Detecting Petya/NotPetya Ransomware

Petya / NotPetya Poses Risk to Even Patched Systems

On the morning of June 27, 2017, a new ransomware outbreak—similar to the recent WannaCry malware—was discovered in the Ukraine. The malware quickly spread across Europe, affecting varied industries such as banks, government, retail, and power, among others.

Although at first, it seemed that the ransomware was a variant of the Petya family, researchers have determined that they are not related, and have now named the malware “NotPetya.” This ransomware is potentially more devastating than WannaCry, as it does not require vulnerable, unpatched systems to spread on the local network.

Our analysis is ongoing, but this post serves to emphasize the danger to existing patched systems. A thorough analysis and any updates will be posted as new information is discovered.

Petya / NotPetya Tools, Techniques, and Procedures (TTPs)

After infection on the initial victim, NotPetya enumerates all saved SMB credentials on the system and uses these credentials to log onto other machines on the local network. Because the ransomware uses existing SMB credentials to connect to the systems, even patched Windows machines are subject to infection.

Click images to expand

Figure 1: SMB Credential Enumeration

Figure 1. SMB Credential Enumeration

NotPetya can infect additional network systems in one of two ways:

  • Using the remote administration tool “psexec” to execute the malware on the remote host:
psexec -accepteula -s -d c:\windows\system32\rundll32.exe "C:\Windows\<filename>\,#1"
  • Using the built-in Windows Management Instrumentation Command-line tool (WMIC):
c:\windows\system32\wbem\wmic.exe /node:"<node>" /user:"<user>" /password:"<password>" process call create "C:\Windows\System32\rundll32.exe "C:\Windows\<file>\" #1

In the case of the first method, NotPetya attempts to write a copy of the Windows Sysinternals tool “psexec,” which is embedded in its resource section, to %WinDir%\dllhost.dat.

The second method uses WMIC, which is included by default on Windows systems, and allows for connection to remote systems to perform administrative tasks. In the command above, the malware connects to the (IP address or hostname) using the and credentials, and executes the NotPetya DLL on the remote system.

Differences Between Petya / NotPetya and WannaCry Ransomware

Unlike WannaCry, this version of NotPetya does not require vulnerability to the EternalBlue SMB exploit in order to spread to other systems on a network. Successful infection of one host allows the ransomware to spread to any connected systems for which the infected system has SMB credentials. Therefore, patching the SMB vulnerability and disabling SMBv1 will not prevent the spread of the malware as in WannaCry.

AI Engine Rules for Detecting Petya / NotPetya Ransomware

The following are AI Engine rules LogRhythm customers can use to detect elements of NotPetya infection and propagation.

Figure 2: Petya Commands

Figure 2. Petya Commands

Figure 3: Petya File Prep

Figure 3. Petya File Prep

Figure 4: Petya Hash Values

Figure 4. Petya Hash Values

Figure 5: Petya Process Progression

Figure 5. Petya Process Progression

Instructions for Importing AI Engine Rules

Download AI Engine Rules for LogRhythm 7.2

Download AI Engine Rules for LogRhythm 6.3 or Older

LogRhythm Labs has created Petya AI Engine Rules for the latest LogRhythm Version, 7.2.5., as well as for LogRhythm Version 6.3 and older. Please find the download for each version above.

Please note: Due to changes from earlier versions, there is one Petya AI Rule (Petya : Hash Values), which will not import properly if the client environment is running a version older than 7.2. LogRhythm Labs recommends the following workaround:

  • Upgrade the client LogRhythm Platform to 7.2.5 and re-enable the Hash Value AI Engine Rule.
  • Recreate the AI Engine Rule using the “ObjectName” metadata field instead of the “Hash” metadata field. The “ObjectName” metadata field was the default metadata field used for listing hash values prior to the creation of the “Hash” metadata field in version 7.2. If there are custom log sources within the client environment that parse hash values to an alternate metadata field, the AI Engine Rule should be modified to reflect that metadata field.

You will also need to be on KB .390 or greater—or else you may have trouble importing the rules.

Now onto the instructions:

Open the LogRhythm Console.

Navigate to the AI Engine Tab via Deployment Manager > AI Engine Tab.

Figure 6: AI Engine Tab

Figure 6: AI Engine Tab

Select the pull-down menu “Actions,” and then select “Import.”

Figure 7: Pull-Down Menu

Figure 7: Pull-Down Menu > Actions > Import

Select the .airx (AI Rules File Format) files you wish to import, and select “Open.”

Figure 8: Import .airx Files

Figure 8: Import .airx Files

Upon a successful import, you will be presented with the following pop-up window:

Figure 9: Confirmation

Figure 9: Confirmation

It is possible that an error will appear stating that the KB version is out of date with the AI Engine Rules selected for import. If this occurs, upgrade your KB to the latest version, and perform this procedure again.

Check back to our blog for ongoing information and technical analysis of Petya / NotPetya ransomware.

Additional Content

LogRhythm Labs has also created a Network Monitor Deep Packet Analytics (DPA) Rule to detect the lateral movement of Petya. This can be used with the enterprise version or with NetMon Freemium.

Download DPA Rule for Petya

Acknowledgements

Thanks to LogRhythm Labs team members Erika Noerenberg, Nathanial Quist, and Andrew Costis for their continued work analyzing and reporting on Petya / NotPetya ransomware.