Platte River Networks’ Response to Petya (NotPetya, PetyaWrap/PetrWrap, ExPetr)

We are currently tracking a new ransomware using a variant malicious code known as “Petya”. This is part of a new wave of multi-vector ransomware attacks that we are calling “ransomworm” which takes advantage of timely exploits. The ransomworm is designed to move across multiple systems automatically, rather than stay in one place. It appears that the Petya ransomworm is using similar current vulnerabilities that were exploited during the recent Wannacry attack but also differs in important ways.

Note: Platte River’s Clients are Protected by Default

On June 27, Platte River sought out and received verification that our tools were protecting against current known samples.

The Fortinet Security Fabric is providing comprehensive protection against the Petya ransom worm through several integrated and automated means, including automatic intrusion detection (IPS/IDS), intrusion prevention (anti-virus), real-time analysis of suspicious code (FortiSandbox), and automated information sharing. Both your firewall and endpoint protection are verified to prevent this exploit and keep your data secure. More details about what Platte’s done to ensure our client’s network safety below.

Petya Background

We wrote about WannaCry and WannaCrypt when it was sweeping throughout the world, and for clients, there was no need to worry. But we also knew that worm was just the beginning of a new generation of malware. W.Cry brought attention to a less malicious malware, dubbed Adylkuzz, that used the same exploit. Adylkuzz and W.Cry leverage MS17-010, also known as EternalBlue, to compromise computers. EternalBlue is an advanced exploit that was developed and used by, and later stolen from, the National Security Agency. 46 percent of the ransomware attacks they observed were caused by email or phishing scams, according to research from Datto. All the new exploits leverage EternalBlue, but now, hackers are diversifying exploits, repurposing old exploits, and improving virulence.

Weeks after W.Cry made headlines, the community noticed new breeds of ransomware, and referred to them as ransomworms due to their new modes of spreading. Attackers scan the internet for vulnerable computers to install their malware and target vulnerable users in a variety of ways, which is why patches can only do so much to safeguard and endpoint security is a must. Moving beyond email, ransomworms can use social media, apps, connected LANs and anyone with network privileges to spread.

Enter Petya, Stage Right

The PetyaWrap attack repurposed a separate NSA exploit dubbed EternalRomance. The ransomware exploits the vulnerability CVE-2017-0144 in Microsoft’s implementation of the Server Message Block protocol. It encrypts a system’s master boot record and files—a double stroke that renders the disk inaccessible and prevents most users from recovering anything on it. The endgame for PetyaWrap isn’t ransomware, though it appeared to be initially. Hackers are referring to it as a wiper which destroys victim’s computer data entirely. NATO is debating whether to consider it’s release an act of war since it targeted Ukranian institutions and infrastructure. Since the initial attack vector is unclear Russia, a suspect, hasn’t been outright accused of sponsoring the attack. The aggressive worm-like behavior helps spread the ransomware beyond Ukraine.

Microsoft patched the underlying vulnerabilities for both of the exploits in March, four weeks before a hacker group, Shadow Brokers, leaked advanced NSA hacking tools, but for many, the fix was too little, too late. The NSA hacking kid gave cybercriminals with only moderate technical skills a powerful vehicle for delivering virtually any kind of digital warhead to systems that weren’t patched, and more worryingly, some patched systems were still compromised.

Besides use of EternalRomance, the PetyaWrap attack demonstrates several improvements over W.Cry, the most notable was the use of the Mimikatz hacking tool to extract passwords from other computers on a network. With network credentials in hand, infected computers use PSExec, a legitimate Windows component known as the Windows Management Instrumentation, and possibly other command-line utilities to infect other machines, even machines that aren’t vulnerable to the EternalBlue and EternalRomance exploits.

Additional Security for Clients

Beyond patching and robust endpoint security, we implemented a ‘vaccination’ that pushed out a scripted batch file to block the ransomware from executing should Petya find its way onto a machine. Still concerned? Feel free to give us a call to learn more about how Platte River Networks can keep your business safe and secure.

The Resource Hub

Get Complete Managed Services Insights

Visit our Resource Center for up-to-date news and stories for technology and business leaders.

Three IT Service Techs Working together at desks in office

Move Forward with IT Services for Business

Use managed services for small and mid-sized businesses that help you reach your goals.

Work With Us