For Petya’s sake, learn from these attacks!

Petya/NotPetya raised important questions, as much of the security good practice that would have helped prevent previous ransomware attacks did not fully apply.

While questions continue to be asked about whether Petya/NotPetya was true ransomware or rather a wiper designed to simply cause damage and disruption, security and IT professionals should look to take action to make their systems more resilient to these kinds of attacks, whatever the motivation behind them.

Update that MeDoc!

The initial infection path was through a poisoned supply chain; the Ukrainian accounting software MeDoc delivered a malicious software update. This served not only as a delivery mechanism, but also a disguise, as legitimate software was hijacked. The limited target group may help non-Ukraine-based CISOs sleep at night, but with its ability to worm through interconnected networks the ransomware quickly turned into a nightmare for some.

Updating software regularly is what you are supposed to do; it is meant to make your network safer. Yet in this instance it proved to be the cause of a potential disaster. Could you contain the situation if your supply chain were compromised?

What can you do?

  • Segregate your network into logical zones using firewall rules, user groups and overall architecture. Consider supply chain issues as well as machine type and business unit.
  • Be aware of connections to partners or regional offices and what types of communication can occur between them.
  • Where possible, audit suppliers.

Escalation and expedition

After gaining access to an endpoint, Petya/NotPetya is able to spread to further machines via multiple methods. For instance, the malware is able to use both the EternalBlue and EternalRomance Server Message Block (SMB) exploits. However, the recent WannaCry ransomware outbreak drew attention to Microsoft Security Bulletin MS17-010, which patched both exploits, meaning infrastructure is more likely to have been updated against them.

Just for such an eventuality, Petya/NotPetya also attempts to steal credentials and authentication tokens that can be used to access other machines. If credentials can be obtained, Microsoft's PsExec and the Windows Management Instrumentation (WMI) framework become the vectors to spread across the network. This makes Petya/NotPetya a particularly challenging threat to block, as simply ensuring that all patches are applied and that strong passwords are set will not be sufficient.

Rather, alongside patching and password policy, the network as a whole needs to be designed with containment in mind. Segregation at the network and user-account level, and the principle of least privilege and minimum access for user groups, become very important.
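A defender-side illustration of the spread paths just described, added here and not part of MWR's original post: it scans constructed Windows event records for the two tell-tales of PsExec- and WMI-based lateral movement (a PSEXESVC service install, and a shell spawned by WmiPrvSE). Event IDs 7045 and 4688 are real Windows event IDs; the record layout, field names and sample values are assumptions for illustration.

```python
# Added example (not from the original article): flag the lateral-movement
# patterns the post names, remote service execution via PsExec and remote
# process creation via WMI, in Windows event records. The records below are
# constructed samples, not real telemetry; the dict field names are a
# simplified stand-in for parsed EVTX fields.
from typing import Dict, List, Optional, Tuple

SAMPLE_EVENTS: List[Dict[str, str]] = [
    # System 7045: a service installed under the PsExec service name.
    {"channel": "System", "event_id": "7045", "host": "WS-01",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # Security 4688: WmiPrvSE spawned a shell, typical of remote WMI execution.
    {"channel": "Security", "event_id": "4688", "host": "WS-02",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "process": r"C:\Windows\System32\cmd.exe"},
    # Security 4624: an ordinary interactive logon; should not alert.
    {"channel": "Security", "event_id": "4624", "host": "WS-03",
     "logon_type": "2", "user": "alice"},
    # System 7045 from the OS servicing stack; benign, should not alert.
    {"channel": "System", "event_id": "7045", "host": "WS-04",
     "service_name": "TrustedInstaller",
     "image_path": r"C:\Windows\servicing\TrustedInstaller.exe"},
]


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a finding label for one event, or None if it looks benign."""
    eid = event.get("event_id")
    if eid == "7045" and "PSEXESVC" in event.get("service_name", "").upper():
        return "psexec-service-install"
    if eid == "4688" and event.get("parent", "").lower().endswith("wmiprvse.exe"):
        child = event.get("process", "").lower()
        if child.endswith(("cmd.exe", "powershell.exe", "rundll32.exe")):
            return "wmi-remote-exec"
    return None


def findings(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, label) pairs for every alerting event, in input order."""
    out = []
    for ev in events:
        label = classify(ev)
        if label:
            out.append((ev["host"], label))
    return out


if __name__ == "__main__":
    for host, label in findings(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```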

What to do

Lost keys

The Petya ransomware family encrypts the Master File Table (MFT), which is needed to properly read files from the hard drive. This variant of Petya/NotPetya, however, throws away the encryption key and does not save the information required to decrypt it again. This makes it impossible for the authors to decrypt your drive, which is why some people characterize it as a wiper, not true ransomware. The intentions of the authors remain uncertain.

That this malware arrived so soon after WannaCry's rapid spread suggests that high-impact, targeted ransomware is going to become more prevalent and relevant to large organizations. When breaches occur, having practiced internal processes can help mitigate the impact. For serious breaches, many organizations need the specialized support of an accredited incident response team.

More detail on this topic can be found in Countercept's analysis and FAQ on Petya/NotPetya.
