Petya (NotPetya/Petna Malware), the latest craziness, started this week on June 27, allegedly coming from Ukraine.
What has already been told about Petya/NotPetya/Petna Malware
– It has automatic built-in lateral movement capabilities – Credential theft from LSASS and using native apps like Psexec and WMIC.
– It’s a wiper, not ransomware; it destroys the MBR, and even if you pay the $300 ransom, you won’t get your files back.
– Current Bitcoin wallet received 45 transactions – 3.99 BTC
– Initial infection started allegedly from a Ukrainian software supply-chain M.E.Doc updates.
– Most of the victims still remain in Ukraine (more than 12,000 Windows machines).
– It creates scheduled tasks to reboot after 1 hour and then wipes your MBR; by then, it will try to find more victims in the network.
After launching the malware, it will destroy the local machine and then try to find more machines on the network. This specific malware is doing ARP scans to find more Windows endpoints, which makes it limited to the local subnet (can use much better techniques).
After finding more targets, it will try to gather credentials from the LSASS to have more users in the “back pocket”. If it doesn’t have local admin rights, it will use the current user context. Using the credentials it has, the next step would be lateral movement to different machines using WMIC or Psexec. If that fails, it will try to launch the EternalBlue as a fallback plan.
We would see many more malware variants doing lateral movement simply because the ROI is higher, and, in most cases, it’s very easy. EternalBlue is maybe patchable but harvesting credentials from the lsass is not.
Disabling Psexec and WMI is not the solution because admins need to manage their network. It doesn’t make sense to disable any of their software. Lack of segmentation and credentials re-use is the main problem.
Javelin vs. Petya
Watch how Javelin would protect you against Petya and any other malicious lateral movement attempts.
Feel free to reach out – firstname.lastname@example.org