Petya variant hobbles European businesses

Published 25 July 2017

In the wake of May’s WannaCry attack, which affected more than 230,000 computers in over 150 countries, a fast-moving malware outbreak was reported 27 June at targets in Spain, France, Ukraine, Russia, and other countries. The attack infected large banks, law firms, shipping companies, and even the Chernobyl nuclear facility in Ukraine. As with WannaCry, the attackers used malicious software that relies on the EternalBlue exploit against a vulnerability in older Microsoft Windows systems to spread rapidly across an organization. The new malware is thought to be a variant of Petya, a wiper malware designed to destroy systems and data with no hope of recovery.

“This new malware, dubbed Petya—or NotPetya, as it seems to be a completely new form of malware—is far more destructive than WannaCry,” says Timothy Crosby, Senior Security Consultant for Spohn Security Solutions. “The motivation behind WannaCry seems to have been merely financial, while the Petya variant aimed to create widespread system destruction where data was not as easily recovered.” In addition, the Petya variant corrupts the MBR (master boot record) and MFT (master file table), making complete system restoration incredibly difficult—if not impossible—for those infected.

Using EternalBlue, both WannaCry and the Petya variant exploit a vulnerability in the SMB (server message block) protocol used to share files and printers across local networks. WannaCry, a traditional form of malware, resides on a computer or device in the form of files, either embedded in or masquerading as non-malicious files. After the WannaCry attack, Microsoft released a patch for the SMB vulnerability. The Petya variant, however, goes a step further by employing two additional ways of spreading rapidly within an organization, both of which abuse a network’s own administrative tools. If the SMB route fails, the Petya variant harvests credentials from the infected system and uses the PsExec and WMIC administrative tools to gain access to other systems on the network.

Malware, such as the malicious software used in the Petya variant attacks, is growing increasingly sophisticated, employing techniques that are not easily remediated. Fileless malware, for instance, resides in areas not normally scanned, such as RAM (random access memory) or even the operating system kernel itself. Because it does not rely on files in order to run, propagate and accomplish its purpose, fileless malware is virtually impossible to detect using standard file-scanning security tools.

“To remediate in a NotPetya-like situation, a cyber security team must be vigilant about the activity on the network,” advises Crosby. “Security teams should monitor for aberrant and unexpected behavior, such as accounts being used at odd hours, at multiple locations or while on vacation.” To prevent permanent damage to data and network systems, businesses should employ a host of protection programs that notify personnel when a threat exists. This includes Security Information and Event Management (SIEM) systems that automatically aggregate events and raise alerts based on anomalous activity. These programs can mitigate risk by halting the spread of ransomware throughout the entire network and alerting IT when malware is attempting to contact external resources that store the keys used to encrypt files.
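The behaviours described above (one account logging on to several hosts in quick succession, logons at odd hours, and the PsExec/WMIC lateral-movement path described earlier) can be turned into simple SIEM-style rules. The following is an added example, not code from the article or from Spohn Security Solutions; the log records, host names, account names and thresholds are all constructed for illustration.

```python
"""Toy detector for NotPetya-style lateral movement over constructed log records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event type, account, host, detail).
# Modelled loosely on logon, service-install and process-creation events.
LOGS = [
    ("2017-06-27 10:02:00", "logon", "svc_backup", "WS-01", ""),
    ("2017-06-27 10:03:10", "logon", "svc_backup", "WS-02", ""),
    ("2017-06-27 10:03:40", "logon", "svc_backup", "WS-03", ""),
    ("2017-06-27 10:04:00", "process", "svc_backup", "WS-03",
     "wmic /node:WS-04 process call create example.exe"),  # constructed command
    ("2017-06-27 10:04:30", "service", "svc_backup", "WS-04", "PSEXESVC"),
    ("2017-06-27 03:15:00", "logon", "jdoe", "WS-09", ""),
    ("2017-06-27 09:00:00", "logon", "asmith", "WS-07", ""),
]


def parse(rows):
    """Convert the timestamp strings into datetime objects."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), e, a, h, d)
            for t, e, a, h, d in rows]


def detect(rows, window=timedelta(minutes=5), fanout=3, hours=(7, 19)):
    """Return (rule, account) alerts for the patterns the article warns about."""
    alerts = []
    logons = defaultdict(list)  # account -> [(time, host), ...]
    for ts, event, account, host, detail in parse(rows):
        if event == "logon":
            logons[account].append((ts, host))
            if not hours[0] <= ts.hour < hours[1]:       # outside business hours
                alerts.append(("odd-hours logon", account))
        elif event == "service" and detail.upper() == "PSEXESVC":
            alerts.append(("psexec service install", account))  # PsExec remote service
        elif event == "process" and "wmic" in detail.lower() and "/node:" in detail.lower():
            alerts.append(("remote wmic process creation", account))
    # One account reaching `fanout` distinct hosts inside `window` is a lateral-movement burst.
    for account, entries in logons.items():
        entries.sort()
        for i, (ts, _) in enumerate(entries):
            hosts = {h for t, h in entries[i:] if t - ts <= window}
            if len(hosts) >= fanout:
                alerts.append(("multi-host logon burst", account))
                break
    return alerts


if __name__ == "__main__":
    for rule, account in detect(LOGS):
        print(f"{rule}: {account}")
```

In practice the thresholds would be tuned per environment, and legitimate administrative use of PsExec or WMIC would need an allow-list so the rule stays actionable.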

Crosby adds that most attacks can be easily prevented by following a few simple rules. First, use only supported versions of Windows (Windows 7 and Server 2008 are the oldest supported versions as of this date). Ensure that antivirus software is up-to-date and fully patched. Remind employees not to open any files received from unknown sources. And, lastly, back up computers regularly, keeping backup files off-site.