WannaCry II: How To Stop NotPetya Infections With The Cato Cloud

Share and earn Cybytes
Facebook Twitter LinkedIn Email

Just a little more than a month after WannaCry delivered the “largest” ransomware attack in history, the industry was reeling from it’s sequel, NotPetya.

Like WannaCry, NotPetya leverages the SMB protocol to move laterally across the network, an EternalBlue exploit attributed to the National Security Agency (NSA) and leaked by the Shadow Brokers hacking group last April.

But the ransomware, a variant of the NotPetya ransomware discovered more than a year ago, significantly improves on WannaCry. First, NotPetya extracts user credentials from the infected machine’s memory using Mimikatz, an open-source tool. Using the harvested credentials, the malware employs the PsExec Microsoft utility and WMIC (Windows Management Instrumentation Command Line), a utilities bundled with Windows, to execute commands on remote machines.

IT managers should take action to protect users and their networks even if they have already done so against WannaCry. All Windows-based machines should be updated, including industrial devices, such as ATMs, and Windows 10 devices. Detailed steps for protecting your network with Cato are provided below, including a video illustrating EternalBlue-based attacks.

Inside The Attack

While the source of the NotPetya campaign has been speculated, Microsoft now claims to have evidence that “patient zero” is MeDoc, a Ukraine-based software company. Attackers allegedly planted the malware in the company’s update servers. The company then erroneously distributed the malware as part of a software update. Ukraine was indeed the primary victim for this attack.

Other attack vectors that were found in the wild are Microsoft Office documents armed with embedded HTAs (HTML Applications) that are designed to exploit CVE-2017-0199, first discovered in April 2017. Once the document is opened the HTA code executes and drops the malware to the attacked computer. The machine is then forced to reboot, encrypting the files and locking the computer. Victims are asked to pay $300 to remove the infection (see Figure 1). A total of 3.8 Bitcoin (BTC), approximately $8,000, have been collected to date by NotPetya.

Figure 1: Ransomware screen from a computer infected by NotPetya

What You Can Do

If machines have not already been updated, Cato Research recommends that all organizationsupdate them. To protect the network, take the following actions:

Use URL filtering to block malicious sites.Add a read-only file to user machines, preventing NotPetya from executing.Scan incoming files with anti-malware.Use IPS to detect and block incoming attacks.

Do not attempt to pay the ransom. The mailboxes that were used by the attackers have been disabled by the email provider. It’s also unlikely that paying the ransom will provide a decryption key (Figure 2). Recent reports indicate that encryption key may randomized and therefore impossible to provide. Notify users that if their computer restarts abruptly to shut down immediately and alert IT. This way the malware will not be able to encrypt files and can be extracted by IT personnel.

Figure 2: The email account used by NotPetya has been blocked.

Use URL filtering to block malicious sites

As was documented with WannaCry, URL filtering can minimize the attack surface available to NotPetya (Figure 3). Any malicious domain should be blocked, if not already done so. With Cato, malicious domain are blocked by default.

Figure 3: IT should block access to malicious domain

Add a Read-Only File to User Machines to prevent infection

While WannaCry could be stopped by preventing the malware from communicating back to the C&C server, no such kill-switch exists with NotPetya. However, Amit Serper, a security researcher from Cybereason, has discovered that adding a read-only file to the C:\windowsdirectory with the same name as the malicious DLL, perfc (without an application extension), disables the execution of the malware (Figure 4). 

Figure 4: Placing a file named perfc in the Windows directory will prevent installation of NotPetya in a machine.

Scan incoming files with anti-malware

Threat protection should also be enabled to scan every download and payload (Figure 5). With Cato’s anti-malware capabilities, customers are protected by blocking HTTP/S traffic containing NotPetya. Even if an email attachment contains NotPetya, the payload is still transferred across HTTP and will be blocked.

Figure 5: Cato threat protection blocks infected files and messages

Additional rules monitor for suspicious SMB traffic. To date, SMB traffic patterns pointing to the malware have not been detected on our network.

The above actions should protect your organization against NotPetya. 

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Cato Networks
Cato Networks is rethinking network security from the ground up and into the Cloud. Cato has developed a revolutionary new Network Security as a Service (NSaaS) platform that is changing the way network security is delivered, managed, and evolved for the distributed, Cloud-centric, and mobile-first enterprise. Based in Tel Aviv, Israel, Cato Networks was founded in 2015 by cybersecurity luminary Shlomo Kramer, who previously co-founded Check Point Software Technologies and Imperva, and Gur Shatz, who previously co-founded Incapsula.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?