Petya Ransomware Response: CyberArk, Ivanti, LogRhythm, Malwarebytes and Tenable
Ross Brewer, Vice President and Managing Director, International Markets, LogRhythm
“With WannaCry still so fresh in our minds, this follow-up attack proves just how real this is all becoming - and the
worst is probably yet to come. These public outings of large, high-profile attacks are becoming more frequent,
faster-acting and more damaging. Every organisation, regardless of size or industry, is vulnerable. As security vendors,
we are often criticised for fear mongering and exaggerating the possible consequences of a cyberattack - but I think we
can agree that recent events are starting to show that the warnings were warranted. These attacks are targeting our top
businesses, banks, healthcare institutions and other critical national infrastructure, and are revealing the chaos that
ensues when organisations lose control of their data - when are we going to do something about it?
"The recent attacks associated with WannaCry and Petya have reinforced the lack of accountability and focus on basic IT
and security fundamentals. Core IT operational competencies, such as patch management, backups, disaster recovery, and
incident response are not well implemented or maintained. These are absolutely essential in protecting your company from
damaging cyber threats and without them you are left in a perpetually vulnerable state, a sitting duck for these types
of attacks, merely hoping that you aren’t compromised. The only actions you take are responsive, only after some other
unlucky company was compromised.
"Unfortunately, events like the Petya incident today and what occurred previously with WannaCry have been and will
continue to be the normal state of things. A determined hacker only has to be right once. The odds are heavily in their
favour with compromise likely, if not inevitable. As such, we need to stop focusing solely on defence and protection -
and put more effort into monitoring, detection and response as true compensating controls to the mess that is IT today.
As we saw with WannaCry and what I fully expect to see by the end of today, it’s not always about stopping the initial
compromise, the inevitable, but how quickly you can respond and contain a threat before it becomes a full blown incident
or global outbreak.”
Phil Richards, Chief Information Security Officer, Ivanti
“New ransomware is attacking global computing systems worldwide as of June 26, 2017. The ransomware, called Petwrap, is
based on an older Petya variant, originating from the GoldenEye malware in December 2016. The new ransomware variant
also includes the SMB exploit known as EternalBlue that was created by the United States National Security
Administration, and leaked by the Shadow Brokers hacker group in April 2017. This malware appears to have been targeted
to Ukraine infrastructure groups such as government workstations, power companies, banks, ATMs, state-run television
stations, postal services, airports, and aircraft manufacturers. Since the initial infection it has spread to other
markets, and beyond the Ukraine borders. The actual malware is ransomware, requesting a ransom equivalent to $300 USD
in bitcoins. The Petya component includes many features that enable the malware to remain viable on infected systems,
including attacking the Master Boot Record. The EternalBlue component enables it to proliferate through an organization
that doesn’t have the correct patches or antivirus/antimalware software. This is a great example of two malware
components coming together to generate more pernicious and resilient malware.”
Kobi Ben Naim, Senior Director of Cyber Research, CyberArk Labs
“NotPetya malware is behind what is quickly emerging as another devastating global ransomware incident, one with the
potential to be even more damaging than WannaCry. Initially thought to be a strain of the powerful Petya ransomware,
NotPetya is spreading using the incredibly efficient infection method used by WannaCry - a worm that quickly spreads the
ransomware using the “eternalblue” SMB vulnerability in Microsoft systems. The combination is potent and has the
potential to inflict massive damage on scales we have not witnessed before.
"Based on initial analysis by CyberArk Labs, what we know now is that NotPetya is different from WannaCry in that it
appears to be sparing endpoints that use a US English-only keyboard. This seemingly self-imposed restriction has been
seen in nation state attacks. Like WannaCry, any individual and organisation with an unpatched Microsoft system remains
vulnerable to the worm. However, the organisation would only be protected from the attack method. Our research shows
that NotPetya requires administrative rights to execute. So if a user clicks on a phishing link, the ransomware will
still infect the network. Like Petya, this new malware is considered especially dangerous because it encrypts the Master
Boot Record (MBR), instead of documents and applications, and prevents a user from rebooting. In addition to patching,
organisations need to be focused on protecting privileged credentials at the endpoint to avoid them being utilised to
execute this attack.”
Jim Cook, ANZ Regional Director, Malwarebytes
"Petya/NotPetya is another example of a known, patchable vulnerability causing tremendous issues for people and
businesses around the world. If possible, apply the MS17-010 Microsoft patch to all PCs immediately.
"If you are running unpatched systems with Admin privileges this malware has the ability to spread inside your network
using the in-built PSExec utility, which our research team say makes its ability to damage businesses significant. If
you are running Malwarebytes' latest offerings you have been protected from zero hour.
“If Shadow Brokers keeps its promise to continue releasing NSA exploits it seems that this sort of mass infection will
become common, so now is the time to ensure you have a decent backup system, patch process and a current endpoint
security solution in place."
https://blog.malwarebytes.com/cybercrime/2017/06/petya-esque-ransomware-is-spreading-across-the-world/
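A defender-side triage script, added here and not code from Malwarebytes or CyberArk, that turns the points raised in the two quotes above into host checks: whether an MS17-010 hotfix is present, whether SMBv1 (the protocol EternalBlue abuses) is still enabled, whether the current session holds the administrative rights NotPetya needs, and whether a PsExec-style service install has appeared in the System log. The KB list is an assumption to be matched against the MS17-010 bulletin for your OS builds; the PSEXESVC service name is PsExec's default.

```powershell
# Added example: quick host triage for the Petya/NotPetya spread paths named above.
# Assumption: the KB identifiers below are a partial MS17-010 list; verify against the bulletin for each OS build.
# Later cumulative updates supersede these, so a miss here is a prompt to verify, not proof of exposure.
$Ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217',
                'KB4012606','KB4013198','KB4013429')

function Test-Ms17010Patch {
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{ Check = 'MS17-010 hotfix present'; Pass = ($found.Count -gt 0); Detail = ($found -join ',') }
}

function Test-Smb1Disabled {
    # Disabling SMBv1 removes the worm's path regardless of patch state (cmdlet exists on Win8/2012 and later).
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $enabled = if ($null -ne $cfg) { [bool]$cfg.EnableSMB1Protocol } else { $true }   # unknown: treat as enabled
    [pscustomobject]@{ Check = 'SMBv1 server disabled'; Pass = (-not $enabled); Detail = "EnableSMB1Protocol=$enabled" }
}

function Test-UserIsNotAdmin {
    # CyberArk's finding: the malware needs administrative rights, so a standard-user session limits the blast radius.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    [pscustomobject]@{ Check = 'Interactive user is not admin'; Pass = (-not $isAdmin); Detail = $id.Name }
}

function Find-PsExecServiceInstall {
    param([int]$Hours = 24)
    # PsExec-style remote execution installs a service, logged as Event ID 7045 in the System log.
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $hits = @($events | Where-Object { $_.Message -match 'PSEXESVC' } | ForEach-Object {
        $svc = ($_.Message -split "`n" | Where-Object { $_ -match 'Service Name' } | Select-Object -First 1).Trim()
        '{0:u} {1}' -f $_.TimeCreated, $svc
    })
    [pscustomobject]@{ Check = "No PsExec service installs in last $Hours h"; Pass = ($hits.Count -eq 0); Detail = ($hits -join '; ') }
}

# Run all checks and show a pass/fail table; any 'False' row is a follow-up item for the IT/security team.
@(Test-Ms17010Patch; Test-Smb1Disabled; Test-UserIsNotAdmin; Find-PsExecServiceInstall) | Format-Table -AutoSize
```

Run it in an elevated session on a sample of endpoints; reading the System log for other users' service installs requires that elevation, which is why the admin check reports the account name rather than failing outright.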
Gavin Millard, Technical Director, Tenable
“The ransomware appears to be a new version of Petya that could possibly have similar characteristics to WannaCry,
employing ETERNALBLUE to spread to other systems before encrypting files and demanding payment. One major difference
between this outbreak and WannaCry though, is the possible inclusion of exploit code for another known vulnerability
CVE-2017-0199, affecting Microsoft Office to further spread the payload.
"If this attack turns out to be leveraging the same vulnerabilities WannaCry leveraged to spread, or other known bugs
that have had patches available for months, there are going to be some awkward conversations between IT teams that
failed to patch or protect and businesses affected. The publicity around WannaCry couldn’t have been larger, probably
eclipsing Heartbleed, yet if this is the same attack vector, it demonstrates a distinct lack of taking threats like this
seriously.”
ENDS