The Chertoff Group

CHERTOFF GROUP ALERT: PETYA RANSOMWARE CAMPAIGN

The Chertoff Group continues to closely monitor the Petya ransomware attack.  The story is still evolving, but we wanted to provide a brief summary for those of you who may not have had time to review in detail and assess appropriate actions for your organization.

What happened?

  • A ransomware campaign, similar to the May WannaCry outbreak, is causing disruption to government and critical infrastructure systems around the world. The campaign has had particular impact in Ukraine, with effects also being felt in Europe and, to a lesser extent, in the United States. The bitcoin ransom demand is equivalent to $300, the same amount as WannaCry.
  • Most reports thus far indicate the ransomware is an updated version of a variant known as “Petya,” which appeared last year. Security firm Kaspersky, however, has reported the ransomware is not the Petya strain, and has thus dubbed it “NotPetya.”
  • The Petya campaign reportedly leverages the same vulnerability in Microsoft Windows Server Message Block (SMB) that was exploited in the WannaCry campaign to gain control of machines, spread internally, and encrypt compromised devices, rendering them useless. As of this writing, the Petya perpetrator’s wallet has collected less than $10,000.
  • According to Symantec, the exploit in question, known as EternalBlue, was allegedly developed by the U.S. National Security Agency (NSA) and was leaked in April by the Shadow Brokers hacking group, making it widely known to the hacker community. It was previously used in the WannaCry ransomware campaign in May 2017.

Why is it important?

  • While ransomware is nothing new, there appears to be a level of automation in Petya that, like WannaCry, makes its ability to scale alarming.
  • Given Petya is the second ransomware outbreak to leverage EternalBlue, the event will bring heightened focus and attention to both the U.S. government’s process for disclosing vulnerabilities and the slow adoption of critical vulnerability patches by public and private sector organizations around the world.
  • According to US-CERT, Petya gains access to servers through a weakness in Windows SMB, which allows computers to share files and other resources. More specifically, the malware encrypts a computer’s master boot record and then its master file table.
  • While a patch had earlier been released (the original patch, MS17-010, was distributed March 14, 2017), the reality is that many organizations are slow to implement patches for a variety of reasons (e.g., competing priorities on often over-taxed IT teams, a desire to test patches before implementing them to ensure the patch itself won’t break something, etc.).

Who has been impacted?

  • Initial reports detailed incidents affecting Ukrainian targets, including government ministries, radiation monitoring systems at Chernobyl, banks, and metro systems. Other affected entities reportedly include Danish shipping company Maersk, Russian energy company Rosneft, U.S. drug company Merck, and multinational law firm DLA Piper.

How is it different from WannaCry?

  • While both WannaCry and the updated Petya strain reportedly exploit EternalBlue, Petya does not appear to have the same “kill switch” function that enabled a private researcher to shut down the WannaCry campaign (and thereby reduced the scale of WannaCry infection worldwide).
  • In response to the WannaCry campaign, more organizations installed critical security updates like MS17-010 to reduce the risk of future exploitation of the SMB vulnerability.
  • According to unconfirmed reports, Petya can utilize a counterfeit Microsoft digital signature to avoid detection by some anti-virus tools.
  • Petya can reportedly also leverage internal Microsoft utilities like PsExec to move laterally and spread infection.

What it means for you

The nature of the threat underscores the importance of a layered defense.

For executives

  • Governance and risk management (assess, mitigate, monitor). Understand your most critical assets – applications, users, and business processes. Talk to your security teams about the use of a layered defense, including for example segmenting these assets to limit their exposure to malicious activity already inside your network. Conduct focused testing and audit to ensure that security tools are fully implemented and operating effectively.
  • Information sharing. Discuss whether your firm participates in an Information Sharing and Analysis Organization so that, as new threat information becomes available on Petya variants or other attacks leveraging Shadow Brokers disclosures, your security teams know about it and can act on it.
  • Asset, configuration and vulnerability management. When patches are released by software vendors like Microsoft, can your firm find and remediate at-risk assets comprehensively and quickly? A dramatic increase in “endpoints” across many organizations can complicate these tasks, so consider a comprehensive endpoint management plan (people, process and technology) to include asset, configuration and patch management.
  • Third party risk management. Talk to your business, security and procurement teams about controls on third party access to your network, as well as contingencies for when a critical third party is incapacitated by an attack.
  • Incident management. Ransomware has become a very popular form of malware. What if your firm is victimized by a Petya variant?  Will the incident response and business continuity/disaster recovery program limit the damage?  Are there protocols in place for accessing bitcoin?
  • Culture and training are important. Everyone in your firm should know basic cyber hygiene. Even though it appears Petya may gain access through server-side infrastructure, ransomware is often introduced through user endpoints. All users should thus:
    • Understand the risks of clicking on links or opening attachments sent via email, particularly from untrusted users.
    • Understand the risks of downloading software from Internet websites, particularly from untrusted websites.
    • Understand what to do if you suspect your device has been compromised.

For practitioners

  • First and most obvious, refer to Microsoft Security Bulletin MS17-010 and leverage the security update information provided in the Bulletin. Also review the US-CERT notification on Petya and TA16-091A on ransomware in general.
  • The EternalBlue exploit and DOUBLEPULSAR backdoor leveraged by Petya were not the only tools disclosed by Shadow Brokers, so it is recommended that organizations urgently review patches related to the April leak (see, e.g., https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/) and ensure they have been implemented.
  • Conduct internal and external scans for SMB ports, and where practicable consider isolating and restricting the SMB protocol (particularly SMB v1) as it is reportedly being leveraged by the malware (https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012).
    • Researchers recommend ensuring that any inbound connections on TCP port 445 are blocked.
  • Conduct targeted education and awareness with users. Alert them to the potential implications of this attack and the need to exercise extreme caution in opening emails, clicking on attachments, visiting untrusted sites, etc.
  • Consider implementing and then properly configuring email filtering tools to block executable content from reaching end users, and disabling macros in Microsoft Office products transmitted by email.
  • Ensure anti-virus/malware detection tools are updated and conducting regular scans.
  • To minimize internal spread, organizations should also consider limiting workstation-to-workstation communications, removing local administrative privileges on endpoints, applying application whitelisting capabilities and consistently implementing the principle of “least privilege.”
  • As an additional preparedness measure, organizations should have comprehensive backup plans and practices in place to facilitate successful business continuity and disaster recovery.  Per US-CERT, backup copies of sensitive data should not be readily accessible from local networks.
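The SMB-related items above (confirm MS17-010 is installed, check and disable SMBv1, block inbound TCP/445, and look for internal hosts still answering on 445) can be audited from one elevated PowerShell session. The script below is an added example written for this summary; it is not part of The Chertoff Group’s alert and not a Microsoft tool. It assumes Windows 8.1 / Server 2012 R2 or later for the SmbShare, NetSecurity and DISM cmdlets (older systems get only the registry and hotfix checks), and it deliberately does not hardcode KB identifiers: the `-Ms17010Kb` value is a placeholder that you replace with the KB ids for your OS from the MS17-010 bulletin. The `-ScanTargets` addresses are constructed sample values.

```powershell
# Added example, not from the original alert. Run as Administrator.
# Audits the Petya-related SMB hardening items; -Remediate applies the fixes.
[CmdletBinding()]
param(
    # PLACEHOLDER: replace with the KB ids listed for your OS in MS17-010.
    [string[]]$Ms17010Kb  = @('KB-PLACEHOLDER-FROM-MS17-010'),
    # Constructed sample hosts to probe for a listening SMB port.
    [string[]]$ScanTargets = @('10.0.0.10', '10.0.0.11'),
    [switch]$Remediate
)

function Test-Ms17010Installed {
    param([string[]]$KbIds)
    # True if any of the supplied hotfix ids is present on this machine.
    $found = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $KbIds -contains $_.HotFixID }
    return [bool]$found
}

function Get-Smb1Enabled {
    # Prefer the SMB server configuration cmdlet; fall back to the registry value
    # documented in KB2696547 (SMB1 = 0 under LanmanServer\Parameters disables it).
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { return [bool]$cfg.EnableSMB1Protocol }
    $reg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -ErrorAction SilentlyContinue
    if ($null -ne $reg -and $null -ne $reg.SMB1) { return ($reg.SMB1 -ne 0) }
    return $true   # no explicit value: SMB1 is on by default on older systems
}

function Disable-Smb1 {
    # Stop the server side from offering SMB1, then remove the component itself.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force -ErrorAction SilentlyContinue
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat -and $feat.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    } elseif (Get-Command Remove-WindowsFeature -ErrorAction SilentlyContinue) {
        # Server SKUs expose SMB1 as the FS-SMB1 role feature instead.
        Remove-WindowsFeature FS-SMB1 -ErrorAction SilentlyContinue | Out-Null
    }
}

function Test-InboundSmbBlocked {
    # True if an enabled inbound Block rule covers TCP/445 (port ranges are not parsed).
    $rules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $pf = $r | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP' -and (@($pf.LocalPort) -contains '445' -or @($pf.LocalPort) -contains 'Any')) {
            return $true
        }
    }
    return $false
}

function Block-InboundSmb {
    # A Block rule wins over any existing File and Printer Sharing allow rule.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445) - Petya response' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
}

function Find-OpenSmbPorts {
    param([string[]]$Targets)
    # Quick check of known internal hosts; pair with an authorised network scan for a full inventory.
    foreach ($t in $Targets) {
        $open = Test-NetConnection -ComputerName $t -Port 445 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $t; Smb445Open = [bool]$open }
    }
}

$report = [ordered]@{
    'MS17-010 installed'      = Test-Ms17010Installed -KbIds $Ms17010Kb
    'SMBv1 enabled'           = Get-Smb1Enabled
    'Inbound TCP/445 blocked' = Test-InboundSmbBlocked
}
$report.GetEnumerator() | ForEach-Object { '{0,-25}: {1}' -f $_.Key, $_.Value }

if ($Remediate) {
    if ($report['SMBv1 enabled'])                { Disable-Smb1 }
    if (-not $report['Inbound TCP/445 blocked']) { Block-InboundSmb }
}

Find-OpenSmbPorts -Targets $ScanTargets | Format-Table -AutoSize
```

Run it first without `-Remediate` to get the three-line status report, and only add the switch once you know what each box does: the 445 block rule is appropriate on workstations and at the perimeter, but on a file server it will stop legitimate file sharing, and disabling SMBv1 breaks any remaining clients that can only speak that dialect. Both are exactly the trade-offs the “test before you patch” item above refers to, so stage the change through your normal change process rather than pushing it fleet-wide in one go.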

Please contact us if you have any questions or concerns (info@chertoffgroup.com).

About The Chertoff Group

The Chertoff Group is a premier global advisory firm focused on security and risk management. The Chertoff Group helps clients grow and secure their enterprise through risk management, business strategy, and merchant banking advisory services. We apply our insights into technology, threat, and policy to help our clients improve their resiliency, build competitive advantage, and accelerate growth. The Chertoff Group, and its investment banking subsidiary Chertoff Capital, have advised on multiple M&A transactions totaling nearly $7 billion in deal value. Headquartered in Washington D.C., the firm maintains offices in Menlo Park and New York. For more information about The Chertoff Group, visit www.chertoffgroup.com.
