Is Petya Making You WannaCry? How to Protect Against This Ransomware

Posted by: Katherine Brocklehurst on July 11, 2017

Petya ransomware surfaced publicly in June 2017, starting in Ukraine, rapidly moving to Europe and now into the United States. This global ransomware epidemic not only encrypts your systems, essentially denying you access to everything they hold; it also “wipes” (overwrites) the hard drive’s master boot record (MBR) so that the system cannot boot its operating system. Without a backup, the system is dead and all its data lost. Some researchers believe that even if the Bitcoin ransom were paid and keys obtained, they would not work to decrypt and restore your systems.

Global victims of Petya and its variants include power companies, airports and public transit. Known victims include a state-run aircraft manufacturer in Ukraine, the Kiev airport, advertising company WPP in the UK, Danish shipping and energy company Maersk, the Central Bank, pharmaceutical company Merck, Rosneft, a Russian oil company, and U.S. law firm DLA Piper.

Maersk was debilitated and has been gradually recovering. On its blog, it has kept customers and the public apprised. It confirmed the Petya attack and apologized for losing visibility into the cargo in its custody. Maersk’s sobering comments imply the extent of the business damage it and many others are experiencing.

Image showing global spread of Petya. (Source: MTBW Services, Inc.)

FireEye, a cybersecurity and malware protection company, has said ransomware attacks were up 35 percent in 2016, and that figure will likely adjust even higher for 2017. Russian multinational cybersecurity and anti-virus firm Kaspersky Labs warns that attackers have pivoted away from individual users and are aiming at businesses as more lucrative ransomware targets. In April 2016, the Board of Power and Light in Lansing, Michigan was hit with ransomware and ended up paying a ransom to get its systems back online. For every headline, there are hundreds of incidents that never come to public attention.

Kaspersky first discovered Petya in May 2016 (it is also called Petrwrap and ExPetr, and a new variant is known as NotPetya). This destructive ransomware is also a “worm,” like WannaCry, and can similarly exploit a Microsoft Windows Server Message Block 1.0 (SMBv1) server vulnerability termed “EternalBlue” to spread quickly to other computers on the network. The EternalBlue vulnerability allows remote code execution when an attacker sends specially crafted messages to an SMBv1 server. EternalBlue is widely believed to be the work of the U.S. National Security Agency (NSA); it was leaked by a hacker group called the Shadow Brokers in April 2017.

However, a significant difference from WannaCry, according to Wendy Whitmore of IBM, is that Petya does not require the SMB vulnerability to spread. Even when it cannot leverage the SMB vulnerability, Petya can still move laterally by harvesting credentials from the infected system and using PsExec and WMIC (native remote administration tools) to gain access to other systems on the network.

The black and red ransom note that gets displayed on screens of Microsoft Windows computers infected with Petya. (Source: Krebsonsecurity.com)

Unlike other strains, Petya could also be termed a “wiper”: malware designed for destruction, not just disruption and profit, because it also overwrites and corrupts the hard drive’s MBR so that the system cannot boot its operating system.

Microsoft released a patch for the EternalBlue vulnerability in March 2017 (MS17-010). Organizations and individuals who have not yet applied the Windows update for EternalBlue are advised to patch now. Many who delayed installing the patch were later hit in May with WannaCry ransomware.

Is Your System At Risk? The Steps to Take

Without a doubt, there is no better advice than the highly unhelpful “patch your systems,” and given the rapid adaptability and velocity we’re seeing in the threat landscape, it’s very likely not the last time you’ll see those words in print. Here are suggestions from the experts at both Belden and Tripwire (a Belden company).

Microsoft’s security bulletin MS17-010 will broaden your understanding of the vulnerability being exploited and help you figure out how much risk you carry. There are also helpful Knowledge Base and CVE links embedded in the bulletin.

The table below identifies, by Microsoft Knowledge Base number, the updates that close the EternalBlue server message block (SMB) vulnerability leveraged by Petya, WannaCry and others, for the versions of Microsoft Windows you wouldn’t want to lose to ransomware. Use it to narrow down the patches to install across the environment to those that specifically address this vulnerability. If the patch is already installed, your system is safe from this vector for the time being. This would be an especially useful task for IT to help with.

MS Knowledge Base Number   Platform
------------------------   --------------------------------------------------------------------
4012212                    Windows 7 SP1; Windows Server 2008 R2 SP1
4012213                    Windows 8.1; Windows Server 2012 R2
4012214                    Windows Server 2012
4012215                    Windows 7 SP1; Windows Server 2008 R2 SP1
4012216                    Windows 8.1; Windows Server 2012 R2
4012217                    Windows Server 2012
4012598                    Windows XP; Windows Vista; Windows 8; Windows Server 2003 SP2; Windows Server 2008
4013429                    Windows 10 Version 1607; Windows Server 2016
4015217                    Windows 10 Version 1607; Windows Server 2016
4015438                    Windows 10 Version 1607; Windows Server 2016
4015549                    Windows 7 SP1; Windows Server 2008 R2 SP1
4015550                    Windows 8.1; Windows Server 2012 R2
4015551                    Windows Server 2012
4015552                    Windows 7 SP1; Windows Server 2008 R2 SP1
4015553                    Windows 8.1; Windows Server 2012 R2
4016635                    Windows 10 Version 1607; Windows Server 2016
4019215                    Windows 8.1; Windows Server 2012 R2
4019216                    Windows Server 2012
4019264                    Windows 7 SP1; Windows Server 2008 R2
4019472                    Windows 10 Version 1607; Windows Server 2016
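
One way to turn the table into a check is to ask each Windows host whether any of the listed updates is installed. The following is an added Windows PowerShell example, not code from the article, Belden or Tripwire; the KB numbers are the ones from the table, and nothing else about the hosts is assumed.

```powershell
# Added example (not the article's or Tripwire's code): check whether one of the
# MS17-010 updates listed in the table above is installed on one or more Windows hosts.
# KB numbers come from the table; everything else is generic Windows PowerShell.

$Ms17010Kbs = @(
    'KB4012212', 'KB4012213', 'KB4012214', 'KB4012215', 'KB4012216', 'KB4012217',
    'KB4012598', 'KB4013429', 'KB4015217', 'KB4015438', 'KB4015549', 'KB4015550',
    'KB4015551', 'KB4015552', 'KB4015553', 'KB4016635', 'KB4019215', 'KB4019216',
    'KB4019264', 'KB4019472'
)

function Test-Ms17010Installed {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [string[]]$KbList = $Ms17010Kbs
    )
    foreach ($computer in $ComputerName) {
        # Get-HotFix reads Win32_QuickFixEngineering; with -Id it raises a
        # non-terminating error when none of the IDs is present, hence SilentlyContinue.
        $found = Get-HotFix -Id $KbList -ComputerName $computer -ErrorAction SilentlyContinue
        $os    = Get-WmiObject Win32_OperatingSystem -ComputerName $computer -ErrorAction SilentlyContinue
        $caption = 'unreachable'
        if ($os) { $caption = $os.Caption }

        New-Object PSObject -Property @{
            ComputerName = $computer
            OS           = $caption
            Ms17010Kbs   = (($found | Select-Object -ExpandProperty HotFixID) -join ',')
            Patched      = [bool]$found
        }
    }
}

# Local host by default; pass -ComputerName with a list of names to sweep a plant network.
Test-Ms17010Installed | Format-Table ComputerName, OS, Patched, Ms17010Kbs -AutoSize
```

Two caveats a practitioner should keep in mind: Get-HotFix only reports updates recorded in Win32_QuickFixEngineering, and on Windows 10 and Server 2016 the listed KBs are superseded by later cumulative updates, so a "not patched" result there is a prompt to check Windows Update or WSUS history rather than proof of exposure. On Windows 7, 8.1 and the server editions the result is directly actionable: a host with none of the KBs and an SMBv1 service reachable from the network is the one to patch first.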

5 Cyber Security Tips to Consider

Given the suggestions outlined here, this may also be a good time to call your IT team and get proactive about making sure they understand your specific needs and environment. They may be able to help complete the tasks outlined below efficiently and quickly. In addition, these fast-moving attacks are keeping researchers busy as new facets turn up in the behavior of various strains of Petya and others, so your IT team may have a finger on the pulse for late-breaking updates and what to do about them in the plant.

1. Disable SMBv1

The vulnerability being exploited is in the way Windows handles SMB connections. By disabling SMBv1 entirely on systems that do not rely on it, you can protect those systems without having to install a patch. But beware that Petya doesn’t necessarily need the SMBv1 vulnerability, so also look at how you protect credentials and prevent unauthorized traversal across your networks. A secure zone protected by Tofino Xenon could thwart both ingress and egress. And it’s still a good idea to disable SMB connections where not needed, because SMB is a common method used by these strains of ransomware.

The easiest way to accomplish this on 2008 R2 and earlier systems is to set the following two registry keys to 0, which will disable the appropriate versions.

On more recent systems, the following two commands will disable SMBv1:

For more information on enabling and disabling SMB, see Microsoft’s Support article on the topic. Tripwire can tell whether SMB is enabled and which version, and has other indicators of compromise built in. That content is available from Tripwire’s Customer Support Portal.
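
The procedure above (registry value on 2008 R2 and earlier, cmdlets on newer systems, then verify) can be scripted so that the same check runs on every host. What follows is an added Windows PowerShell example, not the article’s own registry keys or commands; it uses the SMB1 value under LanmanServer\Parameters and the Set-SmbServerConfiguration cmdlet that Microsoft documents for this purpose, and the version split at kernel 6.2 is the example’s own choice.

```powershell
# Added example (not the article's own registry keys or commands): disable the
# server side of SMBv1 and verify the result. Two code paths, following Microsoft's
# documented methods:
#   - Windows 7 / Server 2008 R2 and earlier: the SMB1 DWORD under
#     LanmanServer\Parameters (0 = disabled; Microsoft says to restart afterwards).
#   - Windows 8 / Server 2012 and later: Set-SmbServerConfiguration.
# Run from an elevated Windows PowerShell prompt.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-LegacyWindows {
    # Kernel version below 6.2 means Windows 7 / Server 2008 R2 or older.
    $ver = [version](Get-WmiObject Win32_OperatingSystem).Version
    return ($ver -lt [version]'6.2')
}

function Get-Smb1ServerState {
    if (Test-LegacyWindows) {
        $value = (Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        # On these systems an absent value means SMBv1 is enabled (the default).
        $enabled = ($null -eq $value) -or ($value -ne 0)
    }
    else {
        $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        Smb1Enabled = [bool]$enabled
    }
}

function Disable-Smb1Server {
    if (Test-LegacyWindows) {
        # -Force overwrites an existing value; the change takes effect after a restart.
        New-ItemProperty -Path $LanmanParams -Name SMB1 -PropertyType DWORD -Value 0 -Force | Out-Null
        Write-Warning 'SMB1 registry value set to 0; restart the system for it to take effect.'
    }
    else {
        # Takes effect immediately; -Force suppresses the confirmation prompt.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

Get-Smb1ServerState     # before
Disable-Smb1Server
Get-Smb1ServerState     # after (on newer systems Smb1Enabled is now False)
```

This only switches off the SMBv1 server, which is what the EternalBlue exploit talks to. Microsoft’s article also documents disabling the SMBv1 client driver (mrxsmb10) with sc.exe on older systems, and on Windows 8.1 / Server 2012 R2 and later the component can be removed outright with Disable-WindowsOptionalFeature or Remove-WindowsFeature. Before doing either on a plant network, inventory which legacy devices (old HMIs, historians, network printers) still speak only SMBv1, because they will lose access to that host’s shares.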

Tofino Security (another Belden company and part of the industrial cyber security solution portfolio) can disallow SMB connections and prevent ingress or even egress of SMB connection requests if configured to do so. Sample rules for Tofino are available from Belden’s support organization – ask for Tofino experts.

2. Block SMB Firewall Ports

Another option to help protect against this strain of malware is to block the ports on which SMB relies for communication. The ports used for SMB are TCP 139 and 445.

Belden’s Hirschmann and GarrettCom firewalls (as well as Tofino Xenons) can set and enforce this rule. Again, you can get assistance setting the appropriate firewall rules by contacting the backline support linked above. Tripwire also has a log solution that can passively receive all types of ICS system syslogs. Upon detecting potential threats the Log Center can send alerts as well as be a source of forensics, if needed.
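
As a host-level counterpart to the perimeter rule described above, the built-in Windows Firewall can block the same ports on each machine. The following is an added Windows PowerShell example, not a Belden, Hirschmann or Tofino rule; it uses the NetSecurity cmdlets available on Windows 8 / Server 2012 and later, and the rule name prefix is constructed for the example.

```powershell
# Added example (not from the article): host-level block of the SMB ports
# (TCP 139 and 445) using the built-in NetSecurity cmdlets. It first lists who is
# using SMB on this host right now, then creates the block rules, then reads them back.
# The rule name prefix is constructed for this example.

$RulePrefix = 'Block-SMB-Ransomware'

function Get-ActiveSmbSessions {
    # Check before blocking: established SMB connections that the rules would cut.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { ($_.LocalPort -in 139, 445) -or ($_.RemotePort -in 139, 445) } |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
}

function Set-SmbBlockRules {
    # Inbound: nobody may reach this host's SMB service, so filter on the local port.
    if (-not (Get-NetFirewallRule -Name "$RulePrefix-In" -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Name "$RulePrefix-In" -DisplayName "$RulePrefix-In" `
            -Direction Inbound -Protocol TCP -LocalPort 139, 445 -Action Block -Profile Any | Out-Null
    }
    # Outbound: this host may not open SMB to others (the lateral-movement direction),
    # so filter on the remote port; the local port is ephemeral.
    if (-not (Get-NetFirewallRule -Name "$RulePrefix-Out" -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Name "$RulePrefix-Out" -DisplayName "$RulePrefix-Out" `
            -Direction Outbound -Protocol TCP -RemotePort 139, 445 -Action Block -Profile Any | Out-Null
    }
}

function Get-SmbBlockRules {
    # Read back the rules together with their port filters to confirm what is enforced.
    Get-NetFirewallRule -Name "$RulePrefix-*" -ErrorAction SilentlyContinue | ForEach-Object {
        $ports = $_ | Get-NetFirewallPortFilter
        New-Object PSObject -Property @{
            Name       = $_.Name
            Direction  = $_.Direction
            Action     = $_.Action
            Enabled    = $_.Enabled
            LocalPort  = ($ports.LocalPort  -join ',')
            RemotePort = ($ports.RemotePort -join ',')
        }
    }
}

Get-ActiveSmbSessions | Format-Table -AutoSize
Set-SmbBlockRules
Get-SmbBlockRules | Format-Table Name, Direction, Action, Enabled, LocalPort, RemotePort -AutoSize
```

Run the session listing first and read it: a domain-joined workstation needs outbound 445 to its domain controllers for Group Policy and SYSVOL, and a file server or historian needs inbound 445 from its clients, so apply the rules only to hosts that do not legitimately serve or consume SMB, or narrow them with -RemoteAddress to the zones the article describes. Windows evaluates block rules ahead of allow rules, so an existing allow rule will not override these.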

3. Assure Current Backups, Test That They Restore Properly

Backups should be running consistently; find the latest one and check how old it is. If you can lay hands on it, test that it restores accurately. Tripwire can verify whether backups are scheduled to run and when the last backups were performed on your Windows systems.

4. Check With Your ICS Vendor

There may be components from your ICS vendor, such as an HMI or data historian, that could be running on vulnerable Windows OS. Get help from your ICS equipment manufacturers.

5. Update Your Antivirus

Though a somewhat outdated security control, antivirus still has a place, especially on Windows-based systems. Most of the major antivirus vendors have developed signatures for many strains of recent malware and ransomware. Contact them to get the right version of their software and signatures for EternalBlue and other vulnerabilities. This is another good task for IT to assist with.

Tripwire can detect whether antivirus is in place and, if present, whether it is running. This could be a great way to verify that the right version is in fact in use on the systems Tripwire monitors. Attackers often disable antivirus to hide their tracks, although this has not been seen in these ransomware variants. Still, it’s something important to confirm for some systems.
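
For hosts that are not under a monitoring product, the same three questions (is antivirus present, is it running, are its signatures current) can be answered locally. The following is an added Windows PowerShell example, not Tripwire’s check; it reads Windows Defender through Get-MpComputerStatus and third-party products through the Security Center WMI provider, and the productState bit decoding and the 3-day signature age threshold are the example’s own assumptions.

```powershell
# Added example (not from the article): a quick local check that an antivirus
# engine is present, running and has current signatures. Windows Defender is read
# through Get-MpComputerStatus; third-party products on client editions of Windows
# are read from the Security Center WMI provider. The productState decoding is the
# widely used but undocumented bit layout, so treat it as a heuristic.

function Get-AvStatus {
    param([int]$MaxSignatureAgeDays = 3)   # constructed threshold; tune to your update cadence
    $results = @()

    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        try {
            $mp = Get-MpComputerStatus -ErrorAction Stop
            $results += New-Object PSObject -Property @{
                Product           = 'Windows Defender'
                RealTimeOn        = [bool]($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)
                SignaturesCurrent = [bool]($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)
                Detail            = "signature age $($mp.AntivirusSignatureAge) day(s)"
            }
        }
        catch {
            # Defender is present but inactive (e.g. a third-party product owns the host).
            $results += New-Object PSObject -Property @{
                Product = 'Windows Defender'; RealTimeOn = $false; SignaturesCurrent = $false
                Detail  = "inactive: $($_.Exception.Message)"
            }
        }
    }

    # root\SecurityCenter2 exists only on client editions; the error is suppressed on servers.
    $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in $products) {
        $state = [int]$p.productState
        $results += New-Object PSObject -Property @{
            Product           = $p.displayName
            RealTimeOn        = (($state -band 0x1000) -ne 0)   # bit 0x1000 set: real-time protection on
            SignaturesCurrent = (($state -band 0x10) -eq 0)     # bit 0x10 set: definitions out of date
            Detail            = ('productState 0x{0:X6}' -f $state)
        }
    }
    return $results
}

function Test-AvHealthy {
    # Healthy = at least one product with real-time protection on and current signatures.
    param([int]$MaxSignatureAgeDays = 3)
    $ok = Get-AvStatus -MaxSignatureAgeDays $MaxSignatureAgeDays |
        Where-Object { $_.RealTimeOn -and $_.SignaturesCurrent }
    return [bool]$ok
}

Get-AvStatus | Format-Table Product, RealTimeOn, SignaturesCurrent, Detail -AutoSize
"Antivirus healthy: $(Test-AvHealthy)"
```

A "healthy" result here only means an engine is running with fresh definitions; it says nothing about whether the vendor’s signatures cover a given strain, which is the question to put to the vendor as the article suggests. Running the check on a schedule and alerting when Test-AvHealthy flips to False is a cheap way to catch the case the article mentions, antivirus being disabled on a host.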

Summary

Every cyber security defender, researcher, security firm and news report is saying the same thing: increasingly sophisticated and targeted attacks are arriving at faster velocity, are able to remove evidence of their actions, can call home undetected and can even morph in place. Defenders must be ever-vigilant because, as we know, the adversary only needs to win once.

Tags: Petya, WannaCry, Ransomware, ICS Security, ICS Cyber Security, ICS Cybersecurity, Industrial Security, Petrwrap, ExPetr, NotPetya, EternalBlue, Microsoft Windows SMB Vulnerability, Bitcoin, Ransom
