UPDATE: June 27, 2017  Chris Goettl

Petya Ransomware Attack: What Should Companies Be Doing Right Now?

Several critical vulnerabilities with known exploits or proof-of-concept code should be the focus of everyone’s attention. The SMB exploits (EternalBlue and its siblings) resolved in Microsoft’s March Patch Tuesday update are just the start. Reportedly these are the same vulnerabilities the latest Petya variant uses. And we shouldn’t rely on a kill switch to save the day. 

In addition, two more updates for known vulnerabilities, released on June Patch Tuesday, warrant attention. 

  • CVE-2017-8543 – A vulnerability in Windows Search could allow an attacker to take complete control of the system. It could also be exploited over the network without authentication through SMB. It was flagged as “Exploited” when Microsoft released the update on June Patch Tuesday. 
  • CVE-2017-8464  A vulnerability in Microsoft Windows could allow remote code execution if an LNK file is processed. An attacker could craft a shortcut icon that provides the same rights as the local user. It’s a perfect USB drop scenario.

Microsoft went a step further, given recent attacks, and released updates for XP, Vista, and 2003  The updates go as far back as MS08-067, which plugged the vulnerability Conficker used to infect more than 15 million machines back in 2008. 

Make sure you have the latest cumulative Security updates for Windows 7 and Server 2008 R2 up through Windows 10 and Server 2016 in place. This covers the Eternal family of vulnerabilities and the two latest known exploited vulnerabilities.  Any of the cumulative updates from March through June will suffice for the EternalBlue exploit, but June provides the best coverage including news exploited vulnerabilities. 

  • Windows 7\Server 2008 R2
    March: KB4012215 
    April: KB4015549
    May: KB4019264
    June: KB4022719
  • Windows Server 2012
    March: KB4012217
    April: KB4015551
    May: KB4019216
    June: KB4022724     
  • Windows 8.1\Server 2012 R2
    March: KB4012216
    April: KB4015550
    May: KB4019215
    June:  KB4022726
  • Windows 10\Server 2016
    March: KB4012606 (1507), KB4013198 (1511), KB4013429 (1607)
    April: KB4015221 (1507), KB4015219 (1511), KB4015217 (1607), KB4015583 (1703)
    May: KB4019474 (1507), KB4019473 (1511), KB4019472 (1607), KB4016871 (1703)
    June: KB4022727 (1507), KB4022714 (1511), KB4022715 (1607), KB4022725 (1703)

If you are using the Security Only bundle instead of the Monthly Cumulative Rollup, you need the Security Only bundle from March to resolve the original SMBv1 vulnerabilities. You also need the June Security Only bundle to resolve the two latest exploits, including the new SMB vulnerability. By OS you should have the following KBs applied:

  • Windows 7\Server 2008 R2
    March: KB4012212
    June: KB4022722
  • Windows Server 2012
    March: KB4012214
    June: KB4022718
  • Windows 8.1\Server 2012 R2
    March: KB4012213
    June: KB4022717

For those of you still running Windows XP, Vista, 8, or Server 2003, we recommend you have all the Bulletins and KBs described in the document in place on your systems. All are publicly downloadable, even those released after end of life for each operating system. 

Finally, if you haven’t yet, here are some additional security controls you should implement to defend against attacks like this:

  • Application control – Whitelisting can help you defend against untrusted payloads and is one of the most effective security measures to defend against ransomware. Patching plugs the holes attackers use to get onto a system, but in the case of zero days and fileless attacks, whitelisting can block the payload trying to execute (in this case, the ransomware and propagation to other systems).
  • Threat protection – Antivirus (AV) can’t be considered a first line of defense. In most cases, the latest attack could hit several systems before AV catches up to defend against it. Attacks like WannaCry and Petya can spread so quickly that AV can’t stop them before the damage is done. That said, though? AV is still a necessary layer of defense that can limit propagation and stop attacks in their tracks. 
  • HIPS (host intrusion prevention system) – While often more difficult to tune, making them harder to implement, HIPS or IPS systems are a great line of defense against attacks such as this.  The SMB exploits follow reference implementations a HIPS system could identify, report on, and shut down before the attack hits the system. 
  • User education\training – With WannaCry and Petya, exploiting SMB was likely not the first entry point into environments. It was more likely user-targeted attacks (phishing, drive-by downloads, watering hole attacks, etc.), or possibly systems attackers already controlled using CnC infections they put in place earlier. From there the malware used the SMB vulnerabilities to spread rapidly. Any one entry point is enough, if you have not patched those vulnerabilities, so user awareness is important. 
  • Backup and restore – With ransomware so commonplace, it’s even more important to have backup software at critical endpoints. With WannaCry, and so far with Petya, the number of ransoms paid was very small. Having a recent backup allows companies to re-provision and restore user data quickly to get back up and running.
  • Provisioning – Having a Unified Endpoint Management (UEM) solution seems like an operational issue: it enables the team to manage systems in a heterogenous environment. But there are Response capabilities in that UEM platform that are essential to combat cyber threats today. Any credible security practitioner will say that paying the ransom is a bad idea, and that having good backups and re-provisioning the system and restoring the data is the more efficient way to recover from a ransomware attack. 
UPDATE: June 27, 2017  CISO Phil Richards

Petwrap, Based on Petya Variant

New ransomware is attacking global computing systems worldwide as of June 26, 2017. The ransomware, called Petwrap, is based on an older Petya variant, originating from the GoldenEye malware in December 2016. The new ransomware variant also includes the SMB exploit known as EternalBlue that was created by the United States National Security Administration, and leaked by the Shadow Brokers hacker group in April 2017.

This malware appears to have been targeted to Ukraine infrastructure groups such as government workstations, power companies, banks, ATMs, state-run television stations, postal services, airports, and aircraft manufacturers. Since the initial infection it has spread to other markets, and beyond the Ukraine borders. The actual malware is ransomware, requesting a ransom equivalent to $300 USD in bitcoins.

The Petya component includes many features that enable the malware to remain viable on infected systems, including attacking the Master Boot Record. The EternalBlue component enables it to proliferate through an organization that doesn’t have the correct patches or antivirus/antimalware software. This is a great example of two malware components coming together to generate more pernicious and resilient malware.

ransomware attack