
Threat Intelligence Update: July 2017




The June ransomware attack, now known as NotPetya or Petwrap, was distributed through the tax accounting software M.E.Doc and impersonated the Petya ransomware.

Unlike traditional ransomware, this malware does not stop at encrypting files on a victim's system. After infection it encrypts files of selected types in user mode and schedules a reboot, typically within the hour. On reboot, a modified Petya bootloader that has replaced the master boot record (MBR) encrypts the NTFS master file table (MFT) behind a fake CHKDSK screen and then displays the ransom note, leaving the computer unable to boot. Although the note tells victims to contact an email address to arrange decryption, victims are urged not to pay: the email provider shut the address down within hours of the malware spreading globally, so there is no channel through which a key could be delivered even if one existed.

Security researchers who analyzed the malware concluded that it is not true ransomware: the "installation key" shown in the ransom note is random data with no relation to the encryption key, so the attackers have no way of restoring an infected system even if paid. Like the WannaCry outbreak in May, this malware uses the EternalBlue SMB exploit (together with the related EternalRomance exploit) to spread through a network. NotPetya has some additional tricks, however, that make it a bigger threat than WannaCry. The malware harvests credentials from memory on an infected system with a Mimikatz-style tool and reuses them to push itself to other hosts with a bundled copy of PsExec and the built-in Windows Management Instrumentation Command-line tool (WMIC). Because these techniques rely on legitimate administrative tooling and stolen credentials rather than a vulnerability, they reach fully patched systems as well as unpatched ones.
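The PsExec and WMIC propagation described above leaves traces in ordinary Windows telemetry: a service install (System event 7045) for the PsExec service, and a wmic.exe process launched with /node: and "process call create". The following PowerShell is an added example, not LBMC's detection signatures and not code from the original post; it runs two simple rules over a handful of constructed event records (the hosts, users, addresses and file names are made up) and prints the hits.

```powershell
# Added example (not LBMC's signatures and not code from the original post):
# flag host-side traces of the two lateral-movement techniques described above,
# PsExec service installation and WMIC remote process creation with explicit
# credentials, across a set of constructed Windows event records.
# Field names follow System event 7045 (service installed) and Sysmon event 1
# (process creation); hosts, users, addresses and file names are made up.

$Events = @(
    [pscustomobject]@{ Host = 'WS01'; EventId = 7045; Message = 'A service was installed in the system. Service Name: PSEXESVC Service File Name: %SystemRoot%\PSEXESVC.exe' }
    [pscustomobject]@{ Host = 'WS01'; EventId = 1;    Message = 'Image: C:\Windows\System32\wbem\wmic.exe CommandLine: wmic.exe /node:"10.0.0.23" /user:"CORP\svc_backup" /password:"<redacted>" process call create "rundll32.exe C:\Windows\example.dat #1"' }
    [pscustomobject]@{ Host = 'WS02'; EventId = 1;    Message = 'Image: C:\Windows\System32\wbem\wmic.exe CommandLine: wmic.exe os get caption' }
    [pscustomobject]@{ Host = 'WS03'; EventId = 7045; Message = 'A service was installed in the system. Service Name: VendorAgent Service File Name: C:\Program Files\Vendor\agent.exe' }
    [pscustomobject]@{ Host = 'WS04'; EventId = 7045; Message = 'A service was installed in the system. Service Name: remcmd Service File Name: %SystemRoot%\remcmd.exe' }
)

function Test-PsExecServiceInstall {
    # Returns a finding string for a 7045 event that looks like a PsExec service install, else $null.
    param([Parameter(Mandatory)] $Event)
    if ($Event.EventId -ne 7045) { return $null }
    if ($Event.Message -match 'Service Name:\s*PSEXESVC\b') {
        return 'PsExec service (PSEXESVC) installed'
    }
    # PsExec -r renames the service, but the binary is still dropped into the
    # ADMIN$ share root (%SystemRoot%); legitimate services live in subfolders.
    if ($Event.Message -match 'Service File Name:\s*%SystemRoot%\\[^\\\s]+(\s|$)') {
        return 'Service binary in %SystemRoot% root (possible renamed PsExec)'
    }
    return $null
}

function Test-WmicRemoteProcessCreate {
    # Returns a finding string for a process-creation event where wmic.exe starts
    # a process on a remote node, else $null. -match is case-insensitive.
    param([Parameter(Mandatory)] $Event)
    if ($Event.EventId -ne 1 -or $Event.Message -notmatch 'wmic\.exe') { return $null }
    if ($Event.Message -notmatch 'process\s+call\s+create') { return $null }
    if ($Event.Message -notmatch '/node:\s*"?(?<target>[^"\s]+)') { return $null }
    $target = $Matches['target']
    # Explicit /user: means the caller supplied credentials, as the harvested-credential spread does.
    $cred = if ($Event.Message -match '/user:\s*"?(?<user>[^"\s]+)') { " as $($Matches['user'])" } else { '' }
    return "WMIC remote process creation on $target$cred"
}

function Find-LateralMovement {
    # Runs every rule over every record and emits one object per hit.
    param([Parameter(Mandatory)] [object[]] $Records)
    foreach ($e in $Records) {
        foreach ($rule in 'Test-PsExecServiceInstall', 'Test-WmicRemoteProcessCreate') {
            $hit = & $rule -Event $e
            if ($hit) {
                [pscustomobject]@{ Host = $e.Host; EventId = $e.EventId; Rule = $rule; Finding = $hit }
            }
        }
    }
}

# Expected hits on the constructed data: WS01 (PSEXESVC), WS01 (WMIC on 10.0.0.23 as CORP\svc_backup), WS04 (renamed PsExec).
Find-LateralMovement -Records $Events | Format-Table -AutoSize
```

Run against real logs, feed the objects from Get-WinEvent (System log for 7045, Microsoft-Windows-Sysmon/Operational for event 1) into Find-LateralMovement after projecting the fields used above. Both rules will also fire on legitimate administrators using PsExec or remote WMIC, so tune with an allow-list of jump hosts and admin accounts rather than loosening the patterns.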

LBMC Information Security continues to gather and use threat intelligence to prevent and detect current and future threats such as Petya and NotPetya. LBMC Information Security has signatures in place for both NotPetya and WannaCry activity, including use of the EternalBlue exploit, suspicious SMB traffic, and worm-like propagation, and treats any hit on these signatures as a top-priority alert.

Following the WannaCry and NotPetya outbreaks, we recommend applying the Microsoft update for the SMBv1 vulnerability addressed in MS17-010 and disabling SMBv1 altogether wherever nothing still depends on it. Patching alone does not stop the credential-based PsExec and WMIC spread, so also monitor the use of privileged accounts in your environment, follow a "least privilege" access model, and avoid sharing one local administrator password across machines, since a credential stolen from a single host then opens every host that shares it. Last, but not least, keep regular backups, store at least one copy offline or otherwise out of reach of a worm running with domain credentials, and test your restores, so that a current copy of your data is ready at a moment's notice if you need to recover from a ransomware incident.
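The patch-and-disable-SMBv1 step above is concrete enough to script. The following PowerShell is an added example, not part of the original advisory: it checks a host for an MS17-010 hotfix, reports SMBv1 state on the server and client side, and turns SMBv1 off. The KB list is taken from the MS17-010 bulletin for the OS versions named in the comments; on Windows 10 those KBs are superseded by later cumulative updates, so a miss there is not proof of exposure. Run it in an elevated session; the client-side change needs a reboot.

```powershell
# Added example, not from the original advisory: verify MS17-010 coverage and
# disable SMBv1 on both the server (LanmanServer) and client (mrxsmb10) side.
# Run elevated. Requires PowerShell 3 or later.

# KB numbers from the MS17-010 bulletin. On Windows 10 these are superseded by
# later cumulative updates, so compare the OS build against the bulletin instead.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',                # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',                # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',                # Server 2012
    'KB4012598',                             # Windows XP / Server 2003 / Vista / Server 2008
    'KB4012606', 'KB4013198', 'KB4013429'    # Windows 10 1507 / 1511 / 1607
)
$LanmanServerParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Ms17010Status {
    # Returns the MS17-010 hotfix object(s) installed on this host, or nothing.
    Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
}

function Get-Smb1Status {
    # Reports whether SMBv1 is still enabled on the server and client side.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / Server 2008 R2: the switch is the SMB1 registry value (KB2696547).
        $v = Get-ItemProperty -Path $LanmanServerParams -Name SMB1 -ErrorAction SilentlyContinue
        $serverEnabled = ($null -eq $v) -or ([int]$v.SMB1 -ne 0)   # a missing value means enabled
    }
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -Name Start -ErrorAction SilentlyContinue
    $clientEnabled = ($null -ne $svc) -and ([int]$svc.Start -ne 4)   # 4 = SERVICE_DISABLED; no key = driver removed
    [pscustomobject]@{
        Host              = $env:COMPUTERNAME
        Ms17010Hotfix     = ((Get-Ms17010Status).HotFixID -join ',')
        Smb1ServerEnabled = [bool]$serverEnabled
        Smb1ClientEnabled = [bool]$clientEnabled
    }
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1')) { return }

    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: stop serving SMBv1 immediately.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / Server 2008 R2 server-side switch (KB2696547).
        Set-ItemProperty -Path $LanmanServerParams -Name SMB1 -Type DWord -Value 0 -Force
    }

    # Where the OS exposes SMB1 as a removable component, remove it so it cannot creep back.
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feature -and $feature.State -ne 'Disabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }
    if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
        $role = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue   # Server 2012 R2 and later
        if ($role -and $role.Installed) { Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null }
    }

    # Client side (all versions, KB2696547): drop the SMBv1 redirector from the
    # workstation dependencies and disable its driver. Takes effect after a reboot.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

Get-Smb1Status
Disable-Smb1 -WhatIf   # drop -WhatIf to apply the change
Get-Smb1Status
```

Before running without -WhatIf, inventory anything that still speaks only SMBv1 (old multifunction printers and NAS appliances are the usual offenders); those devices stop working once the protocol is off, which is the point of doing this deliberately rather than in the middle of an incident.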

Additional resources: