- What has happened?
A new outbreak of ransomware, a form of malware which encrypts your files and demands a ransom payment to recover them, has hit organisations globally. It appears to be a derivative of the previously seen Petya ransomware, but with some differences. Many researchers have cast doubt on whether this really is a variant of Petya or something just designed to look like Petya, hence it has been dubbed NotPetya.
The outbreak began in Ukraine with a compromised update to the MEDoc accounting software used by many Ukrainian companies. Its worm capabilities, which let it spread automatically to other machines, have carried it into organisations all over the world. Unlike the recent WannaCry outbreak, however, it does not appear to spread over the Internet, only across an organisation's internal network after the initial infection. Organisations outside Ukraine are thought to have been hit either because they also use MEDoc, or because they are multinationals whose networks interconnect with infected Ukrainian sites.
- Why is this outbreak particularly nasty?
NotPetya can spread between computers using credentials stolen from any machine it infects. This means that even a fully patched host, on which its exploit attempts fail, can still be infected from a neighbour. The technique is common in hands-on cyber attacks but is rarely seen in fully automated malware with destructive potential. Additionally, the initial infection vector was a malicious update injected into a legitimate software product's update channel, which was almost impossible to distinguish from a genuine, safe update.
- What systems are vulnerable?
Computers running Microsoft Windows. NotPetya will attempt to spread to all versions of Windows.
- How does infection start?
All confirmed cases began with a malicious update delivered through the legitimate update mechanism of the MEDoc software; no confirmed case has yet been traced to any other source. Once a machine is infected, NotPetya attempts to spread through the internal network by several means, discussed under "How does it spread?"
- Is it spread by email?
No confirmed cases of NotPetya spreading by email have yet been found. It is not impossible that some may be discovered, but at this stage it does not appear to spread by email. There were early reports that it did, but these were later proven to be mistaken. It is of course possible that threat actors could repackage the ransomware and distribute it in email form, but this has not been seen yet.
- How does it spread?
An infected machine uses several methods to reach other Windows machines on the same network (the subnet the host is on). These include exploiting unpatched software vulnerabilities and recovering credentials for user accounts from the computer's memory. Critically, the credential-based methods mean it can spread even to fully patched computers.
Specifically, it will use the following:
- SMB exploits EternalBlue and EternalRomance, which target the vulnerabilities addressed by Microsoft bulletin MS17-010
- Plaintext credential recovery from memory with the Mimikatz tool
- Windows access token theft
- The Sysinternals utility PsExec, used to execute the malware on remote systems with stolen tokens or credentials
- Windows Management Instrumentation (WMI), also used to execute the malware on remote systems with stolen tokens or credentials
- I’m fully patched, including against MS17-010, am I safe?
No; at least not just because of your patching. NotPetya can spread without the use of exploits meaning that it can spread to fully patched systems. For more details see “How does it spread?”
- I don’t use MEDoc, am I likely to be affected?
It seems unlikely anyone not using the MEDoc software will be affected, as no confirmed cases have been found which do not have MEDoc as a likely source at this time. If your network is interconnected with partners who use MEDoc it is possible for the infection to spread over this connection depending on the layout of the network. No cases have been seen of it spreading over the Internet however.
- What data is encrypted?
NotPetya has two encryption mechanisms: the first encrypts files with certain extensions, and the second encrypts the Master File Table (MFT), the NTFS structure that records where each file's data lives on disk and without which files cannot be read correctly. The MFT encryption is done by replacing the Master Boot Record (MBR), the code that controls how the system starts up; the malicious MBR runs an MFT encryption routine disguised as the CHKDSK utility.
The file extensions that NotPetya will encrypt are listed below. It will not encrypt any files in the C:\Windows folder.
- Is this a ransomware or actually a wiper?
There have been claims that NotPetya was never intended to allow files to be recovered and is therefore really a destructive wiper. Some of these claims proved technically invalid. One with merit is that the key used to encrypt the Master File Table (MFT), the structure that allows files to be read from the disk correctly, is thrown away. Earlier versions of Petya embedded the cryptographic material the attackers needed to decrypt your drive in the "installation key" shown in the ransom message, but NotPetya does not. This makes it impossible, even for the attackers, to decrypt the MFT and read the drive properly.
What is not clear is whether this was a mistake by the attackers or a deliberate change to cause as much damage as possible while masquerading as ransomware. It would be an unusual mistake to make, but we cannot know for sure.
- Is this part of a broader threat to Ukrainian organisations?
This cannot be concluded by purely technical means, but it is worth noting that there have recently been several ransomware attacks that appear to be directed against, or have disproportionately affected, Ukraine. For example, see https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/.
- Can I recover my files?
At this point there is no simple way to do this. However, depending on circumstances, you may be able to recover some data using digital forensic techniques; your mileage may vary and there is no guarantee of success. Work is ongoing to identify any better techniques for data recovery.
If your MBR was not infected, you should find that only the first 1 MB of each affected file is encrypted. Some useful data may be recoverable depending on the file type.
If your MBR was infected, but your MFT was not encrypted, you can restore your MBR using Windows installation media recovery tools. You may still find your files encrypted, but as above, this should only affect the first megabyte and therefore you may be able to recover some useful information depending on the file type.
If your MFT has also been encrypted, you may still be able to carve files from a raw disk image. These files may still have the first megabyte encrypted, and this may make file carving more difficult as the file header will not be clear. You may be able to recover some useful information, but your chances are even more slim.
All of this requires fairly sophisticated forensic techniques; standard forensic packages will struggle in these circumstances. It may not be worth the effort, but we offer these ideas in case they are useful to anyone.
- Should I pay?
We do not recommend paying the ransom. The contact email address in the ransom note has been taken down by the email provider, so the chances of successfully communicating with the attackers are low. Additionally, there are serious doubts about whether the attackers ever intended to decrypt anyone's files, or whether it is even practical for them to do so (see "Is this a ransomware or actually a wiper?").
- What can I do to minimise the chances of being hit by NotPetya?
If you use the MEDoc software, segregate the hosts running it from the rest of your network as far as practical. In particular, restrict outbound connectivity from those hosts on TCP ports 445 and 139 to stop an infection spreading from them. Consider disabling MEDoc's automatic updates until these segregation steps are in place.
It is also important to patch all Windows systems, particularly the patches specified in MS17-010 (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) as these address vulnerabilities exploited by NotPetya.
- What can be done to contain NotPetya?
Ultimately, a network structured with defence in depth in mind is the best way to contain this. This means things like:
- Good network segregation to divide parts of the network up into logical zones that have limited, controlled communication between each other
- Segregation of domain user groups to disallow logins by users on machines they should not need access to
- Network filtering to limit communication inbound and outbound from individual hosts and between network zones
- Avoiding shared passwords for local admin accounts
- Ensuring systems are fully patched
- Keeping regular offline backups to fall back to if the worst happens
This helps to confine any cyber attack to a small part of your organisation. While all of this is good security practice, it is probably not something you can do in the immediate term if you are concerned by this outbreak.
As such, the following temporary measures can be taken to limit the spread of a NotPetya infection. Some of these steps may affect the normal operation of your network, so care should be taken when implementing them.
- Block TCP ports 445 and 139 on host-based firewalls to prevent SMB communication between hosts
- Make use of the Protected Users security group to limit Mimikatz effectiveness (see https://technet.microsoft.com/en-us/library/dn466518.aspx). Only domain accounts can be members, so this does not protect local accounts, and on Windows 7 and Server 2008 R2 it requires KB2871997
- For Windows versions prior to 8.1 and Server 2012 R2, ensure the KB2871997 update (https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a) is installed and set the DWORD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TokenLeakDetectDelaySecs = 30 in the registry. This clears the credentials of logged-off users after 30 seconds, mimicking the behaviour of Windows 8.1+. In addition, set the DWORD HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 0 so that WDigest plaintext credentials are no longer kept in LSASS memory, again the default on Windows 8.1+. Reboot the host afterwards; credentials already in memory are not removed by changing the setting
- Disable SMBv1 (this may break Windows XP or Server 2003 clients, but you shouldn't be running those anyway as they are out of support); see https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
- Disable administrative shares (such as ADMIN$) by setting the following DWORD registry values. PsExec copies its service executable over ADMIN$, so this blocks it, but it will also break legitimate tooling that relies on administrative shares:
HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\AutoShareWks = 0 (for workstations)
HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\AutoShareServer = 0 (for servers)
- Enable UEFI Secure Boot (this will not stop file encryption but should stop the malicious MBR encrypting the MFT). This only applies to hosts installed in UEFI mode; legacy BIOS installs cannot simply switch it on
- Block remote execution through PsExec by denying network logons the right to create services in the Service Control Manager. From an interactive cmd.exe prompt (in a batch file write %%a in place of %a), run:
FOR /F "usebackq tokens=2 delims=:" %a IN (`sc.exe sdshow scmanager`) DO sc.exe sdset scmanager D:(D;;0x00040002;;;NU)%a
Afterwards check with sc.exe sdshow scmanager that the descriptor now starts with the deny ACE for NU (network users). Note that this also stops legitimate remote management tools that install a service
- Use a WMI namespace ACL to restrict remote WMI access (see https://msdn.microsoft.com/en-us/library/aa822575(v=vs.85).aspx)
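The following PowerShell script is an added example written for this page, not code from MWR or Countercept. It applies the host-level temporary measures above (the WDigest, TokenLeakDetectDelaySecs and SMBv1 registry settings, and optionally the administrative shares and the port 445/139 host-firewall blocking, including the outbound blocking suggested for MEDoc hosts under "What can I do to minimise the chances of being hit by NotPetya?"), then reads every setting back so you can see what changed. It also reports whether KB2871997 is present and whether the Service Control Manager descriptor already contains a deny ACE for network users; those are checks, not changes. Registry paths and values come from this advisory; the switch names, the firewall rule names and the script name are this example's own assumptions. It needs an elevated Windows PowerShell 4.0 or later session; the firewall and SMB cmdlets exist on Windows 8.1 / Server 2012 R2 and later, while the registry part also works on Windows 7 / 2008 R2.

```powershell
#Requires -RunAsAdministrator
<#
  Contain-NotPetya.ps1 (added example, not MWR code). Applies the temporary
  host-level measures from the advisory above and reads each one back.
  Registry paths/values are the advisory's; switch names, rule names and the
  output layout are this example's own. Run with -Audit first.
#>
param(
    [switch]$Audit,               # report only, change nothing
    [switch]$DisableAdminShares,  # AutoShareWks/AutoShareServer = 0 (blocks PsExec and anything else using ADMIN$)
    [switch]$BlockSmbPorts,       # host firewall: block inbound TCP 445/139
    [switch]$MedocHost            # also block outbound TCP 445/139, as suggested for MEDoc hosts
)

$lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$lanman  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Desired DWORD values. SMB1 = 0 is the registry method for Windows 7 / 2008 R2
# (KB2696547); TokenLeakDetectDelaySecs needs KB2871997 on those versions.
$wanted = @(
    @{ Path = $wdigest; Name = 'UseLogonCredential';       Value = 0  }
    @{ Path = $lsa;     Name = 'TokenLeakDetectDelaySecs'; Value = 30 }
    @{ Path = $lanman;  Name = 'SMB1';                     Value = 0  }
)
if ($DisableAdminShares) {
    $wanted += @{ Path = $lanman; Name = 'AutoShareWks';    Value = 0 }
    $wanted += @{ Path = $lanman; Name = 'AutoShareServer'; Value = 0 }
}

function Get-RegValue([string]$Path, [string]$Name) {
    # $null (rather than an error) when the key or value is missing, which is
    # the normal state of UseLogonCredential on Windows 8.1 and later.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Set-RegValue([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Add-BlockRule([string]$Name, [string]$Direction) {
    # Idempotent: skip when a rule with this display name already exists.
    if (-not (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue)) {
        Write-Warning "New-NetFirewallRule not available; block TCP 445/139 $Direction with netsh or GPO instead"; return
    }
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) { return }
    $port = if ($Direction -eq 'Inbound') { @{ LocalPort = 445, 139 } } else { @{ RemotePort = 445, 139 } }
    New-NetFirewallRule -DisplayName $Name -Direction $Direction -Protocol TCP -Action Block -Profile Any @port | Out-Null
}

$report = @(foreach ($w in $wanted) {
    $before = Get-RegValue $w.Path $w.Name
    if (-not $Audit -and $before -ne $w.Value) { Set-RegValue $w.Path $w.Name $w.Value }
    $shown = if ($null -eq $before) { '<absent>' } else { $before }
    [pscustomobject]@{ Setting = $w.Name; Before = $shown; Wanted = $w.Value; After = Get-RegValue $w.Path $w.Name }
})

# Windows 8.1 / Server 2012 R2 and later also expose the SMBv1 switch as a cmdlet.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $before = (Get-SmbServerConfiguration).EnableSMB1Protocol
    if (-not $Audit -and $before) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    $after = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $report += [pscustomobject]@{ Setting = 'EnableSMB1Protocol'; Before = $before; Wanted = $false; After = $after }
}

if ($BlockSmbPorts -and -not $Audit) {
    Add-BlockRule 'NotPetya containment: block inbound SMB' 'Inbound'
    if ($MedocHost) { Add-BlockRule 'NotPetya containment: block outbound SMB' 'Outbound' }
}

# Checks the script does not apply for you, reported alongside the rest.
$kb = [bool](Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue)
$report += [pscustomobject]@{ Setting = 'KB2871997 installed (Win7/2008R2 only)'; Before = $kb; Wanted = $true; After = '(Windows Update)' }
$scm = (sc.exe sdshow scmanager) -join ''
$deny = [bool]($scm -match '\(D;[^)]*;NU\)')          # any deny ACE for NU (network users) in the SCM DACL
$report += [pscustomobject]@{ Setting = 'SCM deny ACE for network users'; Before = $deny; Wanted = $true; After = '(sc.exe sdset, see above)' }

$report | Format-Table -AutoSize
Write-Warning 'Reboot the host: the WDigest, token lifetime and SMB1 registry changes only take effect for new sessions.'
```

Run .\Contain-NotPetya.ps1 -Audit first to see the current state of each setting without changing anything. Then run it without -Audit, adding -DisableAdminShares and -BlockSmbPorts (plus -MedocHost on the machine running MEDoc) only once you know which remote administration tooling they will break, and reboot afterwards.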
By Matt Hillman, Principal Security Researcher on MWR's Countercept division.