MyCERT Advisories, Alerts and Summaries for the year 2017
MA-670.062017: MyCERT Alert – New Petya aka NotPetya Ransomware
Date first published: 28/6/2017
MyCERT is aware of global worm spread ransomware known as New Petya aka NotPetya. This ransomware encrypt the Master File Tree (MFT) tables for NTFS partitions and overrides the Master Boot Record (MBR) of infected Windows computers, making affected machines unusable.
Behaving similarly to WannaCry — it infects unpatched Windows devices by exploiting a vulnerability in SMB server. It exploits a vulnerability found in Windows, known as EternalBlue, that Microsoft patched in March (MS17-010). The vulnerability is in the Windows Server Message Block (SMB) service (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx ).
The malware has three mechanisms used to propagate once a device is infected:
- EternalBlue - the same exploit used by WannaCry
- Psexec - a legitimate Windows administration tool
- WMI - Windows Management Instrumentation, a legitimate Windows component
• The hard drive of infected computer are encrypted and the owner is unable to access the computer until a ransom of $300 worth of Bitcoin is paid.
• Individuals and organizations are discouraged from paying the ransom, as this does not guarantee access will be restored. Figure 1 shows how NotPetya is attempting to encrypt your files. Figure 2 shows the ransomnote found on the infected computer
Figure 1: NotPetya attempting to encrypt the files (source: Forbes.com)
Figure 2: NotPetya ransomnote (source: symantec.com)
3.0 Affected Versions
• Unpatched Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, Windows 2016.
- Users of this product are advised to review and patch the vulnerability described in MS17-010: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
- Microsoft Patch for Unsupported Versions such as Windows XP, Vista, Server 2003, Server 2008 can be referred here: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
- Users are advised to take the following preventive measures to protect their computer from ransomware infection:
- To immediately apply the security update MS17-010 as soon as possible.
- Disable SMBv1 on all systems and utilize SMBv2 or SMBv3 after appropriate testing.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Block all SMB (445/tcp) traffic.
- A snort rule for ETERNALBLUE was released by Cisco as part of the "registered" rules set. Check for SID 41978, 42329-42332, 42340.
- Consider disabling WMI. WMI has been reported as a propagation method for this ransomware. Disabling WMI can help mitigate the spread of infection in a network.
- Consider disabling PsExec — this can help mitigate the spread of infection in a network.
- The kill file is reported to be called perfc. To implement this, create a file in c:\windows called “perfc”.
- Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline;
- Maintain up-to-date anti-virus software;
- Keep operating system and software up-to-date regularly with the latest patches.
Generally, MyCERT advises the users of this software to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 89453442
Mobile: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours: Mon - Fri 09:00 -18:00 MYT