukrainian tax accounting software, M.E.Doc. The cyber threat actors used a backdoor to compromise M.E.Doc as far back as April 14, 2017. This backdoor allowed the threat actor to run arbitrary commands, exfiltrate files, and download and execute arbitrary exploits on the affected system. Organizations should treat systems with M.E.Doc installed as suspicious and should examine them for additional malicious activity.
Potential Impact: According to multiple reports, this NotPetya malware campaign has infected organizations in several sectors including finance, transportation, energy, commercial facilities, and healthcare. While these victims are business entities, other Windows systems are also at risk, such as:
- Those that do not have patches installed for the vulnerabilities in MS17-010, CVE-2017-0144, and CVE-2017-0145
- Those who operate on the shared network of affected organizations
Negative Consequences of Malware Infection Include:
- Temporary or permanent loss of sensitive or proprietary information
- Disruption to regular operations
- Financial losses incurred to restore systems and files
- Potential harm to an organization’s reputation.
What You Should Do: NCCIC recommends against paying ransoms, as doing so enriches malicious actors while offering no guarantee that encrypted files will be released. In this NotPetya incident, the email address for payment validation was shut down by the email provider, so payment is especially unlikely to lead to data recovery.
NCCIC recommends organizations coordinate with their security vendors to ensure appropriate coverage for this threat. Given the overlap of functionality and the similarity of behaviors between WannaCry and NotPetya, many of the available rulesets can protect against both malware types when appropriately implemented.
DHS encourages recipients who identify the use of tools or techniques discussed in this document to report information to DHS or law enforcement immediately. To request incident response resources or technical assistance, contact NCCIC at 888-282-0870. You can also report cyber crime incidents to the Internet Crime Complaint Center (IC3) at https://www.ic3.gov/default.aspx.
If You Have Dox Managed Services: You're protected! Systems that are covered under a Dox Managed Services Agreement already received the patches to fix the MS17-010 SMB vulnerability.
Prevention: Regularly train and remind staff not to click on any attachments or links they were not expecting, even from people they know. When in doubt, don't click. Instead, contact the sender and ask if it is legitimate. If you have Dox Managed Services, remind your staff of the importance of leaving their computers powered on but logged out when they leave on Tuesday nights so Dox can patch them automatically overnight.