Update: We've discovered a vaccination that disables the NotPetya ransomware.
Ransomware with functionality that’s similar to Petya ransomware has infected organizations across Europe, bringing business to a standstill. Ukraine businesses have so far beared the brunt of the attack. Supermarkets, gas stations and banks in the country along with its public transportation system and major telecommunications provider reported that their systems have been compromised. Like the WannaCry attack, this ransomware supposedly uses the EternalBlue exploit to spread.
Other affected organizations include British advertising agency WPP, Danish shipping company Maersk and Russian oil company Rosneft. The infection began Tuesday morning as European workers arrived at the office and turned on their computers and is believed to be spreading west as the day progresses.
After infecting systems, the ransomware demands $300 in bitcoin. As of 2:30 p.m. EST, blockchain records show that 27 transactions have been made to the target wallet, totaling $6,820.
The attack shares some of the functionality of the Petya ransomware family, but cannot be conclusively tied to that family or campaign as of yet.
- It kills itself prior to infection if the en_US keyboard layout is the only keyboard layout installed
- It overwrites the Master Boot Record of the System with a malicious payload
- It either forces a Hard Error within Windows which reboots the system, or creates a scheduled task to initiate a reboot after a set delay (eg, 2 hours)
- Upon reboot, code inserted into the Master Boot Record which executes and encrypts user files on the system
- It creates a scheduled task on the infected system prior to reboot that will re-encrypt the system if it is recovered through other means
- The “ransom” message is displayed to the user telling them how to pay for a recovery key
Behavioral indicators & PREVENTION
- The parent process of the infection will be “wevtutil.exe” with a command line that contains the word “security”
- There will be a child process “cmd.exe” with a commandline that contains the word “deletejournal”
Below are action steps the Cybereason Intelligence Team recommends for prevention and mitigation:
Add the following hashes to your blacklist, and if the prevention driver is installed, mark them for prevention.
If you are not using SysInternals’ PSExec as an administrative tool in your environment, consider blacklisting the hash of the psexec version that is used in the attack:
Block the Malware IPs at the Network Layer
Add the following IPs and domains to your firewalls and other network control measures (inbound and outbound):
Block Lateral Movement at the Network Layer
Block SMBv1 across your organization to prevent lateral movement. Block SMB traffic from the internet to your internal network ranges.
Apply Windows Patches to Prevent Lateral Movement
Patch all Windows distributions against the EternalBlue exploit (Patch MS17-010).
Install MBR filtering
Install an MBR filter by TalosIntelligenceNote: this tool is not officially supported or endorsed by cybereason; liability remains with the user.
Warn users about unexpected restarts
Instruct users that if the machine suddenly and inexplicably restarts - shut it down immediately and don't restart it. IT Support Teams can restore the original MBR using a Windows boot disk to prevent encryption of files if the machine is powered off quickly enough.
Enable secure boot
Turn on secure boot when applicable (mostly laptops)