Revision history: Update 1 (current): 28th of June, 2017 22:00 (UTC +2)
Q1 Is the Petya attack still in progress?
A: The initial attack vector appears to have been the accounting software M.E.Doc, for which a malicious software update was pushed, that was executed by clients in an automated fashion. Multiple organisations confirmed that this was their initial infection vector. After the initial infection vector Petya can utilize different kind of spreading mechanisms:
Using the EternalBlue and EternalRomance exploits, which are both exploits of the NSA that were published on the 14th of April 2017 by the Shadow Brokers. These exploits can be used to gain unauthorized access to remote Windows systems and execute malicious software with administrative privileges. Using a variety of methods, both legitimate and illegitimate. The following 4 steps are followed by the malware to spread itself:
- Tries to find credentials:
- Method 1: Uses a custom tool to extract credentials from memory (code similarities with MimiKatz and accesses Windows LSASS process)
- Method 2: Steals credentials from the credential store on the infected systems
- Makes an inventory of the local network for other machines. If found, it checks whether port 139 or 445 is open
- Checks via WebDAV whether the enumerated systems have already been infected. If this is not the case, it will transfer the malware to the other systems via SMB;
- Utilizes PSEXEC or WMI tools, to remotely execute the malware.
Please note that the initial infection vector of the M.E.Doc update (and a related watering hole attack on a Ukrainian website) were cleaned. However, Petya can still spread to the following networks for a limited amount of time, based on the functionality outlined above:
- The local network (reserved IP spaces);
- To remote networks of third parties that are directly connected with the networks that contain systems that are already infected with Petya.
Q2 Which attack vectors are used to enter internal networks of organizations?
A At the moment the first infection method that has been observed in the wild concerns the infected update from M.E.Doc. After initial entry into an internal network of an affected organization has been obtained, different spreading methods are used to further infect systems. These methods include the NSA exploits EternalBlue and EternalRomance in combination with harvesting and reusing passwords to perform remote command execution (with psexec and WMI) on other systems.
Q3 Are only companies affected that use M.E.Doc?
A No, the attack initially targeted organizations that were using M.E.Doc, but the worm also spread to other (connected) organizations that were not related to M.E.Doc.
Q4 How is it possible that I became infected with Petya, while being full up to date and having all patches installed?
A: The Microsoft patch MS17-010 protects Windows systems against direct infection by the EternalBlue and EnternalRomance NSA-exploits. However, Petya includes additional methods to spread to Windows systems.
Most notably, the Petya malware can extract local Administrator and domain credentials from systems that are initially infected (for example because these systems were not patched). Subsequently, the malware can leverage these administrative credentials in combination with legitimate Microsoft tools and protocols (PSEXEC and WMI) to infect fully patched Windows systems.
Q5 How can I check if my organization is at risk for the Petya attack?
A Checking if you are at risk for this attack involves multiple actions, due to the fact that the attack itself uses different methods to propagate within networks. The following actions can be performed to identify potential vulnerable machines within the network:
- Perform a network portscan to identify systems on which the TCP ports 139 and 445 are open. The more machines that are accessible on these ports, the more potential risk of the attack spreading to large amounts of systems within the network.
- Perform a vulnerability scan to identify machines which are missing the MS17-010 (and the KB2871997) patch. If the patches are missing, the identified systems are vulnerable to the one of the spreading and infection methods used by the malware.
- Perform an inventarisation of administrative credentials to identify if there are passwords shared between multiple machines. If this is the case, the systems which can be accessed using these administrative credentials are vulnerable to one of the spreading and infection methods used by the malware.
- The most important accounts to focus on during this inventarisation are accounts with elevated privileges such as local Administrator accounts and domain accounts with local administrator privileges.
It is important to consider that the infection, privilege escalation and lateral movement techniques used by the Petya malware are also frequently used during penetration testing on internal networks. It is therefore advised to review previous reports that followed internal penetration tests to get a quick overview of relevant vulnerabilities and to ensure that penetration tests on the internal networks are performed periodically.
Q6 We have infected machines what can we do to recover them? Should we pay the ransom?
A The email address that was used by the attackers to receive payments and release decryption keys has been blocked by the email provider. This makes it impossible for the actor(s) behind the Petya malware to confirm the payments and return the decryption keys to its victims. It is therefore not recommended to pay the ransom of $300 (or the equivalent in the Bitcoin currency) as requested by the malware authors.
Please note that after a system is infected, the malware attempts to spread before it is rebooted and the encryption process is started. Consequently, if a system is infected with Petya, but has not yet been rebooted or the fake CHKDSK process has not been completed, it may still prove possible to (partially) recover data from the infected system.
Q7 Do you know anything about the target of the Petya attack or the actors behind it?
A One of the few confirmed facts is that initially infections occurred due to an infected update from the Ukraine based company M.E.Doc. The software of this company is both broadly and mostly used by organizations in the Ukraine. These organizations within the Ukraine were thus initially targeted by the Petya attack.
This fact, combined with some of the characteristics of the attack, have led to extensive speculation in regard to the actors behind the attack (of which the grugq provides an extensive overview). However, at the moment there is no definitive public evidence to attribute the attack to a specific actor. The investigation into the purpose of the attack and the actors behind the attack are still being actively investigated by Fox-IT and many others.
Q8 How does the Petya attack differ from the Wanacry/Wannacrypt attack?
A This Petya attack seems to be more targeted than Wanacry. While WanaCry included functionality to scan for vulnerable systems on the Internet, the Petya attack primarily targets other systems within the restricted IP spaces of affected networks.
One of the few similarities between Petya and Wanacry concerns the usage of the SMB exploit EternalBlue, which is an exploit that was originally used by the NSA and was subsequently leaked by the Shadow Brokers. This is the only spreading vector of Petya which can be stopped and prevented by installing the MS17-010 patch. The other spreading vectors cannot be fully reduced by patching the systems, although installing the KB2871997 patch can reduce the impact of the other spreading vector.
In addition to EternalBlue, Petya includes further methods for spreading using lateral movement techniques such as credential re-use, PSEXEC and WMI. These techniques, which are often used in manual attacks by advanced attackers as well as during penetration tests on internal networks, have now been adapted and incorporated into an automated attack by the attackers in the Petya malware.
In regards to the encryption of the files Petya and Wanacry differ in the way that the system is rendered inoperable. Petya, in addition to encrypting individual files also encrypts critical operating system components thereby rendering the system inoperable after a reboot. The encryption of the individual files differs due to the way that the files are encrypted as well as the file types that are targeted.
Q9 I have heard rumors about an antidote or kill switch, is this true?
A Petya does not have a remote killswitch in the same way as was present in Wanacry. That is, there is no universal way to stop all Petya infections from occurring. A more limited and local way to prevent the Petya malware from spreading does exist, which is also referred to as a “killswitch” or an “antidote”.
This local antidote involves placing a file called “perfc” or “perfc.dat” in the C:\Windows directory. The reason why this works is because Petya checks if that file exists before infecting a vulnerable system. If the file exists, Petya won’t infect the system. Please note that Petya actually checks for a file with the same name as the filename that it was started from. So if the Petya file is renamed to “example.dll”, subsequent variants of that strain of the Petya malware will actually check if C:\Windows\example” exists, instead of “perfc”. It just so happens to be that “perfc” is the filename of the main variant that’s currently spreading.
Q10 Are the patches for Wanacry and Petya automatically installed by Windows Update?
A On supported operating systems the patch can be installed through the Windows update mechanism. If Windows update has been configured to update automatically, these systems should have been updated with MS17-010 several months ago. However, this is not the case on unsupported operating systems such as Windows 2003, XP and 8. Microsoft has released patches for these operating systems that need to be downloaded and applied manually.