On June 27, 2017, a “wormed” ransomware outbreak started being reported by several companies in Ukraine and around Europe. Bringing back bad memories of WannaCry from May, PetrWrap (Petya, NotPetya, GoldenEye) has spread quickly, affecting several Ukrainian organizations – the Ukrainian national bank, the country's largest airport, the state power company, the metro system, and others – as well as companies located in the UK, Russia, Spain, France, and India. As of this write-up, one US target has also been confirmed: the pharmaceuticals company Merck.
Alert Logic “Experts Included” in Action
Alert Logic® ActiveWatch™ team members immediately confirmed the link with ETERNALBLUE (MS17-010), the SMBv1 exploit released in the Shadow Brokers dump. Researchers also confirmed that the Alert Logic coverage update released in April handles identification of the underlying Windows vulnerability. Our SOC analysts have been escalating ETERNALBLUE attacks actively taking place in our customers' environments.
Alert Logic Coverage
Alert Logic has had detection coverage and incident escalations deployed globally for the ETERNALBLUE threat vectors used by this ransomware for over 2 months. We have scanning coverage, active signatures (IDS) and incident creation already in production for ETERNALBLUE.
- ETERNALBLUE incidents will indicate attacks as well as successful execution against systems vulnerable to the MS17-010 exploit.
Alert Logic Services:
- Cloud Defender: IDS Signatures have been deployed for EternalBlue since mid-April 2017. Incidents will be generated by Alert Logic for successful execution of these threats. ActiveWatch team members are actively monitoring for these threats. Web vectors have not been observed for this exploit.
- Threat Manager™ and Cloud Insight™ vulnerability scanning services: Signatures for assessing the EternalBlue vulnerability and detecting active attacks have been deployed since mid-April 2017.
- Web Security Manager Premier (in-line WAF): We have not observed PetrWrap using any Web vectors, therefore there are no indications at present that this technology would detect these threats.
- Log Manager: There are no indications at present that these threats can be detected effectively via this data source.
Mitigation Recommendations for Customers
- Patch your systems—all vulnerable versions of Windows are effectively patchable (Microsoft also released patches for unsupported systems with the original WannaCry outbreak). The patch for this vulnerability applies to Windows Vista systems and newer and can be found in the Microsoft Security Bulletin MS17-010 - Critical security update.
- Run a detailed vulnerability scan against all systems in your environments to identify systems missing the MS17-010 security update.
- Disable SMBv1 in Windows unless it is absolutely necessary. If it must remain enabled, ensure it is not reachable from the open internet (TCP port 445).
- Lock down administrative privileges as much as possible on individual machines and user accounts to prevent infection using Windows internal tools.
- Placing the file perfc.dat in the C:\Windows\ directory will stop encryption of files provided that the infected user does NOT have administrative privileges.
- Establish strict needs-based access to network resources and segment networks where possible.
- Back up your data to offline media, as the ransomware worm attempts to infect any connected resources (USB drives, mapped network drives, etc.).
- Keep current with our network, web application, scanning and log alerts.
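The steps above (check for the MS17-010 update, find and disable SMBv1, keep port 445 off the internet, and place the perfc.dat file) can be audited and applied on a single host from PowerShell. The script below is an added example, not Alert Logic tooling or part of the original post. It assumes Windows 8 / Server 2012 or newer for the SMB and firewall cmdlets, and the list of KB identifiers is a placeholder that must be filled in from the MS17-010 bulletin for the host's OS and servicing branch; the read-only attribute on perfc.dat is an extra precaution, not something the post specifies.

```powershell
#Requires -RunAsAdministrator
# Added example: audit (and optionally remediate) one Windows host against the
# SMBv1 / MS17-010 vector used by PetrWrap. Not Alert Logic code.

param(
    # Placeholder: KB IDs of the MS17-010 update for THIS host's OS build.
    [string[]]$Ms17010Kbs = @('KB-PLACEHOLDER-FROM-MS17-010-BULLETIN'),
    # Only audit unless -Remediate is given.
    [switch]$Remediate
)

function Test-Ms17010Installed {
    param([string[]]$KbIds)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-Smb1State {
    # Server side: is the SMB1 dialect still offered to clients?
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Component level: is the SMB1 optional feature installed at all?
    # (Assumption: SMB1Protocol feature name; on Server editions the
    # equivalent is the FS-SMB1 role feature.)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerEnabled    = $server
        FeatureInstalled = ($null -ne $feature -and $feature.State -eq 'Enabled')
    }
}

function Disable-Smb1 {
    # Stop offering SMB1 immediately, then remove the component (needs a reboot).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
}

function Block-PublicSmb {
    # Block inbound 445/TCP on the Public firewall profile so SMB is never
    # exposed when the host sits on an untrusted network.
    $name = 'Block inbound SMB (Public profile)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
}

function New-PerfcVaccine {
    # Create C:\Windows\perfc.dat as described in the mitigation list.
    $path = Join-Path $env:SystemRoot 'perfc.dat'
    if (-not (Test-Path $path)) { New-Item -Path $path -ItemType File | Out-Null }
    # Read-only attribute is an added precaution (assumption, not from the post).
    Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
    return $path
}

# --- Audit ---
$patched = Test-Ms17010Installed -KbIds $Ms17010Kbs
$smb1    = Get-Smb1State
$perfc   = Test-Path (Join-Path $env:SystemRoot 'perfc.dat')
Write-Host "MS17-010 installed : $patched"
Write-Host "SMB1 server enabled: $($smb1.ServerEnabled)"
Write-Host "SMB1 feature on    : $($smb1.FeatureInstalled)"
Write-Host "perfc.dat present  : $perfc"

# --- Remediate (opt-in) ---
if ($Remediate) {
    if ($smb1.ServerEnabled -or $smb1.FeatureInstalled) { Disable-Smb1 }
    Block-PublicSmb
    New-PerfcVaccine | Out-Null
    Write-Host 'Remediation applied; reboot to finish removing the SMB1 component.'
}
```

Run it once without `-Remediate` to get an inventory of where each host stands, feed the results into the vulnerability-scan step, and only then rerun with `-Remediate` on hosts where SMBv1 is confirmed unnecessary. The firewall rule is a safety net for roaming machines, not a substitute for keeping port 445 closed at the perimeter.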
Alert Logic posted information on the recent WannaCry ransomware attack in May, following the publication of assessment and detection techniques in April, resulting from the Shadow Brokers toolset release. PetrWrap is exploiting some of the same flaws used by WannaCry, so customers have coverage based on the same assessment and detection methods Alert Logic deployed in mid-April 2017. Our ActiveWatch™ team has asked customers to ensure they follow the mitigation recommendations above to further reduce their risk from PetrWrap, WannaCry, and any inevitable future variants of this attack.
Further Reading
- Ars Technica Article: https://arstechnica.com/security/2017/06/a-new-ransomware-outbreak-similar-to-wcry-is-shutting-down-computers-worldwide/
- The Verge Post: https://www.theverge.com/2017/6/27/15879480/petrwrap-virus-ukraine-ransomware-attack-europe-wannacry
- Forbes.com Article: https://www.forbes.com/sites/thomasbrewster/2017/06/27/ransomware-spreads-rapidly-hitting-power-companies-banks-airlines-metro/#c11036c7abd