NotPetya ransomware: Attack analysis

October 20, 2017


On June 27, 2017, a number of organisations across Europe began reporting significant system outages caused by a ransomware strain referred to as Petya. The ransomware is very similar to older Petya ransomware attacks from previous years, but the infection and propagation method is new, leading to it being referred to as NotPetya. Due to the sudden and significant impact of the attack, it was immediately likened to the WannaCry outbreak, causing concern globally.

The best defence against this threat is to remove admin accounts, allow-list applications and patch systems. This prevents the attacker from gaining a foothold, launching payloads and exploiting known vulnerabilities.

There is some confusion about the initial delivery mechanism of the malware, with speculation about phishing emails. Microsoft analysis points to MeDoc accountancy software executing a malicious command matching the known attack pattern of this malware. This would indicate the infection occurred due to a compromised supply chain.

Analysis

Avecto’s initial analysis shows that “patient zero”, the first user targeted, must be an admin user for the attack to succeed. Without admin rights, the malware is unable to overwrite the critical system areas, capture credentials or embed itself in the operating system. Much of the functionality, including clearing event logs and overwriting boot records, is reliant on admin privileges.

Once an infection has occurred, the attackers' primary method of spreading is LSADump, a modified version of the Mimikatz tool, which is used to perform Pass the Hash attacks by exploiting admin accounts and credentials stored in memory. This explains how organisations who believed they were patched with MS17-010 were still impacted. Removal of admin rights is key to preventing this type of credential theft and lateral movement, which is often used by malware and hackers.

It’s important to consider that even temporary use of administrator accounts can leave credentials in memory that can be abused by an attacker. This is a mistake many organisations make by allowing domain admins to remote into users’ endpoints, exposing the credentials. Privilege management not only prevents theft of credentials but can also remove the need for risky administrator logins.

The malware also contains code for the EternalBlue exploit, which was used by WannaCry to spread. In March, Microsoft released a patch for this for all systems, including the now unsupported Windows XP. Those organisations who have not yet patched and are still vulnerable should disable SMBv1 on unpatched systems and segregate these systems at a network level to prevent the spread.

Figure 1- Screen during encryption

Once a system is infected, the malware triggers a reboot which causes the attacker's boot loader to be executed. This displays a fake Chkdisk screen which appears to be repairing the disk whilst it is actually encrypting the files. In the event this screen appears, users should power off immediately to preserve as much data as possible. As the malware crashes the system to trigger the reboot, organisations should consider disabling automatic reboot on system error.

The email addresses linked to this malware have been suspended by the providers and there is no evidence that paying the ransom will result in files being decrypted. The best advice is to never pay ransom demands.

Key findings and recommendations:

  • Admin accounts were the primary targets to gain a foothold and propagate within a network
  • Removal of admin rights is a key mitigation strategy
  • Where possible organisations should patch with MS17-010, or disable SMBv1
  • The attackers' email account has been disabled, so even if organisations pay the ransom they have no way to contact the attackers and arrange decryption
  • The malware is only designed to spread across a local network, so is less likely to spread with the same speed as WannaCry
  • The attackers use multiple tools dropped to disk, including Microsoft’s PsExec, which is not native to the Windows OS. These can be blocked with Application Control.
  • Deny network login to all local admin accounts (https://technet.microsoft.com/en-us/library/dn745900(v=ws.11).aspx#SEC_Deny_Network_Logon)
  • Implement LAPS for local admin accounts to ensure unique & rotated local admin passwords. (https://technet.microsoft.com/en-us/mt227395.aspx)
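One way to audit a Windows endpoint against the recommendations above, as an added PowerShell example (not code from the original post or from Avecto/BeyondTrust). It assumes an elevated PowerShell 5.1+ session, that the "deny network logon" rule is expressed with the well-known SID S-1-5-114 (local accounts that are members of Administrators), and that LAPS is the legacy AdmPwd client with its policy registry key.

```powershell
# Added audit script (not from the original post). Returns PASS/FAIL style booleans
# for each NotPetya mitigation listed in the findings; it changes nothing on the host.
function Test-NotPetyaMitigations {
    $result = [ordered]@{}

    # 1. SMBv1 disabled on the server side, removing the EternalBlue (MS17-010) transport.
    $smb = Get-SmbServerConfiguration
    $result['SMBv1Disabled'] = -not $smb.EnableSMB1Protocol

    # 2. "Deny access to this computer from the network" should include S-1-5-114
    #    (assumed SID for local Administrators members), so a stolen local-admin
    #    hash cannot be replayed over the network for lateral movement.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $deny = Select-String -Path $cfg -Pattern '^SeDenyNetworkLogonRight\s*=\s*(.*)$'
    $result['LocalAdminNetworkLogonDenied'] =
        [bool]($deny -and $deny.Matches[0].Groups[1].Value -match 'S-1-5-114')
    Remove-Item $cfg -ErrorAction SilentlyContinue

    # 3. LAPS: the legacy AdmPwd client records whether management is on in this policy key
    #    (assumption: legacy LAPS; newer Windows LAPS uses a different key).
    $laps = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' `
                             -ErrorAction SilentlyContinue
    $result['LAPSEnabled'] = [bool]($laps -and $laps.AdmPwdEnabled -eq 1)

    # 4. Automatic restart on system failure: the post suggests disabling it so the
    #    crash the malware forces does not hand control to the malicious boot loader.
    $crash = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $result['AutoRebootDisabled'] = ($crash.AutoReboot -eq 0)

    return $result
}

# Print a one-line-per-control report; any $false is a finding to follow up.
Test-NotPetyaMitigations | Format-Table -AutoSize
```

Patch status for MS17-010 is deliberately not inferred here, since the relevant update is delivered through different KBs per OS version and later cumulative updates; verify it through your patch-management tooling.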

Summary

This malware attack highlights the importance of proactive measures such as least privilege, allow listing and patching. These measures are proven to be the most effective defences against the majority of cyber attacks.

James Maude, Lead Cyber Security Researcher

James Maude is the Lead Cyber Security Researcher at BeyondTrust’s Manchester, U.K., office. James has broad experience in security research, conducting in-depth analysis of malware and cyber threats to identify attack vectors and trends in the evolving security landscape. His background in forensic computing and active involvement in the security research community makes him an expert voice on cybersecurity. He regularly presents at international events and hosts webinars to discuss threats and defense strategies.
