Security Alert


IT and security expert at Sophos, Paul Ducklin, has broken down all the important information about the new Petya ransomware that has hit many countries, including South Africa.

The good news is that Adas make automatic backups to our own online cloud storage once a day to protect the dealers ADAS data.

The new Petya attack reportedly uses the same intrusion tool as a similar attack in May and has been similarly disruptive on daily life with hospitals, government offices and major multinationals among the casualties of the ransomware payload.

The malware attack first manifested itself in Kiev, Ukraine on Tuesday and was slowly spreading across the world.

As in the previous attack a ransom is charged for a digital key which will allegedly restore that encrypted data.

According to Ducklin, while displaying similar traits to the malware attacks that have come before, the new variation of Petya works a bit differently, and businesses need to be full informed about the implications.

Ducklin’s full Q&A can be found here.

What is this new “Petya” ransomware outbreak?

On 27 June, a new strain of ransomware was reported in numerous disparate organisations in many countries.

This malware has been variously, and somewhat confusingly, referred to as Petya, GoldenEye, WannaCry2, NotPetya, PetrWrap and PetyaWrap.

Sophos detects the main file of this malware by the name Troj/Ransom-EOB, but in this article we will refer to it colloquially as PetyaWrap, because it’s easier to say.

Why the name PetyaWrap?

The heart of this new ransomware is almost identical to an existing ransomware strain from 2016 known as Petya.

Unlike most ransomware, which scrambles your data files but leaves your computer able to boot up into Windows and run your regular apps, Petya scrambles your disk down at the sector level, so that it won’t boot normally at all.

But the PetyaWrap variant does much more than the original Petya ransomware.

PetyaWrap includes a number of other concepts and components plundered from other malware strains, including GoldenEye and WannaCry, wrapped up into a new ransomware variant that does much more than the original Petya strain.

What malware techniques does PetyaWrap combine?

Like WannaCry, PetyaWrap is a computer worm, meaning that it can spread by itself.

PetyaWrap can copy itself round your network, and then automatically launch those new copies without waiting for users to read emails, open attachments or download files via web links.

Like the GoldenEye ransomware, PetyaWrap encrypts your data files in such a way that only the attackers know the decryption key, so you can’t unscramble the files without their help.

As if that weren’t enough, after spreading and scrambling your data, PetyaWrap does the same as the original Petya malware – it scrambles your disk down at the sector level, so that you can’t access your C: drive at all, even if you plug the disk into another computer.

How does PetyaWrap spread across my network?

Firstly, it borrows from WannaCry by trying to exploit a pair of critical Windows security holes that were stolen from the US National Security Agency (NSA) and leaked by a hacking crew called Shadow Brokers. (The main vulnerability used is commonly known by its original NSA name: ETERNALBLUE.)

If you are patched against WannaCry – Microsoft issued patches that prevented the attack well before WannaCry came out – then you are patched against this part of PetyaWrap.

Secondly, it tries to spread using a popular Windows remote execution tool called PsExec – PetyaWrap has a copy of the PsExec software embedded inside it, so it doesn’t need to download it first.

PsExec is part of Microsoft’s own Sysinternals suite, commonly misused by cybercriminals as a convenient way of moving around inside a network after they’ve got in from the outside.

Note that the PsExec trick won’t work if the infected computer doesn’t have enough account privilege to run commands on the target it’s attacking – a good reason not to use Administrator accounts all the time, no matter how convenient it might be for IT staff.

Thirdly, PetyaWrap snoops around in memory looking for passwords that will boost its access privileges and give it administrative access to other computers on the network.

This password snooping is done using a modified copy of a password-grabbing tool called LSADUMP from the Mimikatz toolkit – as with PsExec, this hacking tool is embedded into the PetyaWrap program, so it doesn’t need to be downloaded first.

Is patching against WannaCry enough to be safe?

No. As explained above, PetyaWrap has three spreading tricks, of which the WannaCry technique is the first one it tries.

If the WannaCry hole is closed, PetyaWrap tries PsExec; if that doesn’t work, it tries LSADUMP and the Windows Management Interface to “manage” your network to your considerable disadvantage.

Treat the WannaCry patches as necessary but not sufficient.

Will I get my data back if I pay the ransom?

We doubt it. In fact, the email address by which you are supposed to contact the crooks has been suspended, so it’s unlikely you’ll be able to do a deal with them even if you wanted to.

Can PetyaWrap spread across the internet, like WannaCry?

No. And yes. WannaCry had two spreading functions that ran in parallel: one scoured your LAN trying to spread locally; the other went out looking randomly for new victims on the internet.

PetyaWrap doesn’t explicitly try to find new victims out on the internet, but sticks to your LAN, perhaps in the hope of drawing less attention to itself.

Unfortunately, LANs (short for Local Area Networks) often aren’t truly local any more, often including outlying offices and remote workers, including contractors.

Of course, some of those remote computers may be part of more than one LAN, meaning that they can act as a “bridge” between two networks, even if they belong to completely different organisations.

In other words, for all that PetyaWrap isn’t programmed to spread purposefully across the internet, it also isn’t programmed to avoid jumping onto someone else’s network if there’s an interconnection.

Importantly, PetyaWrap uses the networking tools built into Windows for its signposts on where to try next – so if you can browse to a partner company’s servers from your computer, or click through to your home computers from work…then PetyaWrap can do the same.

How did the PetyaWrap outbreak get started?

Early on in the outbreak, fingers were pointed at a Ukrainian software company that produces tax accounting software, suggesting that a hack of the company’s update servers may have given the crooks a window of opportunity to push out an initial wave of infections.

Microsoft now claims to have evidence that a hacked version of the company’s autoupdate program might have been connected to an early PetyaWrap outbreak.

What should I do next?

Ransomware like PetyaWrap can do plenty of damage even if you limit it to a regular user account, because most users have the right to read, write and modify their own files at will.

But any malware, especially a network worm like PetyaWrap, is much more dangerous if it can get administrator-level privileges instead.

So, even if you weren’t touched by the PetyaWrap outbreak, why not use it as the impetus for looking at who in your own network is allowed to do what, and where they’re allowed to do it?

Here are some things to try:

  • Review all domain and local administrator accounts to get rid of passwords that can easily be cracked. If you don’t test your own password strengths, the crooks will test them for you.
  • Review which staff have, or can acquire, administrator privileges on other users’ computers or the domain. If you realise you have privileges you no longer need, tell IT and get them removed – for your own safety as well as everyone else’s.
  • Don’t let IT staff logon or run any software with admin privileges except when they explicitly need to. Once they have completed an administrative task they should demote themselves back to regular user privileges, even though it’s less convenient.
  • Check to see if you have any network shares that are supposed to be limited to your LAN but which show up on the internet. If you don’t check up on your own network, the crooks will check for you.

Never assume that security choices you made last year, or settings you enforced last month, are still in play today.

Scroll Up