Yesterday, Ivanti hosted a webinar focused on the latest global ransomware attack based on “Petya” malware. The featured speakers were Chris Goettl, Manager of Product Management for Security, and Phil Richards, Chief Security Officer at Ivanti. Amber Boehm, Manager of Product Marketing, moderated and fielded questions. Herewith, some key takeaways from the webinar.
How this Petya attack got started
In Ukraine, where the latest Petya attack has been most severe, there are only two companies through which other companies can file their taxes. Attackers were able to load malware into an update issued by M.E.Doc, one of those two tax-filing companies. This was likely the “opening salvo” of the current Petya attack, Chris Goettl said.
How the attack spread
Like the original Petya attack, the latest version encrypts the Windows Master Boot Record (MBR). It then schedules a reboot of the infected system, instead of rebooting immediately, after which system files are encrypted. The delayed reboot gives the attackers time to use that system as a “launch pad” to reach out to other connected systems.
It’s in the lateral spread of the infection that “Petya starts to become NotPetya,” Chris said. It uses a combination of EternalBlue (MS17-010), the stolen NSA exploit WannaCry used. The current Petya attack also uses the Windows Management Instrumentation Command-line (WMIC) and the Windows remote execution tool PsExec to spread to other systems. It tries one option—using the security tool mimikatz to grab passwords WMI and PsExec use, for example—and if that doesn’t work, it tries the next. As Phil Richards noted, it’s clearly equipped with a better mechanism for spreading itself than WannaCry.
After spreading, it encrypts the system files, rendering the system unusable. “The intent of this malware is not to encrypt everything on the disk,” but only the MBR, which lets the malware spread much more quickly, Phil said. He added that the malware “absolutely depends on admin privileges” to gain access and spread.
What was the goal of this attack?
WannaCry was a “huge success” in terms of how widespread it was, but incredibly unsuccessful in terms of monetization, Chris said. Characteristics of the current Petya attack indicate that its primary goal may not have been to generate revenue for its instigators.
Chris referred to a post by Brian Krebs at his widely read, widely respected Krebs on Security blog site. That post features comments from Nicholas Weaver, a security researcher at the International Computer Science Institute and a lecturer at UC Berkeley. Weaver “said Petya appears to have been well engineered to be destructive while masquerading as a ransomware strain.”
“Weaver noted that Petya’s ransom note includes the same Bitcoin address for every victim, whereas most ransomware strains create a custom Bitcoin payment address for each victim. Also, he said, Petya urges victims to communicate with the extortionists via an email address, while the majority of ransomware strains require victims who wish to pay or communicate with the attackers to use Tor, a global anonymity network that can be used to host Web sites which can be very difficult to take down. ’I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware,’ Weaver said.”
“This is ransomware as window dressing only, and not ransomware as an actual attack” attempting to extort money from victims, Phil added. Instead, the primary goal of this attack appears to be broad disruption of business operations across Ukraine. “It becomes real clear that this malware is targeted primarily at Ukraine” and that “the malware is weaponized,” although it is not yet clear or proven that this was an attack by a nation state, Phil added.
What It All Means
Ransomware is becoming more sophisticated, and more of a weaponized tool. “One thing to recognize is that a lot of the proliferation capabilities were focused on internal networks. There was not a tremendous focus on expanding outside of [those] specific networks,” Phil said. This is another indication that this Petya attack was designed for disruption, not revenue generation.
This attack “has taken ransomware to a new level. This is a widespread, disruptive attack, not only [on] businesses, but at a social level and at an economic level,” Chris said. With this latest Petya attack, “it’s not just about our businesses anymore. It’s about the people around us and the economies around us.”
Ukraine is still recovering, and the effects of this attack are likely to persist for some time to come. Meanwhile, there are other vulnerabilities already apparently being exploited in the wild that could enable similarly disruptive attacks in the near future. As Chris asked near the end of the webinar, “if WannaCry was the ‘alpha,’ is this [attack] the ‘beta?’”
What You Should Do Now
Disabling the WMIC (wmic.exe) and/or PsExec can limit or stop spread of this latest Petya variation. You can also “vaccinate” uninfected systems on your network to make them immune to infection by the current Petya variation. An article at BleepingComputer.com explains how.
If you are keeping current on your Windows security rollups, Chris and Phil agreed that you’ve got the targeted vulnerabilities mostly patched. But patching alone is not enough. “These two ransomware attacks [WannaCry and Petya] underscore the importance of a defense-in-depth strategy,” Phil said. That strategy starts with timely, comprehensive patching, but must also include application control (to limit the ability to run WMIC and PsExec), antivirus, and privilege management (a “huge deal” for this particular attack), Phil added.
“An attack this sophisticated was designed to be able to get around one or two” security measures, making a multi-layered approach mandatory for effective defense, Chris said. “The bottom line,” Phil added, “is that there are some initial attack vectors you are not going to be able to defend against. What you can do is arrest its deployment throughout the rest of your environment.”
How Ivanti Can Help
The online Ivanti community has specific, detailed information about the latest Windows security patches and rollups, and on how to use Ivanti Endpoint Security to protect against ransomware such as Petya. Ivanti Patch for Endpoints, Patch for SCCM, and Patch for Windows Servers will also tell you what patches you have installed and what patches you need to get and stay ahead of malware.
To help accelerate your implementations of multi-layered malware defenses, Ivanti is also offering current and new customers significant discounts on combinations of select Ivanti cybersecurity solutions. Check out the details online, and see how much you can save on improving your enterprise’s ransomware and malware protections.
If you missed or want to revisit today’s webinar, you can register for complimentary, on-demand access. And look for a follow-up post here soon that will include questions asked during the live webinar, and answers from our cybersecurity experts.