Security | Jun 29, 2017
As of Wednesday, June 28, there are a number of updates around NotPetya. Here are a few key observations:
#1 Vaccination Discovered
Cybereason Principal Security Researcher Amit Serper discovered a simple vaccination that prevents the NotPetya ransomware from infecting a computer. Unlike a “kill switch”, which, once triggered, stops every instance of the malware at once, this method is a vaccination: each machine has to be protected individually by creating a local file. Users must create an extensionless file named perfc in C:\Windows and make it read-only. According to Cybereason, “When first run, the NotPetya ransomware searches for its own filename in the C:\windows\ folder, and if it is found, will cease operating.” Because the check keys on the malware's own filename, the vaccine only protects against samples deployed under that name; it is a stopgap, not a substitute for patching and tested backups.
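The vaccination above as a script, added here as an example rather than taken from the original post or from Cybereason. It assumes the file name is exactly perfc with no extension in %SystemRoot% (normally C:\Windows), as the post states, and that it is run from an elevated PowerShell session, since writing into C:\Windows requires administrator rights:

```powershell
#Requires -RunAsAdministrator
# Added example: create and verify the NotPetya vaccine file described above.
# Assumption: the file name is exactly "perfc" (no extension) in %SystemRoot%.

$VaccinePath = Join-Path $env:SystemRoot 'perfc'   # normally C:\Windows\perfc

function Install-NotPetyaVaccine {
    param([string]$Path = $VaccinePath)

    if (-not (Test-Path -LiteralPath $Path)) {
        # -ItemType File creates an empty file; no extension is appended.
        New-Item -Path $Path -ItemType File | Out-Null
    }

    # Read-only, so the file is not removed or overwritten by accident.
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true
}

function Test-NotPetyaVaccine {
    param([string]$Path = $VaccinePath)

    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $item = Get-Item -LiteralPath $Path
    # The malware looks for its exact file name, so "perfc.txt" does not count
    # (an easy mistake when Explorer hides known extensions). Check the name
    # as well as the read-only bit.
    return ($item.Name -eq 'perfc') -and $item.IsReadOnly
}

Install-NotPetyaVaccine
if (Test-NotPetyaVaccine) {
    Write-Output "Vaccine present at $VaccinePath"
} else {
    Write-Warning "Vaccine NOT in place at $VaccinePath"
}
```

Running the script twice is harmless. For a fleet, the same two functions can be pushed through whatever endpoint management tooling is already in place, with Test-NotPetyaVaccine giving a yes/no per host to report back.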
#2 NotPetya Still Spreading
Although the vaccination appears to protect individual machines, it does not stop NotPetya from spreading across a network: already-infected hosts keep probing for new victims, and any machine without the file remains exposed.
According to the June 27, 2017 report from the Verizon Threat Research Advisory Center, the threat can spread in a number of ways:
“Multiple distribution methods have been reported. Petya’s previous initial infection vector has been phishing emails containing weaponized Rich Text Format (RTF) documents designed to exploit CVE-2017-0199. If successful, the Petya ransomware component is downloaded as a Windows Dynamic Link Library (DLL).
Server Message Block (SMB) exploitation has been observed for internal propagation as well as PSEXEC and Windows Management Instrumentation Command-line (WMIC). Multiple sources have attributed the SMB activity to the use of the ETERNALBLUE exploit, but further analysis is required to confirm the exact nature of the SMB exploitation.”
This lateral movement has been confirmed by targeted corporations. For example, Copenhagen-based shipping giant Maersk reported that the malware was able to move laterally through their networks across geographically dispersed operations. Maersk reported outages not only in Denmark, but also the United Kingdom, Ireland and beyond.
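As an added example (not the post's own code, nor Verizon's or Maersk's), here is a small PowerShell hunt for the two lateral-movement tools named in the report, PsExec and WMIC. It relies on two well-known artefacts rather than on anything specific to NotPetya: PsExec installs a service named PSEXESVC on the target, which the Service Control Manager records as System event ID 7045, and a process launched remotely through WMI is created on the target as a child of WmiPrvSE.exe, which Security event ID 4688 shows on Windows versions that log the parent process name. The event objects and sample records are constructed here so the script runs offline; their field names are an assumption of this example, not a Windows schema.

```powershell
# Added example: hunt for PsExec and WMI remote execution in event records.
# Record shape (assumption of this example): Host, Time, EventId, Properties.

function Find-LateralMovement {
    param([Parameter(Mandatory)] [object[]]$Events)

    foreach ($e in $Events) {
        # PsExec: service install of PSEXESVC. PsExec -r renames the service,
        # so this catches default usage only.
        if ($e.EventId -eq 7045 -and $e.Properties.ServiceName -match '^PSEXESVC') {
            [pscustomobject]@{
                Technique = 'PsExec service install'
                Host      = $e.Host
                Time      = $e.Time
                Detail    = "$($e.Properties.ServiceName) -> $($e.Properties.ImagePath)"
            }
        }
        # WMI: anything spawned by the WMI provider host is worth a look;
        # rundll32.exe and cmd.exe children in particular.
        elseif ($e.EventId -eq 4688 -and $e.Properties.ParentProcessName -match '\\WmiPrvSE\.exe$') {
            [pscustomobject]@{
                Technique = 'WMI remote process creation'
                Host      = $e.Host
                Time      = $e.Time
                Detail    = "$($e.Properties.NewProcessName) (parent: WmiPrvSE.exe)"
            }
        }
    }
}

# Constructed sample records (not real telemetry).
$Sample = @(
    [pscustomobject]@{ Host='WS01'; Time='2017-06-27T10:02:11'; EventId=7045
        Properties=@{ ServiceName='PSEXESVC'; ImagePath='%SystemRoot%\PSEXESVC.exe' } }
    [pscustomobject]@{ Host='WS02'; Time='2017-06-27T10:03:40'; EventId=4688
        Properties=@{ ParentProcessName='C:\Windows\System32\wbem\WmiPrvSE.exe'
                      NewProcessName='C:\Windows\System32\rundll32.exe' } }
    [pscustomobject]@{ Host='WS02'; Time='2017-06-27T10:04:02'; EventId=4688
        Properties=@{ ParentProcessName='C:\Windows\explorer.exe'
                      NewProcessName='C:\Windows\System32\notepad.exe' } }
)

Find-LateralMovement -Events $Sample | Format-Table -AutoSize
```

On the sample records the first two are flagged and the notepad launch is not. To run this against a live host, map real events into the same shape, for example with `Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}`, where `$_.Properties[0].Value` is the service name and `$_.Properties[1].Value` the image path; 4688 records are mapped the same way from the Security log. A hit is a lead, not a verdict: administrators use both tools legitimately, so correlate with the account, the source host and the time before calling it an incident.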
See you next month
CNET security reporter Alfred Ng said it succinctly: “The attacks are getting smarter, making more money and being sold as tools. And people are leaving themselves vulnerable. I'll see you in a month for the next massive attack.”
We agree. More attacks are coming and each will have its own challenges.
The key takeaway from recent attacks is not panic or fear. Rather, companies must have an incident response plan and process in place before attacks like these happen.
Guidance Software’s Forensic Security Suite
EnForce Risk Manager is a proactive risk management tool that allows organizations to identify, categorize, and remove sensitive data from unauthorized locations. When ransomware strikes, fewer machines holding sensitive data means fewer machines to decrypt or restore. Next, EnCase Endpoint Security, ranked #1 in Endpoint Detection and Response by Gartner, offers anomaly detection through conditional behavior scans and cloud-based threat intelligence. Ransomware can propagate within ten minutes of evading perimeter-based protection, so organizations need to identify and remediate these threats quickly at the endpoint. Lastly, EnCase Endpoint Investigator helps organizations conduct low-level forensic investigations to establish attack vectors and root cause and to gather intelligence.
Against more advanced forms of attack, ransomware included, security teams need a standalone, best-of-breed EDR solution that integrates with their layered security approach and tools.