WannaCry II: How to Stop NotPetya Infections with the Cato CloudJune 29, 2017
Just a little more than a month after WannaCry delivered the “largest” ransomware attack in history, the industry was reeling from it’s sequel, NotPetya.
Like WannaCry, NotPetya leverages the SMB protocol to move laterally across the network, an EternalBlue exploit attributed to the National Security Agency (NSA) and leaked by the Shadow Brokers hacking group last April.
But the ransomware, a variant of the NotPetya ransomware discovered more than a year ago, significantly improves on WannaCry. First, NotPetya extracts user credentials from the infected machine’s memory using Mimikatz, an open-source tool. Using the harvested credentials, the malware employs the PsExec Microsoft utility and WMIC (Windows Management Instrumentation Command Line), a utilities bundled with Windows, to execute commands on remote machines.
IT managers should take action to protect users and their networks even if they have already done so against WannaCry. All Windows-based machines should be updated, including industrial devices, such as ATMs, and Windows 10 devices. Detailed steps for protecting your network with Cato are provided below, including a video illustrating EternalBlue-based attacks.
Inside The Attack
While the source of the NotPetya campaign has been speculated, Microsoft now claims to have evidence that “patient zero” is MeDoc, a Ukraine-based software company. Attackers allegedly planted the malware in the company’s update servers. The company then erroneously distributed the malware as part of a software update. Ukraine was indeed the primary victim for this attack.
Other attack vectors that were found in the wild are Microsoft Office documents armed with embedded HTAs (HTML Applications) that are designed to exploit CVE-2017-0199, first discovered in April 2017. Once the document is opened the HTA code executes and drops the malware to the attacked computer. The machine is then forced to reboot, encrypting the files and locking the computer. Victims are asked to pay $300 to remove the infection (see Figure 1). A total of 3.8 Bitcoin (BTC), approximately $8,000, have been collected to date by NotPetya.
Figure 1: Ransomware screen from a computer infected by NotPetya
What You Can Do
If machines have not already been updated, Cato Research recommends that all organizations update them. To protect the network, take the following actions:
- Use URL filtering to block malicious sites.
- Add a read-only file to user machines, preventing NotPetya from executing.
- Scan incoming files with anti-malware.
- Use IPS to detect and block incoming attacks.
Do not attempt to pay the ransom. The mailboxes that were used by the attackers have been disabled by the email provider. It’s also unlikely that paying the ransom will provide a decryption key (Figure 2). Recent reports indicate that encryption key may randomized and therefore impossible to provide. Notify users that if their computer restarts abruptly to shut down immediately and alert IT. This way the malware will not be able to encrypt files and can be extracted by IT personnel.
Figure 2: The email account used by NotPetya has been blocked.
Use URL filtering to block malicious sites
As was documented with WannaCry, URL filtering can minimize the attack surface available to NotPetya (Figure 3). Any malicious domain should be blocked, if not already done so. With Cato, malicious domain are blocked by default.
Figure 3: IT should block access to malicious domain
Add a Read-Only File to User Machines to prevent infection
While WannaCry could be stopped by preventing the malware from communicating back to the C&C server, no such kill-switch exists with NotPetya. However, Amit Serper, a security researcher from Cybereason, has discovered that adding a read-only file to the C:\windows directory with the same name as the malicious DLL, perfc (without an application extension), disables the execution of the malware (Figure 4).
Figure 4: Placing a file named perfc in the Windows directory will prevent installation of NotPetya in a machine.
Scan incoming files with anti-malware
Threat protection should also be enabled to scan every download and payload (Figure 5). With Cato’s anti-malware capabilities, customers are protected by blocking HTTP/S traffic containing NotPetya. Even if an email attachment contains NotPetya, the payload is still transferred across HTTP and will be blocked.
Figure 5: Cato threat protection blocks infected files and messages
Additional rules monitor for suspicious SMB traffic. To date, SMB traffic patterns pointing to the malware have not been detected on our network.
The above actions should protect your organization against NotPetya. To see Cato security in action and how it defends against any EternalBlue attack, watch this video: