As you know, a new ransomware attack has occurred, referred to by names such as NotPetya, Petna and Petya (even though it isn’t Petya). It appears to be an evolution of the WannaCry ransomware. However, this time, it shipped without a kill switch. Once it gains a foothold, the malware infects systems that are vulnerable to MS17-010 and then spreads across the Windows infrastructure.
More information on Microsoft Security Bulletin MS17-010 can be found here: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.
The Process of Infection
NotPetya begins its process by looking for a file in the %windir% directory called “perfc” with no file extension. It then attempts to extract and use an embedded copy of the SysInternals tool PSEXEC.EXE. This copy is embedded in another file called “DLLHOST.DAT”, which is also written to the %windir% directory.
If PSEXEC cannot be used, it falls back to the WMI command-line tool (WMIC.exe). WMI is available on all modern Windows systems after Windows NT 4.
The process then utilizes a tweaked version of Mimikatz to extract network credentials cached on the running system and begins infecting subsequent systems with them. In short, it takes advantage of the fact that many organizations employ flat, non-air-gapped networks in which an IT administrator on one endpoint can control other machines. Alternatively, it can harvest domain admin credentials present in memory and repeat the process until the network is completely under its control.
Stopping NotPetya Before it Begins
Here at Lieberman Software, our RED Systems Management tool can quickly block access to the files NotPetya intends to use to infect you. With patented Access Control List (ACL) management technology called File Cratering, RED Systems Management can lock out NotPetya from executing on client systems.
Post Prescription NotPetya Remedy
By now you know you should patch your computers against the Server Message Block (SMB) exploits with the patches described in MS17-010 to prevent infection by NotPetya. But you should also disable SMBv1.
SMB versioning is controlled by registry entries that can be set by Active Directory Group Policy Preferences. For more information, see: https://blogs.technet.microsoft.com/staysafe/2017/05/17/disable-smb-v1-in-managed-environments-with-ad-group-policy/.
Unfortunately, group policy provides no feedback on whether the policy applied successfully, and it may take many hours to go into effect. Fortunately, this is another area where RED Systems Management can help. It can proactively handle the change using its REGEDIT feature, which provides immediate feedback of success or failure. It can also verify the success of the change with its registry reporting.
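As an added example, not code from this post or from Lieberman Software: a PowerShell script that reports whether the two on-disk artifacts named above (“perfc” and DLLHOST.DAT in %windir%) are present, then applies the SMBv1 server registry change and reads it back immediately, which is the success/failure feedback Group Policy does not give you. It assumes it is run as a local administrator; the registry path and SMB1 value are the Microsoft-documented switch, and the Get-SmbServerConfiguration cross-check assumes Windows 8 / Server 2012 or later.

```powershell
# Added example, not Lieberman Software code. Run as a local administrator.
# Registry path/value: Microsoft-documented SMBv1 server switch (LanmanServer\Parameters\SMB1).
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-NotPetyaArtifacts {
    # Files the post names: "perfc" (no extension) and DLLHOST.DAT in %windir%.
    # Presence is a lead for investigation, not proof of infection on its own.
    $names = @('perfc', 'dllhost.dat')
    foreach ($name in $names) {
        $path = Join-Path $env:windir $name
        [pscustomobject]@{ Path = $path; Present = (Test-Path -LiteralPath $path) }
    }
}

function Get-Smb1ServerEnabled {
    # $true when SMBv1 is enabled. A missing value means the Windows default, which is enabled.
    $value = (Get-ItemProperty -Path $RegPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $value) { return $true }
    return [bool]$value
}

function Disable-Smb1Server {
    # Write SMB1 = 0 (REG_DWORD), then read it back so the caller gets an immediate verdict.
    New-ItemProperty -Path $RegPath -Name SMB1 -PropertyType DWord -Value 0 -Force | Out-Null
    if (Get-Smb1ServerEnabled) {
        throw "SMBv1 registry change did not apply on $env:COMPUTERNAME"
    }
    # Cross-check with the SMB cmdlet where it exists (Windows 8 / Server 2012 and later).
    # The registry value persists immediately; the running service picks it up after a restart.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
            Write-Warning 'Registry value set; SMB service still reports SMBv1 enabled until restart.'
        }
    }
    return $true
}

Test-NotPetyaArtifacts | Format-Table -AutoSize
Write-Host ("SMBv1 server enabled before change: {0}" -f (Get-Smb1ServerEnabled))
Disable-Smb1Server | Out-Null
Write-Host ("SMBv1 server enabled after change:  {0}" -f (Get-Smb1ServerEnabled))
```

The same read-back pattern can be pushed to many hosts with Invoke-Command, giving per-machine success or failure instead of waiting on a policy refresh.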
Remove Persistent Administrative Access
To minimize the damage of future ransomware attacks, RED Systems Management can control local and domain group membership en masse with its Local Members and Global Members functionality. This process helps stop the re-use of high-powered credentials that grant elevated access to critical systems.
If elevated access is later required, RED Identity Management (which, along with RED Systems Management, is part of the Lieberman RED Suite) can temporarily elevate a credential to a minimally privileged group. It can then later remove that privilege.
We’d like to invite you to try RED Systems Management for yourself and see how it can help protect you from cyber attacks. A free, fully functional trial version is available at https://liebsoft.com/free-trials/.
By Chris Stoneff, Vice President Technical Management, Lieberman Software
Chris Stoneff oversees product management, quality assurance and technical support at Lieberman Software, and is instrumental in guiding the development of the Lieberman Software products portfolio.
If you like this topic, please subscribe to our Cyber Defense Newsletter.