Petya Ransomware: What You Need to Know

Jimmy Graham

Last updated on: September 6, 2020

On Tuesday, a variant of the ransomware “Petya” began propagating in several countries across Europe. This new variant leverages the EternalBlue exploit used in WannaCry, and also takes advantage of misconfigured permissions to spread throughout the network.

EternalBlue is a leaked exploit developed by the NSA that leverages the vulnerability patched in MS17-010. All unpatched versions of Windows are vulnerable to EternalBlue, excluding recent versions of Windows 10. Microsoft has also chosen to release patches for some end-of-support versions of Windows.

Detecting EternalBlue and Petya

Qualys Vulnerability Management can detect the vulnerability being leveraged by Petya. The QIDs used for the EternalBlue exploit are still applicable and can be used to determine if you are vulnerable to this attack vector:

QID 91345 can detect this vulnerability with or without authentication, as well as with the Qualys Cloud Agent
QID 91360 is an auth-only check that requires authentication or the Qualys Cloud Agent

The existing WannaCry and Shadow Brokers Dashboard built into Qualys AssetView can also be used to track vulnerable assets. Steps for importing this dashboard from a template are available in the Qualys Community.

We have also added QID 1037, which looks for the presence of Petya itself. Please note that this detection will only work before the system is rebooted, as Petya overwrites the Master Boot Record and prevents Windows from booting. Files can be recovered from systems that have not been rebooted, as the encryption process has not started. Petya does schedule a system reboot, so any backup or recovery attempts should be made with the system powered off and the hard drives accessed directly via a different system.

Preventing Propagation via Administrative Access

The second attack vector uses WMI and psexec to spread using the infected user’s permissions. If the user has administrative rights over other systems, those systems can also become infected. It is highly recommended that administrative permissions be restricted for workstation users.

A common misconfiguration is to add “Domain Users” or “Authenticated Users” to the “Administrators” group to quickly grant all workstation users administrative access to their workstation. This allows the users to access other workstations with full administrative permissions. In this type of situation, the malware can spread without the need for a software vulnerability. Group Policy can be used to remove these groups and ensure that they are not added.

There have also been reports that a variant of Petya also attempts to obtain the local administrative password. In this case, that password could potentially be used to further spread to other systems with the same local admin password. It is recommended that all systems have different local admin passwords, through the use of a tool such as Microsoft’s LAPS.

Qualys Policy Compliance can be used to ensure that systems are configured securely and are hardened according to best practices. Control ID (CID) 2521 can be used to identify members of the local Administrators group across Windows workstations and servers. Additionally, if you have custom Admin groups which could have “Domain Users” or “Authenticated Users”  as members, you can define a User Defined Control (UDC) to identify and report on these groups.

Workarounds

Patching and proper permissions management is the best way to prevent infection. However, some of the workarounds for WannaCry are applicable to stop the EternalBlue attack vector. Disabling SMBv1 will prevent this attack from working.

Disabling the admin$ share through group policy can prevent the second attack vector, though this may break other systems management software.

Another option is to completely block inbound connections to the SMB port (445) to prevent either attack vector; however, this should be thoroughly tested, as it may have unintended consequences.

It has also been reported that creating a file called “perfc” with no extension in %windir% will prevent the malware from executing.

Get Started Now

To start detecting and protecting against critical vulnerabilities, get a Qualys Suite trial. All features described in this article are available in the trial.

Show Comments (1)

Comments

Your email address will not be published. Required fields are marked *