Petya / NotPetya Poses Risk to Even Patched Systems
On the morning of June 27, 2017, a new ransomware outbreak—similar to the recent WannaCry malware—was discovered in the Ukraine. The malware quickly spread across Europe, affecting varied industries such as banks, government, retail, and power, among others.
Although at first, it seemed that the ransomware was a variant of the Petya family, researchers have determined that they are not related, and have now named the malware “NotPetya.” This ransomware is potentially more devastating than WannaCry, as it does not require vulnerable, unpatched systems to spread on the local network.
Our analysis is ongoing, but this post serves to emphasize the danger to existing patched systems. A thorough analysis and any updates will be posted as new information is discovered.
Petya / NotPetya Tools, Techniques, and Procedures (TTPs)
After infection on the initial victim, NotPetya enumerates all saved SMB credentials on the system and uses these credentials to log onto other machines on the local network. Because the ransomware uses existing SMB credentials to connect to the systems, even patched Windows machines are subject to infection.
Figure 1. SMB Credential Enumeration (Click on images to view larger.)
NotPetya can infect additional network systems in one of two ways:
- Using the remote administration tool “psexec” to execute the malware on the remote host:
- Using the built-in Windows Management Instrumentation Command-line tool (WMIC):
In the case of the first method, NotPetya attempts to write a copy of the Windows Sysinternals tool “psexec,” which is embedded in its resource section, to %WinDir%\dllhost.dat.
The second method uses WMIC, which is included by default on Windows systems, and allows for connection to remote systems to perform administrative tasks. In the command above, the malware connects to the
Differences Between Petya / NotPetya and WannaCry Ransomware
Unlike WannaCry, this version of NotPetya does not require vulnerability to the EternalBlue SMB exploit in order to spread to other systems on a network. Successful infection of one host allows the ransomware to spread to any connected systems for which the infected system has SMB credentials. Therefore, patching the SMB vulnerability and disabling SMBv1 will not prevent the spread of the malware as in WannaCry.
AI Engine Rules for Detecting Petya / NotPetya Ransomware
The following are AI Engine rules LogRhythm customers can use to detect elements of NotPetya infection and propagation.
Figure 2. Petya Commands
Figure 3. Petya File Prep
Figure 4. Petya Hash Values
Figure 5. Petya Process Progression
Instructions for Importing AI Engine Rules
LogRhythm Labs has created Petya AI Engine Rules for the latest LogRhythm Version, 7.2.5., as well as for LogRhythm Version 6.3 and older. Please find the download for each version above.
Please note: Due to changes from earlier versions, there is one Petya AI Rule (Petya : Hash Values), which will not import properly if the client environment is running a version older than 7.2. LogRhythm Labs recommends the following workaround:
- Upgrade the client LogRhythm Platform to 7.2.5 and re-enable the Hash Value AI Engine Rule.
- Recreate the AI Engine Rule using the “ObjectName” metadata field instead of the “Hash” metadata field. The “ObjectName” metadata field was the default metadata field used for listing hash values prior to the creation of the “Hash” metadata field in version 7.2. If there are custom log sources within the client environment that parse hash values to an alternate metadata field, the AI Engine Rule should be modified to reflect that metadata field.
You will also need to be on KB .390 or greater—or else you may have trouble importing the rules.
Now onto the instructions:
Open the LogRhythm Console.
Navigate to the AI Engine Tab via Deployment Manager > AI Engine Tab.
Figure 6: AI Engine Tab
Select the pull-down menu “Actions,” and then select “Import.”
Figure 7: Pull-Down Menu > Actions > Import
Select the .airx (AI Rules File Format) files you wish to import, and select “Open.”
Figure 8: Import .airx Files
Upon a successful import, you will be presented with the following pop-up window:
Figure 9: Confirmation
It is possible that an error will appear stating that the KB version is out of date with the AI Engine Rules selected for import. If this occurs, upgrade your KB to the latest version, and perform this procedure again.
Check back to our blog for ongoing information and technical analysis of Petya / NotPetya ransomware.
LogRhythm Labs has also created a Network Monitor Deep Packet Analytics (DPA) Rule to detect the lateral movement of Petya. This can be used with the enterprise version or with NetMon Freemium.
Thanks to LogRhythm Labs team members Erika Noerenberg, Nathanial Quist, and Andrew Costis for their continued work analyzing and reporting on Petya / NotPetya ransomware.