Information regarding this campaign has been provided on the ACSC news portal.
The ransomware leverages publicly known vulnerabilities in Microsoft Windows as well as common lateral movement techniques utilising administrative tools. Microsoft published patches to mitigate these vulnerabilities in March 2017.
The ACSC recommends undertaking the following actions:
- Apply Microsoft's MS17-010 patches as soon as possible to prevent infection by this ransomware campaign.
- Reconsider the business need for operating SMBv1 and disable the feature wherever possible.
- Investigate disabling Microsoft Office macros via Group Policy within your organisation. If there is a business need, identify whether allowing only signed macros and centrally managing the signing process fits your needs.
- Investigate deploying Microsoft LAPS, which ensures that each domain-joined host in an organisation has unique local administrator credentials, preventing ransomware from using the extracted credentials to spread laterally.
- Organisations with application control, software restriction policies or endpoint security solutions should investigate placing restrictions on the execution of PsExec via Group Policy or other third-party tools.
- Review and consider applying ASD's Essential Eight mitigation strategies.
- Review the ACSC ETERNALBLUE and DOUBLEPULSAR fact sheet (PDF) and undertake appropriate remediation.
- Review logs for unusual SMB traffic.
- Review logs for unusual use of the WMI or PsExec tools.
- Ensure that important data is backed up to an offline location.
Additionally, Microsoft has released advice and a special hotfix for Windows XP, Windows Server 2003 and Windows 8 RTM.
- Microsoft: New ransomware, old techniques: Petya adds worm capabilities
- Microsoft: Customer Guidance for WannaCrypt attacks
- Microsoft: KB4012598 Security Update
Initial infection vector
From the reports and analysis performed to date, the initial infection vector has not been clearly identified. Initial reports suggest multiple delivery mechanisms via:
- updates for the M.E.Doc software (popular in Ukraine)
- the ETERNALBLUE exploit using the SMBv1 protocol
- phishing emails containing macro-enabled Microsoft Office documents.
The malware has been seen infecting other devices on the network via the ETERNALBLUE exploit using the SMBv1 protocol.
Initial reports suggest that the malware uses the NetBIOS name cache in addition to DHCP information to identify computers and servers on the network which are then checked for open TCP ports 445 and 139.
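The host-discovery and port-probing behaviour described above produces a tell-tale fan-out pattern: one source opening connections to many distinct hosts on TCP 445/139 in a short window. The following is an added detection example, not code from the advisory; the connection-log format, the sample entries and the threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log of outbound TCP connections (not real telemetry),
# one per line: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>".
SAMPLE_LOG = """\
2017-06-27T10:00:01 10.0.0.5 10.0.0.10 445
2017-06-27T10:00:02 10.0.0.5 10.0.0.11 445
2017-06-27T10:00:03 10.0.0.5 10.0.0.12 139
2017-06-27T10:00:04 10.0.0.5 10.0.0.13 445
2017-06-27T10:00:05 10.0.0.5 10.0.0.14 445
2017-06-27T10:00:06 10.0.0.5 10.0.0.15 445
2017-06-27T10:00:01 10.0.0.20 10.0.0.100 445
2017-06-27T10:00:30 10.0.0.20 10.0.0.100 445
2017-06-27T10:00:01 10.0.0.21 10.0.0.10 80
2017-06-27T10:00:02 10.0.0.21 10.0.0.11 80
2017-06-27T10:00:03 10.0.0.21 10.0.0.12 80
"""

SMB_PORTS = {445, 139}  # the ports the advisory says infected hosts probe

def parse_log(text):
    """Yield (timestamp, src, dst, port); blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        yield datetime.fromisoformat(ts), src, dst, int(port)

def find_smb_fanout(text, threshold=5, window=timedelta(minutes=1)):
    """Return {src: most distinct SMB targets seen in any single window} for
    every source that reached at least `threshold` distinct hosts on 445/139
    within `window`. Repeated connections to one file server do not trigger."""
    by_src = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        if port in SMB_PORTS:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (ts, _) in enumerate(events):
            # distinct destinations in the window ending at this event
            recent = {d for t, d in events[:i + 1] if ts - t <= window}
            if len(recent) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(recent))
    return flagged
```

Only 10.0.0.5 is flagged here: 10.0.0.20 talks repeatedly to a single server and 10.0.0.21 fans out on port 80, not SMB.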
Public reporting has identified a possible 'vaccine' mechanism. There are conflicting reports on the effectiveness and technical detail of this alleged vaccine. Even if it provides protection against Petya, it is highly unlikely that this 'vaccine' would be effective against any other form of ransomware.
Once infected, the malware creates a scheduled task to sleep between 10 and 60 minutes before a reboot is triggered.
The malware clears system logs to make further analysis more difficult.
When the malware has completed the reboot, it encrypts files on the computer.
The malware also encrypts the master boot record (MBR) to prevent offline tampering or file recovery and adds custom boot code. This code prevents users from booting the computer beyond the ransom screen shown below.