The National Health Information Sharing and Analysis Center (NH-ISAC) announced that it had a Petya ransomware vaccine, and also discussed mitigation tactics that organizations can follow to minimize the potential risk of infection.
Entities can create a “vaccine file,” NH-ISAC explained.
“On execution, the known Petya samples delete themselves and perform a check to verify if this deletion is successful,” the ransomware update stated. “If the file is still present, Petya will exit. This behavior can be turned into a protection mechanism of sorts.”
The file permissions must also be set to deny write permissions to everyone, including system administrators. Petya cannot spread when it is unable to copy itself over.
“Keep in mind that some security tools operate on very simple signatures, and it’s possible you’ll get alerts,” NH-ISAC cautioned. “This prevents all currently known lateral spread methods.”
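The vaccine-file procedure described above, as an added PowerShell example that is not part of the NH-ISAC bulletin: it creates the file, marks it read-only, and then adds an explicit Deny ACE for Everyone, which Windows evaluates before any Allow entry and so also blocks members of Administrators. The file path is an assumption passed in by the caller (the bulletin names none here); denying Delete as well as Write is an extra precaution beyond the bulletin's "deny write" wording, so the file also cannot be removed.

```powershell
# Added example, not from NH-ISAC. Requires an elevated session, since the
# file normally lives under a system directory. $Path is an ASSUMPTION: use
# the vaccine filename given by your own threat-intelligence source.
function New-VaccineFile {
    param([Parameter(Mandatory)] [string]$Path)

    # 1. Create an empty file if it is not already there.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }

    # 2. Set ReadOnly BEFORE the deny ACE: Write includes WriteAttributes,
    #    so changing attributes afterwards would be refused.
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true

    # 3. Stop inheriting from the parent folder (keep current ACEs as explicit
    #    copies) and add Deny Write+Delete for Everyone (well-known SID S-1-1-0).
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    $everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
    $rights   = [System.Security.AccessControl.FileSystemRights] 'Write, Delete'
    $deny     = [System.Security.AccessControl.FileSystemAccessRule]::new(
                    $everyone, $rights,
                    [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Verification helper: $true only if the file exists and carries a Deny ACE
# for Everyone that covers the full Write right. Useful as a compliance check
# pushed out with the same GPO or management tool that deploys the file.
function Test-VaccineFile {
    param([Parameter(Mandatory)] [string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    $match = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0' -and
        (($_.FileSystemRights -band $write) -eq $write)
    }
    return [bool]$match
}

# Example usage (path is a placeholder, not the real vaccine filename):
# New-VaccineFile -Path 'C:\Windows\VACCINE_FILE_PLACEHOLDER'
# Test-VaccineFile -Path 'C:\Windows\VACCINE_FILE_PLACEHOLDER'   # expect True
```

As the bulletin warns, an unwritable file in a system directory may trip simple signatures in some security tools, so expect and triage those alerts after deployment.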
The Petya ransomware utilizes self-replicating mechanisms, the center explained. This is why the ransomware strain has been so widespread.
However, the latest NH-ISAC update added that the “only confirmed infection vector is a MeDoc update.”
“MeDoc is accounting software in widespread use in Ukraine produced by a Ukrainian company,” the center said on its website. “Virtually all Ukrainian companies, in virtually all sectors, use MeDoc. This includes American companies operating in Ukraine. The MeDoc software suite features an auto-update mechanism through which software updates can be distributed to clients.”
Additionally, there are no known instances of the ransomware spreading through email, drive-by downloads, exploit kits, or other typical ransomware delivery options.
NH-ISAC added that Petya uses multiple mechanisms to decide which computers to spread to. One such mechanism returns all active SMB connections on the infected computer.
Another one will scan the local network “as defined by the IP address and network mask of the infected computer.”
“Petya will attempt to copy itself to each identified target,” NH-ISAC stated. “In order to copy the file to target machine, Petya will harvest credentials from the infected system.”
Finally, the malware strain will try “to execute the new copy of itself on the target.”
“If the approaches above have failed to result in execution on the target, as a final resort, Petya will attempt to use ETERNALBLUE and ETERNALROMANCE exploits to both copy and execute itself on the target,” warned NH-ISAC. “The vulnerabilities targeted by these exploits have been patched some months ago under MS17-010.”
However, NH-ISAC contended that local firewalls can provide some mitigation. Petya cannot spread if it cannot reach ports 139 and 445.
“If Petya is unable to mount the ADMIN$ share it can’t spread (except through exploits),” NH-ISAC advised. “You can administratively disable ADMIN$ share through GPO. Apply Microsoft Patch MS17-010 to all internal systems. Enable protective signatures on all security devices to prevent EternalBlue from spreading.”
In an earlier Petya ransomware update, NH-ISAC explained that the ransomware attack was first observed on June 27, 2017. While the majority of reports said the affected entities were in the EU, there was a report of a US healthcare organization being affected.
Financial, telecom, transportation, healthcare and energy sectors had all reported that their operations were impacted, the center stated.
Last week, the Department of Homeland Security’s (DHS) US Computer Emergency Readiness Team (US-CERT) reported that using unpatched and unsupported software could increase the risk of infection by malware such as the Petya strain.
With Petya specifically, US-CERT explained that it encrypts the master boot records of infected Windows computers. It then exploits vulnerabilities in Server Message Block (SMB) and makes devices unusable.
“An attacker who successfully exploited the vulnerabilities could gain the ability to execute code on the target server,” US-CERT said. “To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.”
Petya had also been reported as using the same approach as the WannaCry ransomware strain, which took advantage of the National Security Agency’s (NSA) EternalBlue exploit. WannaCry caused the NHS to shut down its systems in May 2017.
“US-CERT cautions users and administrators that disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices,” stated US-CERT. “The benefits of mitigation should be weighed against potential disruptions to users.”