29Jun 2017

Key lessons from ‘Petya’ ransomware attack

A hand draws a football play on a chalkboard with chalk leaving room for copy.

While the cyber security community is still working to understand the latest ransomware attack that has reportedly hit 60 countries, there are key lessons to be learned

Security researchers are struggling to reach consensus on whether the ransomware responsible for the latest global attacks is a new version of Petya or not, and even whether it was true ransomware, but what they have learned so far could help guide security strategies.

Those in support of retaining the Petya name point out that it essentially behaves in exactly the same way because it is designed to:

  • Encrypt files on disk without changing the file extension.
  • Forcibly reboot the machine upon infection.
  • Encrypt the Master Boot Record on affected machines.
  • Present a fake CHKDSK screen as a cover for the encryption process.
  • Present a near-identical ransom demand screen after completing its activities.

According to the latest update on the malware, Kaspersky Lab says code analysis has revealed it is technically impossible to decrypt victims’ disks.

To decrypt a victim’s disk threat actors need the installation ID, and in previous versions of “similar” ransomware like Petya/Mischa/GoldenEye, this installation ID contained the information necessary for key recovery, researchers at the security firm said.

However, they found the new malware – which they have dubbed ExPetr – does not have any such recovery mechanism, which means the threat actor could not extract the necessary information needed for decryption.

In short, victims could not recover their data even if they paid the ransom, the researchers said, which again calls into question the motive behind the malware.

This discovery not only further endorses the security community’s earlier advice not to pay the ransom, but also raises further questions about the true purpose of the malware and is likely to fuel further speculation that it may have been intended purely as a means to cause disruption on to mask some other malicious activity.

This view is supported by the latest statement from the UK National Cyber Security Centre (NCSC) that while managing the impact to the UK of the incident, the NCSC’s experts have found evidence that questions initial judgements that the intention was to collect a ransom. “We are investigating with the NCA and industry whether the intent was to disrupt rather than for any financial gain,” the NCSC said.

Whatever the true purpose, analysis of the malware has confirmed some of the lessons learned from WannaCry and added others which organisations should consider in order to improve their cyber defence capabilities against future threats.

The key lessons that have emerged so far are:

1. Having the latest versions of software and ensuring they are patched up to date will go a long way in reducing organisations’ vulnerability to cyber attack.

2. Malware is increasingly using legitimate tools for malicious activity to go undetected. In the case of ExPetr, two common Windows administrative tools, Windows Management Instrumentation Command-line (WMIC) and PsExec were used.

According to risk management firm Kroll, while the use of these and other “non-malicious” tools by intruders to quietly move within networks is not new, their use in such a widespread and automated attack is novel.

This knowledge underscores the value of implementing modern threat detection and response systems and using trained staff or trusted external partners to identify and contain this type of attack, Kroll said in its latest advice to customers.

Lateral movement a security issue

Like WannaCry, security experts say ExPetr proves that lateral movement is a serious security issue, however, environments that have adopted software-defined perimeter architectures to limit lateral movement are likely to see far reduced impact compared to traditional open enterprise networks, according to security firm Cyxtera Technologies.

3. Malware is hijacking software updating mechanisms to spread malware, and is likely to use this technique increasingly in future.

Microsoft has confirmed that in some cases ExPetr hijacked the auto update facility of the M.E.Doc tax accounting software that is widely used in Ukraine, which is why the country was particularly hard hit.

In the light of this fact, organisations should recognise the very real risk posed by third parties, such as software suppliers and service providers. At a minimum, Kroll advises organisations to review all supplier rosk management processes and institute controls that mitigate potential vulnerabilities.

In October of 2016, Forcepoint Security Labs warned of rogue software updates being delivered by automated software update mechanisms in its Freeman Report, which documented the dangers of a rogue software update to a legitimate code analysis tool.

Forcepoint recommends that organisations vet third-parties who deliver software updates into their environment and that they seek to understand what unsupported or so-called abandoned software (abandonware) may still be running and accepting updates.

Multiple propagation techniques

However, multiple PDF and Word attachment samples have been collected, which highlights the likelihood of malware using multiple propagation techniques and the importance of organisations ensuring they have systems in place to detect malicious email attachments.

4. An appropriate and well-tested backup and recovery plan for critical systems and data will go a long way to mitigating the effects of ransomware and other malware attacks, regardless of its particular characteristics.

5. Malware is abusing security tools to discover usernames and passwords, which means organisations should ensure they have appropriate systems and procedures in place to prevent credential abuse.

ExPetr uses the publically available Mimikatz tool to obtain credentials of all Windows users in plaintext, including local administrators and domain users to spread itself on local networks.