HIRT-PUB17010 : Security Alert: Ransomware NotPetya (Petya Variant) : Hitachi Incident Response Team : Hitachi

Last Update: October 10, 2017

1. Overview

Beginning from June 27, 2017, the ransomware NotPetya (also known as Petrwrap, GoldenEye and Nyetya) has been active in the wild.

1.1 Ransomware behavior

Ransom activities
NotPetya encrypts the MBR (Master Boot Record) of infected Windows computers, making affected machines unusable. In addition, it displays a ransom note like the one in Figure 1.

Diffusion activities
NotPetya attempts to propagate itself. In the process of propagating itself, this malware spreads by exploiting a vulnerability in Windows SMBv1 (vulnerability CVE-2017-0145, addressed by security update MS17-010) and by stealing the user's Windows credentials.

Figure 1: Ransom note

1.2 Incidents

June 27, 2017

Microsoft: More than 12,500 machines encountered the threat in Ukraine. And observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States.
New ransomware, old techniques: Petya adds worm capabilities
https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/

1.3 Security alerts

Various organizations have issued the following security alerts.

JPCERT/CC
JPCERT-AT-2017-0023: Alert regarding PCs and servers that may be attacked via the Internet (June 28, 2017)
http://www.jpcert.or.jp/english/at/2017/at170023.html
IPA
About ransomware infection in the wild (June 28, 2017)
http://www.ipa.go.jp/security/ciadr/vul/20170628-ransomware.html
ICS-CERT
Petya Malware Variant (June 30, 2017)
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01
US-CERT
Petya Ransomware (July 01, 2017)
https://www.us-cert.gov/ncas/alerts/TA17-181A

2. Countermeasures

Periodically backup your files and store them at offline as preparation for restoring encrypted files in incident.
Keep your operating system and software up-to-date with the latest patches. Especially, apply the Microsoft patch, MS17-010.
Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing it.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. In the case of NotPetya, Microsoft recommends blocking all traffic on Port 139/TCP and 445/TCP to prevent propagation. Microsoft has also recommends that their users can also disable remote WMI (Windows Management Instrumentation) and file sharing.

3. Hitachi Product Information

Hitachi products using Microsoft Windows operating systems are affected to this issue.

HIRT recommends that the following measures are effective in your network environment such as information systems, healthcare systems, industrial control systems and etc. to prevent Ransomware NotPetya.

Restricting unauthorized access to the network and networked devices.
Making certain appropriate antivirus software and firewalls are up-to-date.
Monitoring network activity for unauthorized use.
Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
Developing and evaluating strategies to maintain critical functionality during adverse conditions.

4. References

4.1 Malware sample

Notpetya
SHA256:027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
MD5:71b6a493388e7d0b40c83ce903bc6b04

4.2 Diffusion activities

NotPetya(SHA256: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745) was executed on an infected PC in the experimental network environment. The following presents the results of an investigation into the probe method of new PCs for infection as characteristic of a network worm.

NotPetya on the infected PC uses the known IP address such as "All computers in the ARP cache", "All computers you have a current open network connection with" and etc. to access port 445/tcp, 139/tcp and 80/tcp on other PCs. For more information, please refer to the Symantec report.

Symantec
Petya ransomware outbreak: Here's what you need to know (June 27, 2017)
https://www.symantec.com/connect/blogs/petya-ransomware-outbreak-here-s-what-you-need-know

Figure 2 shows that NotPetya accesses a default gateway which provides Web administration interface on port 80/tcp. This is an example using IP addresses of "All computers in the ARP cache".

Figure 3 shows that NotPetya accesses PC which has connected with port 22/tcp of a current open network connection and in outside of subnetwork. This is an example using IP addresses of "All computers you have a current open network connection with".

Figure 2: An example using IP addresses of "All computers in the ARP cache"

Figure 3: An example using IP addresses of "All computers you have a current open network connection with"

Also NotPetya on the infected PC uses ARP packets to probe other operating PCs in the same network.

The following figure, Figure 4, shows the elapsed time of probing the same subnetwork (/24: about 250 IP addresses) by NotPetya and WannaCry. WannaCry is to about 30 secondes. The probing performance of NotPetya (about 15 minutes) is not particularly high, and it is that NotPetya operates with the assumption that its activities will access the known IP address over an intranet and the Internet, as a result to increase the speed of its diffusion.

Figure 4: Elapsed time of probing IP address order on the same subnetwork (/24: about 250 IP addresses).