Monday, July 03, 2017

Cybersecurity - Malware Mitigation Tips for Ransomware

Dr. Frank Kardasz
July 10, 2017. 
Editor: Ava Gozo.

The Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) offers excellent information and advice that explains various cyber threats and methods to mitigate threats.

ICS alert 17-181-01A, regarding the Petya ransomware threat against computers running Microsoft Windows operating systems, can be found on the ICS-CERT web page:
 
A second alert was posted here:
 

According to the ICS bulletins, the malware is sometimes also known as "NotPetya," "Petrwrap," "GoldenEye," and "Nyetya."  It is described as a self-propagating worm that moves through a network, steals user credentials and exploits server message block (SMB) vulnerabilities.  It uses the Windows Management Instrumentation command-line tool (WMIC) and PsExec to run itself on additional systems once it has found them.  The attack uses ports 139/TCP and 445/TCP, and on an infected host it overwrites the Master Boot Record (MBR) or wipes sectors of the drive.  Because it has two ways in (stolen credentials and the SMB exploit), a host that is fully patched can still be infected if an attacker-controlled machine holds credentials that are valid on it.
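The lateral-movement behaviour described above (PsExec service installs and WMIC remote process creation) leaves traces in Windows event logs. The following script is an added example, not part of the ICS-CERT bulletin or this blog's original content; it assumes the System log event 7045 (service installed) is available and, for the WMIC checks, that "Audit Process Creation" with command-line logging has been enabled so Security event 4688 carries the command line. The seven-day window and the "unusual path" heuristic are assumptions to adjust.

```powershell
# Added example: hunt for PsExec / WMIC lateral movement on one Windows host.
# Run from an elevated PowerShell prompt. Nothing here is an official indicator
# list; it is a starting point built from the behaviour the bulletin describes.
$since = (Get-Date).AddDays(-7)   # assumption: look back one week

# Turn an event's <EventData> into a hashtable keyed by field name.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# 1. PsExec installs a service on the target. The default service name is
#    PSEXESVC; a renamed PsExec build can pick another name, so also flag
#    services whose binary lives outside \Windows or \Program Files
#    (assumption: that is unusual on the hosts being checked).
$svcInstalls = Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Service = $d['ServiceName']
            Path    = $d['ImagePath']
            Account = $d['AccountName']
        }
    } |
    Where-Object {
        $_.Service -eq 'PSEXESVC' -or
        $_.Path -notmatch '^(\\\?\?\\)?"?[A-Za-z]:\\(Windows|Program Files)'
    }

# 2. WMIC remote execution: on the target, the new process is a child of
#    WmiPrvSE.exe; on the source, wmic.exe runs with a /node: argument.
#    ParentProcessName in 4688 exists on Windows 10 / Server 2016 and later.
$wmiSpawns = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Process     = $d['NewProcessName']
            Parent      = $d['ParentProcessName']
            CommandLine = $d['CommandLine']
        }
    } |
    Where-Object {
        ($_.Parent -match 'WmiPrvSE\.exe$') -or
        ($_.Process -match 'wmic\.exe$' -and $_.CommandLine -match '/node:')
    }

"--- Service installs that look like PsExec (since $since) ---"
$svcInstalls | Format-Table -AutoSize
"--- Processes created via WMI / remote wmic (since $since) ---"
$wmiSpawns   | Format-Table -AutoSize
```

A single hit is not proof of compromise: administrators use PsExec and WMIC legitimately. What matters for a ransomworm is the pattern of many hosts showing these events within minutes of each other, so run the script across the fleet (for example through remoting) and compare timestamps rather than judging one machine in isolation. Absence of hits on a host without process-creation auditing means nothing, since the 4688 events were never written.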

An interesting analysis of the threat is also provided by the Guardian at:

Although the malware is characterized as ransomware, the CyberWire reported that persons who paid the Bitcoin ransom were not subsequently able to retrieve their data.  Possible motives suggested for the attack are political, involving Russia and Ukraine, or commercial, involving rival business operations.  

Security expert Bruce Schneier believes that the malware is better characterized as a data wiper than as ransomware.  Schneier also discounts the attributions to government or big-business sources. See: https://www.schneier.com/blog/archives/2017/07/goldeneye_malwa.html

Reports indicate that the source of Petya may be a supply chain attack against the accounting software MeDoc.  
Fortune reports that MeDoc is a Ukrainian financial accounting firm whose software assists in tax preparation. 

In July 2017, The Register reported that a Twitter user known as Janus had issued a master decryption key for Petya. Unfortunately, the key does not work for other strains of the malware, notably NotPetya. See: https://www.theregister.co.uk/2017/06/29/petya_help/

Security researcher Raul Alvarez of Fortinet provides an excellent technical analysis of the differences between Petya and NotPetya here: http://blog.fortinet.com/2017/07/08/key-differences-between-petya-and-notpetya

Information from ICS-CERT about how to mitigate the Petya malware threat includes the following advice:

NotPetya is being placed in a new category called "ransomworm" because, unlike ordinary ransomware that needs a user to open each infected attachment, it propagates automatically across local and extended networks.

Backups are always a recommended part of the recovery process in most ransomware and malware situations.  Because this worm spreads with stolen credentials, backups that are reachable as network shares from an infected host can be destroyed along with the originals; at least one copy should be offline or otherwise unreachable from the production network.  An informative discussion about backups can be found at the Society of Electrical Engineers web page:

Patching operating systems is considered essential security hygiene.  Microsoft patch MS17-010, which fixes the SMBv1 flaws this worm exploits, is described at the following link.  Note that the patch closes only the exploit path; a patched host can still be infected through the credential-theft path, so patching must be combined with the port blocking and SMB1 retirement described below:  

How to block traffic at TCP port 139 (session services) is described by Microsoft at the following link:  https://technet.microsoft.com/en-us/library/cc940063.aspx

How to block TCP port 445 is described by AOMEI at the following link:  http://www.backup-utility.com/anti-ransomware/how-to-block-port-445-in-windows-3889.html

SMB1 – Audit Active Usage using Message Analyzer is described by Microsoft here:
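The three host-level steps above (confirm MS17-010, retire SMBv1, block 139/445) can be checked and applied from one PowerShell script. The script below is an added example written for this page, not ICS-CERT's or Microsoft's own tooling. It assumes an elevated PowerShell 5.x prompt on Windows 8.1 / Server 2012 R2 or later (for the Smb cmdlets), and the KB list is a partial, illustrative set of MS17-010 update identifiers: later cumulative updates supersede them, so "not found" means "verify manually", not "unpatched". The firewall rule names are assumptions.

```powershell
# Added example: report on, and optionally apply, the Petya/NotPetya host
# mitigations. Without -Fix it only reports. Run as an administrator.
param([switch]$Fix)

# 1. MS17-010. Assumption: this KB list is partial and illustrative; check the
#    bulletin for your OS build. Monthly rollups and cumulative updates that
#    include the fix carry different KB numbers, so absence is not proof.
$ms17010 = 'KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
           'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429'
$found = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($found) { "MS17-010: installed ($(($found | ForEach-Object HotFixID) -join ', '))" }
else        { "MS17-010: none of the listed KBs found - verify against the bulletin and cumulative updates" }

# 2. SMBv1. Blocking ports stops traffic from outside the host; disabling the
#    protocol removes the vulnerable code path entirely, which is the stronger fix.
$smb = Get-SmbServerConfiguration
"SMB1 server protocol: $(if ($smb.EnableSMB1Protocol) { 'ENABLED' } else { 'disabled' })"
if ($Fix -and $smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # On Windows 10 / Server 2016 the SMB1 component can be removed outright.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
}
# Before cutting SMB1 off on a file server, audit who still uses it. On
# Server 2016 / Windows 10 the server can log each SMB1 connection itself
# (log Microsoft-Windows-SMBServer/Audit, event 3000); older builds need a
# network capture, as in the Message Analyzer article above.
if ($smb.PSObject.Properties['AuditSmb1Access']) {
    if ($Fix -and -not $smb.AuditSmb1Access) { Set-SmbServerConfiguration -AuditSmb1Access $true -Force }
    $smb1Clients = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-SMBServer/Audit'; Id=3000} -ErrorAction SilentlyContinue
    "SMB1 client connections logged so far: $(@($smb1Clients).Count)"
}

# 3. Block inbound TCP 139/445. Windows evaluates block rules before allow
#    rules, so an "allow from LocalSubnet" exception cannot punch through a
#    blanket block; on file servers and domain controllers scope the block
#    with -RemoteAddress instead of blocking everything.
foreach ($port in 139, 445) {
    $name = "Ransomworm mitigation: block inbound TCP $port"   # assumed rule name
    $existing = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if ($Fix -and -not $existing) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Block -Profile Any | Out-Null
        $existing = Get-NetFirewallRule -DisplayName $name
    }
    "TCP $port inbound block rule: $(if ($existing) { 'present (enabled=' + $existing.Enabled + ')' } else { 'absent' })"
}
```

Run it first without -Fix across a sample of workstations to see how many still have SMB1 enabled and whether any of the listed KBs are present; only then apply -Fix, and apply it to workstations before servers, since workstations rarely need to accept inbound SMB at all while servers need the scoped rule described in the comments.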

Knowbe4, a security awareness company, reports the following email subject lines as being frequently used for ransomware phishing purposes:




Wireshark for network traffic analysis can be found here:  https://www.wireshark.org/#download

Rapid7 offers detection information here: 

SMBv1 is described by Netfort Technologies at the following link:  

Subscribe to ICS alerts here:  

FAQs

What is a server message block (SMB)? (from Techopedia)

What is a worm? (From Techopedia)

What is Ransomware? (From UC Berkeley):

What is Encryption? (from Wisegeek):

What is Bitcoin? (From Penn State University):

What is a supply chain attack? (From Software Engineering Institute):

What is a Master Boot Record? (from Techopedia)

=-=-=-=-=-=
Permalink: https://kardasz.blogspot.com/2017/07/Ransomware-Petya.html