BeyondTrust
NotPetya ransomware: Attack analysis

October 20, 2017

On June 27, 2017 a number of organisations across Europe began reporting significant system outages caused by a ransomware strain initially referred to as Petya. The ransomware is very similar to the older Petya family seen in previous years, but the infection and propagation methods are new, which led to it being called NotPetya. Because of the sudden and widespread impact, it was immediately likened to the WannaCry outbreak, causing concern globally.

The best defence against this threat is to remove admin rights from users, allow list applications and patch systems. Together these deny the attacker a foothold, stop the dropped payloads from launching and close the known vulnerabilities the malware exploits.

There was some early confusion about the initial delivery mechanism, with speculation about phishing emails. Microsoft's analysis instead points to the update process of the M.E.Doc accountancy software (widely used in Ukraine) executing a malicious command line matching this malware's known attack pattern. That indicates the initial infections came through a compromised software supply chain rather than through users opening attachments.

Analysis

Avecto’s initial analysis shows that “patient zero”, the first user targeted, must have admin rights for the attack to succeed in full. Without admin rights the malware cannot overwrite critical system areas, read credentials out of memory or embed itself in the operating system. Much of its functionality, including clearing the event logs and overwriting the boot record, depends on admin privileges.

Once an infection has occurred, the attacker's primary method of spreading is a credential harvester based on a modified build of Mimikatz (LSADump). It reads account credentials out of memory on the infected host and reuses them, pass-the-hash style, against other machines where the same admin accounts are valid. This explains how organisations that were fully patched against MS17-010 were still impacted: the SMB exploit was not needed. Removal of admin rights is key to preventing this type of credential theft and lateral movement, which is used routinely by both malware and human attackers.

It is important to consider that even temporary use of administrator accounts leaves credentials in memory (in LSASS) that any attacker with admin rights on that host can harvest. A common mistake is allowing domain admins to remote into users’ endpoints, which exposes the most powerful credentials in the estate on its least trusted machines. Privilege management not only prevents theft of credentials but can also remove the need for such risky administrator logins in the first place.

The malware also contains code for the EternalBlue SMBv1 exploit that WannaCry used to spread (the related EternalRomance exploit was carried as well; both are fixed by MS17-010). Microsoft released MS17-010 in March 2017 for supported systems and, after WannaCry, extended the fix to unsupported systems including Windows XP. Organisations that still have unpatched systems should disable SMBv1 on them and segregate them at the network level, blocking SMB (TCP 445) between workstations, so that one infected host cannot reach the rest.

Figure 1 - Screen shown during encryption

Once a system is infected the malware forces a reboot so that the attacker's boot loader is executed. The boot loader displays a fake CHKDSK screen that appears to be repairing the disk while it is actually encrypting it. If this screen appears, users should power off immediately to preserve as much data as possible. The reboot is triggered either by a scheduled task that runs shutdown.exe /r /f after a delay or by crashing the system; disabling automatic restart on system error only stops the latter, so organisations should consider it as one layer rather than a complete control.

The email addresses published in the ransom note have been suspended by the provider, and there is no evidence that paying the ransom results in files being decrypted. The best advice is never to pay ransom demands.
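The detection side of the chain described above (a shared local admin credential reused over the network, PsExec remote execution, the forced reboot and event log clearing), as an added example and not Avecto's or BeyondTrust's code. It runs a few rules over simplified Windows Security event records and correlates hits per host. Everything below is constructed for the example: the hostnames, the account names, the payload file names, and the assumption that workstations are named WS- and that `da-alice` is a domain admin. The wmic `process call create` rule reflects the remote execution method reported in public analyses of the outbreak alongside PsExec; real 4688 records only carry a command line when command-line auditing is enabled.

```python
"""Detection logic for the NotPetya-style lateral-movement chain described above.
Added example, not Avecto/BeyondTrust code. Events are simplified Windows Security
records constructed for this example; 4688 only carries CommandLine when
'Include command line in process creation events' is enabled in audit policy."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumptions: user workstations are named WS-*, and the listed accounts are
# domain admins that should never log on to a workstation.
WORKSTATION_PREFIX = "WS-"
PRIVILEGED_ACCOUNTS = {"da-alice"}
FORCED_REBOOT = re.compile(r"shutdown(?:\.exe)?\b.*\s/r\b")

@dataclass
class Event:
    event_id: int  # Windows Security event ID (4624 logon, 4688 process creation, 1102 log cleared)
    host: str      # computer that logged the event
    fields: dict = field(default_factory=dict)

def is_local_account(e):
    # Windows records the computer name, not the domain, as TargetDomainName for local accounts.
    return e.fields.get("TargetDomainName", "").upper() == e.host.upper()

def rule_local_admin_network_logon(e):
    # Logon type 3 with a local account from another machine: a shared local admin
    # credential being reused, exactly what denying network logon to S-1-5-114 blocks.
    if e.event_id == 4624 and e.fields.get("LogonType") == 3 and is_local_account(e):
        src = e.fields.get("WorkstationName", "?")
        if src.upper() != e.host.upper():
            return f"local account {e.fields.get('TargetUserName')} logged on over the network from {src}"

def rule_privileged_interactive_logon(e):
    # Console (2) or RDP (10) logon by a domain admin on a workstation leaves that
    # admin's credentials in LSASS on an endpoint the malware can land on.
    if (e.event_id == 4624 and e.fields.get("LogonType") in (2, 10)
            and e.host.upper().startswith(WORKSTATION_PREFIX)
            and e.fields.get("TargetUserName", "").lower() in PRIVILEGED_ACCOUNTS):
        return f"privileged account {e.fields['TargetUserName']} logged on interactively to a workstation"

def rule_remote_exec_tooling(e):
    # PsExec's service (PSEXESVC) spawning a process, or wmic 'process call create'
    # aimed at a remote /node:, is how stolen credentials turn into execution.
    if e.event_id != 4688:
        return None
    cmd = e.fields.get("CommandLine", "").lower()
    if e.fields.get("ParentProcessName", "").lower().endswith("psexesvc.exe"):
        return f"process launched by PsExec service: {cmd}"
    if "wmic" in cmd and "process call create" in cmd and "/node:" in cmd:
        return f"WMIC remote process creation: {cmd}"

def rule_forced_reboot(e):
    # A scheduled or forced 'shutdown /r' hands control to the malicious boot loader.
    if e.event_id == 4688:
        cmd = e.fields.get("CommandLine", "").lower()
        if FORCED_REBOOT.search(cmd) and ("schtasks" in cmd or "/f" in cmd):
            return f"forced reboot requested: {cmd}"

def rule_log_cleared(e):
    # 1102 is written when the Security log is cleared (e.g. wevtutil cl Security).
    if e.event_id == 1102:
        return f"Security log cleared by {e.fields.get('SubjectUserName', '?')}"

RULES = [rule_local_admin_network_logon, rule_privileged_interactive_logon,
         rule_remote_exec_tooling, rule_forced_reboot, rule_log_cleared]

def analyse(events):
    """Return (findings per host, hosts where two or more distinct rules fired)."""
    findings, rules_hit = defaultdict(list), defaultdict(set)
    for e in events:
        for rule in RULES:
            msg = rule(e)
            if msg:
                findings[e.host].append(msg)
                rules_hit[e.host].add(rule.__name__)
    return dict(findings), {h for h, hits in rules_hit.items() if len(hits) >= 2}

# Constructed sample: WS-102 shows the full chain, WS-101 only a risky admin RDP
# session, FS-01 an ordinary domain logon. payload.dll/payload.exe are placeholders.
SAMPLE_EVENTS = [
    Event(4624, "WS-101", {"LogonType": 10, "TargetUserName": "da-alice",
                           "TargetDomainName": "CORP", "WorkstationName": "ADMIN-PC"}),
    Event(4624, "WS-102", {"LogonType": 3, "TargetUserName": "localadmin",
                           "TargetDomainName": "WS-102", "WorkstationName": "WS-101"}),
    Event(4688, "WS-102", {"ParentProcessName": r"C:\Windows\PSEXESVC.exe",
                           "CommandLine": r"rundll32.exe C:\Windows\Temp\payload.dll,#1 10"}),
    Event(4688, "WS-102", {"ParentProcessName": r"C:\Windows\Temp\payload.exe",
                           "CommandLine": r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:35'}),
    Event(1102, "WS-102", {"SubjectUserName": "localadmin"}),
    Event(4624, "FS-01", {"LogonType": 3, "TargetUserName": "bob",
                          "TargetDomainName": "CORP", "WorkstationName": "WS-103"}),
    Event(4688, "WS-101", {"ParentProcessName": r"C:\Windows\System32\cmd.exe",
                           "CommandLine": "wmic csproduct get name"}),
]

if __name__ == "__main__":
    per_host, flagged = analyse(SAMPLE_EVENTS)
    for host, msgs in per_host.items():
        print(host, "FLAGGED" if host in flagged else "suspicious", msgs)
```

On the sample, WS-102 trips four distinct rules and is flagged; WS-101 produces a single finding (the domain admin RDP session the text warns about), which is worth an alert on its own but is not the full chain. The two-rule threshold in `analyse` is a deliberate choice: any one of these events has benign explanations, the combination on one host within a short window does not.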

Key findings and recommendations:

  • Admin accounts were the primary targets, both to gain a foothold and to propagate within a network
  • Removal of admin rights is a key mitigation strategy
  • Organisations should patch with MS17-010 and disable SMBv1 wherever it is not strictly needed
  • The attacker's email account has been disabled, so even organisations that pay the ransom have no way to contact the attackers and arrange decryption
  • The malware is only designed to spread across a local network, so is less likely to spread with the same speed as WannaCry
  • The attackers use multiple tools dropped to disk, including Microsoft's PsExec, which is not native to the Windows OS; these can be blocked with application control. Remote execution through the built-in wmic.exe was also reported, so allow listing needs to be paired with the credential controls below.
  • Deny network logon to all local admin accounts (https://technet.microsoft.com/en-us/library/dn745900(v=ws.11).aspx#SEC_Deny_Network_Logon)
  • Implement LAPS for local admin accounts to ensure unique and rotated local admin passwords (https://technet.microsoft.com/en-us/mt227395.aspx)
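A way to verify the deny-network-logon recommendation on a host, as an added example rather than anything from the original post: parse a `secedit /export /cfg` policy dump and check that the Deny access to this computer from the network right (and the companion Deny log on through Remote Desktop Services right from the same Microsoft pass-the-hash guidance) includes S-1-5-114, the well-known SID for "Local account and member of Administrators group". The two policy fragments are constructed: a default-looking workstation policy with no Deny entries, and the same policy with the denies added.

```python
"""Audit a 'secedit /export /cfg' dump for the local-admin logon denies.
Added example, not Avecto/BeyondTrust code. The policy texts are constructed;
a real export is produced on the machine with
    secedit /export /cfg C:\\Temp\\policy.inf
and is UTF-16 encoded, so decode it before passing it in."""
import re

# Well-known SID: NT AUTHORITY\Local account and member of Administrators group
SID_LOCAL_ADMIN = "S-1-5-114"

# User rights that should deny S-1-5-114 (constant names as they appear in the export).
REQUIRED = {
    "SeDenyNetworkLogonRight": SID_LOCAL_ADMIN,            # Deny access to this computer from the network
    "SeDenyRemoteInteractiveLogonRight": SID_LOCAL_ADMIN,  # Deny log on through Remote Desktop Services
}

def parse_inf(text):
    """Parse the INI-style export into {section: {key: value}}; keys are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def right_holders(sections, right):
    """Principals assigned to a user right; secedit prefixes SIDs with '*'."""
    value = sections.get("Privilege Rights", {}).get(right.lower(), "")
    return {item.strip().lstrip("*") for item in value.split(",") if item.strip()}

def audit_local_admin_logon(text):
    """Return {right: True if the required SID is denied, else False} for each right in REQUIRED."""
    sections = parse_inf(text)
    return {right: sid in right_holders(sections, right) for right, sid in REQUIRED.items()}

# Constructed: a default-looking workstation policy with no Deny* entries ...
WEAK_POLICY = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
[Version]
signature="$CHICAGO$"
Revision=1
"""

# ... and the same policy with the recommended denies for local admin accounts added.
HARDENED_POLICY = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyNetworkLogonRight = *S-1-5-114
SeDenyRemoteInteractiveLogonRight = *S-1-5-114
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        for right, ok in audit_local_admin_logon(policy).items():
            print(f"{name:9} {right:36} {'OK' if ok else 'MISSING ' + SID_LOCAL_ADMIN}")
```

The deny right and LAPS work together: LAPS makes every host's local admin password unique, so a hash harvested on one machine is useless elsewhere, and the deny right stops the local account from being used over the network even where a password has been reused. Run the check against the export from a representative workstation and a server; the rights are per-machine and are easy to get right on one build and forget on another.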

Summary

This malware attack highlights the importance of proactive measures such as least privilege, allow listing and patching. These measures are consistently among the most effective defences against the majority of cyber attacks, because they remove the conditions the attack depends on rather than chasing individual samples.

James Maude
