Update on the initial infection vector of the Petya ransomware campaign
From reports and analysis performed to date, this version of the ransomware appears to have been delivered via a malicious software update for My Electronic Document (M.E.Doc), accounting software used by companies based in Ukraine. It appears that almost all affected organisations can be linked back to Ukraine through either direct or indirect connections. While only a relatively small number of organisations have been impacted globally, for those affected the impact has been severe.
Some of the initial confusion regarding delivery mechanisms was caused by the public reporting of companies which have networks located within the Ukraine. The propagation mechanism allowed the malware to spread via the corporate network to offices in other countries, where the incidents were publicly reported.
Once devices are infected, the ransomware collects credentials and leverages publicly known vulnerabilities in Microsoft Windows as well as common administrative tools for lateral movement. Microsoft published patches to mitigate these vulnerabilities in March 2017.
It is important to note that this is an example of where a lack of patching and continued use of outdated protocols presents a significant risk to organisational IT security.
The ACSC's recommendations have not changed and are available below.
Update on the impact of the Petya ransomware campaign
We are aware of media reports regarding three allegedly affected companies in Australia and have reached out to offer assistance. CERT Australia has made contact with all of these organisations.
Reporting from the international CERT community indicates that only a relatively small number of victims have been impacted globally.
However, many of the affected organisations are large, multinational companies, and the impact on them has been severe, with the effects being seen in multiple countries.
Update on Petya ransomware campaign
The ACSC is aware of a large-scale ransomware campaign that is impacting organisations globally. The campaign is variously known as "Petya", "NotPetya", "SortaPetya", "Petna" or "GoldenEye". Information regarding this campaign has been provided on the ACSC news portal.
The ransomware leverages publicly known vulnerabilities in Microsoft Windows as well as common lateral movement techniques utilising administrative tools. Microsoft published patches to mitigate these vulnerabilities in March 2017.
The ACSC recommends undertaking the following actions:
- Apply MS17-010 patches as soon as possible to prevent infection by this ransomware campaign.
- Reconsider the business need for operating SMBv1 and disable the feature wherever possible.
- Investigate disabling Microsoft Office macros via group policy within your organisation. If there is a business need, identify whether allowing only signed macros and centrally managing the signing process fits your needs.
- Investigate deploying Microsoft LAPS, which ensures that each domain-joined host in an organisation has unique Local Administrator credentials, preventing ransomware from using extracted credentials to spread laterally.
- Organisations with application whitelisting, software restriction policies, or endpoint security solutions should investigate placing restrictions on the execution of PsExec via group policy or other third-party tools.
- Review and consider applying the ASD Essential Eight mitigation strategies.
- Review the ETERNALBLUE and DOUBLEPULSAR fact sheet and undertake appropriate remediation.
- Review logs for unusual SMB traffic.
- Review logs for unusual usage of the WMI or psexec tools.
- Ensure that important data is backed up to an offline location.
Additionally, Microsoft has released advice and a special hotfix for Windows XP, Server 2003, and Windows 8 RTM.
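The host-level items in the list above (MS17-010, SMBv1, Office macros, LAPS, PsExec) can be checked on a single machine with a read-only audit script. The following is an added example written for this page, not ACSC or Microsoft tooling; it assumes an elevated session, Office 2016 registry paths (16.0) and the default install path of the Microsoft LAPS client-side extension, and the MS17-010 KB identifiers for your OS builds must be supplied by the caller.

```powershell
# Added example: read-only audit of one Windows host against the ACSC recommendations.
# Assumptions: elevated PowerShell 3+, Office 2016 policy paths, default LAPS CSE path.
param(
    # Constructed placeholder; replace with the MS17-010 KB IDs for your OS builds.
    [string[]]$Ms17010Kbs = @('KB-PLACEHOLDER-MS17-010')
)

$findings = @()

# 1. MS17-010: is at least one of the supplied KB IDs installed?
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if (-not $installed) { $findings += 'MS17-010: none of the supplied KB IDs are installed' }

# 2. SMBv1: the server-side protocol switch and (on client OS) the optional feature
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol enabled (fix: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force)'
}
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') { $findings += 'SMB1Protocol optional feature is installed' }

# 3. Office macros: VBAWarnings 4 = disabled without notification, 3 = signed macros only
$officePaths = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security',
               'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security'
foreach ($p in $officePaths) {
    $v = (Get-ItemProperty -Path $p -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    if ($v -notin 3, 4) { $findings += "Macros not restricted by policy at $p (VBAWarnings=$v)" }
}

# 4. LAPS: the client-side extension DLL is present on hosts where LAPS is deployed
if (-not (Test-Path "$env:ProgramFiles\LAPS\CSE\AdmPwd.dll")) {
    $findings += 'LAPS client-side extension (AdmPwd.dll) not found'
}

# 5. PsExec: a PSEXESVC service on the host is evidence of recent PsExec use
if (Get-Service -Name PSEXESVC -ErrorAction SilentlyContinue) {
    $findings += 'PSEXESVC service exists on this host (recent PsExec execution)'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No findings' }
```

On Windows Server the SMBv1 feature is queried with Get-WindowsFeature FS-SMB1 instead of Get-WindowsOptionalFeature; adjust the Office version segment of the registry paths to match your deployment.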
Initial Infection Vector
From the reports and analysis performed to date, the initial infection vector has not been clearly identified. Initial reports suggest multiple delivery mechanisms via:
- updates for the M.E.Doc software (popular in Ukraine);
- the ETERNALBLUE exploit using the SMBv1 protocol; and
- phishing emails containing macro enabled Microsoft Office documents.
The malware has been seen infecting other devices on the network via the ETERNALBLUE exploit using the SMBv1 protocol.
Initial reports suggest that the malware uses the NetBIOS name cache in addition to DHCP information to identify computers and servers on the network which are then checked for open TCP ports 445 and 139.
Public reporting has identified a possible 'vaccine' mechanism. There are conflicting reports on the effectiveness and technical detail of this alleged vaccine. Even if it provides protection against Petya it is highly unlikely that this 'vaccine' would be effective against any other form of ransomware.
Once infected, the malware creates a scheduled task to sleep between 10 and 60 minutes before a reboot is triggered.
The malware clears system logs to make further analysis more difficult.
When the malware has completed the reboot, it encrypts files on the computer.
The malware also encrypts the master boot record (MBR) to prevent offline tampering or file recovery and adds custom boot code. This code prevents users from loading the computer beyond the ransom screen shown below.
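The log review items recommended earlier (unusual WMI or PsExec usage) and the behaviour described in this section (a scheduled task that triggers a reboot, clearing of system logs) map to specific Windows event IDs. The following hunt script is an added example for this page, not ACSC or Microsoft tooling; it assumes an elevated session and that process creation auditing (Security 4688) with command-line logging is enabled, which it is not by default.

```powershell
# Added example: hunt one host's event logs for PsExec/WMI lateral movement,
# a scheduled reboot task, and log clearing. Assumes elevated PowerShell 3+ and
# that Security 4688 (process creation) auditing is enabled with command lines.
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)
$hits = @()

function Find-Events {
    param([string]$Log, [int[]]$Ids)
    Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = $Ids; StartTime = $since } -ErrorAction SilentlyContinue
}
function Add-Hit { param($Event, [string]$What)
    $script:hits += [pscustomobject]@{ Time = $Event.TimeCreated; What = $What; Detail = ($Event.Message -split "`n")[0] }
}

# PsExec installs its remote service as PSEXESVC: System 7045 "A service was installed"
foreach ($e in Find-Events -Log 'System' -Ids 7045) {
    if ($e.Message -match 'PSEXESVC') { Add-Hit $e 'PsExec service installed' }
}

# WMI remote execution: child of WmiPrvSE.exe, or wmic "process call create"
foreach ($e in Find-Events -Log 'Security' -Ids 4688) {
    if ($e.Message -match 'WmiPrvSE\.exe' -or $e.Message -match 'process\s+call\s+create') {
        Add-Hit $e 'Process launched via WMI'
    }
}

# Scheduled task created (Security 4698) whose action runs shutdown.exe, i.e. a delayed reboot
foreach ($e in Find-Events -Log 'Security' -Ids 4698) {
    if ($e.Message -match 'shutdown\.exe') { Add-Hit $e 'Scheduled task invokes shutdown.exe' }
}

# Log clearing: Security 1102 (audit log cleared) and System 104 (event log cleared)
foreach ($e in Find-Events -Log 'Security' -Ids 1102) { Add-Hit $e 'Security log cleared' }
foreach ($e in Find-Events -Log 'System' -Ids 104)    { Add-Hit $e 'System/other log cleared' }

$hits | Sort-Object Time | Format-Table -AutoSize
```

Run it across fleet hosts with Invoke-Command and compare the results against known administrative activity; a PSEXESVC install or a shutdown task appearing on many hosts within minutes is the pattern to escalate.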
Petya ransomware campaign impacting organisations globally
The ACSC is aware of a global ransomware campaign, Petya. Ransomware is malicious software that makes data or systems unusable until the victim makes a payment.
We are working to confirm reports of two affected companies in Australia and we are reaching out to offer assistance. We are working with our international counterparts to understand the scope and impact.
Early reports indicate the Petya ransomware appears to leverage the same vulnerability as WannaCry.
- Patch/update systems immediately, including Microsoft operating systems. Using unpatched and unsupported software increases the risk of cyber security threats such as ransomware.
- Back up your data. If you do not have backups in place, you can arrange to use an off-site backup service. This is good practice for all users.
- Ensure your antivirus software is up-to-date.
- Individuals and organisations should not pay the ransom. Reports indicate that the contact email address provided in the ransom message has been disabled, which means the files are highly unlikely to be recovered by paying the ransom.
All organisations - large and small - need to examine their cyber security posture and have arrangements in place to protect the security of their information systems.
The Australian Cyber Security Centre has advised that, if you are affected by the Petya ransomware incident, you should contact your service provider immediately. Small businesses can contact ACORN (Australian Cybercrime Online Reporting Network). Large organisations are advised to follow their normal procedures and report to the Australian Cyber Security Centre (ACSC) via the number 1300 CYBER1.
We continue to monitor the situation closely for any impact and will provide updates as necessary.
Organisations can minimise the risk of being infected by exploits taking advantage of unpatched vulnerabilities by following the Australian Signals Directorate's Strategies to Mitigate Cyber Security Incidents. These strategies include, but are not limited to:
- patching operating systems and applications to the latest versions
- backing up important data on a daily basis to an offsite location
- implementing application whitelisting to prevent execution of untrusted code
- restricting administrator privileges.
Further ASD advice, such as the Essential Eight Explained, Detecting Socially-Engineered Emails, Minimising Admin Privileges Explained and Application Whitelisting Explained, is available from the ASD Publications page.