ANNOUNCEMENT

Introduction

On June 27 2017, multiple organisations globally had reported of disruptions attributing to ransomware. Based on initial information received, a variant of Petya ransomware may be responsible for the incidents. National Cyber Coordination and Command Centre is currently monitoring closely for any signs of infection or propagation in Malaysia.

Impact

Encrypt user files and demand ransom to decrypt the files for USD300 worth of Bitcoin.

Brief Description

The ransomware is currently being discussed as a variant of Petya, which modifies the Master Boot Record (MBR) and have a similar trait to WannaCry in which it is using the EternalBlue and WMI for propagation inside an affected network. What is different between WannaCry and this ransomware is that it scans the affected internal network and does not appear to have an external scanning component to it.

Currently it is referred by various names such as NotPetya, Petrwrap, GoldenEye and been named as Nyetya by Talos.

Based on initial analysis, the ransomware in this campaign mimics Petya in some ways and the MBR reboot page is identical. However, there are some notable changes to include the propagation mechanism and an hour delay to encrypting files, which may be intended to allow propagation to occur before it reboots the infected machine.

The malware has three mechanisms used to propagate once a device is infected:

1. EternalBlue - the same exploit used by WannaCry;
2. Psexec - a legitimiate Windows administration tool; and
3. WMI - Windows Management Instrumentation, a legitimate Windows component

These mechanisms are used to attempt installation and execution of perfc.dat on other devices to spread laterally.

Affected Products

All Microsoft Windows Operating System

Recommendation

We advise agencies to take the following actions:

1. Update your critical assets with the latest security patches and updates from Microsoft;
2. Ensure your organisation is running an actively supported operating system that receives security updates;
3. Block SMB ports (139, 445) from all accessible hosts at both endpoints, across VLANS as well as Internet and network gateway. If the SMB service is required, please ensure the patch (MS17-010) has been applied;
4. Ensure that anti-virus/anti-malware signatures is up to date and functioning;
5. If you receive an email with an unexpected attachment or link, verify with the sender BEFORE opening the attachment or clicking on the link;
6. Warn your users not to open or click on unsolicited mails and links with/without attachments;
7. Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organisations, it may be best to block email messages with attachments from suspicious sources;
8. Back up your important files and data to an external drive;
9. Update your IPS and application layer firewall rules to monitor and detect any indicators of compromise;
10. Update SNORT SMB signatures related to detect any SMB scan in your network. https://docs.emergingthreats.net/bin/view/Main/2024218. This signature can be used to detect all infected machines in a network. Once infected machines are identified, they need to be disconnected from the network and malware removal process should take place. Please make sure that your operating system is patched with the latest updates and patches prior to re-connecting to the network;
11. System administrators with high level of access should avoid using their administrator accounts for email and web browsing;
12. Change the password upon recovery of infected system;
13. Use application whitelisting to help prevent malicious software and unapproved programs from running;
14. Restrict users' ability (permissions) to install and run unwanted software applications, and apply the principle of "Least Privilege" to all systems and services;
15. Have effective patch management that deploys security updates to endpoints and other critical systems within your infrastructure in a timely manner;
16. Do not pay the ransom to the perpetrators; and
17. For any incidents related to this attack, please report to NC4.

References

Microsoft Security Bulletin MS17-010
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Microsoft Safety Scanner
http://www.microsoft.com/security/scanner/

New Ransomware Variant Nyetya Compromises Systems Worldwide
http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html?m=1

28-06-2017