Andrew Costis
Threat Research Engineer, LogRhythm Labs

NotPetya Anniversary — Is a Version 2 Coming?

Just over a year ago, the world saw two major ransomware outbreaks in short succession. The first was WannaCry, followed by NotPetya a few weeks later. Unlike WannaCry, NotPetya spread across a network by exploiting devices that were vulnerable to the EternalBlue and EternalRomance SMBv1 exploits. NotPetya also harvested credentials on the victim host and used them to infect additional systems over SMB shares on remote machines.

An Attack on the Horizon

Less than a week ago — almost a year after NotPetya made its mark on numerous victims around the world — Serhiy Demedyuk, the police chief of Ukraine, made a statement that surfaced via a Reuters news article with the following claim: “Hackers from Russia are infecting Ukrainian companies with malicious software to create ‘back doors’ for a large, coordinated attack.” Serhiy Demedyuk also added, “Analysis of the malicious software that has already been identified and the targeting of attacks on Ukraine suggest that this is all being done for a specific day.”

Answering the “When?”

While no technical details of these recent findings have yet been revealed, LogRhythm’s Threat Research team is actively monitoring the situation and looking for evidence of such malware, as well as its respective indicators of compromise (IOCs). The “specific day” referenced above had the potential to be June 28, Constitution Day in Ukraine, but that day has come and gone without incident. However, another possible date for the attack could be August 24, Independence Day in Ukraine. Of course, there is always the possibility that this attack does not happen at all, or that it falls outside of these more meaningful dates.

Detecting NotPetya-Like Movement with LogRhythm

Fortunately, with the recent release of the Current Active Threats (CAT) module, should such an attack occur, the LogRhythm Threat Research team will protect all existing LogRhythm customers via rapid-release updates in the form of AI Engine rules. In addition, with the User and Entity Behavior Analytics (UEBA) module enabled, LogRhythm customers can use the out-of-the-box “Progression rules,” which trigger when a second AI Engine rule fires further along the Cyber Attack Lifecycle. This provides instant risk visibility at the highest level, showing how an attack is progressing in real time. Lastly, NetMon Freemium users can enable a Deep Packet Analytics rule designed specifically to detect NotPetya-based lateral movement over SMB.
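To make the SMB lateral-movement pattern described above concrete, here is an added illustration (not LogRhythm's Deep Packet Analytics rule or any code from the original post) of the core detection idea: one host opening SMB (TCP 445) connections to many distinct peers within a short window, as a worm propagating over SMB shares does. The flow records are constructed for the example; the threshold and window are assumed tuning values, not documented product defaults.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample flow records: (timestamp, src, dst, dst_port).
# 10.0.0.5 fans out to five SMB peers in four seconds (worm-like);
# 10.0.0.7 touches SMB peers slowly and repeatedly (normal admin use);
# 10.0.0.9 fans out on port 80, which the SMB rule must ignore.
SAMPLE_FLOWS = [
    ("2018-06-27T10:00:00", "10.0.0.7", "10.0.0.20", 445),
    ("2018-06-27T10:00:01", "10.0.0.5", "10.0.0.10", 445),
    ("2018-06-27T10:00:02", "10.0.0.5", "10.0.0.11", 445),
    ("2018-06-27T10:00:03", "10.0.0.5", "10.0.0.12", 445),
    ("2018-06-27T10:00:04", "10.0.0.5", "10.0.0.13", 445),
    ("2018-06-27T10:00:05", "10.0.0.5", "10.0.0.14", 445),
    ("2018-06-27T10:00:06", "10.0.0.9", "10.0.0.30", 80),
    ("2018-06-27T10:00:06", "10.0.0.9", "10.0.0.31", 80),
    ("2018-06-27T10:00:06", "10.0.0.9", "10.0.0.32", 80),
    ("2018-06-27T10:00:06", "10.0.0.9", "10.0.0.33", 80),
    ("2018-06-27T10:00:06", "10.0.0.9", "10.0.0.34", 80),
    ("2018-06-27T10:01:30", "10.0.0.7", "10.0.0.21", 445),
    ("2018-06-27T10:01:31", "10.0.0.7", "10.0.0.21", 445),
    ("2018-06-27T10:03:00", "10.0.0.7", "10.0.0.22", 445),
    ("2018-06-27T10:04:30", "10.0.0.7", "10.0.0.23", 445),
    ("2018-06-27T10:06:00", "10.0.0.7", "10.0.0.24", 445),
]


def detect_smb_fanout(flows, threshold=5, window=timedelta(seconds=60)):
    """Return {src: timestamp} for each source that reaches `threshold`
    distinct SMB (445) destinations inside a sliding `window`.
    Repeated connections to the same peer count once."""
    recent = defaultdict(deque)  # src -> deque of (datetime, dst)
    alerts = {}
    for ts_str, src, dst, port in sorted(flows):
        if port != 445 or src in alerts:
            continue
        ts = datetime.fromisoformat(ts_str)
        dq = recent[src]
        dq.append((ts, dst))
        while dq and ts - dq[0][0] > window:  # drop flows outside window
            dq.popleft()
        if len({d for _, d in dq}) >= threshold:
            alerts[src] = ts_str  # first moment the fan-out crossed threshold
    return alerts


if __name__ == "__main__":
    for src, when in detect_smb_fanout(SAMPLE_FLOWS).items():
        print(f"SMB fan-out from {src} at {when}")
```

In a real deployment the threshold has to be tuned against baseline traffic, since backup servers, vulnerability scanners and domain controllers legitimately reach many SMB peers; a progression-style correlation (fan-out following an SMBv1 exploit attempt or a credential-dumping event on the same host) is what separates a worm from a busy administrator.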