Petya/NotPetya Ransomware Detection for the Modern Enterprise

save
Share and earn Cybytes
Facebook Twitter Google+ LinkedIn Email

A new version of the Petya malware is spreading through the European Union, primarily in Ukraine and Russia. It has already impacted many organizations, both large and small, and has compromised systems at Ukraine’s central bank, its state telecommunications company, municipal metro, and Kiev’s Boryspil International Airport.

Background

Petya ransomware is powered by Shadow Brokers exploits, which were leaked earlier this year. After compromising a system, the malware encrypts the data using a private key, and prevents users from accessing the system until it is restored or decrypted. The ransomware leverages a couple of vulnerabilities to quickly spread across the organization. It first leverages CVE-2017-0199, a vulnerability in Microsoft Office documents, which enables the execution of a malicious HTA file. The malware then infects systems that are vulnerable to MS17-010 and spreads laterally across the infrastructure.

Note: The Petya malware creates a scheduled task which reboots up to one hour after infection. If the task is removed before execution, it does not reschedule, buying you some time.

Similar to the WannaCry ransomware that infected systems globally earlier this year, Petya takes advantage of known vulnerabilities that already have patches. In a world where malware threats arise every day, chasing daily threats is not advised. Organizations everywhere and of every size need a more strategic approach to proactively manage security threats (and protect themselves and their customers) by implementing good cyber hygiene practices, including regular patching, updates, backups, and continuous monitoring.

How Tenable can help

Patch vulnerabilities

Tenable customers should immediately patch systems vulnerable to CVE-2017-0199 and MS17-010 if you haven’t already done so. Tenable.io™ Vulnerability Management has the following four plugins, released earlier this year, to detect vulnerable systems:

Plugin ID Plugin Title/Comments Exploits

99285

KB4015551: Windows Server 2012 Standard April 2017 Cumulative Update

CVE-2017-0199

99304

KB4015549: Windows 7 and Windows 2008 R2 April 2017 Cumulative Update

CVE-2017-0199

97737

MS17-010: Security Update for Microsoft Windows SMB Server (4013389)

ETERNALBLUE

ETERNALCHAMPION ETERNALROMANCE ETERNALSYNERGY

WannaCry

EternalRocks

97833

MS17-010: Security Update for Microsoft Windows SMB Server (4013389) uncredentialed check

ETERNALBLUE

ETERNALCHAMPION ETERNALROMANCE ETERNALSYNERGY WannaCry

EternalRocks

Malware scan

Tenable customers can use the Malware Scan Policy in Tenable.io™ or SecurityCenter™ to detect machines infected with Petya, and the results will be reported under plugin 59275:

Plugin 59275 output

YARA detection

Tenable customers can also use YARA rules to identify infected systems through the Malicious File Detection Using YARA Nessus plugin.

Here’s a sample rule from Kaspersky which can be used with Nessus to detect the Petya malware :

Sample YARA rule for Nessus to detect Petya

Dashboards

The Petya dashboard uses all the available methods mentioned above to consolidate the data for easy understanding of the systems most likely affected or at risk from the malware. The components bring in netstats from Nessus and the Nessus Network Monitor, and also display the content related to missing patches associated with SMB vulnerabilities.

Wrap-up

Most ransomware exploits well-known vulnerabilities that already have patches available. Implementing a proactive security program that includes regular patching and system updating is one of the best strategies you can use to prevent malware from infecting your systems. Make it a regular habit to patch and protect.

For more information

  • Learn more about Tenable.io, the first vulnerability management platform for all modern assets
  • Get a free 60-day trial of Tenable.io

Many thanks to the Tenable research team for their contributions to this blog.

Share this post and earn Cybytes
Facebook Twitter Google+ LinkedIn Email
Follow
1589 Followers
About Tenable
Tenable™, Inc. is the Cyber Exposure company. Over 24,000 organizations of all sizes around the globe rely on Tenable to manage and measure their modern attack surface to accurately understand and reduce cyber risk. As the creator of Nessus®, Tenable built its platform from the ground up to deeply understand assets, networks and vulnerabilities, extending this knowledge and expertise into Tenable.io™ to deliver the world’s first platform to provide live visibility into any asset on any computing platform. Tenable customers include over 50 percent of the Fortune 500, large government agencies and organizations across the private and public sectors. Learn more at tenable.com.
Promoted Content
Five Steps to Building a Successful Vulnerability Management Program
Is your vulnerability management program struggling? Despite proven technology solutions and the best efforts of IT teams, unresolved vulnerabilities remain an ongoing source of friction and frustration in many organizations. Regardless of how many vulnerabilities are fixed, there will always be vulnerabilities that can’t easily be remediated – and too often, finger-pointing between IT teams and business groups can ensue.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play
 

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel