
Petya-like global ransomware attack can be mitigated

A new global ransomware attack has been spreading quickly using the same exploits as WannaCry, but researchers have already found ways to protect users from the damage.

A new global ransomware threat has been spreading quickly by exploiting the same vulnerabilities used in the WannaCry ransomware attacks, but researchers have found different ways to mitigate the damage.

Security researchers have been inconsistent in the branding of this global ransomware threat because it can be seen as a variant of both the Petya ransomware and GoldenEye, which itself was a variant of Petya. This led to a number of names being used, including NotPetya, ExPetr, PetrWrap, GoldenEye, Petya.A, Petya.C and PetyaCry.

However, Tod Beardsley, research director at Rapid7, based in Boston, said the name should not be the focus.

"We're mostly interested in the capabilities and indicators of compromise, and not so much what the real name is. After all, different security vendors end up calling malware samples like these different things all the time," Beardsley told SearchSecurity.

Petya-like global ransomware spreads

This new global ransomware attack was first detected in Ukraine government systems before spreading to a range of organizations around the world. A number of security research firms began analyzing the incidents and found multiple attack vectors.

Screenshot of ransomware message shown after files have been encrypted.

Cisco Talos reported the initial point of entry to government systems in Ukraine was through a malicious software update for a tax accounting package called MeDoc.

Kaspersky Lab found the attack could be spread via the EternalRomance remote code exploit tool found in the National Security Agency (NSA) cyberweapons dump.

However, the most common attack vector, reported by multiple research groups, was via phishing emails with malicious Office documents attached.

The malicious document targeted systems that had not been patched against the EternalBlue vulnerability (MS17-010) in Windows Server Message Block version 1, and it contains the DoublePulsar NSA tool to help the infection spread. Both of these exploits were used in the WannaCry ransomware attacks.

Marco Ramilli, malware evasion expert and CTO of Yoroi, a threat intelligence firm based in Italy, told SearchSecurity via Twitter that Petya-like had a backup option to help this infection spread, compared to previous Petya variants:


According to Avira's Virus Lab, "The Trojan collects the locally stored Windows login credentials and misuses them with the PsExec tool. This is just a regular tool, usually used by system admins, to run other tools on remote machines they have regular access or logins to. This method works even if the system is fully patched, as PsExec is not an exploit, but a regular tool from Microsoft and Sysinternals."

Lysa Myers, security researcher at ESET, said using the PsExec tool, which is a trusted part of Windows, "means that there only needs to be one vulnerable machine on a network for it to get in; it can then spread to other machines within the network that have been properly patched."

Tying this global ransomware threat to the GoldenEye variant of Petya is the use of the Mischa component, which can encrypt individual files. But the main danger of Petya-like is it will encrypt the Master Boot Record of a system after forcing a reboot.

Potential mitigation of the Petya-like global ransomware

Matthew Hickey, co-founder and director at London-based cybersecurity consultancy Hacker House, found that one way to avoid damage from this ransomware begins at the reboot process:

Another mitigation technique against the Petya-like global ransomware came from Amit Serper, security researcher at Boston-based Cybereason, and Dave Kennedy, founder of Binary Defense and TrustedSec. Serper and Kennedy found one specific file that could be blocked and trigger a sort of "kill-switch."

For more preventative measures against this global ransomware threat, experts suggested the same precautions as for WannaCry, including patching against the EternalBlue exploit and blocking port 445 on any potentially vulnerable device.
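The two precautions above (patching MS17-010 and blocking port 445) as an elevated PowerShell audit-and-harden script. This is an added example, not code from the article or any vendor quoted in it; the $Ms17010Kbs list is a placeholder to be filled from the MS17-010 bulletin for your OS build, and the Get-SmbServerConfiguration cmdlet assumes Windows 8 / Server 2012 or later.

```powershell
# Added example: check a Windows host against the SMBv1/EternalBlue spread path
# and apply the mitigations the article lists. Run from an elevated session.

# ASSUMPTION / PLACEHOLDER: replace with the MS17-010 KB id(s) for this OS build.
$Ms17010Kbs = @('KB-PLACEHOLDER-FOR-YOUR-OS')

# 1. Is an MS17-010 fix installed? (Later cumulative updates also contain it,
#    so an empty result is a prompt to verify, not proof the host is exposed.)
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    "MS17-010 fix present: $($installed.HotFixID -join ', ')"
} else {
    "WARNING: none of $($Ms17010Kbs -join ', ') found; confirm MS17-010 is applied"
}

# 2. SMBv1 server still enabled? EternalBlue targets SMBv1, so turn it off
#    unless a legacy dependency forces you to keep it.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    "SMBv1 server is enabled; disabling it"
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    "SMBv1 server already disabled"
}

# 3. Block inbound TCP 445 on hosts that do not need to serve SMB.
#    On file servers, scope this with -RemoteAddress to trusted subnets instead.
$ruleName = 'Block inbound SMB (TCP 445) - ransomware mitigation'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    "Firewall rule '$ruleName' created"
} else {
    "Firewall rule '$ruleName' already exists"
}
```

These steps close the EternalBlue path only; the PsExec spread described earlier uses harvested admin credentials over normal remote administration, so it is addressed by limiting local admin reuse and by the backup advice that follows, not by this script.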

Paul Vixie, CEO of Farsight Security, based in San Mateo, Calif., said there is one mitigation strategy that supersedes all others when it comes to any ransomware threat.

"The only proven defense against ransomware is backups of all important data," Vixie told SearchSecurity. "No one with backups has yet lost data to a ransomware attack. So, the most important thing, in my opinion, is to back up your data and have a plan for recovering from those backups."
