Notes About The NotPetya Ransomware

Published on June 28, 2017 00:00 UTC
Last updated on June 28, 2017 09:03 UTC

NotPetya Ransomware

A new ransomware, currently named NotPetya, began spreading yesterday. There are many victims, especially in Ukraine, but large companies such as Maersk or Merck have also been hit hard. There are infections in Switzerland as well. Like many others, we have analyzed the malware and tried to establish confirmed facts about how it works. As many good papers have already been published, we do not want to repeat them but rather highlight a few important facts that can now be considered confirmed. [1], [2], [3]

What is NotPetya?

NotPetya is a ransomware that resembles Petya/Misha, which appeared on the Internet in 2016. What was special about Petya was that it encrypted the Master Boot Record. This is only possible with appropriate permissions. If these were not available, the other part of this malware family, Misha, took over and performed a normal file encryption.

What is so special with NotPetya / How does it spread?

NotPetya behaves similarly in the way it encrypts the computer (MBR), but it also encrypts files directly. What is new, and why it is not just another version of Petya, is the way it spreads further. The attackers have built in several ways in which the malware can propagate in an internal network:

  • Using the vulnerability already known from WannaCry (EternalBlue, MS17-010) [4]
  • Using wmic or psexec and accessing admin shares ($ shares). It enumerates the local network and tries to infect other devices.
  • The malware has the ability to dump credential hashes (LSA Dump) in order to get credentials [5].

The second vector in particular makes NotPetya worse than WannaCry, as no actual vulnerability is exploited. Even though there are precautionary measures that would have made an infection less likely, the second attack vector makes it much harder to protect against this threat. The initial infection vector is not yet confirmed. There are, however, indications that the first infection vector could have been an email or a compromised update server of a Ukrainian firm distributing the malware. This is unconfirmed and must be treated with caution [5].

What actions did MELANI take?

MELANI informed its constituency, the national critical infrastructures, on the afternoon of the 27th and provided them with a regularly updated stream of information about how the malware works. As always with such outbreaks, there is a lot of information swirling around that needs to be checked.

What is the impact of NotPetya in Switzerland?

We have been informed by several companies based in Switzerland that they have been hit by the malware. Currently we do not see a distribution as large as we have seen in the past with other malware waves such as Locky or Cerber.

How can I protect myself?

Apart from the usual ransomware protection (see: MELANI Recommendations) and the measures we proposed in the blog post about WannaCry (see: GovCERT Blog), the following countermeasures can be applied:

Is there a kill switch?

There is a possibility to stop the malware from infecting a device via the wmic/psexec vector by placing a file in the Windows directory [6]: a file named perfc.dat (or just perfc) must be placed in %windir% (e.g. C:\Windows). You should set its permissions to read-only. This, however, only protects machines that are not yet infected and only works with the NotPetya version that has been spreading yesterday. Please note that this is not a "killswitch" as with WannaCry but more of a vaccination of a device that must be done locally and for every device in a network. Here is the relevant code snippet in pseudo code from IDA:

#include <windows.h>
#include <shlwapi.h>

extern WCHAR pszPath[MAX_PATH]; // global: the malware's own module path; only its file name part is used

// Builds the path of the marker file the malware checks for: its own file name,
// placed in C:\Windows, with the extension stripped (perfc.dat -> C:\Windows\perfc).
int __stdcall sub_10008320(LPWSTR pszDest)
{
  signed int v1; // esi@1
  const WCHAR *v2; // eax@1
  LPWSTR v3; // eax@2

  v1 = 0;
  v2 = PathFindFileNameW(pszPath);
  if ( PathCombineW(pszDest, L"C:\\Windows", v2) )
  {
    v3 = PathFindExtensionW(pszDest); // points at the '.' of the extension, or at the terminating NUL
    if ( v3 )
    {
      *v3 = 0;                        // truncate here: drop the extension
      v1 = 1;
    }
  }
  return v1;
}
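The vaccination described above, as an added Python example that is not from the original post or from the malware: expected_marker is a hypothetical helper mirroring the path construction in the IDA snippet (own file name, extension dropped, placed in the Windows directory), and vaccinate creates the read-only marker files. Run it with administrative rights on each device, or use dry_run to exercise it in a scratch directory.

```python
import os
import stat
import tempfile

# Hypothetical helper (added here, not taken from the sample) mirroring sub_10008320:
# take the module's own file name, drop its extension and place it in the Windows
# directory. This is why "perfc" without an extension is the name that matters.
def expected_marker(module_name, windir):
    base = os.path.basename(module_name)   # PathFindFileNameW
    stem, _ext = os.path.splitext(base)    # PathFindExtensionW, then truncate at '.'
    return os.path.join(windir, stem)      # PathCombineW

def vaccinate(windir, names=("perfc", "perfc.dat")):
    """Create the marker files in windir and make them read-only.
    Returns the paths touched; files that already exist are only re-protected."""
    touched = []
    for name in names:
        path = os.path.join(windir, name)
        if not os.path.exists(path):
            with open(path, "wb"):
                pass                       # a zero-length file is sufficient
        # Clear every write bit; on Windows this sets FILE_ATTRIBUTE_READONLY.
        os.chmod(path, stat.S_IREAD | stat.S_IRGRP | stat.S_IROTH)
        touched.append(path)
    return touched

def is_read_only(path):
    return not (os.stat(path).st_mode & stat.S_IWRITE)

def dry_run():
    """Vaccinate a scratch directory instead of %windir% and report the result."""
    scratch = tempfile.mkdtemp(prefix="perfc-dryrun-")
    return [(os.path.basename(p), is_read_only(p)) for p in vaccinate(scratch)]

if __name__ == "__main__":
    if os.name == "nt":    # real run: needs administrative rights on the device
        for p in vaccinate(os.environ.get("WINDIR", r"C:\Windows")):
            print(p, "read-only" if is_read_only(p) else "WRITABLE")
    else:
        print(dry_run())
```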

Other protection measures?

  • A more thorough approach for blocking the spreading via psexec / wmic is to apply AppLocker settings that stop users from starting remote processes. Please take care as - depending on your environment - this might have unwanted side-effects.
  • Another approach is using a GPO to block administrative shares (e.g. c$). This would stop this threat as well as other threats. But as with the other countermeasures, this is likely to have side effects.
  • If not yet done, patch MS17-010 immediately!

Detection possibilities for enterprises?

There are a few detection possibilities:

  • The malware is quite noisy when it comes to networking activity. Therefore it is possible to have an internal IDS/IPS to listen for ARP requests that enumerate the subnet and to disconnect the source of these requests from the network. Again, take care as this can have side effects.
  • If you monitor your Windows Event Logs, a newly infected device can be spotted easily, as the malware erases the Event Log using wevtutil. If you see wevtutil erasing all event logs on a system, this is a good trigger that could be used to disconnect the affected device from the network and/or remove it from the domain.
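The Event Log trigger from the second bullet, as an added Python example that is not part of the original post: it runs over constructed process-creation records (timestamp, host, user, command line) and flags a host only when several distinct event logs are cleared with wevtutil within a short window, so a single administrative clear-with-backup does not fire on its own. The record format and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records, not real telemetry:
# "timestamp,host,user,command line", one process creation per line.
PROCESS_EVENTS = """\
2017-06-27T14:10:01Z,WS-042,CORP\\jdoe,"C:\\Windows\\System32\\wevtutil.exe" qe Security /c:5
2017-06-27T14:10:03Z,WS-042,NT AUTHORITY\\SYSTEM,cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application
2017-06-27T14:10:04Z,WS-017,CORP\\svc_backup,robocopy.exe D:\\data \\\\fs01\\backup$ /MIR
2017-06-27T14:11:20Z,WS-017,CORP\\admin,wevtutil.exe clear-log Application /bu:C:\\archive\\app.evtx
"""

# Matches each "wevtutil cl <log>" / "wevtutil clear-log <log>" in a command line,
# including several chained with "&"; log queries ("qe") do not match.
CLEAR_RE = re.compile(r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(\S+)", re.IGNORECASE)

def parse_events(text):
    """Yield (timestamp, host, command line) from the sample format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _user, cmd = line.split(",", 3)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, cmd

def detect_log_wipes(text, min_logs=3, window_s=60):
    """Return {host: sorted log names} for every host on which at least
    min_logs distinct event logs were cleared within window_s seconds.
    A lone 'clear-log ... /bu:' by an admin stays below the threshold."""
    clears = defaultdict(list)
    for when, host, cmd in parse_events(text):
        for log in CLEAR_RE.findall(cmd):
            clears[host].append((when, log.lower()))
    alerts = {}
    for host, events in clears.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            burst = {log for when, log in events[i:]
                     if (when - start).total_seconds() <= window_s}
            if len(burst) >= min_logs:
                alerts[host] = sorted(burst)
                break
    return alerts

if __name__ == "__main__":
    for host, logs in detect_log_wipes(PROCESS_EVENTS).items():
        print(f"ALERT {host}: event logs cleared: {', '.join(logs)}")
```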

Notes about paying the ransom

We generally recommend never paying a ransom, as this only fuels the "criminal industry" with additional funds. In this case, it is not even possible to contact the attackers any more, as Posteo took down the contact email address displayed in the ransom note.
