Another outbreak, another nightmare for those who were not prepared. While this latest attack is similar to the earlier WannaCry threat, there are some differences in this latest malware, which is a variant or new strain much like Petya. Dubbed NotPetya by some, this strain causes a lot of problems for anyone who encounters it. It might encrypt your data, or make the system completely inoperable. And now the email address you would be required to contact to ‘maybe’ decrypt your files has been taken down, so you’re out of luck getting your files back.
Plenty of details about this threat’s behavior are publicly available, but I wanted to touch on the fact that Ziften customers are protected from the EternalBlue exploit, which is one mechanism used for its propagation, and, even better, by an inoculation based upon a possible flaw, or its own type of debug check, that stops the threat from ever executing on your system. It could still spread within the environment, but our protection would already be rolled out to all existing systems to stop the damage.
Our Ziften extension platform enables our customers to have protection in place against certain vulnerabilities and malicious actions for this threat and others like Petya. Beyond the specific actions taken against this particular variant, we have taken a holistic approach to stopping strains of malware that conduct various ‘checks’ against the system before executing.
Fig 1. Petya inoculation extension available in Ziften console
We can also use our Search capability to look for remnants of the other propagation techniques used by this threat. Reports show WMIC and PsExec being used. We can search for those programs, their command lines, and how they are used. Even though they are legitimate processes, their use is usually rare and can be alerted on.
Fig 2. Search for a PsExec process that spawns a child process (cmd.exe) which has certain command line parameters
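The search in Fig 2 can be expressed as plain detection logic over process-creation telemetry. The block below is an added example, not Ziften code and not a Ziften search syntax: it assumes a constructed event record (host, image, parent image, command line) and flags PsExec launches, cmd.exe children of PsExec, and wmic.exe invocations that create processes, while leaving ordinary cmd.exe and WMI inventory queries alone. All hostnames, paths and command lines in the sample are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record. Field names are an assumption for this example, not a real schema."""
    host: str
    image: str          # path of the newly created process
    parent_image: str   # path of its parent process
    command_line: str

# Image names PsExec is known to run under (client binaries and the service it installs).
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
# wmic.exe used to create a process rather than to query inventory.
WMIC_CREATE = re.compile(r"\bprocess\b.*\bcall\b.*\bcreate\b", re.IGNORECASE)
# /node: means the command targets another machine.
WMIC_REMOTE = re.compile(r"/node:", re.IGNORECASE)

def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX-style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(event: ProcessEvent) -> List[str]:
    """Return the reasons this event should be reviewed (empty list if none)."""
    image = basename(event.image)
    parent = basename(event.parent_image)
    reasons = []
    if image in PSEXEC_IMAGES:
        reasons.append("PsExec executed (rare legitimate use; review command line)")
    if image == "cmd.exe" and parent in PSEXEC_IMAGES:
        reasons.append("cmd.exe spawned by PsExec: " + event.command_line)
    if image == "wmic.exe" and WMIC_CREATE.search(event.command_line):
        target = "remote host" if WMIC_REMOTE.search(event.command_line) else "local host"
        reasons.append(f"wmic process call create on {target}")
    return reasons

def scan(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Run detect() over a batch of events and return (host, reason) pairs."""
    return [(e.host, reason) for e in events for reason in detect(e)]

# Constructed sample telemetry: two suspicious, two benign, one PsExec launch.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\PSEXESVC.exe", "cmd.exe /c echo remote-job"),
    ProcessEvent("ws02", r"C:\Windows\System32\wbem\WMIC.exe",
                 r"C:\Windows\System32\cmd.exe",
                 'wmic /node:"ws03" process call create "cmd.exe /c echo remote-job"'),
    ProcessEvent("ws01", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\explorer.exe", "cmd.exe"),
    ProcessEvent("ws02", r"C:\Windows\System32\wbem\WMIC.exe",
                 r"C:\Windows\System32\cmd.exe", "wmic os get caption"),
    ProcessEvent("admin01", r"C:\Tools\PsExec.exe",
                 r"C:\Windows\System32\cmd.exe", r"PsExec.exe \\ws01 ipconfig"),
]

if __name__ == "__main__":
    for host, reason in scan(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```

The third and fourth records produce nothing, which is the point: the rule keys on parent/child relationship and on the create verb, not on the mere presence of cmd.exe or wmic.exe, so it stays quiet on an administrator's interactive shell and inventory queries while still surfacing the rare PsExec and remote process-creation activity the post describes.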
With WannaCry, and now NotPetya, we expect to see a continued rise of these types of attacks. The release of the recent NSA exploits has given ambitious hackers the tools needed to push out their wares. And though ransomware can be a lucrative commodity vehicle, more damaging threats could be released. The most challenging part for attackers has always been ‘how’ to get the threat to spread (worm-like, or through social engineering).