On June 27th, my day began like any other. While going through morning emails and looking at the headlines in tech, I began to see stories emerging about a ransomware virus that was affecting huge numbers of users over in Europe, specifically in Russia and Ukraine. @SwiftOnSecurity posted a snippet of a conversation they were having with an anonymous source, stating “They’ve just pulled core access to one site in USA with 10,000 users. This is some disaster. Not quite sure how much product could be wiped.”
As the day continued, stories were posted about entire organizations being infected with what was believed to be the Petya virus making a second round. Organizations running Mac or Linux were oblivious to anything going on, as the virus only affects Windows systems.
Petya but NotPetya
Security researchers worked with each other over Twitter and other networks to try to put a stop to the spread. As more information came in, it turned out that the virus was not Petya; it was instead malware designed to look like ransomware that wiped the machine completely without ever providing a decryption key. Dubbed a “wiper,” this piece of malicious software was a rewritten version of Petya.
The virus makes use of the EternalBlue exploit developed by the NSA. Leaked by the Shadow Brokers back in April, it targets Microsoft’s implementation of the SMB protocol (CVE-2017-0144). Because the malware destroys data rather than holding it for recovery, a user who paid the $300 in Bitcoin demanded by the virus was still left with all their data destroyed and out several hundred dollars.
Once Kaspersky Lab had determined it was not Petya causing all the damage, the virus was renamed NotPetya. Microsoft has since published a patch for this vulnerability, but adoption of the patch is clearly not as widespread as it should be. Victims included the Madrid office of Washington-based DLA Piper, a Ukrainian grocery store’s point-of-sale system, U.K. media agency MediaCom, and organizations in other countries, including France.
How to fix
It wasn’t until that evening that workarounds and fixes started to come in. For administrators who have a hard time getting all their users to install patches, Microsoft’s WSUS allows you to set deadlines for all your workstations, helping to ensure the patches are installed. Information on how to set that up can be found here.
Home Windows users need to make sure their copies of Windows and Microsoft Office are fully up to date. Admins will also need to block writing to and execution of C:\Windows\perfc.dat. NotPetya uses group policy to infect a user with domain access and then spread to other users on the domain. The snippet of code where this occurs looks like this:
So, what essentially happens from start to finish with NotPetya is that it infects a host, overwrites the MBR, drops in a customized version of mimikatz and PsExec, uses a domain user to move laterally, and then executes a shutdown.exe program that forever destroys the data. A stiff penalty for not running your Windows updates.
And with that, I leave you to go run your Windows update. If you’re a network admin, you should go check on all your Windows devices immediately.
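The perfc.dat hardening mentioned in the “How to fix” section, as an added PowerShell example that is not part of the original post: it creates the file if absent, marks it read-only, adds an explicit Deny on Write and Execute for Everyone, and verifies the result. The two sibling file names (perfc and perfc.dll) are an assumption taken from public write-ups of the vaccine, not from this post; drop them if you only want perfc.dat.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell.
#Requires -RunAsAdministrator

$windir = $env:SystemRoot                    # normally C:\Windows
$names  = @('perfc.dat', 'perfc', 'perfc.dll')  # perfc/perfc.dll: assumed from public vaccine write-ups

function Test-PerfcFile {
    # Returns $true only if the file exists, is read-only, and carries a Deny-Write ACE for Everyone (S-1-1-0).
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $item = Get-Item -LiteralPath $Path
    $acl  = Get-Acl -LiteralPath $Path
    $hasDeny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write)
    }
    return ($item.IsReadOnly -and [bool]$hasDeny)
}

function Protect-PerfcFile {
    param([Parameter(Mandatory)][string]$Path)
    # Idempotent: a file that already passes the check is left alone, so re-runs
    # do not trip over the Deny ACE or stack duplicate rules.
    if (Test-PerfcFile -Path $Path) { return }

    # Create an empty file if it does not exist; never overwrite existing content.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }

    # Read-only attribute first (the property the published vaccine relies on).
    (Get-Item -LiteralPath $Path).IsReadOnly = $true

    # Explicit Deny on Write + ExecuteFile for Everyone. Deny ACEs win over Allow,
    # so this also stops a process running as a local admin from replacing or running the file
    # unless it first takes ownership and rewrites the ACL.
    $acl      = Get-Acl -LiteralPath $Path
    $everyone = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'
    $rights   = [System.Security.AccessControl.FileSystemRights]'Write, ExecuteFile'
    $deny     = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $everyone, $rights, 'Deny'
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

foreach ($n in $names) {
    $p = Join-Path $windir $n
    Protect-PerfcFile -Path $p
    '{0}: {1}' -f $p, $(if (Test-PerfcFile -Path $p) { 'protected' } else { 'NOT protected' })
}
```

This is a stop-gap for machines you cannot patch immediately; the real fix is still the SMB patch and a WSUS deadline that enforces it.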