Naked Security

New Petya ransomware: everything you wanted to know (but were afraid to ask)

Your questions about the new Petya ransomware answered - and your chance to ask us more.

Whenever a new malware story breaks, lots of questions emerge…

…but some of them are hard to ask!

What if the question seems so obvious that you feel embarrassed not to know the answer?

What if something is really bugging you but the question feels too trivial?

What if there are interesting, even important, details that you never even thought to ask about?

Here you go…

Q. What is this new “Petya” ransomware outbreak?

On 2017-06-27, a new strain of ransomware was reported in numerous disparate organisations in many countries.

This malware has been variously, and somewhat confusingly, referred to as Petya, GoldenEye, WannaCry2, NotPetya, PetrWrap and PetyaWrap.

Sophos detects the main file of this malware by the name Troj/Ransom-EOB, but in this article we will refer to it colloquially as PetyaWrap, because it’s easier to say.

Q. Why the name PetyaWrap?

The heart of this new ransomware is almost identical to an existing ransomware strain from 2016 known as Petya.

Unlike most ransomware, which scrambles your data files but leaves your computer able to boot up into Windows and run your regular apps, Petya scrambles your disk down at the sector level, so that it won’t boot normally at all.

But the PetyaWrap variant does much more than the original Petya ransomware.

PetyaWrap includes a number of other concepts and components plundered from other malware strains, including GoldenEye and WannaCry, wrapped up into a new ransomware variant.

Hence the name PetyaWrap in this article, for clarity.

Q. What malware techniques does PetyaWrap combine?

Like WannaCry, PetyaWrap is a computer worm, meaning that it can spread by itself.

PetyaWrap can copy itself round your network, and then automatically launch those new copies without waiting for users to read emails, open attachments or download files via web links.

Like the GoldenEye ransomware, PetyaWrap encrypts your data files in such a way that only the attackers know the decryption key, so you can’t unscramble the files without their help.

As if that weren’t enough, after spreading and scrambling your data, PetyaWrap does the same as the original Petya malware – it scrambles your disk down at the sector level, so that you can’t access your C: drive at all, even if you plug the disk into another computer.

Q. How does PetyaWrap spread across my network?

Firstly, it borrows from WannaCry by trying to exploit a pair of critical Windows security holes that were stolen from the US National Security Agency (NSA) and leaked by a hacking crew called Shadow Brokers. (The main vulnerability used is commonly known by its original NSA name: ETERNALBLUE.)

If you are patched against WannaCry – Microsoft issued patches that prevented the attack well before WannaCry came out – then you are patched against this part of PetyaWrap.

Secondly, it tries to spread using a popular Windows remote execution tool called PsExec – PetyaWrap has a copy of the PsExec software embedded inside it, so it doesn’t need to download it first.

PsExec is part of Microsoft’s own Sysinternals suite, commonly misused by cybercriminals as a convenient way of moving around inside a network after they’ve got in from the outside.

Note that the PsExec trick won’t work if the infected computer doesn’t have enough account privilege to run commands on the target it’s attacking – a good reason not to use Administrator accounts all the time, no matter how convenient it might be for IT staff.

Thirdly, PetyaWrap snoops around in memory looking for passwords that will boost its access privileges and give it administrative access to other computers on the network.

This password snooping is done using a modified copy of a password-grabbing tool called LSADUMP from the Mimikatz toolkit – as with PsExec, this hacking tool is embedded into the PetyaWrap program, so it doesn’t need to be downloaded first.

Q. Is patching against WannaCry enough to be safe?

No.

As explained above, PetyaWrap has three spreading tricks, of which the WannaCry technique is the first one it tries.

If the WannaCry hole is closed, PetyaWrap tries PsExec; if that doesn’t work, it tries LSADUMP and the Windows Management Interface to “manage” your network to your considerable disadvantage.

Treat the WannaCry patches as necessary but not sufficient.

Q. Can Sophos products block the components used by PetyaWrap to spread?

Yes.

The main PetyaWrap program, which contains the WannaCry-style “worming” code, is blocked as malware: Troj/Ransom-EOB.

The PsExec program for the second spreading trick is blocked as a Potentially Unwanted Application (PUA): PsExec of type Hacktool.

The LSADUMP snooping tool for the third spreading trick is blocked as malware: Troj/Mimikatz-A.

Q. Can Sophos products block the ransomware components if they try to scramble your files and disk?

Yes.

Sophos Intercept X (and Sophos Home Premium Beta) includes proactive malware-blocking tools that detect, block and repair ransomware activity.

The file-scrambling part of PetyaWrap is detected and blocked by CryptoGuard.

The sector-scrambling part of PetyaWrap is detected and blocked by WipeGuard.

Q. Will I get my data back if I pay the ransom?

We doubt it.

In fact, the email address by which you are supposed to contact the crooks has been suspended, so it’s unlikely you’ll be able to do a deal with them even if you wanted to.

Q. Can PetyaWrap spread across the internet, like WannaCry?

No. And yes.

WannaCry had two spreading functions that ran in parallel: one scoured your LAN trying to spread locally; the other went out looking randomly for new victims on the internet.

PetyaWrap doesn’t explicitly try to find new victims out on the internet, but sticks to your LAN, perhaps in the hope of drawing less attention to itself.

Unfortunately, LANs (short for Local Area Networks) often aren’t truly local any more: they frequently take in outlying offices and remote workers, including contractors.

Of course, some of those remote computers may be part of more than one LAN, meaning that they can act as a “bridge” between two networks, even if they belong to completely different organisations.

In other words, for all that PetyaWrap isn’t programmed to spread purposefully across the internet, it also isn’t programmed to avoid jumping onto someone else’s network if there’s an interconnection.

Importantly, PetyaWrap uses the networking tools built into Windows for its signposts on where to try next – so if you can browse to a partner company’s servers from your computer, or click through to your home computers from work…

…then PetyaWrap can do the same.

Q. How did the PetyaWrap outbreak get started?

We can’t say for sure.

Early on in the outbreak, fingers were pointed at a Ukrainian software company that produces tax accounting software, suggesting that a hack of the company’s update servers may have given the crooks a window of opportunity to push out an initial wave of infections.

Microsoft now claims to have evidence that a hacked version of the company’s autoupdate program might have been connected to an early PetyaWrap outbreak.

Q. Has PetyaWrap appeared in any phishing emails?

We haven’t yet seen any evidence of any phishing emails spreading this ransomware.

But don’t let your guard down!

Phishing emails are one of the most common conduits for malware, especially ransomware, to make its first appearance inside your organisation.

Q. What should I do next?

Ransomware like PetyaWrap can do plenty of damage even if you limit it to a regular user account, because most users have the right to read, write and modify their own files at will.

But any malware, especially a network worm like PetyaWrap, is much more dangerous if it can get administrator-level privileges instead.

So, even if you weren’t touched by the PetyaWrap outbreak, why not use it as the impetus for looking at who in your own network is allowed to do what, and where they’re allowed to do it?

Here are some things to try:

  • Review all domain and local administrator accounts to get rid of passwords that can easily be cracked. If you don’t test your own password strengths, the crooks will test them for you.
  • Review which staff have, or can acquire, administrator privileges on other users’ computers or the domain. If you realise you have privileges you no longer need, tell IT and get them removed – for your own safety as well as everyone else’s.
  • Don’t let IT staff log on or run any software with admin privileges except when they explicitly need to. Once they have completed an administrative task they should demote themselves back to regular user privileges, even though it’s less convenient.
  • Check to see if you have any network shares that are supposed to be limited to your LAN but which show up on the internet. If you don’t check up on your own network, the crooks will check for you.
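
One way to start on the administrator and network-share items in the list above, as an added PowerShell example (not from the original article or from Sophos). It assumes an elevated session on a Windows host with the built-in LocalAccounts, SmbShare and NetSecurity cmdlets; the `$broad` account list is an assumption to adjust. It inspects the host's own settings only, so whether a share is reachable from the internet still depends on your perimeter.

```powershell
# Added example: host-side audit for two checklist items (run elevated).

# 1. Members of the local Administrators group. The well-known SID
#    S-1-5-32-544 is used so the lookup works on non-English Windows.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object Name, ObjectClass, PrincipalSource

# 2. User-created shares that grant access to very broad groups.
#    $broad is an assumed starting list; extend it for your environment.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
$openShares = foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccountName -in $broad } |
        ForEach-Object {
            [pscustomobject]@{
                Share   = $share.Name
                Path    = $share.Path
                Account = $_.AccountName
                Right   = $_.AccessRight
            }
        }
}

# 3. Enabled inbound file-sharing rules that apply on the Public profile,
#    the profile Windows uses on untrusted networks. The display group name
#    is the English one; it is localized on other language builds.
$publicSmb = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
        $_.Action -eq 'Allow' -and "$($_.Profile)" -match 'Public|Any'
    } |
    Select-Object DisplayName, Profile

Write-Host 'Local administrators:'
$admins | Format-Table -AutoSize
Write-Host 'Shares open to broad groups:'
$openShares | Format-Table -AutoSize
Write-Host 'Inbound file sharing allowed on the Public profile:'
$publicSmb | Format-Table -AutoSize
```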

Never assume that security choices you made last year, or settings you enforced last month, are still in play today.

Got more questions? Please ask below and we’ll do our best to answer them too.


24 Comments

“Microsoft now claims to have evidence that a hacked version of the company’s autoupdate program might have been connected to an early PetyaWrap outbreak.”

The words “have evidence” are in blue, and when moused over, become underlined, implying a link, but do nothing when clicked. However, all other embedded links on this page work correctly.
Is this supposed to be a link?

Reply

Download/visit link of podcast not working, unless it is supposed to d/l “Tax_Exempt_Foundations_Hearing…”

Reply

Is “numerous different” a redundant statement? I’m not trying to pick on anyone, it’s just an interesting grammatical question. Could the ‘different’ be removed without affecting the meaning?

Reply

“I have numerous fish.” “I have numerous different fish.” Are these two the same? I would say no. The first suggests many fish, the second suggests many fish of different kinds.
Granted, organizations in this context can probably be assumed to be different unless explicitly described as similar (numerous accounting organizations, numerous political organizations), but I don’t think it’s redundant to explicitly state that they are different.

Reply

I think I meant “numerous disparate”, in order to get across the message that they weren’t obviously related. And if I didn’t mean “disparate”, I do now because that’s what I changed it to :-)

I meant it in the sense you suggested – as in “numerous different fish” to emphasise that there were not only many of them, but also that they weren’t all cod :-) But in the context of multiple organisations, I accept that “different” is tautological.

Reply

…and by the way, this is an excellent article!

Reply

Thanks. On the redundant word “different” you mentioned above, I think you were right, and even if you weren’t, it was the wrong word anyway :-) So I changed it.

Reply

There are several blue-bar “LEARN MORE” objects in the text which appear to be links but don’t actually do anything. Windows 10, Chrome.

Reply

Hmm. Thought I’d checked them all. WordPress’s HTML editor/reformatter may have munged them – let me check…

Reply

…yep, the links were originally correct, got automunged by WordPress during a later edit, should be right again now. Sorry about that, and thanks for noticing.

Reply

Paul, you wrote an excellent article on this hot topic, well done! I have read many other similar articles and none has adopted the style of an FAQ – which in fact is the most effective way for readers to understand the exact context.

Reply

Some sources mention as a partial prevention method of getting the computer encrypted to place a read-only file named perfc.dat to c:\Windows folder, because if the ransomware finds this file it does not activate itself on the given computer. Is it true?

Reply

Actually, the file should be called whatever the malware file is copied across as, *minus its extension*.

In the samples we’ve looked at, the malware uses the name perfc.dat so the “immunisation” file you need would be C:\WINDOWS\perfc (leave off the dot-dat).

Reply

Adding to this, though: it only stops file encryption, so the MBR is still encrypted and the 3 methods it uses to spread aren’t affected either. So basically it is fairly pointless. Just make sure you have Sophos installed and all will be fine (disclaimer: I work for Sophos).

Reply
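
The marker file described in the two comments above, as an added PowerShell example that is not part of the original comments and is not a Sophos tool. It derives the marker name by dropping the extension from the dropped file name, creates the marker read-only if it is absent, and reports one that already exists without touching it; the function and parameter names are illustrative. As the reply above says, this affects file encryption only, not the MBR scrambling or the spreading.

```powershell
# Added example: create or inspect the marker file discussed in the comments.
# perfc.dat is the dropped file name reported above for the samples examined;
# the function and parameter names are illustrative.
function Set-PetyaWrapMarker {
    param(
        [string]$DroppedName = 'perfc.dat',
        [string]$Directory   = $env:windir
    )
    # Marker = dropped name minus its extension (perfc.dat -> perfc)
    $markerName  = [System.IO.Path]::GetFileNameWithoutExtension($DroppedName)
    $markerPath  = Join-Path $Directory $markerName
    $droppedPath = Join-Path $Directory $DroppedName

    if (Test-Path -LiteralPath $markerPath -PathType Leaf) {
        # Leave an existing marker untouched so its timestamps are preserved
        $item   = Get-Item -LiteralPath $markerPath -Force
        $status = 'AlreadyPresent'
    }
    else {
        $item = New-Item -ItemType File -Path $markerPath -ErrorAction Stop
        $item.IsReadOnly = $true
        $status = 'Created'
    }

    [pscustomobject]@{
        MarkerPath      = $item.FullName
        Status          = $status
        ReadOnly        = $item.IsReadOnly
        CreatedUtc      = $item.CreationTimeUtc
        # The dropped file itself being present warrants investigation
        DroppedFileSeen = Test-Path -LiteralPath $droppedPath -PathType Leaf
    }
}

Set-PetyaWrapMarker   # needs an elevated session to write to C:\Windows
```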

I really wish security companies would start making affordable hardware based (inline) Firewalls and IDS’s for the Consumer.

Reply

ditto
Good easily configurable bits of hardware (preferably running open source software!) would be very welcome.

Internet > Modem/Access point with minimal functionality
with ports to connect
Firewall boxes (want multiple boxes even in home; one for private network, another for all those pesky semi-secure IoT “things”) running security software
connecting to
WiFi/Wired distribution boxes with minimal functionality

There is a reassurance in seeing different boxes doing different things and being able to define the level of security available on a given port.

Reply

You might want to take a look at OpenWRT. Just pick a SoHo router that is well-supported already.

If you have a spare laptop handy, or a home server that can run an extra VM or two, you might also take a look at:

https://www.sophos.com/en-us/products/free-tools/sophos-xg-firewall-home-edition.aspx

It’s our corporate product, with all its modules licensed free for home use – email and web filtering, IPS, a full-blown VPN, anti-virus scanning, and all the traditional stuff you’d expect in a firewall.

(OK, so we aren’t giving you free hardware, or even offering to sell you subsidised hardware at consumer prices, but the firmware and software is 100% free of charge. You get quite a lot for your money :-)

Reply

From all the data gathered, there never was any intention to make money off of the ransom part. (one address, one wallet, overly destructive, targeted attack)
It was obviously an attack on Ukraine’s infrastructure. Everyone else is collateral damage.
This makes the question of who did it. There are only two potential villains here: The governments of Russia and the US.
Russia would be the easy pick, but the US CIA has the biggest reputation in the world for false flag events to force policies. Until the next Snowden, we may not know.
However, since there is an “immunization” of having a file “perfc” with no extension in the “c:\windows\” directory, when we find a PC that has the perfc file on it that predates the initial infection, it can lead us to exactly who knew of it prior to deployment and lead us to the bad guys.

Reply
