A massive ransomware attack using a new variant of the Petya malware originated in Ukraine yesterday and spread to companies across the globe. We are monitoring the situation for our global customers. Here is what we know about the malware, including possible attack vectors, what you can do to help protect yourself, and how we are protecting our SpamStopsHere customers.
With help from developer Greg C.
What We Know
Although the original attack vector is as yet unconfirmed, the malware apparently spreads between Windows systems using EternalBlue, an exploit for which Microsoft released a patch (security bulletin MS17-010) in March 2017. The exploit lets a remote attacker execute code through the SMB version 1 (SMBv1) server that ships with most versions of Windows. Once on a machine, the malware runs the ransomware there and uses the same exploit to reach every other computer on the network that is still unpatched.
What It Does
Reports suggest that this variant behaves differently depending on the privileges it obtains. With only user-level access it encrypts certain file types. With administrative rights it overwrites the master boot record (MBR) with its own boot code, schedules a reboot, and then runs that code in place of Windows when the machine starts. The encryption may take place before or after the reboot. Our analyst has looked at the malicious code and confirmed at least a portion of this.
Fake CHKDSK During Reboot
During the reboot, it displays a fake CHKDSK screen that pretends to repair the computer's file system. This is most likely meant to keep the victim from powering the machine off while the malicious boot code is encrypting the disk:
[Screenshot: Petya ransomware fake CHKDSK screen shown during the system reboot]
Bitcoin Payment Demand Screen
Once encryption is finished, it displays the ransom screen, which demands payment in Bitcoin to decrypt your files:
[Screenshot: Petya ransomware Bitcoin payment demand screen]
The FBI discourages paying the ransom in these situations, and even if you are considering it, there is no guarantee you will regain access to your files. The email address the attackers gave for contact is reported to have been shut down, so a victim who pays may never receive a decryption key at all.
According to Talos, this variant also moves laterally using WMI (Windows Management Instrumentation, a built-in Windows component) and PsExec (a Microsoft Sysinternals remote-execution tool), logging in to other machines on the network with credentials harvested from the infected one. That path does not need the SMBv1 flaw, so a fully patched machine can still be infected from a neighbour whose stolen credentials have administrative rights on it.
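The WMI and PsExec activity described above leaves ordinary Windows event-log records behind, which is how a defender can spot lateral movement that the SMBv1 patch alone will not stop. The PowerShell below is an added example for this article, not code from the original post, from Talos or from the malware authors. It flags two things: a service named PSEXESVC being installed (System log, event 7045; PsExec registers that name on the target unless the caller renames it with -r, even when psexec.exe itself was renamed before being dropped) and process creation (Security log, event 4688) where either the new process is wmic.exe with a /node: argument, or the parent is WmiPrvSE.exe. Event 4688 carries the command line and parent name only when Audit Process Creation is enabled with "Include command line in process creation events", on Windows 10 / Server 2016 or later. The records in $sample are constructed for this illustration; host names and the command line are made up.

```powershell
# Added example (not from the original post): find PsExec / WMI remote-execution
# indicators in objects shaped like Get-WinEvent records (Id, Message, TimeCreated,
# MachineName). The sample records at the bottom are constructed, not real telemetry.

function Find-RemoteExecIndicators {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object[]] $Events
    )
    process {
        foreach ($e in $Events) {
            $reason = $null
            switch ($e.Id) {
                # System log 7045: a service was installed. PsExec's default service name.
                7045 {
                    if ($e.Message -match '(?i)Service Name:\s*PSEXESVC') {
                        $reason = 'PsExec service installed (target host)'
                    }
                }
                # Security log 4688: process creation. "wmic /node:<target> ... process call
                # create" is the attacker side; a child of WmiPrvSE.exe is the target side.
                4688 {
                    if ($e.Message -match '(?i)wmic(\.exe)?\s[^\r\n]*/node:' -and
                        $e.Message -match '(?i)process\s+call\s+create') {
                        $reason = 'WMIC remote process creation (source host)'
                    } elseif ($e.Message -match '(?i)Creator Process Name:\s*[^\r\n]*\\WmiPrvSE\.exe') {
                        $reason = 'Process spawned by WMI provider host (target host)'
                    }
                }
            }
            if ($reason) {
                [pscustomobject]@{
                    TimeCreated = $e.TimeCreated
                    Host        = $e.MachineName
                    Id          = $e.Id
                    Reason      = $reason
                }
            }
        }
    }
}

# Constructed sample records. The Message layout follows what Windows writes for these IDs.
$sample = @(
    [pscustomobject]@{
        Id = 7045; MachineName = 'FIN-WS-042'; TimeCreated = [datetime]'2017-06-27 10:14:03'
        Message = "A service was installed in the system.`r`n`r`nService Name:  PSEXESVC`r`nService File Name:  %SystemRoot%\PSEXESVC.exe`r`nService Type:  user mode service`r`nService Start Type:  demand start`r`nService Account:  LocalSystem"
    },
    [pscustomobject]@{
        Id = 4688; MachineName = 'FIN-WS-017'; TimeCreated = [datetime]'2017-06-27 10:13:58'
        Message = "A new process has been created.`r`n`r`nProcess Information:`r`n`tNew Process Name:  C:\Windows\System32\wbem\WMIC.exe`r`n`tCreator Process Name:  C:\Windows\System32\rundll32.exe`r`n`tProcess Command Line:  wmic /node:FIN-WS-042 /user:CORP\svc_backup /password:******** process call create ""rundll32.exe C:\Windows\Temp\dropper.dll,#1"""
    },
    [pscustomobject]@{
        Id = 4688; MachineName = 'FIN-WS-042'; TimeCreated = [datetime]'2017-06-27 10:14:01'
        Message = "A new process has been created.`r`n`r`nProcess Information:`r`n`tNew Process Name:  C:\Windows\System32\rundll32.exe`r`n`tCreator Process Name:  C:\Windows\System32\wbem\WmiPrvSE.exe`r`n`tProcess Command Line:  rundll32.exe C:\Windows\Temp\dropper.dll,#1"
    },
    [pscustomobject]@{
        Id = 4688; MachineName = 'FIN-WS-042'; TimeCreated = [datetime]'2017-06-27 10:15:21'
        Message = "A new process has been created.`r`n`r`nProcess Information:`r`n`tNew Process Name:  C:\Windows\System32\notepad.exe`r`n`tCreator Process Name:  C:\Windows\explorer.exe`r`n`tProcess Command Line:  notepad.exe"
    }
)

$sample | Find-RemoteExecIndicators | Format-Table -AutoSize

# On a live host (needs rights to read the Security log):
# Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 7045 } | Find-RemoteExecIndicators
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } | Find-RemoteExecIndicators
```

The first three sample records are flagged and the fourth (a user opening Notepad) is not. The source-side and target-side 4688 matches are deliberately separate: if only one host forwards its logs you still get one of the two halves, and correlating a WMIC /node: event on one machine with a WmiPrvSE child on the named target within a few seconds is a much stronger signal than either alone. Legitimate administration with PsExec or WMI will trip the same checks, so treat hits as leads to verify against who was logged in and from where, not as verdicts.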
Possible Attack Vectors
The original vector is still unknown as of this writing, but a version of Petya was spread by email in 2016, so a new variant may be arriving the same way. Other possible vectors are "malvertising" and browser exploit kits; in both cases the attacker exploits a vulnerable browser or browser plugin to infect one machine. From that first machine the malware spreads directly to vulnerable systems on the network, with no further email involved.
What We're Doing to Protect Our Customers
Even though the original attack appears to have been somewhat targeted and the attack vector is unknown, we are taking steps to protect our global customers from potential email-based Petya attacks. Any attached executable would have been blocked by existing filter rules, and we have confirmed that the malware was not attached to emails bound for our customers yesterday. To bolster our defenses further, we have created new signatures to detect this particular variant.
What You Can Do (Best Practices)
Regardless of the antivirus protection you have, you should observe best security practices, including:
- Maintain Staff Awareness: The human factor is still the weak link in the system, and email remains the most common initial attack vector used by cyber criminals. Keep staff training current so that people can recognize malicious email, phishing, CEO fraud and fake invoices, and other social engineering techniques.
- Patch Systems Promptly: Some IT departments still hold security updates for weeks of testing before pushing them to all systems. Test quickly if you must, but do not let testing delay critical patches: the SMBv1 fix this worm exploits had been available since March. Where SMBv1 is not needed, and on a modern network it rarely is, disable it as well, so the exploit has nothing to talk to even on a machine that missed the patch.
- Rotate Offline Backups: Make backups frequently, rotate them, and keep them offline. This and similar malware attack every connected system they can reach, and a backup drive or share that is mounted at the time of infection is encrypted along with everything else.
- Network Segmentation: Some companies have all of their machines (workstations, servers, public wifi, etc.) on the same network segment, so any infected machine can attack all of the others. If you haven't already done so, consider separating your systems into "subnetworks" based on common access requirements. For example, public (visitor) wifi, back-office workstations and point-of-sale systems can be kept apart, so that an attacker who gains access to one segment has a harder time moving across to the others. This requires additional planning and maintenance, but can be accomplished by configuring routers, firewalls, VLANs, etc. as appropriate. At a minimum, block the SMB port (TCP 445) between segments that have no reason to share files; that alone stops this worm's SMBv1 exploit from crossing the boundary.
- Use Premium Email Threat Protection: While still important to have, traditional installed antivirus is no longer your best line of defense. Email-based attacks include malicious code hidden in Word, PDF and other attachments, as well as links to compromised websites that download the payload. A cloud-based service like SpamStopsHere, with live threat analysts, multilayered filtering and updates every few minutes, is built to provide the zero-hour protection an outbreak like this demands.
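The "Patch Systems Promptly" and "Network Segmentation" items above come down to three questions an administrator should be able to answer for every Windows host today: is MS17-010 installed, is SMBv1 still enabled, and can anything on the network reach TCP 445 on it. The script below is an added example written for this article, not code from the original post or from Microsoft. It reports all three and, with -Remediate, disables SMBv1 and adds a Windows Firewall block rule for inbound 445. It must be run from an elevated PowerShell; the Smb* and NetSecurity cmdlets need Windows 8.1 / Server 2012 R2 or later, while the patch check also works on Windows 7. Two things are assumptions to check for your environment: the KB list and the table of fixed srv.sys versions are my reading of the MS17-010 file information (confirm them for an unusual build), and -BlockSmbFrom defaults to 'Any', which is right for workstations (they need no inbound SMB) but must be narrowed on file servers. The rule name is invented for the example.

```powershell
# Added example (not from the original post): audit one host for SMBv1 and MS17-010,
# optionally remediate. Run elevated. Version table and KB list are assumptions from
# the MS17-010 file information; confirm them against the bulletin for unusual builds.
[CmdletBinding()]
param(
    [switch]   $Remediate,
    # Windows Firewall block rules override allow rules, so there is no "everything except
    # the admin subnet": list the ranges you want blocked instead. 'Any' suits workstations.
    [string[]] $BlockSmbFrom = 'Any'
)

# KBs that shipped MS17-010. Get-HotFix lists only the update that installed the files, so on
# Windows 10 a later cumulative update hides these; the srv.sys file version is the real test.
$Ms17010Kbs = 'KB4012598','KB4012212','KB4012215','KB4012214','KB4012217',
              'KB4012213','KB4012216','KB4012606','KB4013198','KB4013429'

# Lowest srv.sys file version that contains the fix, keyed by major.minor.build.
$FixedSrvSys = @{
    '6.0.6002'   = [version]'6.0.6002.19743', [version]'6.0.6002.24067'  # Vista / 2008 (GDR, LDR branch)
    '6.1.7601'   = [version]'6.1.7601.23689'     # Windows 7 SP1 / 2008 R2
    '6.2.9200'   = [version]'6.2.9200.22099'     # Windows 8 / Server 2012
    '6.3.9600'   = [version]'6.3.9600.18604'     # Windows 8.1 / 2012 R2
    '10.0.10240' = [version]'10.0.10240.17319'   # Windows 10 1507
    '10.0.10586' = [version]'10.0.10586.839'     # Windows 10 1511
    '10.0.14393' = [version]'10.0.14393.953'     # Windows 10 1607 / Server 2016
}

function Test-Ms17010 {
    $vi  = (Get-Item "$env:SystemRoot\System32\drivers\srv.sys").VersionInfo
    $v   = New-Object Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    $key = '{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build
    $kbs = Get-HotFix -ErrorAction SilentlyContinue |
           Where-Object { $Ms17010Kbs -contains $_.HotFixID } | Select-Object -ExpandProperty HotFixID
    if ($FixedSrvSys.ContainsKey($key)) {
        # Where an OS has two servicing branches, compare against the branch we are on
        # (same thousands in the revision number); otherwise use the single threshold.
        $min = @($FixedSrvSys[$key]) |
               Where-Object { [math]::Floor($_.Revision / 1000) -eq [math]::Floor($v.Revision / 1000) } |
               Select-Object -First 1
        if (-not $min) { $min = @($FixedSrvSys[$key])[0] }
        $patched = $v -ge $min
    } elseif ($v.Build -gt 14393) {
        $patched = $true      # Windows 10 1703 and later were built after the fix shipped
    } else {
        $patched = 'unknown build: compare srv.sys against the MS17-010 file table'
    }
    [pscustomobject]@{ SrvSysVersion = $v; Ms17010Kb = ($kbs -join ','); Patched = $patched }
}

function Test-Smb1 {
    # Windows 8 / Server 2012 and later expose the setting directly.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { return [bool]$cfg.EnableSMB1Protocol }
    # Windows 7 / 2008 R2: a missing SMB1 value under LanmanServer\Parameters means enabled.
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    return ($null -eq $p.SMB1 -or $p.SMB1 -ne 0)
}

function Disable-Smb1AndBlock445 {
    param([string[]] $From)
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 path; the Server service (or the host) must be restarted afterwards.
        Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWord -Value 0
    }
    $name = 'Block inbound SMB (Petya response)'   # rule name is an assumption for this example
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort 445 `
                            -RemoteAddress $From -Action Block -Profile Any | Out-Null
    }
}

$patch = Test-Ms17010
[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    SrvSys      = $patch.SrvSysVersion
    Ms17010Kb   = $patch.Ms17010Kb
    Patched     = $patch.Patched
    Smb1Enabled = Test-Smb1
} | Format-List

if ($Remediate) {
    Disable-Smb1AndBlock445 -From $BlockSmbFrom
    Write-Warning 'SMBv1 disabled and inbound TCP 445 blocked; install MS17-010 separately if Patched is not True.'
}
```

Patched is derived from the srv.sys version rather than from the KB list because Get-HotFix reports only the update that last replaced the file; on Windows 10 that is whatever cumulative update is current, so an absent KB number does not mean the host is vulnerable, and a present one does not prove the file was not rolled back. Run it on a test machine first, then push it with your usual tooling and collect the Format-List output centrally; the hosts that still show Smb1Enabled True and Patched False are the ones the worm described above can reach with EternalBlue, and the firewall rule buys time on those until the patch lands. Note that the rule blocks inbound SMB only; it does nothing about PsExec or WMI from a machine where an administrator's credentials have already been stolen, which is why the network segmentation and credential hygiene above still matter.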
To find out more about SpamStopsHere, visit our product page, check out our simple pricing and start a FREE 30-Day trial, or contact us anytime via phone (800-458-3348 | 734-426-7500), chat or email. We're always here. 24/7/365.