Multiple Petya Ransomware Infections

Summary

Systems Affected: Microsoft Windows operating systems.

Per Alert (ICS-ALERT-17-181-01C) Petya Malware Variant (Update C)

ICS-CERT is aware of reports of a variant of the Petya malware that is affecting several countries. ICS-CERT is releasing this alert to enhance the awareness of critical infrastructure asset owners/operators about the Petya variant and to identify product vendors that have issued recommendations to mitigate the risk associated with this malware.

Cybersecurity researchers have been aware of the Petya malware since 2016 and have recently identified a new enhanced variant with several different names, including “NotPetya,” “Petrwrap,” “GoldenEye,” and “Nyetya.” Current reporting suggests that the initial infection vector for the Petya variant may be the result of a supply chain attack against accounting software MEDoc.

The Petya variant is a self-propagating worm that can laterally move through an infected network by harvesting credentials and active sessions on the network, exploiting previously identified SMB vulnerabilities, and using legitimate tools such as the Windows Management Instrumentation Command-line (WMIC) tool and the PsExec network management tool. After initial infection, the affected system scans the local network for additional systems to infect via Port 139/TCP and 445/TCP, prior to encrypting files and overwriting the Master Boot Record (MBR) or wiping sectors of the disk drive. There are several reports that suggest that the Petya variant’s creators intend it to be destructive in nature, rather than a traditional, economically motivated ransomware. Regardless, the U.S. Government does not encourage paying a ransom to criminal actors.

Unaffected Quantum Products

The following Quantum products are known to be unaffected by the Multiple Petya Ransomware Infections:

• DXi
• Scalar Key Manager
• Scalar Tape Libraries
• Scalar LTFS
• SuperLoader 3
• StorNext Q-series QD/QS/QSX
• Lattus (C5, A10, S10, S20, S30)
• LTO Drives
• StorNext Software
• StorNext Appliances
• Vision
• vmPRO

Vulnerable Quantum Products

Versions of the following Quantum products are known to be vulnerable to Multiple Petya Ransomware Infections:

• Xcellis Application Director

  Xcellis Application Director is running Windows 2012R2. Customer is responsible for administration of Windows OS and any related Video Security Application installed. As such Customer is responsible for updating Windows OS to latest patches and backing up the system.

Impact

Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including:

• temporary or permanent loss of sensitive or proprietary information,
• disruption to regular operations,
• financial losses incurred to restore systems and files, and
• potential harm to an organization’s reputation.

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Solution

Recommended Steps to minimize the risk associated with the Petya malware:

• Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
• Disable SMBv1 on every system connected to the network. Information on how to disable SMBv1 is available from Microsoft. While many modern devices will operate correctly without SMBv1, some older devices may experience communication or file/device access disruptions.
• Microsoft recommends blocking all traffic on Port 139/TCP and 445/TCP to prevent propagation. Microsoft has also recommended that their users can also disable remote WMI and file sharing.
• Isolate or protect vulnerable embedded systems that cannot be patched from potential network exploitation.
• Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
• Locate control system networks and devices behind firewalls, and isolate them from the business network

Recommended Best Practices

• Enable strong spam filters to prevent phishing e-mails from reaching the end users and authenticate in-bound e-mail using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
• Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users.
• Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
• Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
• Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
• Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.
• Develop, institute and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
• Have regular penetration tests run against the network. No less than once a year. Ideally, as often as possible/practical.
• Test your backups to ensure they work correctly upon use.

References

• https://www.us-cert.gov/ncas/current-activity/2017/06/27/Multiple-Petya-Ransomware-Infections-Reported
• https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01
• https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01A
• https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01B
• https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01C
• https://www.us-cert.gov/ncas/current-activity/2017/03/16/Microsoft-SMBv1-Vulnerability
• https://technet.microsoft.com/library/security/MS17-010

Contact Information

In US, call 800-284-5101. In Europe, call toll free +800-7826-8888 or direct +49 6131 324 185. You will need your system serial number. For additional contact information, go to http://www.quantum.com/serviceandsupport/get-help/index.aspx#contact-support